TechSpot

Still not clean after XP Security 2012

By ST Dog
Jun 18, 2011
  1. My son's computer rebooted after a Windows update and then wouldn't boot normally. Got to safe mode and discovered one of the AV trojans that ran anytime you started an app. Ran through the tools I used last time on mine and cleaned out a bunch of stuff, even a rootkit.

    Still don't think it's clean though.

    For one, I get a warning about ActiveX when not even running a browser (like when ejecting a USB drive).

    **************
    MBAM.txt
    **************
    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6888

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/18/2011 2:18:05 PM
    mbam-log-2011-06-18 (14-18-05).txt

    Scan type: Quick scan
    Objects scanned: 208678
    Time elapsed: 17 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    *************
    GMER.log
    *************
    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-18 14:21:43
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HTS54108 rev.MB4I
    Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kgtdrpod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    **********
    DDS.txt
    **********
    .
    DDS (Ver_2011-06-12.02) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Run by Administrator at 14:21:52 on 2011-06-18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1349 [GMT -5:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
    C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files\Microsoft\BingBar\SeaPort.EXE
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    C:\PROGRA~1\THINKV~2\AMSG\Amsg.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
    C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
    C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe
    C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program Files\TPFanControl\TPFanControl.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe
    C:\PROGRA~1\WI3712~1\Datamngr\DATAMN~1.EXE
    C:\Program Files\Ask.com\Updater\Updater.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://home.jzip.com
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mSearchAssistant = hxxp://start.facemoods.com/?a=ppcb4&s={searchTerms}&f=4
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: IMVU Inc Toolbar: {90b49673-5506-483e-b92b-ca0265bd9ca8} - c:\program files\imvu_inc\tbIMVU.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi3712~1\toolbar\searchqudtx.dll
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
    mRun: [TpShocks] TpShocks.exe
    mRun: [TP4EX] tp4ex.exe
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
    mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
    mRun: [AMSG] c:\progra~1\thinkv~2\amsg\Amsg.exe /startup
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
    mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
    mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
    mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [LenovoAutoScrollUtility] c:\program files\lenovo\virtscrl\virtscrl.exe
    mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
    mRun: [LPMailChecker] c:\progra~1\thinkv~2\prdctr\LPMLCHK.exe
    mRun: [<NO NAME>]
    mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
    mRun: [TPFanControl] c:\program files\tpfancontrol\TPFanControl.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [CorelDRAW Graphics Suite 11b] c:\program files\corel\corel graphics 11\register\registration.exe /title="CorelDRAW Graphics Suite 11" /date=062611 serial=DR11CRD-0044977-NMV
    mRun: [DATAMNGR] c:\progra~1\wi3712~1\datamngr\DATAMN~1.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\openURL.vbs
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    IE: &Search - http://tbedits.smileycentral.com/on...549E-3BDE-4680-807B-772223E02256&n=2011011321
    IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
    IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
    IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\alex\start menu\programs\imvu\Run IMVU.lnk
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1276268207234
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1287407776625
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{A7772497-ECCC-469E-888B-29D1FAC53D9A} : DhcpNameServer = 192.168.1.254
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: ACNotify - ACNotify.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
    AppInit_DLLs: c:\progra~1\wi3712~1\datamngr\datamngr.dll c:\progra~1\wi3712~1\datamngr\IEBHO.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Notification Packages = scecli ACGina c:\program files\thinkvantage fingerprint software\psqlpwd.dll ACGina
    Hosts: 184.95.59.211 www.google.com
    Hosts: 184.95.59.212 search.yahoo.com
    Hosts: 184.95.59.212 www.bing.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\2i5fcpny.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
    FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=
    FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\smileycentral_1v\bar\1.bin\NP1vStub.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-10-18 25968]
    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2010-6-16 20592]
    R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-10-18 13680]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-10-18 292200]
    R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\thinkpad\utilities\PWMEWSVC.exe [2011-6-18 148840]
    R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]
    R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\lenovo\hotkey\tphkload.exe [2011-6-18 99328]
    R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-10-18 64440]
    R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2010-12-26 6609920]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-26 136176]
    S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-10-18 45496]
    S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-10-18 69632]
    S2 SmileyCentral_1vService;SmileyCentral Service;c:\progra~1\smiley~2\bar\1.bin\1vbarsvc.exe [2011-1-13 28766]
    S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
    S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\coh_mon.sys --> c:\windows\system32\drivers\COH_Mon.sys [?]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 gkmixern;gkmixern;\??\c:\docume~1\alex\locals~1\temp\gkmixern.sys --> c:\docume~1\alex\locals~1\temp\gkmixern.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-26 136176]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1980-1-1 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== File Associations ===============
    .
    exefile="c:\documents and settings\networkservice\local settings\application data\rax.exe" -a "%1" %*
    .
    =============== Created Last 30 ================
    .
    2011-06-18 18:43:07 -------- d-----w- c:\documents and settings\administrator\application data\PCDr
    2011-06-18 18:42:17 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
    2011-06-18 18:29:27 -------- d-----w- c:\program files\common files\Lenovo
    2011-06-18 15:04:51 54016 ----a-w- c:\windows\system32\drivers\qgfsyq.sys
    2011-06-18 13:38:27 -------- d-s---w- C:\ComboFix
    2011-06-17 06:29:02 -------- d-----w- c:\program files\AVAST Software
    2011-06-17 05:56:34 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2011-06-17 05:56:34 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
    2011-06-17 05:55:50 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-06-16 03:26:13 233472 --sha-r- c:\windows\system32\rwinstau.dll
    2011-06-16 03:26:13 233472 --sha-r- c:\windows\system32\dsoundv.dll
    2011-06-05 04:49:46 -------- d-----w- c:\documents and settings\all users\application data\Skype Extras
    2011-06-05 04:47:09 -------- d-----r- c:\program files\Skype
    2011-05-23 14:12:28 -------- d-----w- c:\program files\Pearl Harbor
    2011-05-21 04:12:21 -------- d-----w- C:\ini
    2011-05-21 04:04:44 -------- d-----w- C:\cfg
    2011-05-20 23:25:06 56832 ------w- c:\windows\system32\iyvu9_32.dll
    2011-05-20 23:25:05 143872 ------w- c:\windows\system32\iacenc.dll
    2011-05-20 23:25:01 1622016 ------w- c:\program files\microsoft games\age of empires\EMPIRES.EXE
    2011-05-20 23:25:00 1513984 ------w- c:\program files\microsoft games\age of empires\EMPIRESX.EXE
    2011-05-20 23:24:58 319553 ------w- c:\program files\microsoft games\age of empires\Uninstal.Exe
    2011-05-20 23:24:57 2744320 ------w- c:\program files\microsoft games\age of empires\SETUPENU.DLL
    2011-05-20 23:24:52 174080 ------w- c:\program files\microsoft games\age of empires\language.dll
    2011-05-20 23:24:52 160256 ------w- c:\program files\microsoft games\age of empires\languagex.dll
    2011-05-20 23:24:38 29184 ------w- c:\program files\microsoft games\age of empires\data2\closedpw.exe
    2011-05-20 23:24:16 29184 ------w- c:\program files\microsoft games\age of empires\data\closedpw.exe
    2011-05-20 23:23:04 32768 ------w- c:\program files\microsoft games\age of empires\AoEHlp.dll
    2011-05-20 23:23:04 32768 ------w- c:\program files\microsoft games\age of empires\aelaunch.dll
    2011-05-20 23:22:59 -------- d-----w- c:\program files\Microsoft Games
    .
    ==================== Find3M ====================
    .
    2011-06-18 03:55:53 118784 ----a-w- c:\windows\DUMPc8fd.tmp
    2011-06-17 11:53:36 118784 ----a-w- c:\windows\DUMPbe6e.tmp
    2011-06-17 06:40:04 118784 ----a-w- c:\windows\DUMPc330.tmp
    2011-06-16 13:04:49 118784 ----a-w- c:\windows\DUMPbc7a.tmp
    2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 14:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-10 06:39:00 292200 ------w- c:\windows\system32\PWMCPl.cpl
    2011-05-10 06:39:00 25968 ------w- c:\windows\system32\drivers\DOZEHDD.SYS
    2011-05-10 06:39:00 12144 ------w- c:\windows\system32\drivers\TPPWRIF.SYS
    2011-05-06 01:33:00 1344560 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2011-05-06 01:31:56 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
    2011-05-06 01:31:52 222504 ----a-w- c:\windows\system32\SynCtrl.dll
    2011-05-06 01:31:52 177448 ----a-w- c:\windows\system32\SynCOM.dll
    2011-04-12 20:09:49 23 ----a-w- C:\NUKEM2.BAT
    2011-04-08 22:27:40 292152 ----a-w- c:\windows\system32\tvt_gina_api.dll
    2011-04-08 22:27:32 582968 ----a-w- c:\windows\system32\tvt_gina.dll
    2011-04-08 22:24:24 4224 ----a-w- c:\windows\system32\drivers\IBMBLDID.sys
    2011-04-08 22:23:02 11520 ----a-w- c:\windows\system32\drivers\ANC.sys
    2011-03-23 02:10:24 139080 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-03-23 02:10:18 270240 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-03-23 02:10:18 270240 ----a-w- c:\windows\system32\PnkBstrB.exe
    .
    ============= FINISH: 14:22:30.40 ===============


    **************
    attach.txt
    **************
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-12.02)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/11/2010 9:48:18 AM
    System Uptime: 6/18/2011 1:48:57 PM (1 hours ago)
    .
    Motherboard: LENOVO | | 2613EKU
    Processor: Genuine Intel(R) CPU T2500 @ 2.00GHz | None | 997/167mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 70 GiB total, 9.669 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Access Help
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader X (10.0.1)
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    Ask Toolbar
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    ATI HYDRAVISION
    Audacity 1.2.6
    Battlefield Heroes
    Bing Bar
    Bonjour
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Localization All
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Dutch
    CCC Help English
    CCC Help French
    CCC Help German
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Portuguese
    CCC Help Spanish
    CCC Help Swedish
    CCleaner
    Combat Arms
    Conduit Engine
    Corel Graphics Suite 11
    CorelDRAW Graphics Suite 11
    Deer Hunter - The 2005 Season
    Desktop iPhone
    Diskeeper Lite
    EA Download Manager
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Help Center
    Heroes Of Hellas
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB971276-v3)
    Hotfix for Windows XP (KB981793)
    IBM 32-bit Runtime Environment for Java 2, v1.4.2
    IMVU Inc Toolbar
    Intel PROSet Wireless
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet/Wireless WiFi Software
    InterVideo WinDVD
    IrfanView (remove only)
    Japanese Language Support
    Java Auto Updater
    Java(TM) 6 Update 16
    Java(TM) 6 Update 22
    Java(TM) 6 Update 23
    jZip
    LAME v3.98.2 for Audacity
    Lenovo Auto Scroll Utility
    Lenovo System Interface Driver
    Lenovo ThinkVantage Toolbox
    Magic Encyclopedia. First Story
    Maintenance Manager
    Malwarebytes' Anti-Malware version 1.51.0.1200
    MATonline2.1.6.325
    Message Center
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Age of Empires Gold
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Default Manager
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft National Language Support Downlevel APIs
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft WSE 3.0 Runtime
    Mozilla Firefox 4.0.1 (x86 en-US)
    Mozilla Thunderbird (3.1.7)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MuseScore 0.9.6 MuseScore score typesetter
    Mytheon
    Natalie Brooks - Secrets of Treasure House
    Nexon Game Manager
    On Screen Display
    OpenOffice.org 3.3
    Opera 11.11
    Pando Media Booster
    Pearl Harbor
    PerfectDisk 11 Professional
    Picasa 2
    Presentation Director
    Productivity Center Supplement for ThinkPad
    Project Blackout
    Project64 1.6
    PunkBuster Services
    QuickTime
    Raptr
    RecordNow Audio
    RecordNow Copy
    RecordNow Data
    Remove Multimedia Center
    Safari
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Skins
    Skype Toolbars
    Skype™ 5.3
    SmileyCentral
    Software Installer
    Sonic DLA
    Sonic Express Labeler
    Sonic Update Manager
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 9
    Splinter Cell Pandora Tomorrow
    Sprill - The Mystery of The Bermuda Triangle
    SUPERAntiSpyware
    System Migration Assistant
    System Requirements Lab CYRI
    System Update
    Temple of Elemental Evil
    The Lord of the Rings Online™ v03.02.05.8032
    ThinkPad Configuration
    ThinkPad EasyEject Utility
    ThinkPad FullScreen Magnifier
    ThinkPad Hotkey Features Integration Setup
    ThinkPad Hotkey Features Setup
    ThinkPad Keyboard Customizer Utility
    ThinkPad Modem
    ThinkPad PC Card Power Policy
    ThinkPad Power Management Driver
    ThinkPad Power Manager
    ThinkPad UltraNav Driver
    ThinkPad UltraNav Utility
    ThinkPad UltraNav Wizard
    ThinkVantage Access Connections
    ThinkVantage Active Protection System
    ThinkVantage Fingerprint Software
    ThinkVantage Productivity Center
    ThinkVantage Technologies Welcome Message
    TPFanControl v0.62
    TrackPoint Accessibility Features
    Turtix
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB2362765)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    uTorrentBar Toolbar
    Wallpapers
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows ilivid Toolbar
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live ID Sign-in Assistant
    Windows Management Framework Core
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    WinZip 12.0
    XP Themes
    XPS Essentials Pack
    XPS Essentials Pack 1.0
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Are we working on 2 separate systems? Your T61 and your son's? If yes, you have set the threads up correctly. If not, the threads will have to be merged.
    (http://www.techspot.com/vb/topic166708.html)

    Let me know.
     
  3. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    Yes, two separate systems.
    His is a T60. The titles were to help me keep them straight :)
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you. There are numerous entries that brought malware with them and we will remove them with a script after Combofix has been run.
    ======================================
    This program must be removed: (See list below for related entries to remove.)
    S2 SmileyCentral_1vService;SmileyCentral Service;c:\progra~1\smiley~2\bar\1.bin\1vbarsvc.exe [2011-1-13 28766]
    And the Service Disabled:
    Start> Run> type in services.msc> enter> Double click on SmileyCentral_1vService to open> Change Startup Type to Disabled> Stop the Service.

    I'm guessing that much of the malware you have seen came from MyWebSearch, Hotbar and a few related processes. This service is described as:
    Much comes from the Fun Web Products and associated sites: Remove any on the system.
    Those smiling faces, 3D cursors, screensavers, wallpaper, et al. are not free! They come with a price!
    =======================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =======================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
     
  5. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36


    Good to know the source. He's been told about downloading/installing random stuff, but you can't tell a teen much. They have to learn the hard way.

    And of course "all" his friends are running the same things "without problems"

    Guess I have a busy evening.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    What to tell a teen:

    1. If he doesn't practice Safe Surfing, you won't help him clean the system.
    2. His friends have malware also- they just haven't found it yet!
    3. If the system gets overwhelmed with malware infections- and the FunWeb Products can do it, his system will become unbootable and he won't be able to use it at all.
    4. "Guess I have a busy evening. " Tell him you love him lots, but have other things to do.

    But you're right- you can't tell a teen much- so let him have the experience of learning what to do.:rolleyes:

    Will review logs when ready.
     
  7. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    Interesting. I got home and went to run the scans and noticed no IE.

    iexplore.exe is missing from Program Files.

    Tried Microsoft update and it loaded IE8, but didn't bring up the MS site.
    Tried to log in at TechSpot and the submit button didn't work.
    FF is working though. I guess one more item to correct.
     
  8. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    **********
    ESET.txt
    ***********

    C:\Documents and Settings\Alex\Local Settings\Temp\Gvb.exe a variant of Win32/Kryptik.NQS trojan
    C:\Documents and Settings\Alex\Local Settings\Temp\Gvc.exe a variant of Win32/Kryptik.NQS trojan
    C:\Documents and Settings\Alex\Local Settings\Temp\FacemoodsReinstal\GameBario_fmds4.exe probably a variant of Win32/SweetIM.A application
    C:\WINDOWS\Temp\jdpf\setup.exe Win32/Clemag.NAD trojan


    ****************
    ComboFix.txt
    ****************
    ComboFix 11-06-19.0r1 - Administrator 06/20/2011 23:27:03.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1250 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\MalwareStuff\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Application Data\Sun\mnj.dat
    c:\documents and settings\Alex\WINDOWS
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\09ce0ed7-58db-4be9-b311-80b4fd9fd9bc.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\0bd031fd-3064-40a9-a3a3-7379b9bd4435.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\0e53a45b-5a41-43e5-96ab-776b00e48a6e.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\1330efea-5af3-4b2b-984a-ddf5bed068a9.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\283cdc40-c633-4749-b3ad-8eb5e8b11b5c.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\434b795d-fe06-4495-801e-fa92d93babbc.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\4506fabd-988f-4627-a1de-44b2f1093b08.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\54874b0a-fb04-44ef-ad2b-c957aafea033.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\562ad818-216b-4d77-8b40-834630104d2c.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\60e1ddc2-8de1-4bd0-8e65-4c3d56791c8e.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\6a673ee4-43f7-4820-9e11-38692474f211.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\746b3523-df66-4ed9-beaa-88464b84933f.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\83db0f34-4452-4946-92c2-31dcd99767dd.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\90110d4d-0aa3-42f8-b48a-92aebd9d59f3.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\9ad80016-92d9-41a4-9436-c44907366397.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\aaafe845-287d-4966-bd17-65877f9d0d2e.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\b34a10f6-a592-424f-af97-b051783f9dd2.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\b52e5bed-821a-41fc-9d4b-24d443ee0ad9.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\bead45d2-b2dc-44e3-94f8-c7de6979be60.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\c4f7c843-a9b2-44f7-8e17-7891e2fe36ec.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\d580236a-e7d8-408d-9250-dfc70ec5d5e3.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\d754c4cc-ae68-4d17-afb7-55002296e1e2.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\ec6735a3-9204-4734-bb0f-5859e58b13b2.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\f1d18230-9731-47f0-b9f4-b537abcbb39c.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\f45a4f6c-32c1-48c0-9ee9-e840f397e395.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\f64109b2-74cc-4638-ae17-228b7886774b.dll
    c:\documents and settings\All Users\Application Data\PCDr\5802\AddOnDownloaded\fd85aea7-408e-4ff8-bdca-73b1320e8b27.dll
    c:\documents and settings\SchoolandCompetition\Application Data\facemoods.com
    c:\program files\Internet Explorer\SET459.tmp
    c:\program files\Internet Explorer\SET45E.tmp
    c:\program files\Mozilla Firefox\searchplugins\SearchquWebSearch.xml
    c:\program files\Search Toolbar
    c:\program files\Search Toolbar\icon.ico
    c:\program files\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files\Search Toolbar\SearchToolbarUpdater.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-21 to 2011-06-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-21 04:34 . 2011-06-21 04:34 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
    2011-06-21 04:34 . 2011-06-21 04:34 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
    2011-06-21 04:34 . 2011-06-21 04:34 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
    2011-06-21 04:34 . 2011-06-21 04:34 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
    2011-06-21 04:34 . 2011-06-21 04:34 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
    2011-06-21 04:34 . 2011-06-21 04:34 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
    2011-06-21 04:34 . 2011-06-21 04:34 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
    2011-06-21 04:34 . 2011-06-21 04:34 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
    2011-06-21 04:34 . 2011-06-21 04:34 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
    2011-06-21 04:34 . 2011-06-21 04:34 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
    2011-06-21 04:34 . 2011-06-21 04:34 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
    2011-06-21 04:34 . 2011-06-21 04:34 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
    2011-06-21 04:33 . 2011-06-21 04:33 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
    2011-06-21 04:33 . 2011-06-21 04:33 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
    2011-06-21 04:33 . 2011-06-21 04:33 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
    2011-06-21 04:33 . 2011-06-21 04:33 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
    2011-06-21 04:33 . 2011-06-21 04:33 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
    2011-06-21 01:34 . 2011-06-21 01:34 -------- d-----w- c:\program files\ESET
    2011-06-18 20:15 . 2011-06-18 20:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-18 20:09 . 2011-06-18 20:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\PwrMgr
    2011-06-18 20:01 . 2011-06-18 20:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinBatch
    2011-06-18 19:37 . 2011-06-18 19:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\DeviceDoctorSoftware
    2011-06-18 19:29 . 2011-06-18 19:29 -------- d-----w- c:\program files\Common Files\Adobe
    2011-06-18 18:43 . 2011-06-19 19:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\PCDr
    2011-06-18 18:42 . 2011-05-06 01:31 120104 ----a-w- c:\windows\system32\SynTPCo9.dll
    2011-06-18 18:29 . 2011-06-18 18:29 -------- d-----w- c:\program files\Common Files\Lenovo
    2011-06-18 15:04 . 2011-06-18 15:04 54016 ----a-w- c:\windows\system32\drivers\qgfsyq.sys
    2011-06-17 06:29 . 2011-06-17 06:29 -------- d-----w- c:\program files\AVAST Software
    2011-06-17 05:56 . 2011-06-17 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-06-17 05:56 . 2011-06-17 05:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2011-06-17 05:55 . 2011-06-18 20:18 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-06-16 08:33 . 2011-06-16 08:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2011-06-16 07:50 . 2011-06-16 07:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
    2011-06-16 03:26 . 2011-06-16 03:26 233472 --sha-r- c:\windows\system32\rwinstau.dll
    2011-06-16 03:26 . 2011-06-16 03:26 233472 --sha-r- c:\windows\system32\dsoundv.dll
    2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2011-06-05 04:49 . 2011-06-05 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
    2011-06-05 04:47 . 2011-06-05 04:47 -------- d-----w- c:\program files\Common Files\Skype
    2011-06-05 04:47 . 2011-06-05 04:48 -------- d-----r- c:\program files\Skype
    2011-06-05 04:46 . 2011-06-05 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2011-05-27 03:33 . 2011-05-27 03:33 -------- d-----w- c:\program files\Opera
    2011-05-23 14:12 . 2011-05-23 14:12 -------- d-----w- c:\program files\Pearl Harbor
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-18 03:55 . 2010-06-11 13:31 118784 ----a-w- c:\windows\DUMPc8fd.tmp
    2011-06-17 11:53 . 2010-06-11 13:31 118784 ----a-w- c:\windows\DUMPbe6e.tmp
    2011-06-17 06:40 . 2010-06-11 13:31 118784 ----a-w- c:\windows\DUMPc330.tmp
    2011-06-16 13:04 . 2010-06-11 13:31 118784 ----a-w- c:\windows\DUMPbc7a.tmp
    2011-05-29 14:11 . 2010-06-11 18:19 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 14:11 . 2010-06-11 18:19 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-10 06:39 . 2010-10-18 15:40 292200 ------w- c:\windows\system32\PWMCPl.cpl
    2011-05-10 06:39 . 2010-10-18 15:40 25968 ------w- c:\windows\system32\drivers\DOZEHDD.SYS
    2011-05-10 06:39 . 2010-06-11 14:14 12144 ------w- c:\windows\system32\drivers\TPPWRIF.SYS
    2011-05-06 01:33 . 1980-01-01 07:00 1344560 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2011-05-06 01:31 . 1980-01-01 07:00 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
    2011-05-06 01:31 . 1980-01-01 07:00 222504 ----a-w- c:\windows\system32\SynCtrl.dll
    2011-05-06 01:31 . 1980-01-01 07:00 177448 ----a-w- c:\windows\system32\SynCOM.dll
    2011-04-12 20:09 . 2011-04-12 20:09 23 ----a-w- C:\NUKEM2.BAT
    2011-04-08 22:27 . 2005-12-22 00:19 292152 ----a-w- c:\windows\system32\tvt_gina_api.dll
    2011-04-08 22:27 . 2005-12-22 00:19 582968 ----a-w- c:\windows\system32\tvt_gina.dll
    2011-04-08 22:24 . 2010-06-11 14:14 4224 ----a-w- c:\windows\system32\drivers\IBMBLDID.sys
    2011-04-08 22:23 . 2010-06-11 14:14 11520 ----a-w- c:\windows\system32\drivers\ANC.sys
    2011-04-30 04:15 . 2011-04-22 01:18 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2011-05-06 132392]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-05-06 2262312]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
    "TpShocks"="TpShocks.exe" [2010-07-02 337256]
    "TP4EX"="tp4ex.exe" [2005-10-17 65536]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
    "LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2009-07-23 185688]
    "AMSG"="c:\progra~1\THINKV~2\AMSG\Amsg.exe" [2009-09-03 436800]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
    "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2011-04-14 431464]
    "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2011-05-10 759144]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2011-05-10 208896]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2010-04-01 43960]
    "TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2010-03-26 62312]
    "LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2009-07-23 124248]
    "AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-08 91688]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-29 61440]
    "IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2010-10-19 1400832]
    "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-10-19 1206544]
    "TPFanControl"="c:\program files\TPFanControl\TPFanControl.exe" [2010-04-23 154112]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
    "CorelDRAW Graphics Suite 11b"="c:\program files\Corel\Corel Graphics 11\Register\registration.exe" [2005-02-17 315392]
    "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-10-18 50688]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Taskman"=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2009-12-01 18:41 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\SG Interactive\\Project Blackout\\PBlackout.exe"=
    "c:\\Program Files\\TrueGames\\Mytheon\\launcher.ui.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Nexon\\Combat Arms\\NMService.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Windows ilivid Toolbar\\ToolBar\\dtUser.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Raptr\\raptr.exe"=
    "c:\\Program Files\\Raptr\\raptr_im.exe"=
    "c:\\Nexon\\Combat Arms\\Engine.exe"=
    "c:\\Nexon\\Combat Arms\\CombatArms.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    "56693:TCP"= 56693:TCP:pando Media Booster
    "56693:UDP"= 56693:UDP:pando Media Booster
    .
    R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [10/18/2010 10:40 AM 25968]
    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [6/16/2010 1:44 PM 20592]
    R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [10/18/2010 10:38 AM 13680]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
    R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [10/18/2010 10:40 AM 292200]
    R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.exe [6/18/2011 1:40 PM 148840]
    R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [3/13/2009 1:47 PM 12560]
    R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\Lenovo\HOTKEY\tphkload.exe [6/18/2011 1:39 PM 99328]
    R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [10/18/2010 10:38 AM 64440]
    R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [12/26/2010 10:59 AM 6609920]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/26/2010 2:08 PM 136176]
    S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [10/18/2010 10:38 AM 45496]
    S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [10/18/2010 10:40 AM 69632]
    S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]
    S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys --> c:\windows\system32\Drivers\COH_Mon.sys [?]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 gkmixern;gkmixern;\??\c:\docume~1\Alex\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\Alex\LOCALS~1\Temp\gkmixern.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/26/2010 2:08 PM 136176]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1/1/1980 2:00 AM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WUAUSERV
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    2011-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-26 19:08]
    .
    2011-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-26 19:08]
    .
    2011-06-18 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 22:04]
    .
    2011-06-21 c:\windows\Tasks\PMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-06-11 06:39]
    .
    2011-06-21 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2011-05-17 18:29]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Alex\Start Menu\Programs\IMVU\Run IMVU.lnk
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2i5fcpny.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
    FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=
    .
    .
    ------- File Associations -------
    .
    exefile="c:\documents and settings\NetworkService\Local Settings\Application Data\rax.exe" -a "%1" %*
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{90b49673-5506-483e-b92b-ca0265bd9ca8} - c:\program files\IMVU_Inc\tbIMVU.dll
    Toolbar-10 - (no file)
    ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    Notify-ACNotify - ACNotify.dll
    Notify-NavLogon - (no file)
    AddRemove-IMVU_Inc Toolbar - c:\progra~1\IMVU_Inc\UNWISE.EXE
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-20 23:35
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1011569218-1715225952-1085146821-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,37,a7,b3,e4,7d,08,cf,42,95,2f,89,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,37,a7,b3,e4,7d,08,cf,42,95,2f,89,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(960)
    c:\windows\system32\vrlogon.dll
    c:\windows\system32\iwpdgina.dll
    c:\program files\Intel\WiFi\bin\LangResources\ENU\SsoGnENU.dll
    c:\windows\system32\tvt_gina.dll
    c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
    c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
    c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
    c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
    c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
    c:\program files\ThinkPad\ConnectUtilities\ACON.dll
    c:\windows\system32\WININET.dll
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
    c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
    c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
    c:\program files\ThinkPad\ConnectUtilities\ACNewBiosHelper.dll
    c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
    c:\program files\ThinkPad\ConnectUtilities\AcWrpc.dll
    c:\program files\ThinkPad\ConnectUtilities\Res\US\ACGinaRes.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
    c:\windows\system32\Ati2evxx.dll
    c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    c:\program files\ThinkVantage Fingerprint Software\infql2.dll
    c:\program files\ThinkVantage Fingerprint Software\homepass.dll
    c:\program files\ThinkVantage Fingerprint Software\bio.dll
    c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
    c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
    .
    - - - - - - - > 'lsass.exe'(1016)
    c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    c:\program files\ThinkVantage Fingerprint Software\infql2.dll
    .
    - - - - - - - > 'explorer.exe'(3332)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\program files\PC-Doctor\ATLPcdToolbar580224.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\program files\Intel\WiFi\bin\S24EvMon.exe
    c:\program files\Intel\WiFi\bin\WLKeeper.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\IPSSVC.EXE
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Raxco\PerfectDisk\PDAgent.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\Microsoft\BingBar\SeaPort.EXE
    c:\program files\lenovo\system update\suservice.exe
    c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    c:\windows\system32\TpKmpSVC.exe
    c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\windows\system32\SearchProtocolHost.exe
    c:\program files\LENOVO\HOTKEY\tposdsvc.exe
    c:\program files\Lenovo\HOTKEY\TPONSCR.exe
    c:\program files\Lenovo\Zoom\TpScrex.exe
    c:\windows\system32\TpShocks.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\progra~1\ThinkPad\UTILIT~1\SCHTASK.exe
    c:\progra~1\WI3712~1\Datamngr\DATAMN~1.EXE
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    c:\windows\system32\SearchFilterHost.exe
    .
    **************************************************************************
    .
    Completion time: 2011-06-20 23:42:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-06-21 04:42
    .
    Pre-Run: 14,599,626,752 bytes free
    Post-Run: 14,626,267,136 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
    .
    - - End Of File - - FFE2DF1A67A09EC44D1BDC2AD7FC43C9
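The `exefile=` line in the "File Associations" section of the ComboFix log above is the tell-tale of the rogue AV's launch hook: the default data of `HKEY_CLASSES_ROOT\exefile\shell\open\command` is just `"%1" %*`, and here a dropped binary has been put in front of it so that it runs before every .exe the user starts. The following Python checker is an added example, not part of the thread or of any tool mentioned in it. The sample values are constructed (the hijacked one copies the shape of the log line); the per-user `HKCU\Software\Classes\.exe` location is an assumption about where a single-account hijack would live, and the live registry read only happens on Windows.

```python
import re

# Default data of HKEY_CLASSES_ROOT\exefile\shell\open\command on Windows XP:
# the double-clicked program ("%1") and its arguments ("%*") go straight to
# the loader. The ComboFix "File Associations" line above shows the hijacked
# form: a dropped binary is placed in front and the real program is handed
# to it as an argument, so it runs before every .exe the user launches.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample values; the second mirrors the shape of the hijack in
# the log above (not read from a live machine).
SAMPLE_VALUES = {
    "clean": '"%1" %*',
    "hijacked": '"c:\\documents and settings\\NetworkService\\Local Settings'
                '\\Application Data\\rax.exe" -a "%1" %*',
}

# Registry locations worth checking. The per-user override under
# HKCU\Software\Classes is an assumption made here (it is where a hijack
# that affects only one account would have to live).
REGISTRY_LOCATIONS = [
    ("HKEY_CLASSES_ROOT", r"exefile\shell\open\command"),
    ("HKEY_CURRENT_USER", r"Software\Classes\.exe\shell\open\command"),
]

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def analyze_exefile_command(value):
    """Return (is_hijacked, interposed_program) for a shell\\open\\command value.

    Anything that precedes the "%1" token is a program interposed between the
    user and every executable they start.
    """
    tokens = _TOKEN_RE.findall(value.strip())
    if not tokens:
        return True, ""            # empty command: nothing would run at all
    first = tokens[0].strip('"')
    if first == "%1":
        return False, None         # "%1" comes first: no interposed program
    return True, first


def read_live_values():
    """On Windows, read the real values; elsewhere return an empty dict.

    Missing keys are skipped rather than treated as errors because the
    per-user location normally does not exist on a clean machine.
    """
    try:
        import winreg
    except ImportError:
        return {}
    found = {}
    for hive_name, subkey in REGISTRY_LOCATIONS:
        hive = getattr(winreg, hive_name)
        try:
            with winreg.OpenKey(hive, subkey) as key:
                found[hive_name + "\\" + subkey] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            continue
    return found


def audit(values):
    """Map each location or label to (is_hijacked, interposed_program)."""
    return {label: analyze_exefile_command(v) for label, v in values.items()}


if __name__ == "__main__":
    for label, (hijacked, prog) in audit(SAMPLE_VALUES).items():
        print(f"{label}: {'HIJACKED by ' + prog if hijacked else 'ok'}")
    for label, (hijacked, prog) in audit(read_live_values()).items():
        print(f"{label}: {'HIJACKED by ' + prog if hijacked else 'ok'}")
```

Restoring the value is only half the fix: the interposed file itself (here under the NetworkService profile's Application Data) and any per-user copy of the key have to go as well, which is why the thread goes on to fix "the exe registry keys for the other user".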
     
  9. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    Still no IE icon, but update loaded.

    When ComboFix finished, the update notifier said updates were ready.
    I checked and it shows 15 high priority updates. Should I install them now, or wait?

    Also, the middle button is bringing up a magnifier, and it's annoying as hell as I use the middle button for scrolling.

    Edit, fixed the magnifier. Some setting got reset to a default value.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for the delay. I updated Firefox and it trashed my computer. First time that's happened. Worked last night and 3 hours this AM- Still haven't gotten screens right.

    For the mouse problem: Check first in the Control Panel> Mouse> Buttons> Make sure middle button is set for scrolling.

    Go ahead with the updates.
    As for the settings, it is not unusual for malware to mess with settings. There is also the possibility that some were changed by Combofix. (There's a note stating this)

    I'm going to check the Combofix log now- bear with me as I have a 'mini' display to read from!
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    For Eset entries:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\Alex\Local Settings\Temp\Gvb.exe 
      C:\Documents and Settings\Alex\Local Settings\Temp\Gvc.exe 
      C:\Documents and Settings\Alex\Local Settings\Temp\FacemoodsReinstal\GameBario_fmds4.exe 
      C:\WINDOWS\Temp\jdpf\setup.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ================================
    Please run this Security Check

    Download Security Check by screen317 from HERE or HERE .
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
     
  12. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    No problem. I know the feeling all too well.
    That was me the other day when the boy first brought me this machine.
    I was just about to use a rescue CD just to boot the thing when I finally got into safe mode to start cleaning it up.

    Any idea how to get IE repaired?
    No desktop icon, no start menu entry, no exe in Program Files
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Try running this:
    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    ============================================
    If this does not restore the IE entries, you are going to need to reinstall it. You can try going to Add/Remove Programs> Windows Components> Find Internet Explorer and check-or uncheck it> the opposite of how you find it. See if this will restore IE6. You can update from that. Since there is no executable for it, you can't even create a new shortcut.
    ===================================================
     
  14. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    Didn't need unhide. That got me thinking and I remembered that the default folder options were on earlier (like hide known extensions and don't show hidden files). I had reset them to show stuff (long time Unix user and I like to see the details) so I went back and saw the executable.

    It wasn't set as hidden or system, so I don't know what brought it back.


    Logs follow.

    *********
    OTM log
    *********
    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\Alex\Local Settings\Temp\Gvb.exe moved successfully.
    C:\Documents and Settings\Alex\Local Settings\Temp\Gvc.exe moved successfully.
    C:\Documents and Settings\Alex\Local Settings\Temp\FacemoodsReinstal\GameBario_fmds4.exe moved successfully.
    File/Folder C:\WINDOWS\Temp\jdpf\setup.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 1860516 bytes
    ->FireFox cache emptied: 70788779 bytes
    ->Flash cache emptied: 470 bytes

    User: Alex
    ->Temp folder emptied: 1310774029 bytes
    ->Temporary Internet Files folder emptied: 1240440899 bytes
    ->Java cache emptied: 25955601 bytes
    ->FireFox cache emptied: 119177453 bytes
    ->Apple Safari cache emptied: 91489280 bytes
    ->Opera cache emptied: 16029871 bytes
    ->Flash cache emptied: 1808306 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32969 bytes
    ->Flash cache emptied: 56466 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 12650 bytes

    User: SchoolandCompetition
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->FireFox cache emptied: 34882738 bytes
    ->Flash cache emptied: 657 bytes

    User: User-1
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 494705 bytes
    %systemroot%\System32 .tmp files removed: 29335892 bytes
    %systemroot%\System32\dllcache .tmp files removed: 66560 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 645624 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 2,808.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 06232011_181603

    Files moved on Reboot...
    C:\WINDOWS\temp\Perflib_Perfdata_c74.dat moved successfully.

    Registry entries deleted on Reboot...


    ********
    checkup.txt
    ********
    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    ESET Online Scanner v3
    MuseScore 0.9.6 MuseScore score typesetter
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    CCleaner
    IBM 32-bit Runtime Environment for Java 2, v1.4.2
    Java(TM) 6 Update 16
    Java(TM) 6 Update 22
    Java(TM) 6 Update 23
    IBM 32-bit Runtime Environment for Java 2, v1.4.2
    Out of date Java installed!
    Adobe Flash Player 10.3.181.26
    Adobe Reader X (10.1.0)
    Mozilla Firefox (x86 en-US..) Firefox Out of Date!
    Mozilla Thunderbird (3.1.7)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Administrator Desktop MalwareStuff SecurityCheck.exe
    ``````````End of Log````````````

    **************
    Firefox is not out of date, as it just updated to 5.0 a day or two back.

    I'm going to remove/install Java and the Microsoft updates.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Firefox v5 is not an update. It is an upgrade. There is a big difference. Considering it was only set for release on June 21st, 2011, I strongly recommend that you take it off of automatic updating and wait for new upgrade problems to be resolved.

    FYI: I did a FF upgrade and it totaled my system! Removed all of my display settings, trashed my network. I finally ended up uninstalling it and going back to the previous version. Keep in mind: New does not always mean better!
    ========================================
    Regarding this:
    I wish it was that easy to restore the files and programs that these malware programs hide! It isn't- the malware puts the attribute in for 'hide' and changing the View in Folder Options doesn't help. And as word> the files and folders are not hidden so you don't see them. It's not a conspiracy by MS! They are hidden to keep you from accidentally deleting processes that are needed.
    ======================================
    The outdated Java programs are vulnerabilities to your system as long as they are on it. Suggest you run the following to remove all old Java entries then install the current version: You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following. Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that
      a logfile has been produced. Click OK. I do not need or want this log!
    • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
    Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    ===========================================
     
  16. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    Interesting. I had no issues with the upgrade on the 3 systems I installed it on (the two Thinkpads and a desktop)

    I've never had problems with any FF (or Mozilla) updates/upgrades going all the way back to the pre-1.0 days on Windows (and the earlier milestone releases in Unix)

    Like I said I don't know what brought iexplore.exe back. It wasn't set to system or hidden. My point was I remembered I had changed that setting, and decided to look.

    Agree it's not a conspiracy, it's just Microsoft doing their "we know better than you" routine. It's fine to mark things read only to prevent accidental deletion, but hiding them? And how about that nice warning when you go to \Windows or \Program Files.

    And why hide part of the file name? Think of the attacks that allows, too.
    Of course relying on a 3 letter extension to identify file type was pretty dumb anyway. Far better to use the data headers in the file to identify it.

    I uninstalled everything in the "Add/Remove Programs" list.
    Is it likely that some installations might be missed that way?
    Would the above tool remove more?
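The point made in the post above, that the content header is a better guide to a file's type than its extension, and that hiding known extensions turns "photo.jpg.exe" into "photo.jpg", is easy to show in code. The sniffer below is an added example (not from the thread or from any of the tools in it): it recognises a PE file by the `MZ` stub and the `PE\0\0` signature at the `e_lfanew` offset, a few other formats by their leading bytes, and reports three things a cleanup would care about: executable content behind a document extension, a double extension, and executable content behind an extension nobody expects to run. All sample names and bytes are constructed inline; the "PE" bytes are a header stub only, not a runnable program.

```python
import os
import struct

EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl"}

# Expected content type per extension. Extensions not listed here carry no
# expectation, except that executable content behind them is always reported.
EXPECTED_TYPE_FOR_EXT = {
    ".exe": "pe", ".dll": "pe", ".sys": "pe", ".scr": "pe", ".cpl": "pe",
    ".pdf": "pdf", ".zip": "zip", ".jar": "zip", ".docx": "zip",
}

SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
]


def sniff_type(data):
    """Identify content from its header bytes, ignoring the file name.

    A PE file starts with the DOS 'MZ' stub; the 32-bit offset stored at
    0x3C (e_lfanew) points at the 'PE\\0\\0' signature.
    """
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "dos-mz"
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def classify(filename, data):
    """Return (content_type, verdict) comparing the name with the content."""
    actual = sniff_type(data)
    name = os.path.basename(filename).lower()
    ext = os.path.splitext(name)[1]
    # "photo.jpg.exe" displays as "photo.jpg" when known extensions are
    # hidden; an extra extension in front of an executable one is the lure.
    if ext in EXECUTABLE_EXTS and name.count(".") >= 2:
        return actual, "double-extension"
    expected = EXPECTED_TYPE_FOR_EXT.get(ext)
    if expected is None:
        return actual, ("executable-content" if actual == "pe" else "ok")
    if actual != expected:
        return actual, "extension-content-mismatch"
    return actual, "ok"


def build_minimal_pe():
    """Constructed header-only bytes that satisfy the PE check; not a program."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    coff = struct.pack("<HH", 0x014C, 1)          # i386 machine, one section
    return dos + b"PE\x00\x00" + coff + b"\x00" * 64


# Constructed samples (names and bytes made up for this example).
SAMPLES = {
    "invoice.pdf": build_minimal_pe(),          # executable hiding as a document
    "photo.jpg.exe": build_minimal_pe(),        # double extension
    "helper.dll": build_minimal_pe(),           # executable named as one: fine
    "report.pdf": b"%PDF-1.4\n%constructed\n",  # real-looking PDF header
    "notes.txt": b"plain text, nothing to see\n",
    "notes2.txt": build_minimal_pe(),           # executable behind a .txt name
}


def scan_samples(samples=SAMPLES):
    """Classify every sample; returns {name: (content_type, verdict)}."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, verdict) in scan_samples().items():
        print(f"{name:16} {kind:8} {verdict}")
```

To run it over a real directory, read the first few hundred bytes of each file and pass them to `classify`; the header check needs only that much, so it stays cheap even on a large profile tree.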
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Of course, you are free to configure your computer however you want.

    As for the FF update/upgrade. I also have used FF since Day 1- without problems. But I've had to stay with the 3.5 or earlier updates for v3.6 because one of my add-ons will not work with the later versions. And I have FF on 3 computers. The update was v3.6.18 or 19. I've been updating regularly since it was released. My system is clean and well maintained- I don't have a clue what went wrong.

    Perhaps you can observe this first hand by looking at the Java Ra log. Please keep in mind that I do not want this log.

    Add/Remove Programs does not always remove all of the associated files. If it did I would have just had you uninstall in Add/Remove Programs.

    Again, I mention the OTM results: Total Files Cleaned = 2,808.00 mb
    Suggest you set a schedule for doing the maintenance and clean up on the system.
    =======================================
    I'd like for you to submit this for identification as follows:

    Please go to VirSCAN.org FREE on-line scan service:

    • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

      Code:
      c:\windows\system32\drivers\qgfsyq.sys
      
      [2]. At the upload site, click once inside the window next to Browse.
      [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      [4]. Click on the Upload button.
      This will perform a scan across multiple different virus scanning engines.
      Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      Important: Wait for all of the scanning engines to complete.
      [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
      [6]. Paste the contents of the Clipboard in your next reply.

    Are there any problems remaining from the malware?
     
  18. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    OK. I asked because that is what you said to do in my other thread.
    http://www.techspot.com/vb/topic166708.html#post1054730

    That certainly got my attention. What would be the maintenance/clean up steps you suggest? I've got other systems that likely need similar clean up.
    Using OTM? Some portion of the script above?


    After work today.

    After fixing the exe registry keys for the other user (I've been using the Admin account as it's "cleaner") it seems OK so far. Really haven't tested it much yet though.

    Wanted to get it clean first, then get AV tools re-installed before he did anything with it. Mainly he uses it for games, email, and facebook, with occasional school work.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you look at the OTM log, you will see the command to [EMPTYTEMP] and it does this for each system account.

    "User Alex" has the most files. There are 7 other 'users' with varying numbers of temporary internet files and flash cache.

    Maintenance for the Computer System

    1. Error Checking (CHKDSK) This checks your hard drive for errors. With Windows XP, you will need to restart your computer after selecting this task for it to run.

    2. Disk defrag, This takes all of the bits of data on your hard drive and puts them in order. If you use your computer a lot, you can have data scattered all over your hard drive. It makes you computer run slower when it is looking for this information.

    3. Deleting temporary internet files, Each time you go to a site, a temporary file is placed on you computer's hard drive. These can add up to a lot of space if not deleted regularly.

    4. Deleting cookies, These are small files web site put on your hard drive to identify you and track your surfing habits. If you have a password save for a certain web site, deleting your cookies will delete that as well. Over the years there have been some lively debates about how often to do this. I don't very often, others do it daily. It is really up to each person.
    5. Delete History- This is similar to temporary internet files. But when you delete History, it deletes the URLs in the Address box drop-down menu.

    6.. Checking for security and critical updates, This requires you to go to Microsoft.com and do an Windows update scan. Often there are security problems or hackers have found a vulnerable spot in Windows that needs to be fixed. I do this once a week. The updates are not that frequent but, while online, I'll just check and see if there are any.

    And of course, regular scans with the security programs.
     
  20. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    I'll let the boy back on the machine tonight and let you know how it does.

    Report below.


    VirSCAN.org Scanned Report :
    Scanned time : 2011/06/25 07:47:41 (CST)
    Scanner results: 3% Scanner(s) (1/37) found malware!
    File Name : qgfsyq.sys
    File Size : 54016 byte
    File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
    MD5 : e6d35f3aa51a65eb35c1f2340154a25e
    SHA1 : aabbd57e20d2e7041f9e7abce6cfd8a53c366537
    Online report : http://file.virscan.org/report/91c19be6e4c02b2c706ec6ffd43df138.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.2 20110624151216 2011-06-24 5.54 -
    AhnLab V3 2011.06.24.01 2011.06.24 2011-06-24 1.65 -
    AntiVir 8.2.5.24 7.11.10.104 2011-06-24 0.27 -
    Antiy 2.0.18 20110205.7694535 2011-02-05 0.02 -
    Arcavir 2011 201105080215 2011-05-08 0.03 -
    Authentium 5.1.1 201106241321 2011-06-24 2.00 -
    AVAST! 4.7.4 110624-1 2011-06-24 0.01 -
    AVG 8.5.850 271.1.1/3724 2011-06-25 0.25 -
    BitDefender 7.90123.7406640 7.37559 2011-05-24 0.00 -
    ClamAV 0.96.5 13236 2011-06-24 0.02 BC.Heuristics.Rootkit.B-11.MV
    Comodo 4.0 9180 2011-06-24 1.80 -
    CP Secure 1.3.0.5 2011.06.24 2011-06-24 0.05 -
    Dr.Web 5.0.2.3300 2011.06.25 2011-06-25 13.19 -
    F-Prot 4.4.4.56 20110624 2011-06-24 1.97 -
    F-Secure 7.02.73807 2011.06.24.03 2011-06-24 0.18 -
    Fortinet 4.2.257 13.359 2011-06-24 0.23 -
    GData 22.709/22.183 20110624 2011-06-24 9.11 -
    ViRobot 20110624 2011.06.24 2011-06-24 0.36 -
    Ikarus T3.1.32.20.0 2011.06.24.78674 2011-06-24 4.70 -
    JiangMin 13.0.900 2011.06.24 2011-06-24 1.57 -
    Kaspersky 5.5.10 2011.06.24 2011-06-24 0.10 -
    KingSoft 2009.2.5.15 2011.6.24.18 2011-06-24 0.85 -
    McAfee 5400.1158 6387 2011-06-24 11.39 -
    Microsoft 1.7000 2011.06.24 2011-06-24 3.43 -
    NOD32 3.0.21 6228 2011-06-22 0.02 -
    Norman 6.07.10 6.07.00 2011-06-24 14.02 -
    Panda 9.05.01 2011.06.24 2011-06-24 2.06 -
    Trend Micro 9.200-1012 8.246.17 2011-06-24 0.03 -
    Quick Heal 11.00 2011.06.23 2011-06-23 1.18 -
    Rising 20.0 23.63.04.01 2011-06-24 2.19 -
    Sophos 3.20.2 4.66 2011-06-25 3.74 -
    Sunbelt 3.9.2496.2 9682 2011-06-24 0.75 -
    Symantec 1.3.0.24 20110624.002 2011-06-24 0.19 -
    nProtect 20110601.01 3460661 2011-06-01 6.36 -
    The Hacker 6.7.0.1 v00176 2011-04-18 0.60 -
    VBA32 3.12.16.3 20110624.1226 2011-06-24 4.29 -
    VirusBuster 5.3.0.4 14.0.94.0/5468796 2011-06-24 0.00 -
     
  21. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    Well, I thought it was clean.
    I installed avast and ran a full scan before giving it back.

    Two detections:
    C:\WINDOWS\system32\dsoundv.dll
    C:\WINDOWS\system32\rwinstau.dll

    Both flagged as Win32:Trojan-gen
    avast cannot fix or move them.
    Tried to run them both through VirSCAN, but they wouldn't upload.

    Both are in the earlier logs:
    2011-06-16 03:26 . 2011-06-16 03:26 233472 --sha-r- c:\windows\system32\rwinstau.dll
    2011-06-16 03:26 . 2011-06-16 03:26 233472 --sha-r- c:\windows\system32\dsoundv.dll


    I tried to reset the permissions and windows won't/can't.

    Neither are present on the T61. I'm going to try a boot scan and see if it can get them.
    May need OTM to get them.
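The two DLLs Avast flagged were already visible in the earlier ComboFix listing, and the log lines carry two signals worth checking for automatically: both files are marked system, hidden and read-only inside system32, and both were created in the same minute with an identical size, which is what a dropper writing one payload under two names looks like. The following parser and rules are an added example, not code from the thread or from ComboFix. The log format is read from the lines quoted in the post (created time, a dot, modified time, size, an eight-character attribute field, path); the attribute letters are interpreted by membership only (s = system, h = hidden, a = archive, r = read-only), which is an assumption about the format's conventions. The first two sample lines copy the quoted ones; the other two are constructed to give the rules something benign to ignore.

```python
import re
from collections import defaultdict

# One ComboFix-style file listing line: created time, a dot, modified time,
# size in bytes, eight-character attribute string, path. The letters in the
# attribute field are read by membership (s=system, h=hidden, a=archive,
# r=read-only); their column positions are not relied on.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

# Constructed sample: the first two lines mirror the ones quoted in the
# post above; the other two are made up so the rules have benign input.
SAMPLE_LOG = """\
2011-06-16 03:26 . 2011-06-16 03:26 233472 --sha-r- c:\\windows\\system32\\rwinstau.dll
2011-06-16 03:26 . 2011-06-16 03:26 233472 --sha-r- c:\\windows\\system32\\dsoundv.dll
2011-06-14 09:12 . 2011-06-14 09:12 48128 ----a-w- c:\\windows\\system32\\example_ok.dll
2011-06-15 18:40 . 2011-06-15 18:40 1024 ----a-w- c:\\documents and settings\\alex\\notes.txt
"""


def parse_entries(log_text):
    """Parse every matching line into a dict; non-matching lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def find_suspicious(entries):
    """Return {path: [reasons]} for entries matching either rule."""
    findings = defaultdict(list)
    # Rule 1: system+hidden on a file inside system32. Ordinary DLLs there
    # are rarely both; the combination keeps a dropped file out of sight in
    # Explorer, and the two files Avast could not move carry exactly this.
    for e in entries:
        a = e["attrs"]
        if "s" in a and "h" in a and "\\system32\\" in e["path"].lower():
            findings[e["path"]].append("system+hidden in system32")
    # Rule 2: several files written in the same minute with identical size.
    # Droppers often write copies of one payload under different names.
    groups = defaultdict(list)
    for e in entries:
        groups[(e["created"], e["size"])].append(e["path"])
    for paths in groups.values():
        if len(paths) > 1:
            for p in paths:
                findings[p].append(f"same size and time as {len(paths) - 1} other file(s)")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in find_suspicious(parse_entries(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
```

Neither rule proves a file is malicious on its own; the point is to pull a short list out of a long listing so that the entries worth submitting for a multi-engine scan, as the helper asks for later in the thread, are found before the machine is handed back.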
     
  22. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    double post
     
  23. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    Boot time scan moved them to quarantine.
    Also found a few files in a restore point that it moved.

    So, I don't know if I can call it clean yet or not.

    On the subject of users, how do I delete unneeded user accounts?

    Alex and Admin are needed. At least one isn't needed now, maybe two (I'll have to ask him about it).

    The other 3 were set by windows (Guest, LocalService, and NetworkService) and I think are needed for some things to work (like the home network)
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Run this again- observe that I do not want you to check for removal:

    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    Keep in mind that even if malware is in a restore point or the Qoobox from Combofix, Avast may still show it. But it is not active in the system and should be removed at the end of cleaning.
     
  25. ST Dog

    ST Dog TS Rookie Topic Starter Posts: 36

    You may have missed this edit above.

    ESET took about 2 hours last time. I'll be back.
     