Inactive Browser redirect and other weirdness


lelias

Hello,
I've seen other threads on the redirect issue, but you always stress not to follow instructions meant for another user, so I'm posting my issue.

I got a virus/malware on my work computer but am unable to use our tech support as I am remote for a while. What this really means is I don't have local admin rights. We have McAfee, but I've noticed it hasn't updated its signatures in a while. I've been meaning to ask them about that.

I had an image similar to Windows Security Center come up saying I had an infected file and to click to clean. Normally I'm smart enough to ignore these, but I was distracted and clicked. From that time on I had multiple problems.
-When I clicked on my search links I'd be sent to a bogus ad window.
-There was a ping.exe process appearing and using all of my memory.
-At random times audio plays or a small browser ad image appears on my screen.
-Most of my files and desktop were gone.

I ran several programs to clean it up. Malwarebytes cleaned a lot and got rid of the ping issue, and unhide.exe returned my files and desktop, but I still have the redirect and random ad issues. When I ran Windows Security Center it cleaned several items but then added one of them to the "allow" list...? The processes were:
Trojan:Win32/Alureon.FE (removed)
Exploit:SWF/Blacole.E (removed)
Trojan:Win32/FakeSysdef (added to allow list)
Exploit:HTML/IframeRef.Z (removed)
TrojanDownloader:Win32/Daragany.F (removed)

Can you help?

lelias
 
Welcome aboard


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Hi Broni, Malwarebytes log:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8111

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/8/2011 9:53:54 PM
mbam-log-2011-11-08 (21-53-54).txt

Scan type: Full scan (C:\|)
Objects scanned: 302454
Time elapsed: 44 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER logs:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-08 22:29:37
Windows 5.1.2600 Service Pack 3
Running: tvz54pcb.exe; Driver: C:\DOCUME~1\lelias\LOCALS~1\Temp\kwlyykog.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\78dd08aaeb3b
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\78dd08aaeb3b (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB21449$\2547958807 0 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\bckfg.tmp 814 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\cfg.ini 198 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\kwrd.dll 208896 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\L 0 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\L\mrlpoown 62976 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U 0 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U\00000002.@ 209920 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB21449$\2547958807\U\80000032.@ 95744 bytes
File C:\WINDOWS\$NtUninstallKB21449$\636350626 0 bytes

---- EOF - GMER 1.0.15 ----

Attach.txt coming next
 
dds

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by lelias at 22:31:48 on 2011-11-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2996.1877 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
svchost.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\LENOVO\HOTKEY\CAMMUTE.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\tvz54pcb.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.netapp.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://my.netapp.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: ViewerHelper Class: {78104a01-8e71-4f30-9a36-3793799615b4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IMSS] "c:\program files\intel\intel(r) management engine components\imss\PIconStartup.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun: [RotateImage] c:\program files\integrated camera driver\RCIMGDIR.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
LSP: mswsock.dll
Trusted Zone: localhost
Trusted Zone: netapp.com\ce.corp
Trusted Zone: netapp.com\my.sharepoint.corp
Trusted Zone: netapp.com\powerond-web.dmz
Trusted Zone: netapp.com\poweronp-app1.dmz
Trusted Zone: netapp.com\poweronp.dmz
Trusted Zone: netapp.com\poweront-web.dmz
Trusted Zone: netapp.com\rms
Trusted Zone: netapp.com\sharepoint.corp
Trusted Zone: sharepoint
Trusted Zone: localhost
Trusted Zone: netapp.com\ce.corp
Trusted Zone: netapp.com\my.sharepoint.corp
Trusted Zone: netapp.com\neophyte-ext
Trusted Zone: netapp.com\pe
Trusted Zone: netapp.com\powerond-web.dmz
Trusted Zone: netapp.com\poweronp-app1.dmz
Trusted Zone: netapp.com\poweronp.dmz
Trusted Zone: netapp.com\poweront-web.dmz
Trusted Zone: netapp.com\rms
Trusted Zone: netapp.com\sharepoint.corp
Trusted Zone: netapp.com\www.pe
Trusted Zone: sharepoint
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {29EF91B9-7120-477C-A5CB-2D67F2FD088C} - hxxps://10.26.97.29/wrc.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280347065479
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286490560697
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 10.59.1.1
TCP: Interfaces\{D3D562C6-57B1-46E3-8A78-5B637514A7C4} : DhcpNameServer = 10.59.1.1
Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Handler: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\program files\thinkvantage fingerprint software\psqlpwd.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\lelias\application data\mozilla\firefox\profiles\hjzc5sb7.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-6-18 24304]
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2010-6-18 21504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-3-22 13480]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-6-8 31848]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl67875363;MpKsl67875363;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{daccb58f-b0d7-4ad7-ac6a-7a6e06f365cb}\MpKsl67875363.sys [2011-11-8 28752]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-6-18 132456]
R2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2010-12-15 1085440]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\lenovo\hotkey\cammute.exe [2010-3-22 54632]
R2 Lenovo.micmute;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-3-22 44984]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-11-10 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-6-8 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-6-8 54608]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-6-18 53248]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-6-18 45056]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-3-22 63928]
R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\intel\intel(r) management engine components\uns\UNS.exe [2010-6-18 2320920]
R3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [2010-6-18 127232]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-6-18 167080]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-6-18 125696]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-6-18 215040]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2010-7-15 73512]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2010-7-15 34408]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2010-7-15 177864]
S1 MpKsl6b9f7c91;MpKsl6b9f7c91;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bf48484a-faec-4637-bd6b-475dec48b5db}\mpksl6b9f7c91.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bf48484a-faec-4637-bd6b-475dec48b5db}\MpKsl6b9f7c91.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-23 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-23 135664]
S3 SMmonitor;Storage Manager Event Monitor;c:\program files\storagemanager\client\monitor\SMmonitor.exe [2011-9-28 69632]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-5-27 121192]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-5-27 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-5-27 136680]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2009-6-18 15744]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-11-09 04:31:22 607260 ------r- C:\dds.scr
2011-11-09 04:17:06 302592 ----a-w- C:\tvz54pcb.exe
2011-11-09 02:47:38 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{daccb58f-b0d7-4ad7-ac6a-7a6e06f365cb}\MpKsl67875363.sys
2011-11-09 02:47:35 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{daccb58f-b0d7-4ad7-ac6a-7a6e06f365cb}\offreg.dll
2011-11-09 02:20:46 100604024 ----a-w- C:\setup_11.0.0.1245.x01_2011_11_09_05_52.exe
2011-11-09 01:56:30 -------- d-----w- C:\tdsskiller
2011-11-08 17:25:58 -------- d-----w- C:\567bf7aaae28f5051a58c1285d0fb5
2011-11-08 17:25:07 15293896 ----a-w- C:\windows-kb890830-v4.1.exe
2011-11-08 04:37:07 -------- d-----w- c:\documents and settings\lelias\application data\Product_RM
2011-11-08 04:33:53 -------- d-----w- c:\documents and settings\lelias\application data\RegistryCleanerFree
2011-11-08 04:33:53 -------- d-----w- c:\documents and settings\all users\application data\RegistryCleanerFree
2011-11-08 04:13:44 -------- d-----w- c:\documents and settings\lelias\application data\Malwarebytes
2011-11-08 04:13:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-08 04:13:25 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-08 04:13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-08 04:05:54 -------- d-----w- c:\documents and settings\lelias\application data\Sammsoft
2011-11-08 01:34:40 1008092 ----a-w- C:\iExplore.exe
2011-11-08 01:02:15 1008092 ----a-w- C:\rkill.exe
2011-11-08 00:56:17 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{daccb58f-b0d7-4ad7-ac6a-7a6e06f365cb}\mpengine.dll
2011-11-08 00:38:39 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-11-08 00:38:39 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-07 23:00:25 -------- d-----w- c:\documents and settings\lelias\application data\GetRightToGo
2011-11-07 21:20:23 102400 ----a-w- c:\windows\RegBootClean.exe
2011-11-07 20:46:37 -------- d--h--w- c:\documents and settings\all users\application data\PC Tools
2011-11-07 20:12:19 577956 ----a-w- c:\windows\system32\PerfStringBackup.TMP
.
==================== Find3M ====================
.
2011-10-25 21:09:54 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-03 10:17:37 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-08-11 18:04:30 40960 ---ha-w- c:\windows\system32\SMEventLog.dll
.
============= FINISH: 22:38:34.68 ===============
 
attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/18/2010 9:19:12 PM
System Uptime: 11/8/2011 8:47:19 PM (2 hours ago)
.
Motherboard: LENOVO | | 2537GH6
Processor: Intel Pentium II processor | None | 2393/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 108 GiB total, 53.946 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) Centrino(R) Advanced-N 6200 AGN
Device ID: PCI\VEN_8086&DEV_4239&SUBSYS_13118086&REV_35\4&36786977&0&00E1
Manufacturer: Intel Corporation
Name: Intel(R) Centrino(R) Advanced-N 6200 AGN
PNP Device ID: PCI\VEN_8086&DEV_4239&SUBSYS_13118086&REV_35\4&36786977&0&00E1
Service: NETw5x32
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GU10N___________________MX05____\4&1544E580&0&0.1.0
Manufacturer: (Standard CD-ROM drives)
Name: HL-DT-ST DVDRAM GU10N
PNP Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GU10N___________________MX05____\4&1544E580&0&0.1.0
Service: cdrom
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
RP282: 8/9/2011 5:26:11 PM - System Checkpoint
RP283: 8/9/2011 9:13:11 PM - Software Distribution Service 3.0
RP284: 8/11/2011 12:22:56 PM - Software Distribution Service 3.0
RP285: 8/12/2011 2:23:03 PM - Software Distribution Service 3.0
RP286: 8/12/2011 3:00:51 PM - Installed Java(TM) 6 Update 26
RP287: 8/12/2011 3:01:19 PM - Installed Java Runtime Environment
RP288: 8/15/2011 10:10:19 AM - Software Distribution Service 3.0
RP289: 8/15/2011 9:34:34 PM - Installed WebEx Productivity Tools
RP290: 8/16/2011 12:00:52 PM - Software Distribution Service 3.0
RP291: 8/18/2011 7:35:21 PM - Software Distribution Service 3.0
RP292: 8/19/2011 8:52:43 PM - Software Distribution Service 3.0
RP293: 8/21/2011 7:50:54 PM - Software Distribution Service 3.0
RP294: 8/22/2011 10:37:25 AM - Installed RDC RDC.
RP295: 8/22/2011 8:50:33 PM - Software Distribution Service 3.0
RP296: 8/23/2011 9:34:51 PM - System Checkpoint
RP297: 8/24/2011 12:25:02 AM - Software Distribution Service 3.0
RP298: 8/25/2011 9:12:14 AM - Software Distribution Service 3.0
RP299: 8/26/2011 9:36:04 AM - Software Distribution Service 3.0
RP300: 8/27/2011 11:51:39 AM - Software Distribution Service 3.0
RP301: 8/29/2011 11:15:22 AM - Software Distribution Service 3.0
RP302: 8/30/2011 11:20:15 AM - System Checkpoint
RP303: 8/31/2011 9:28:04 AM - Software Distribution Service 3.0
RP304: 9/1/2011 12:15:44 PM - Software Distribution Service 3.0
RP305: 9/2/2011 1:01:09 PM - System Checkpoint
RP306: 9/6/2011 12:35:03 AM - Software Distribution Service 3.0
RP307: 9/7/2011 9:17:23 AM - System Checkpoint
RP308: 9/7/2011 9:25:41 AM - Software Distribution Service 3.0
RP309: 9/8/2011 10:14:12 AM - System Checkpoint
RP310: 9/8/2011 10:22:36 AM - Software Distribution Service 3.0
RP311: 9/9/2011 12:58:35 PM - Software Distribution Service 3.0
RP312: 9/12/2011 10:56:44 AM - Software Distribution Service 3.0
RP313: 9/12/2011 4:46:37 PM - Software Distribution Service 3.0
RP314: 9/14/2011 9:31:55 AM - Software Distribution Service 3.0
RP315: 9/15/2011 10:41:59 AM - Removed WebEx Productivity Tools
RP316: 9/15/2011 10:48:46 AM - Software Distribution Service 3.0
RP317: 9/16/2011 11:09:53 AM - Software Distribution Service 3.0
RP318: 9/17/2011 10:44:08 AM - Software Distribution Service 3.0
RP319: 9/18/2011 8:23:27 PM - Software Distribution Service 3.0
RP320: 9/19/2011 10:06:28 PM - System Checkpoint
RP321: 9/20/2011 10:22:29 PM - System Checkpoint
RP322: 9/22/2011 10:55:17 AM - Software Distribution Service 3.0
RP323: 9/22/2011 12:19:22 PM - Software Distribution Service 3.0
RP324: 9/23/2011 11:09:17 AM - Software Distribution Service 3.0
RP325: 9/26/2011 5:12:31 AM - Software Distribution Service 3.0
RP326: 9/27/2011 9:05:50 AM - Software Distribution Service 3.0
RP327: 9/28/2011 11:44:05 AM - System Checkpoint
RP328: 9/28/2011 12:05:57 PM - Software Distribution Service 3.0
RP329: 9/29/2011 1:01:21 PM - System Checkpoint
RP330: 9/29/2011 8:46:21 PM - Software Distribution Service 3.0
RP331: 10/3/2011 9:22:29 AM - Software Distribution Service 3.0
RP332: 10/4/2011 10:00:00 AM - System Checkpoint
RP333: 10/5/2011 5:58:11 PM - System Checkpoint
RP334: 10/5/2011 8:42:59 PM - Software Distribution Service 3.0
RP335: 10/7/2011 9:53:22 AM - Software Distribution Service 3.0
RP336: 10/10/2011 10:09:03 AM - Software Distribution Service 3.0
RP337: 10/11/2011 10:35:42 AM - Software Distribution Service 3.0
RP338: 10/12/2011 11:22:54 AM - Software Distribution Service 3.0
RP339: 10/13/2011 2:06:27 PM - Software Distribution Service 3.0
RP340: 10/14/2011 9:40:59 AM - Software Distribution Service 3.0
RP341: 10/15/2011 11:45:37 PM - Software Distribution Service 3.0
RP342: 10/17/2011 12:05:22 PM - Software Distribution Service 3.0
RP343: 10/18/2011 1:18:57 PM - System Checkpoint
RP344: 10/18/2011 2:05:50 PM - Software Distribution Service 3.0
RP345: 10/19/2011 11:28:06 PM - System Checkpoint
RP346: 10/21/2011 12:03:57 AM - Software Distribution Service 3.0
RP347: 10/23/2011 7:47:28 PM - Software Distribution Service 3.0
RP348: 10/25/2011 12:42:00 PM - Software Distribution Service 3.0
RP349: 10/26/2011 4:06:07 PM - System Checkpoint
RP350: 10/26/2011 6:07:33 PM - Software Distribution Service 3.0
RP351: 10/27/2011 8:49:23 PM - Software Distribution Service 3.0
RP352: 10/31/2011 1:05:17 PM - Software Distribution Service 3.0
RP353: 11/1/2011 1:54:49 PM - Software Distribution Service 3.0
RP354: 11/3/2011 4:04:07 PM - System Checkpoint
RP355: 11/4/2011 3:48:26 PM - Software Distribution Service 3.0
RP356: 11/5/2011 3:48:31 PM - Software Distribution Service 3.0
RP357: 11/6/2011 2:23:14 AM - Software Distribution Service 3.0
RP358: 11/6/2011 3:48:17 PM - Software Distribution Service 3.0
RP359: 11/7/2011 6:34:03 PM - Restore Operation
RP360: 11/7/2011 6:50:18 PM - Removed Java(TM) 6 Update 20
RP361: 11/7/2011 6:52:34 PM - Removed Java(TM) 6 Update 3
RP362: 11/7/2011 6:55:39 PM - Software Distribution Service 3.0
RP363: 11/7/2011 10:05:17 PM - ARO 2011 - Before Installation
RP364: 11/7/2011 10:06:08 PM - ARO 2011 - FIRST RUN
RP365: 11/7/2011 10:24:26 PM - ARO 2011 Mon, Nov 07, 11 22:24
.
==== Installed Programs ======================
.
.
2007 Microsoft Office Suite Service Pack 2 (SP2)
32 Bit HP CIO Components Installer
3ivx MPEG-4 5.0.3 (remove only)
Abyss Web Server X1 (remove only)
Active Ports
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 8.3.1
Alinean EnterpriseROI
Ask Toolbar
Bing Bar
Bing Bar Platform
Burn.Now 4.5
Burn.Now Lenovo Edition
Compatibility Pack for the 2007 Office system
Conexant 20585 SmartAudio HD
Configuration Manager Client
Cribbage 2D
CutePDF Writer 2.8
EZSwitchSetup
FlipShare
Golden FTP Server
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB979306)
Impulse®
Integrated Camera Driver Installer Package Ver.1.1.0.19
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Components
Intel(R) PROSet/Wireless WiFi Software
InterVideo Register Manager
InterVideo WinDVD
iPassConnect
Juniper Networks Setup Client
Juniper Networks Setup Client Activex Control
Juniper Terminal Services Client
Lenovo System Interface Driver
Malwarebytes' Anti-Malware version 1.51.2.1300
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Data Access Components KB870669
Microsoft Default Manager
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Communicator 2005
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Search Enhancement Pack
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft UI Engine
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.6.8)
mRemote
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB925673)
NetApp System Manager 1.1
Network Recording Player
NX Client for Windows 3.5.0-5
On Screen Display
Origin
PL-2303 USB-to-Serial
Productivity Center Supplement for ThinkPad
RDC
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
RICOH R5U230 Media Driver ver.2.02.02.01
Rights Management Add-on for Internet Explorer
SAMSUNG USB Driver for Mobile Phones
SANtricity ES Storage Manager
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
STM TPM Driver 1.0.4.15 - 32 bits
Symantec Enterprise Vault HTTP-only Outlook Add-In
System Update
The Sims 3
The Sims™ 2 Double Deluxe
The Sims™ 2 University Life Collection
The Sims™ 3
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Integration Setup
ThinkPad Modem Adapter
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
ThinkVantage Fingerprint Software
ThinkVantage Productivity Center
Update for Outlook 2007 Junk Email Filter (kb956080)
Update for Windows XP (KB2607712)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
ViewMail for Outlook 5.0(1)
VNC Free Edition 4.1.1
VPN Client
WebEx
WebFldrs XP
WIMGAPI
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 10
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Update Modules for ServicePack 2 (US)
Windows XP Service Pack 3
WinZip 11.2
Xming 6.9.0.31
XML Paper Specification Shared Components Pack 1.0
XPS Essentials Pack
XPS Essentials Pack 1.0
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
11/8/2011 6:07:41 PM, error: Dhcp [1002] - The IP address lease 192.168.1.65 for the Network Card with network address 002314A17FB0 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
11/7/2011 5:09:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
11/7/2011 5:04:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
11/7/2011 5:04:46 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.115.1367.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7801.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
11/7/2011 5:04:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
11/7/2011 4:40:22 PM, error: Service Control Manager [7024] - The FlipShare Server service terminated with service-specific error 1 (0x1).
11/7/2011 3:39:41 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm lenovo.smi MpFilter TPHKDRV TPPWRIF
11/7/2011 3:38:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/7/2011 2:42:18 PM, error: Service Control Manager [7034] - The iPassPeriodicUpdateApp service terminated unexpectedly. It has done this 1 time(s).
11/7/2011 2:21:43 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
11/3/2011 4:59:59 PM, error: NETLOGON [5719] - No Domain Controller is available for domain NETAPP due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
11/3/2011 3:43:52 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
11/3/2011 3:42:03 PM, error: NETLOGON [5719] - No Domain Controller is available for domain NETAPP due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
11/3/2011 12:58:12 AM, error: Dhcp [1002] - The IP address lease 10.10.56.213 for the Network Card with network address 002314A17FB0 has been denied by the DHCP server 10.4.128.1 (The DHCP Server sent a DHCPNACK message).
11/2/2011 4:47:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.115.1019.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7801.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
11/2/2011 10:49:31 AM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
.
==== End Of File ===========================
 
You're running two AV programs, VirusScan Enterprise and Microsoft Security Essentials.
One of them has to go.
Your choice.

Uninstall Ask Toolbar, typical foistware.

=================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan:


On completion of the scan click "Save log", save it to your desktop and post in your next reply:


NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Combofix output - aswMBR wouldn't run

ComboFix 11-11-09.01 - lelias 11/09/2011 14:11:40.1.4 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2996.2642 [GMT -6:00]
Running from: c:\documents and settings\lelias\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
C:\iexplore.exe
c:\windows\system32\muzapp.exe
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\system32\dllcache\cdrom.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-10-09 to 2011-11-09 )))))))))))))))))))))))))))))))
.
.
2011-11-09 20:43 . 2008-04-14 06:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-09 19:57 . 2011-11-09 20:01 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DACCB58F-B0D7-4AD7-AC6A-7A6E06F365CB}\offreg.dll
2011-11-09 04:31 . 2011-11-09 04:31 607260 ------r- C:\dds.scr
2011-11-09 04:17 . 2011-11-09 04:17 302592 ----a-w- C:\tvz54pcb.exe
2011-11-09 02:20 . 2011-11-09 02:20 100604024 ----a-w- C:\setup_11.0.0.1245.x01_2011_11_09_05_52.exe
2011-11-09 01:56 . 2011-11-09 02:31 -------- d-----w- C:\tdsskiller
2011-11-08 17:25 . 2011-11-08 17:25 -------- d-----w- C:\567bf7aaae28f5051a58c1285d0fb5
2011-11-08 17:25 . 2011-11-08 17:25 15293896 ----a-w- C:\windows-kb890830-v4.1.exe
2011-11-08 04:37 . 2011-11-08 04:37 -------- d-----w- c:\documents and settings\lelias\Application Data\Product_RM
2011-11-08 04:33 . 2011-11-08 04:33 -------- d-----w- c:\documents and settings\lelias\Application Data\RegistryCleanerFree
2011-11-08 04:33 . 2011-11-08 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\RegistryCleanerFree
2011-11-08 04:13 . 2011-11-08 04:13 -------- d-----w- c:\documents and settings\lelias\Application Data\Malwarebytes
2011-11-08 04:13 . 2011-11-08 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-08 04:13 . 2011-11-08 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-08 04:13 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-08 04:05 . 2011-11-08 04:31 -------- d-----w- c:\documents and settings\lelias\Application Data\Sammsoft
2011-11-08 01:02 . 2011-11-08 01:02 1008092 ----a-w- C:\rkill.exe
2011-11-08 00:56 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DACCB58F-B0D7-4AD7-AC6A-7A6E06F365CB}\mpengine.dll
2011-11-08 00:38 . 2011-11-08 00:38 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-07 23:00 . 2011-11-07 23:04 -------- d-----w- c:\documents and settings\lelias\Application Data\GetRightToGo
2011-11-07 21:20 . 2011-11-07 21:20 102400 ----a-w- c:\windows\RegBootClean.exe
2011-11-07 20:46 . 2011-11-07 23:33 -------- d--h--w- c:\documents and settings\All Users\Application Data\PC Tools
2011-11-07 20:28 . 2011-11-07 23:09 -------- d--h--w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-07 20:27 . 2011-11-07 20:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-11-07 20:12 . 2011-11-09 20:01 577956 ----a-w- c:\windows\system32\PerfStringBackup.TMP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-09 01:54 . 2011-11-09 01:54 1545191 ----a-w- C:\tdsskiller.zip
2011-10-25 21:09 . 2011-05-31 16:51 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 03:48 . 2011-06-18 02:34 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-03 10:17 . 2009-06-18 23:10 599040 ---ha-w- c:\windows\system32\crypt32.dll
2010-07-15 22:53 . 2010-07-15 22:53 101768 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-23 39408]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2008-11-10 136512]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IMSS"="c:\program files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2009-10-01 111640]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-04 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-04 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-04 144920]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-17 307768]
"RotateImage"="c:\program files\Integrated Camera Driver\RCIMGDIR.exe" [2008-10-30 31744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-03 1594664]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-01-06 513384]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-23 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-23 124248]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2009-12-01 55048]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-06-09 111952]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-03-22 273544]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2009-12-01 20:41 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-1539987\Scripts\Logon\0\0]
"Script"=SCCMAgentInstall.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-1539987\Scripts\Logon\1\0]
"Script"=regedit.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-1539987\Scripts\Logon\2\0]
"Script"=OAM_Patch.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-1539987\Scripts\Logon\2\1]
"Script"=c:\windows\regedit.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-1539987\Scripts\Logon\2\2]
"Script"=NetApplegalDisclaimer.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-73111\Scripts\Logon\0\0]
"Script"=regedit.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3567637-1906459281-1427260136-73111\Scripts\Logon\1\0]
"Script"=OAM_Patch.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\lelias\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE12\\OUTLOOK.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [6/18/2010 8:14 PM 24304]
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [6/18/2010 8:13 PM 21504]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [6/18/2010 8:10 PM 45056]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [6/18/2010 8:06 PM 167080]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [3/22/2010 7:49 AM 13480]
S1 MpKsl6b9f7c91;MpKsl6b9f7c91;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BF48484A-FAEC-4637-BD6B-475DEC48B5DB}\MpKsl6b9f7c91.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BF48484A-FAEC-4637-BD6B-475DEC48B5DB}\MpKsl6b9f7c91.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [6/18/2010 8:14 PM 132456]
S2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22 PM 1085440]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2010 12:38 PM 135664]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\HOTKEY\cammute.exe [3/22/2010 7:49 AM 54632]
S2 Lenovo.micmute;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [3/22/2010 7:49 AM 44984]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [6/18/2010 8:14 PM 53248]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [3/13/2009 2:47 PM 12560]
S2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [3/22/2010 7:49 AM 63928]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [6/18/2010 8:11 PM 2320920]
S3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [6/18/2010 8:13 PM 127232]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2010 12:38 PM 135664]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [6/18/2010 8:12 PM 125696]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [6/18/2010 8:12 PM 215040]
S3 SMmonitor;Storage Manager Event Monitor;c:\program files\StorageManager\client\monitor\SMmonitor.exe [9/28/2011 1:37 PM 69632]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [5/27/2011 3:53 PM 121192]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [5/27/2011 3:53 PM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [5/27/2011 3:53 PM 136680]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [6/18/2009 5:10 PM 15744]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MDMXSDK
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 18:38]
.
2011-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 18:38]
.
2011-11-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-11-09 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-06-19 06:13]
.
2011-11-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3567637-1906459281-1427260136-1539987.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3567637-1906459281-1427260136-1539987.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.netapp.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netapp.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: localhost
Trusted Zone: netapp.com\ce.corp
Trusted Zone: netapp.com\my.sharepoint.corp
Trusted Zone: netapp.com\powerond-web.dmz
Trusted Zone: netapp.com\poweronp-app1.dmz
Trusted Zone: netapp.com\poweronp.dmz
Trusted Zone: netapp.com\poweront-web.dmz
Trusted Zone: netapp.com\rms
Trusted Zone: netapp.com\sharepoint.corp
Trusted Zone: sharepoint
Trusted Zone: localhost
Trusted Zone: netapp.com\ce.corp
Trusted Zone: netapp.com\my.sharepoint.corp
Trusted Zone: netapp.com\neophyte-ext
Trusted Zone: netapp.com\pe
Trusted Zone: netapp.com\powerond-web.dmz
Trusted Zone: netapp.com\poweronp-app1.dmz
Trusted Zone: netapp.com\poweronp.dmz
Trusted Zone: netapp.com\poweront-web.dmz
Trusted Zone: netapp.com\rms
Trusted Zone: netapp.com\sharepoint.corp
Trusted Zone: netapp.com\www.pe
Trusted Zone: sharepoint
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {29EF91B9-7120-477C-A5CB-2D67F2FD088C} - hxxps://10.26.97.29/wrc.cab
FF - ProfilePath - c:\documents and settings\lelias\Application Data\Mozilla\Firefox\Profiles\hjzc5sb7.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-09 14:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3567637-1906459281-1427260136-1539987\Software\SecuROM\License information*]
"datasecu"=hex:04,94,dc,79,10,3d,b6,69,76,f8,4c,cf,3a,4c,27,53,50,fd,c6,aa,c8,
96,ab,a7,08,6c,58,c3,45,d7,8b,62,db,4b,d6,b8,46,3b,11,6a,33,f8,45,24,c0,99,\
"rkeysecu"=hex:4d,53,a4,b8,d2,30,03,f0,6c,e5,a0,2d,bb,1f,bc,b7
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1288)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(1344)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
.
Completion time: 2011-11-09 15:03:43
ComboFix-quarantined-files.txt 2011-11-09 21:03
.
Pre-Run: 61,287,034,880 bytes free
Post-Run: 63,060,963,328 bytes free
.
- - End Of File - - CB2B1796E7A0B7D1ED1AA0E654ED673F
 
aswMBR

I've tried running it in safe and normal modes. I double click it, Windows asks me if I want to run this program; I click yes and it just disappears. Any suggestions?
 
Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
bootkit remover data

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00

Size Device Name MBR Status
--------------------------------------------
119 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
Very well. We have infected MBR there.

Restart computer
When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. OK Then reboot.

You should get a black screen with a C:\> prompt. Type with an Enter after each line:

fixmbr

(If it asks you if you are sure then say "Y".)

exit

Reboot computer.

Post fresh aswMBR log.
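For readers who want to understand what the Bootkit Remover verdict above ("Controlled by rootkit!") and the fixmbr step are about, here is an added example, not code from the thread or from any of the tools mentioned, that parses a 512-byte master boot sector the way an analyst would after dumping it (the tool's `remover.exe dump` option writes such a sector to a file). It splits the sector into the boot code region, the partition table and the 0x55AA boot signature, and compares the boot code against a baseline digest taken from a known-clean copy. The two sample sectors are constructed inline: a "clean" one and a "tampered" one with the same partition table but different boot code, which is exactly the situation where a disk still mounts and boots normally yet its boot code has been replaced. The baseline digest, the partition values and the byte fills are assumptions made for the example.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: executable boot code (the part a bootkit replaces)
DISK_SIG_OFFSET = 440         # bytes 440..443: Windows disk signature, 444..445: usually zero
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int      # 0x07 = NTFS, 0x0c = FAT32 LBA, ...
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the classic four-slot partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        parts.append(Partition(bootable=(status == 0x80), type_id=ptype,
                               lba_start=lba, sector_count=count))
    return parts


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot code only; the disk signature and table are excluded
    so that a legitimate repartition does not change the digest."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def inspect_mbr(mbr: bytes, known_good_digest: str) -> Dict[str, object]:
    """Summarise a dumped sector: structural validity plus a boot-code comparison."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "disk_signature": mbr[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4].hex(),
        "partitions": parse_partition_table(mbr),
        "boot_code_matches_baseline": boot_code_digest(mbr) == known_good_digest,
    }


def build_sample_mbr(boot_code_fill: int) -> bytes:
    """Constructed sample sector (assumption, not a real disk image): boot code filled
    with one byte value, one bootable NTFS partition starting at LBA 63."""
    boot = bytes([boot_code_fill]) * BOOT_CODE_LEN
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"           # made-up disk signature
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 250_000_000)
    table = entry + b"\x00" * 48                           # three empty slots
    mbr = boot + disk_sig + table + BOOT_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


# Constructed inputs: the baseline digest comes from the "clean" sample itself.
CLEAN_MBR = build_sample_mbr(0x90)       # 0x90 = x86 NOP, stands in for real boot code
TAMPERED_MBR = build_sample_mbr(0xCC)    # same partition table, different boot code
CLEAN_DIGEST = boot_code_digest(CLEAN_MBR)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        report = inspect_mbr(sector, CLEAN_DIGEST)
        print(label, "signature_ok:", report["signature_ok"],
              "boot_code_matches_baseline:", report["boot_code_matches_baseline"])
        for p in report["partitions"]:
            print("   ", p)
```

The point the example makes is that the partition table and the 0x55AA signature look identical on both sectors, so an OS that mounts the volume happily tells you nothing about the boot code; only a comparison of the code region against a known-good copy (or a tool such as the one used in this thread) reveals the replacement. That is also why fixmbr and MBRWORK's standard-code install are the remedy here: they rewrite the code region, and the partition entries are expected to survive, which a second dump run through the same parser would confirm.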
 
recovery console

When I did this it just sat there with a black window and an underscore in the top right corner. It did not respond to keyboard input. Is this normal and I just need to wait a while?
 
Looking at my instructions you have to tell me how far exactly you're able to go.
 
console boot

Oh, sorry. I reboot and select the recovery console. Then it just goes black with the cursor blinking in the top left corner. Nothing more seemed to happen. I tried typing your commands even though no letters appeared but nothing. So I never saw the C:\ prompt.
 
Tried again

Now when I select windows recovery console it simply reboots and brings me back to the "select your operating system" screen. I selected recovery console and it just keeps happening.
 
Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)

  • Place a blank CD in your CD drive.
  • Double click on NTBR_CD.exe file and a folder of the same name will appear.
  • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
  • Follow the prompts to burn the CD.
  • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
  • Insert the newly created CD into your infected PC and reboot your computer.
  • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
  • Read the warning and then continue as prompted.
  • You first need to select your keyboard layout - press Enter for English.
  • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
  • On the following screen enter 5 to select Install Standard MBR code.
  • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
  • When asked to confirm please do so.
  • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
  • Eject the disc and then press ctrl+alt+del to reboot the PC.
Once rebooted, run aswMBR again and post its log.
 
I'll have to do that in the morning as I don't have a CD to burn with me. I'll update you then.
 
OK, I created the CD and reset my computer boot order. When it boots into the program I choose 5 for standard MBR. It asks me 1 for standard and 2 for Windows 7. I tried standard and it asks me to confirm. I hit Y for yes and I end up back at the screen asking me what I want to do. I cannot get past that point.
 