
Unknown infection


This topic is locked. 52 replies to this topic.

#1 jdoe99 (Members, 50 posts)

Posted 01 June 2010 - 11:18 AM

Hi,
Last weekend on Friday morning, I suddenly got a message that said "on screen message display generator for thinkpad has stopped working". After that I was unable to connect to my wireless network, lost control over volume control and so on. When I rebooted, it configured the desktop as if I was bringing it up for the first time, and some of the desktop shortcuts like Media Player etc. were missing. The Documents, Music and other folders were all empty. When I went into the computer, there were two folders of the same name, and the older files were all in the other folder and not the one I click on (say My Music from the Start button). When I reboot, sometimes I get this new screen and sometimes I get my old screen, and it seems very random. I still get the "on screen message display generator for thinkpad has stopped working" message. When I ran Malwarebytes once I got a trojan, but after I cleaned it and rebooted I got the same "new desktop" setting, and when I ran Malwarebytes then, I was unable to catch anything. Once when I was searching on Google during this process, I got browser redirects. Then I closed the window, started to run Malwarebytes and tried the search again; that time there was no redirect.

I was able to run DDS and generate the log files. When I bring up GMER, I get a message that says possible infection and so on, but when it is running, after some time the system crashes (BSOD). This happened 3 times.

I am copying and pasting the DDS log and attaching the attach.txt. I was unable to generate a GMER log. Please let me know what to do next.
Thanks


DDS LOG


DDS (Ver_10-03-17.01) - NTFSx86
Run by ganesh at 8:47:43.60 on Tue 06/01/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2014.650 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\java.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Freedom Scientific\JAWS\9.0\fsATProxy.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\Bigdog.exe
C:\Windows\LenovoTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcLaunchWirelesslanUI.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\explorer.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\ganesh\Documents\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://lenovo.live.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Web Accessibility Toolbar: {11352a67-0178-46b1-8855-d50b2f81c054} - c:\progra~1\access~1\ACCESS~1.DLL
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\ganesh\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [LenovoOobeOffers] c:\swtools\lenovowelcome\lenovooobeoffers.exe /filepath="c:\swshare\firstrun.txt"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BigDogPath323] c:\windows\BigDog.exe Lenovo USB Webcam(Video)
mRun: [LenovoTray] c:\windows\LenovoTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.14/uploader2.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\users\ganesh\appdata\roaming\mozilla\firefox\profiles\fuazw3ob.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\users\ganesh\appdata\local\google\update\1.2.183.27\npGoogleOneClick8.dll
FF - plugin: c:\users\ganesh\appdata\roaming\mozilla\firefox\profiles\fuazw3ob.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\users\ganesh\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-7-21 225304]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-12 13480]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-7 210216]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-12-4 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 MySQL5;MySQL5;"c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" mysql5 --> c:\program files\mysql\mysql server 5.0\bin\mysqld-nt [?]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2008-10-5 66848]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-7-9 58736]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-1-9 569344]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-12-4 72264]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-12-4 168776]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-6-26 3662848]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-19 21504]
S3 vmapflt;vimicro Audio filter;c:\windows\system32\drivers\vmapflt.sys [2009-12-5 360704]
S3 vmcam325av;Lenovo USB WebCam;c:\windows\system32\drivers\vmcam325av.sys [2009-12-5 232448]
S3 vvftav;325 Primax filter service name, vista ver;c:\windows\system32\drivers\vvftav.sys [2009-12-5 280960]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-05-28 12:33:54 0 d-----w- C:\A
2010-05-25 23:14:23 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-20 20:37:17 0 d-----w- c:\program files\Microsoft Synchronization Services
2010-05-20 20:37:16 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-05-20 20:34:29 0 d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-05-20 20:34:29 0 d-----w- c:\program files\Microsoft Help Viewer
2010-05-20 18:57:02 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-05-20 18:57:02 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-05-20 18:57:02 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-05-20 18:57:02 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-05-20 18:57:02 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-05-19 14:11:29 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-19 12:24:21 0 d-----w- c:\users\ganesh\appdata\roaming\SharePod
2010-05-19 03:03:11 0 d-----w- c:\program files\uTorrent

==================== Find3M ====================

2010-06-01 11:55:21 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-01 11:55:15 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-01 11:47:04 82414 ----a-w- c:\programdata\nvModes.dat
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 20:47:22 17760 ----a-w- c:\windows\system32\aspnet_counters.dll
2010-03-18 17:16:28 771424 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
2010-03-18 13:15:26 80720 ----a-w- c:\windows\system32\mfcm100u.dll
2010-03-18 13:15:26 80208 ----a-w- c:\windows\system32\mfcm100.dll
2010-03-18 13:15:26 770384 ----a-w- c:\windows\system32\msvcr100.dll
2010-03-18 13:15:26 4368720 ----a-w- c:\windows\system32\mfc100u.dll
2010-03-18 13:15:26 4342088 ----a-w- c:\windows\system32\mfc100.dll
2010-03-18 13:15:26 421200 ----a-w- c:\windows\system32\msvcp100.dll
2010-03-18 13:15:26 138056 ----a-w- c:\windows\system32\atl100.dll
2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42:17 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-04 17:33:45 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-12-05 16:10:08 143360 ----a-w- c:\windows\inf\infstor.dat
2009-10-28 03:15:39 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-03-19 13:08:54 174 --sh--w- c:\program files\desktop.ini
2007-11-13 20:01:44 3395343 ------w- c:\program files\openofficeorg4.cab
2007-11-13 20:00:51 67695863 ------w- c:\program files\openofficeorg3.cab
2007-11-13 19:49:19 17646967 ------w- c:\program files\openofficeorg2.cab
2007-11-13 19:48:24 18827152 ------w- c:\program files\openofficeorg1.cab
2007-11-13 19:47:02 4364800 ------w- c:\program files\openofficeorg23.msi
2007-11-13 19:47:02 217 ------w- c:\program files\setup.ini
2006-11-02 12:42:02 30674 ------w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ------w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ------w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ------w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfc.dat
2002-03-11 09:06:30 1822520 ------w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ------w- c:\program files\instmsia.exe
2008-09-15 13:26:00 16384 --sh--w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-15 13:26:00 32768 --sh--w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-15 13:26:00 16384 --sh--w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-03-22 00:48:57 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032120080322\index.dat
2008-06-05 07:19:45 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008060520080606\index.dat
2008-06-18 22:35:49 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008061820080619\index.dat
2008-06-26 00:44:05 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008062520080626\index.dat
2008-07-07 12:57:52 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008070720080708\index.dat
2008-07-22 01:29:43 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008072120080722\index.dat
2008-07-22 11:06:45 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008072220080723\index.dat
2008-10-11 20:33:07 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008101120081012\index.dat
2008-10-12 14:13:06 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008101220081013\index.dat
2008-11-27 12:47:14 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008112720081128\index.dat
2007-12-05 22:25:03 16384 --sh--w- c:\windows\temp\cookies\index.dat
2007-12-05 22:25:03 16384 --sh--w- c:\windows\temp\history\history.ie5\index.dat
2007-12-05 22:25:03 16384 --sh--w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-11-26 10:05:18 8192 --sh--w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 8:49:48.82 ===============



Attached Files
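Reading a DDS log of this length by hand is slow, so as an added example (not part of the original post, and not one of the tools the helpers use) here is a small triage script that splits a DDS log into its banner-delimited sections and flags the entries a log reviewer would look at first: a security product reporting itself disabled, executables running directly from the Windows root or a user profile, orphaned BHO registrations, empty Run entries, UAC switched off by policy, and new top-level directories in the "Created Last 30" list. The sample log is a constructed excerpt of lines copied from the log posted above; the rules are assumptions chosen for illustration, and a flagged line is a prompt to check, not evidence of infection (Bigdog.exe and LenovoTray.exe, for instance, are accounted for by the webcam Run entries in the same log).

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: an excerpt of lines copied from the DDS log posted in
# this thread, trimmed to the sections the rules below look at.
SAMPLE_LOG = r"""
DDS (Ver_10-03-17.01) - NTFSx86
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Windows\Bigdog.exe
C:\Windows\LenovoTray.exe
C:\Users\ganesh\Documents\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
mRun: [<NO NAME>]
mRun: [BigDogPath323] c:\windows\BigDog.exe Lenovo USB Webcam(Video)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

=============== Created Last 30 ================

2010-05-28 12:33:54 0 d-----w- C:\A
2010-05-19 03:03:11 0 d-----w- c:\program files\uTorrent

============= FINISH: 8:49:48.82 ===============
"""


class Finding(NamedTuple):
    section: str
    line: str
    reason: str


# DDS separates sections with banners such as "===== Running Processes =====".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Rule patterns (assumptions for this example, not DDS's own logic).
DISABLED_PRODUCT = re.compile(r"^(AV|SP|FW): .*\*disabled\*", re.I)
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|scr|dll|com)$", re.I)
USER_PROFILE_EXE = re.compile(r"^[a-z]:\\users\\", re.I)
EMPTY_RUN_ENTRY = re.compile(r"^[um]Run: \[<NO NAME>\]\s*$")
UAC_OFF = re.compile(r"^mPolicies-system: EnableLUA = 0\b")
# "<date> <time> <size> <attrs> <path>"; attrs start with 'd' for a directory,
# and the path group only matches a directory directly under a drive root.
DRIVE_ROOT_DIR = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ d\S+ ([a-z]:\\[^\\]+)$", re.I)


def split_sections(log: str) -> Dict[str, List[str]]:
    """Map each banner name to its non-empty lines; text before the first
    banner (AV/SP status lines) is filed under 'Header'."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def triage(log: str) -> List[Finding]:
    """Return the lines a reviewer should look at first, with the reason."""
    sections = split_sections(log)
    found: List[Finding] = []

    for line in sections.get("Header", []):
        if DISABLED_PRODUCT.match(line):
            found.append(Finding("Header", line, "security product reports itself disabled"))

    for line in sections.get("Running Processes", []):
        if WINDOWS_ROOT_EXE.match(line):
            found.append(Finding("Running Processes", line,
                                 "runs directly from the Windows root, not system32 or Program Files"))
        elif USER_PROFILE_EXE.match(line):
            found.append(Finding("Running Processes", line, "runs from a user profile directory"))

    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("BHO:") and line.endswith("- No File"):
            found.append(Finding("Pseudo HJT Report", line, "orphaned BHO registration with no backing DLL"))
        elif EMPTY_RUN_ENTRY.match(line):
            found.append(Finding("Pseudo HJT Report", line, "Run entry with no name and no command"))
        elif UAC_OFF.match(line):
            found.append(Finding("Pseudo HJT Report", line, "UAC disabled by policy (EnableLUA = 0)"))

    for line in sections.get("Created Last 30", []):
        m = DRIVE_ROOT_DIR.match(line)
        if m:
            found.append(Finding("Created Last 30", line,
                                 f"new top-level directory {m.group(1)} created in the last 30 days"))
    return found


def format_report(findings: List[Finding]) -> str:
    """Plain-text report, one finding per block."""
    if not findings:
        return "no review prompts"
    width = max(len(f.section) for f in findings)
    return "\n".join(f"[{f.section:<{width}}] {f.reason}\n    {f.line}" for f in findings)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Run as a script it prints the eight prompts from the sample; to use it on a full log, pass the file contents to `triage()` instead of `SAMPLE_LOG`. The rules deliberately key on structure (location, empty fields, policy values) rather than on file names, so a renamed binary in an odd place is still surfaced, while anything flagged still has to be cross-checked against the Run entries and the services list before it is treated as suspicious.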




#2 Shannon2012 (Security Colleague, 3,657 posts; Gender: Male; Location: North Carolina, USA)

Posted 03 June 2010 - 11:04 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 jdoe99 (Topic Starter; Members, 50 posts)

Posted 03 June 2010 - 03:52 PM

I am pasting the DDS log below and have also attached the attach.zip created from the DDS log as per the instructions.

When GMER is running, the system crashes (BSOD) after some time. This has happened consistently.

Do let me know what to do next.
Thanks


DDS LOG



DDS (Ver_10-03-17.01) - NTFSx86
Run by ganesh at 16:01:02.54 on Thu 06/03/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2014.629 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\java.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Freedom Scientific\JAWS\9.0\fsATProxy.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\Bigdog.exe
C:\Windows\LenovoTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Windows\system32\taskmgr.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\ganesh\Documents\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://lenovo.live.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Web Accessibility Toolbar: {11352a67-0178-46b1-8855-d50b2f81c054} - c:\progra~1\access~1\ACCESS~1.DLL
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\ganesh\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [LenovoOobeOffers] c:\swtools\lenovowelcome\lenovooobeoffers.exe /filepath="c:\swshare\firstrun.txt"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BigDogPath323] c:\windows\BigDog.exe Lenovo USB Webcam(Video)
mRun: [LenovoTray] c:\windows\LenovoTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.14/uploader2.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\users\ganesh\appdata\roaming\mozilla\firefox\profiles\fuazw3ob.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\users\ganesh\appdata\local\google\update\1.2.183.27\npGoogleOneClick8.dll
FF - plugin: c:\users\ganesh\appdata\roaming\mozilla\firefox\profiles\fuazw3ob.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\users\ganesh\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-7-21 225304]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-12 13480]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-12-4 72264]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-12-4 168776]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-6-26 3662848]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 vmapflt;vimicro Audio filter;c:\windows\system32\drivers\vmapflt.sys [2009-12-5 360704]
S3 vmcam325av;Lenovo USB WebCam;c:\windows\system32\drivers\vmcam325av.sys [2009-12-5 232448]
S3 vvftav;325 Primax filter service name, vista ver;c:\windows\system32\drivers\vvftav.sys [2009-12-5 280960]

=============== Created Last 30 ================

2010-05-28 12:33:54 0 d-----w- C:\A
2010-05-25 23:14:23 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-20 20:37:17 0 d-----w- c:\program files\Microsoft Synchronization Services
2010-05-20 20:37:16 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-05-20 20:34:29 0 d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-05-20 20:34:29 0 d-----w- c:\program files\Microsoft Help Viewer
2010-05-20 18:57:02 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-05-20 18:57:02 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-05-20 18:57:02 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-05-20 18:57:02 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-05-20 18:57:02 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-05-19 14:11:29 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-19 12:24:21 0 d-----w- c:\users\ganesh\appdata\roaming\SharePod
2010-05-19 03:03:11 0 d-----w- c:\program files\uTorrent

==================== Find3M ====================

2010-06-03 19:53:19 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-03 19:53:18 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-03 19:50:28 82414 ----a-w- c:\programdata\nvModes.dat
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 20:47:22 17760 ----a-w- c:\windows\system32\aspnet_counters.dll
2010-03-18 17:16:28 771424 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
2010-03-18 13:15:26 80720 ----a-w- c:\windows\system32\mfcm100u.dll
2010-03-18 13:15:26 80208 ----a-w- c:\windows\system32\mfcm100.dll
2010-03-18 13:15:26 770384 ----a-w- c:\windows\system32\msvcr100.dll
2010-03-18 13:15:26 4368720 ----a-w- c:\windows\system32\mfc100u.dll
2010-03-18 13:15:26 4342088 ----a-w- c:\windows\system32\mfc100.dll
2010-03-18 13:15:26 421200 ----a-w- c:\windows\system32\msvcp100.dll
2010-03-18 13:15:26 138056 ----a-w- c:\windows\system32\atl100.dll
2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42:17 834048 ----a-w- c:\windows\system32\wininet.dll
2009-12-05 16:10:08 143360 ----a-w- c:\windows\inf\infstor.dat
2009-10-28 03:15:39 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-03-19 13:08:54 174 --sh--w- c:\program files\desktop.ini
2007-11-13 20:01:44 3395343 ------w- c:\program files\openofficeorg4.cab
2007-11-13 20:00:51 67695863 ------w- c:\program files\openofficeorg3.cab
2007-11-13 19:49:19 17646967 ------w- c:\program files\openofficeorg2.cab
2007-11-13 19:48:24 18827152 ------w- c:\program files\openofficeorg1.cab
2007-11-13 19:47:02 4364800 ------w- c:\program files\openofficeorg23.msi
2007-11-13 19:47:02 217 ------w- c:\program files\setup.ini
2006-11-02 12:42:02 30674 ------w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ------w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ------w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ------w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfc.dat
2002-03-11 09:06:30 1822520 ------w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ------w- c:\program files\instmsia.exe
2008-09-15 13:26:00 16384 --sh--w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-15 13:26:00 32768 --sh--w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-15 13:26:00 16384 --sh--w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-03-22 00:48:57 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032120080322\index.dat
2008-06-05 07:19:45 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008060520080606\index.dat
2008-06-18 22:35:49 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008061820080619\index.dat
2008-06-26 00:44:05 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008062520080626\index.dat
2008-07-07 12:57:52 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008070720080708\index.dat
2008-07-22 01:29:43 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008072120080722\index.dat
2008-07-22 11:06:45 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008072220080723\index.dat
2008-10-11 20:33:07 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008101120081012\index.dat
2008-10-12 14:13:06 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008101220081013\index.dat
2008-11-27 12:47:14 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008112720081128\index.dat
2007-12-05 22:25:03 16384 --sh--w- c:\windows\temp\cookies\index.dat
2007-12-05 22:25:03 16384 --sh--w- c:\windows\temp\history\history.ie5\index.dat
2007-12-05 22:25:03 16384 --sh--w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-11-26 10:05:18 8192 --sh--w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 16:05:09.59 ===============

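The helpers in this thread read the DDS "Pseudo HJT Report" above by eye. As an added example, not part of the thread or of the DDS tool, the Python script below runs the same kind of first-pass triage over an excerpt of that report. The excerpt is copied from the posted log; the heuristics and their wording are mine, and they produce review hints, not verdicts: the two executables in the Windows root (BigDog.exe and LenovoTray.exe) are flagged only because of where they live, and judging by the entry names both are Lenovo webcam and tray components. The one unambiguous finding is mPolicies-system EnableLUA = 0, which means User Account Control is switched off on this Vista machine.

```python
"""First-pass triage of the autorun and policy lines in a DDS "Pseudo HJT Report"."""
import re

# Excerpt of the DDS report posted above (constructed sample input for this script;
# the lines are copied from the post, not produced by running DDS here).
SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [BigDogPath323] c:\windows\BigDog.exe Lenovo USB Webcam(Video)
mRun: [LenovoTray] c:\windows\LenovoTray.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
"""

# uRun = HKCU Run key (current user only), mRun = HKLM Run key (every user at logon)
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^mPolicies-(?P<area>\w+): (?P<key>\w+) = (?P<val>\d+)")
BHO_NO_FILE_RE = re.compile(r"^BHO: .* - No File$")
WINROOT_EXE_RE = re.compile(r"c:\\windows\\[^\\]+\.exe")


def executable_of(cmd):
    """Extract the executable from a Run command line (quoted path, or unquoted up to '.exe')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe" rather than at whitespace.
    idx = cmd.lower().find(".exe")
    if idx != -1:
        return cmd[: idx + 4]
    return cmd.split()[0] if cmd else ""


def triage(report):
    """Return review hints (not verdicts) for one DDS report, in log order."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            scope = "HKCU" if m.group("hive") == "u" else "HKLM"
            exe = executable_of(m.group("cmd"))
            if m.group("name") == "<NO NAME>" or not exe:
                findings.append(f"{scope} Run entry with no name or no command: {line}")
            elif WINROOT_EXE_RE.fullmatch(exe.lower()):
                # Executables directly in %WINDIR% are unusual for current software but
                # common for OEM tools, so this is a "verify the publisher" hint only.
                findings.append(f"{scope} Run entry launches from the Windows root: {exe}")
            elif "\\" not in exe and not exe.startswith("%"):
                # A bare filename is resolved through the search path at logon.
                findings.append(f"{scope} Run entry uses a bare filename resolved via PATH: {exe}")
            continue
        m = POLICY_RE.match(line)
        if m and m.group("key") == "EnableLUA" and m.group("val") == "0":
            findings.append("UAC disabled: mPolicies-system EnableLUA = 0")
            continue
        if BHO_NO_FILE_RE.match(line):
            findings.append(f"Browser helper object registered without a file on disk: {line}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

Run it against the full report rather than the excerpt to get the complete hint list; every hit still needs a human to check the publisher and path before anything is removed.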

#4 m0le (Malware Response Team, London, UK)

Posted 07 June 2010 - 05:45 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#5 jdoe99 (Topic Starter)

Posted 07 June 2010 - 10:16 PM

Hi,
Thanks for your response and instructions. I was unable to run GMER earlier as it kept crashing on me with a BSOD. I ran it this time in Safe Mode with your links and was able to do it.
The log is as follows. Do advise what to do next.
Thanks.

-------------------------------------------------------------------------------------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-07 23:00:58
Windows 6.0.6002 Service Pack 2
Running: n3iqtwle.exe; Driver: C:\Windows\system32\config\SYSTEM~1\AppData\Local\Temp\kwlyapod.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[1224] ntdll.dll!NtProtectVirtualMemory 77F34D34 5 Bytes JMP 006C000A
.text C:\Windows\Explorer.EXE[1224] ntdll.dll!NtWriteVirtualMemory 77F35674 5 Bytes JMP 006D000A
.text C:\Windows\Explorer.EXE[1224] ntdll.dll!KiUserExceptionDispatcher 77F35DC8 5 Bytes JMP 0023000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \FileSystem\fastfat \Fat 88131A7A

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 86DA3D01

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----



#6 m0le (Malware Response Team)

Posted 08 June 2010 - 03:47 PM

GMER has triggered the rootkit. It's called TDL3 and it's a variant of the TDSS rootkit.


Please run ComboFix next so it can replace the file that it has infected.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
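m0le makes the identification above from the GMER log by eye: the "Device ->" line for the system disk (\Device\Harddisk0\DR0, owned by \Driver\iaStor) together with "suspicious modification" on iaStor.sys itself is what points at a rootkit living in the storage driver. As an added example that is not part of the thread or of GMER, the Python script below parses those GMER sections and makes that correlation explicit. The excerpt is copied from the posted log; the severity labels are mine, and the reading of an inline JMP whose target has no owning module appended as "unbacked memory" is my heuristic about GMER's output format, not something GMER states. The practical caveat follows from the finding: once the disk miniport is hooked, every user-mode scanner on that machine reads files through the rootkit, which is why the infected driver must not be copied off and why anything else taken off the box should be scanned from a clean system.

```python
"""Triage a GMER log: pull out user-mode inline hooks, hijacked device objects and
modified driver files, then correlate the disk device with the modified driver."""
import ntpath  # Windows path handling regardless of the host running this script
import re

# Excerpt of the GMER log posted above (constructed sample input for this script;
# the lines are copied from the post, not generated by running GMER here).
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[1224] ntdll.dll!NtProtectVirtualMemory 77F34D34 5 Bytes JMP 006C000A
.text C:\Windows\Explorer.EXE[1224] ntdll.dll!NtWriteVirtualMemory 77F35674 5 Bytes JMP 006D000A
.text C:\Windows\Explorer.EXE[1224] ntdll.dll!KiUserExceptionDispatcher 77F35DC8 5 Bytes JMP 0023000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
Device -> \Driver\iaStor \Device\Harddisk0\DR0 86DA3D01

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification
"""

# ".text <process>[<pid>] <module>!<function> <address> <n> Bytes JMP <target>[ <owning module>]"
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>[\w.]+)!(?P<func>\w+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<n>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)(?: (?P<target_mod>.+))?$"
)
# "Device -> \Driver\<name> \Device\<path> <address>": the device's dispatch is not
# where the named driver's own image would put it (assumed reading of GMER's format).
DEVICE_RE = re.compile(r"^Device -> \\Driver\\(?P<driver>\w+) (?P<device>\S+) (?P<addr>[0-9A-Fa-f]+)$")
FILE_RE = re.compile(r"^File (?P<path>\S+) suspicious modification$")


def parse_gmer(text):
    """Return (hooks, hijacked_devices, modified_files) parsed from GMER log text."""
    hooks, hijacked, modified = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append(m.groupdict())
            continue
        m = DEVICE_RE.match(line)
        if m:
            hijacked.append(m.groupdict())
            continue
        m = FILE_RE.match(line)
        if m:
            modified.append(m.group("path"))
    return hooks, hijacked, modified


def driver_name(path):
    """'C:\\Windows\\system32\\drivers\\iaStor.sys' -> 'iastor'."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def triage(text):
    """Turn parsed GMER findings into review notes, most severe first."""
    hooks, hijacked, modified = parse_gmer(text)
    notes = []
    modified_by_driver = {driver_name(p): p for p in modified}
    hijacked_drivers = {d["driver"].lower() for d in hijacked}
    for dev in hijacked:
        path = modified_by_driver.get(dev["driver"].lower())
        if path:
            # The same driver owns a redirected device object and is modified on disk:
            # the storage stack itself is compromised, so anything read through it
            # (including by file scanners on this machine) can be lied to.
            notes.append(f"CRITICAL: {dev['device']} is redirected away from \\Driver\\{dev['driver']} "
                         f"and its driver file is modified on disk: {path}")
        else:
            notes.append(f"HIGH: {dev['device']} dispatch not attributed to \\Driver\\{dev['driver']} "
                         f"(at {dev['addr']})")
    for path in modified:
        if driver_name(path) not in hijacked_drivers:
            notes.append(f"HIGH: modified driver file without a matching device finding: {path}")
    for h in hooks:
        if h["target_mod"] is None:
            # Heuristic: GMER appends the owning module after the target when it can
            # resolve it; no module means the hook lands in memory with no loaded image.
            notes.append(f"MEDIUM: inline hook in {h['proc']}[{h['pid']}] on "
                         f"{h['module']}!{h['func']} -> {h['target']} (unbacked memory)")
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_GMER):
        print(note)
```

Feed it the whole gmer.log rather than the excerpt; the CRITICAL line is the one that justifies replacing the driver from a known-good copy rather than trusting any cleaner that runs on top of the infected storage stack.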

#7 jdoe99 (Topic Starter)

Posted 08 June 2010 - 04:17 PM

Quick question: this has to be done in normal mode itself, right? The reason I am asking is because GMER was not running in normal mode and I had to run it in Safe Mode.
Thanks.

Edit: I guess it's normal mode based on your description, but just checking in case I get a BSOD.


#8 m0le (Malware Response Team)

Posted 08 June 2010 - 05:21 PM

It is normal mode. Let me know if it fails.

#9 jdoe99 (Topic Starter)

Posted 08 June 2010 - 09:49 PM

Hi,
I ran ComboFix according to the instructions. It did a backup and reached a point where it said a reboot is necessary. I clicked OK and it rebooted, and when I logged back in, ComboFix continued. After a while I got the BSOD and this time it's not rebooting. It keeps saying that some startup file is corrupt and asks to proceed with the disk etc. Same thing with Safe Mode: it keeps saying some system file is corrupt and cannot load.

FYI: I have Lenovo system restore software on it and it's a Lenovo T61p. When I enter that mode I can see the computer data files etc. I copied some file to see if I can copy files and it was fine, as I was able to copy a file. I was just poking around and did some steps to see if there was a system backup. When I select the hard drive, I don't see any backup file to which I can revert the system. The other option there was to restore to factory settings.

Let me know how to proceed with this.


#10 m0le (Malware Response Team)

Posted 09 June 2010 - 03:12 PM

Okay, which startup file is it saying it is missing?

#11 jdoe99 (Topic Starter)

Posted 09 June 2010 - 04:04 PM

I am at work and it's my home laptop that's got the problem. I will let you know later when I get home.

Since I can see the files from the Lenovo Rescue and Recovery program, is it OK to copy the files I want onto a separate hard drive? Are there certain files I should avoid altogether? You said that it was TDL3. Does it infect only system files or does it spread to other files and folders as well? What's your recommendation?

Thanks.

Edited by jdoe99, 09 June 2010 - 04:21 PM.


#12 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 09 June 2010 - 04:30 PM

TDL3 is a rootkit and that is good because you can transfer files off the infected machine without worrying about bringing it with you.

You need to be careful that anything that you transfer off is not infected by other malware, so run them through a file scanner such as Jotti.

Also, TDL3 has infected only this system file so do not copy this: C:\Windows\system32\drivers\iaStor.sys

Edited by m0le, 09 June 2010 - 04:31 PM.


#13 jdoe99 (Topic Starter, Members, 50 posts)

Posted 09 June 2010 - 04:36 PM

QUOTE(m0le @ Jun 9 2010, 05:30 PM)
TDL3 is a rootkit and that is good because you can transfer files off the infected machine without worrying about bringing it with you.

You need to be careful that anything that you transfer off is not infected by other malware so run them through a file scanner such as Jotti

Also, TDL3 has infected only this system file so do not copy this: C:\Windows\system32\drivers\iaStor.sys


The Jotti link you put up links to WinXP hidden files etc. Also, Jotti scans individual files, right? Can I transfer the files I want and run them through Malwarebytes? Will that be fine? Do let me know.

I will let you know about the startup file in probably a couple of hours or so.

Thanks

#14 jdoe99 (Topic Starter, Members, 50 posts)

Posted 09 June 2010 - 06:00 PM

This is weird. I was in the Lenovo Rescue and Recovery console. I restarted the computer to tell you what the missing/corrupt file was that was preventing me from booting up, but then it booted up fine. The ComboFix console was running and said something about missing whitefile01 or something to that effect. It then said that it was preparing the log report and not to run any program until ComboFix has finished. I will let you know once it stops.



#15 jdoe99 (Topic Starter, Members, 50 posts)

Posted 09 June 2010 - 07:12 PM

Hi,
So this time I got a ComboFix output. Like I said in the last post, Windows did come up and I got a log. I would like to add that this log was created after 3-4 attempts of the OS not loading. Should I run ComboFix again, or is this log giving you the required information? It says the infected disk.sys was cleaned, whereas you had mentioned iaStor.sys. Do let me know.

Thanks.

The ComboFix log is as follows:


ComboFix 10-06-08.02 - ganesh 06/08/2010 19:15:07.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2014.962 [GMT -4:00]
Running from: c:\users\ganesh\Documents\Desktop\comfix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
.

2010-06-08 23:30 . 2010-06-09 22:54 -------- d-----w- c:\users\ganesh\AppData\Local\temp
2010-06-08 23:30 . 2010-06-08 23:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-08 23:30 . 2010-06-09 22:51 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-06-08 02:28 . 2010-06-08 02:27 293376 ----a-w- C:\n3iqtwle.exe
2010-05-28 14:00 . 2010-05-28 14:00 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Lenovo
2010-05-28 13:14 . 2010-05-28 13:14 -------- d-----w- c:\users\Default\AppData\Local\Google
2010-05-28 12:50 . 2010-05-28 12:50 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Malwarebytes
2010-05-28 12:44 . 2010-05-28 12:44 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Mozilla
2010-05-28 12:33 . 2010-05-28 12:33 -------- d-----w- C:\A
2010-05-28 12:17 . 2010-05-28 12:19 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\uTorrent
2010-05-25 23:14 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-20 20:37 . 2010-05-20 20:37 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-05-20 20:37 . 2010-05-20 20:37 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-05-20 20:34 . 2010-05-20 20:38 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-05-20 20:34 . 2010-05-20 20:34 -------- d-----w- c:\program files\Microsoft SDKs
2010-05-20 20:34 . 2010-05-20 20:34 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-05-20 18:57 . 2010-05-20 20:26 -------- d-----w- c:\users\ganesh\AppData\Local\SecondLife
2010-05-20 18:57 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-05-20 18:57 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-05-20 18:57 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-05-20 18:57 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-05-20 18:57 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-05-19 14:11 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-19 12:24 . 2010-05-19 12:24 -------- d-----w- c:\users\ganesh\AppData\Roaming\SharePod
2010-05-19 03:03 . 2010-05-19 03:03 -------- d-----w- c:\program files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-09 22:57 . 2008-05-18 18:54 -------- d-----w- c:\programdata\Google Updater
2010-06-09 22:53 . 2008-03-06 13:54 82414 ----a-w- c:\programdata\nvModes.dat
2010-06-08 22:53 . 2009-04-07 13:21 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\SACore
2010-05-28 12:18 . 2008-02-02 14:00 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Lenovo
2010-05-28 12:03 . 2008-10-31 13:40 -------- d-----w- c:\users\ganesh\AppData\Roaming\uTorrent
2010-05-20 20:37 . 2007-11-26 11:39 -------- d-----w- c:\program files\Microsoft SQL Server
2010-05-20 20:36 . 2007-12-04 21:17 117856 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-20 20:27 . 2009-05-18 21:28 -------- d-----w- c:\program files\SecondLife
2010-05-20 19:30 . 2009-05-18 21:29 -------- d-----w- c:\users\ganesh\AppData\Roaming\SecondLife
2010-05-20 18:58 . 2007-11-26 11:37 -------- d-----w- c:\program files\Microsoft.NET
2010-05-19 14:13 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-19 14:13 . 2007-11-26 11:35 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 15:21 . 2009-10-03 05:55 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 22:36 . 2009-09-12 20:04 -------- d-----w- c:\users\ganesh\AppData\Roaming\vlc
2010-05-03 13:29 . 2008-09-10 11:22 -------- d-----w- c:\users\ganesh\AppData\Roaming\Audacity
2010-05-01 17:02 . 2009-06-04 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2009-06-04 12:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-06-04 12:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-25 18:01 . 2007-11-26 11:14 -------- d-----w- c:\program files\Google
2010-04-16 15:10 . 2008-02-22 02:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-15 04:25 . 2008-07-17 11:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-18 20:47 . 2010-03-18 20:47 17760 ----a-w- c:\windows\system32\aspnet_counters.dll
2010-03-18 17:16 . 2010-03-18 17:16 771424 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
2010-03-18 13:15 . 2010-03-18 13:15 80720 ----a-w- c:\windows\system32\mfcm100u.dll
2010-03-18 13:15 . 2010-03-18 13:15 80208 ----a-w- c:\windows\system32\mfcm100.dll
2010-03-18 13:15 . 2010-03-18 13:15 770384 ----a-w- c:\windows\system32\msvcr100.dll
2010-03-18 13:15 . 2010-03-18 13:15 4368720 ----a-w- c:\windows\system32\mfc100u.dll
2010-03-18 13:15 . 2010-03-18 13:15 4342088 ----a-w- c:\windows\system32\mfc100.dll
2010-03-18 13:15 . 2010-03-18 13:15 421200 ----a-w- c:\windows\system32\msvcp100.dll
2010-03-18 13:15 . 2010-03-18 13:15 138056 ----a-w- c:\windows\system32\atl100.dll
2007-11-13 20:01 . 2007-11-13 20:01 3395343 ------w- c:\program files\openofficeorg4.cab
2007-11-13 20:00 . 2007-11-13 20:00 67695863 ------w- c:\program files\openofficeorg3.cab
2007-11-13 19:49 . 2007-11-13 19:49 17646967 ------w- c:\program files\openofficeorg2.cab
2007-11-13 19:48 . 2007-11-13 19:48 18827152 ------w- c:\program files\openofficeorg1.cab
2007-11-13 19:47 . 2007-11-13 19:47 4364800 ------w- c:\program files\openofficeorg23.msi
2007-11-13 19:47 . 2007-11-13 19:47 217 ------w- c:\program files\setup.ini
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ------w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ------w- c:\program files\instmsia.exe
2007-11-26 10:05 . 2007-11-26 10:01 8192 --sh--w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\ganesh\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2008-10-27 632096]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2008-10-27 214576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-22 820520]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TpShocks"="TpShocks.exe" [2008-06-06 181536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [2007-09-25 28672]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-08-21 487424]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-16 217176]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-08-07 431392]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-08-07 148768]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-09 2630968]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2008-10-02 33304]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-01-11 166304]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 92704]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-09 1282048]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"BigDogPath323"="c:\windows\BigDog.exe" [2006-08-08 86016]
"LenovoTray"="c:\windows\LenovoTray.exe" [2007-07-03 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-10-5 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):ee,8b,53,0e,0b,ee,c9,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
R3 vmapflt;vimicro Audio filter;c:\windows\system32\drivers\vmapflt.sys [2007-04-13 360704]
R3 vmcam325av;Lenovo USB WebCam;c:\windows\system32\Drivers\vmcam325av.sys [2007-03-14 232448]
R3 vvftav;325 Primax filter service name, vista ver;c:\windows\system32\drivers\vvftav.sys [2007-06-20 280960]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2008-07-21 225304]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2008-05-14 19496]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 MySQL5;MySQL5;c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt --defaults-file=c:\program files\MySQL\MySQL Server 5.0\my.ini MySQL5 [x]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-10-27 66848]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-03-27 58736]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-01-09 569344]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-06-26 3662848]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-26 08:50]

2010-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4143426175-2825981908-2602191129-1005Core.job
- c:\users\ganesh\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 02:29]

2010-06-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4143426175-2825981908-2602191129-1005UA.job
- c:\users\ganesh\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 02:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.14/uploader2.cab
FF - ProfilePath - c:\users\ganesh\AppData\Roaming\Mozilla\Firefox\Profiles\fuazw3ob.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\ganesh\AppData\Local\Google\Update\1.2.183.27\npGoogleOneClick8.dll
FF - plugin: c:\users\ganesh\AppData\Roaming\Mozilla\Firefox\Profiles\fuazw3ob.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\users\ganesh\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL5]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL5"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4640)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_think_res.dll
c:\program files\Lenovo\Client Security Solution\css_think_res.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\windows\system32\java.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Freedom Scientific\JAWS\9.0\fsATProxy.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\lenovo\system update\suservice.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\TpShocks.exe
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\ThinkVantage\PrdCtr\LPMLCHK.EXE
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe
c:\progra~1\ThinkPad\UTILIT~1\PWMUIAux.exe
c:\windows\ehome\mcupdate.EXE
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\WerCon.exe
c:\windows\system32\RacAgent.exe
.
**************************************************************************
.
Completion time: 2010-06-09 19:07:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-09 23:07

Pre-Run: 29,366,796,288 bytes free
Post-Run: 29,311,229,952 bytes free

- - End Of File - - 63216F318B592E1099F356EACB36276C

Edited by jdoe99, 10 June 2010 - 08:10 AM.
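The log above is a flat text report, and the items that matter for the follow-up are scattered across it: the driver ComboFix disinfected (disk.sys), the randomly named executable created directly in the drive root (C:\n3iqtwle.exe), and the registry values that switch off the platform's own protection (EnableLUA=0, DisableMonitoring, AntiVirusOverride). As an added example, not code from this thread, from BleepingComputer or from ComboFix, here is a small Python triage script that walks a ComboFix-style log once and collects exactly those three categories. The sample log inside it is a constructed excerpt assembled from lines of the posted log; the section banners and field layout it parses are taken from that log, not from any ComboFix documentation.

```python
"""Triage a ComboFix-style log for the findings a responder re-checks afterwards.

Added example: not code from the thread, from BleepingComputer or from ComboFix.
SAMPLE_LOG is a constructed excerpt assembled from lines of the posted log.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
.

2010-06-08 23:30 . 2010-06-09 22:54 -------- d-----w- c:\users\ganesh\AppData\Local\temp
2010-06-08 02:28 . 2010-06-08 02:27 293376 ----a-w- C:\n3iqtwle.exe
2010-05-25 23:14 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):ee,8b,53,0e,0b,ee,c9,01
"""

# "(((( Section Name ))))" banners separate the report into sections.
SECTION_RE = re.compile(r"^\(\(+\s*(.*?)\s*\)\)+$")
DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S")
# "<created> . <modified> <size|--------> <attrs> <path>"; attrs is 8 chars, 'd' first for directories.
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S{8}) (.+)$")
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(exe|dll|sys|com|scr)$", re.IGNORECASE)
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')

# (key suffix, value name, value that weakens protection, meaning); all three keys appear in the posted log.
WEAK_SETTINGS = [
    (r"\policies\system", "EnableLUA", 0, "UAC disabled"),
    (r"\security center\monitoring", "DisableMonitoring", 1, "Security Center monitoring disabled"),
    (r"\security center\svc", "AntiVirusOverride", 1, "Security Center AV status overridden"),
]


def parse_reg_value(raw: str) -> Optional[int]:
    """Return an int for 'dword:00000001' or '0 (0x0)' style values, None for strings and hex blobs."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\b", raw)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> Dict[str, List[str]]:
    """Walk the log once, tracking the current section and the current registry key."""
    findings: Dict[str, List[str]] = {"deleted": [], "disinfected": [], "root_executables": [], "weak_settings": []}
    section, reg_key = "", ""
    for raw_line in log_text.splitlines():
        line = raw_line.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, reg_key = m.group(1).lower(), ""
            continue
        if section.startswith("other deletions"):
            m = DISINFECTED_RE.match(line)
            if m:
                findings["disinfected"].append(m.group(1))
            elif PATH_RE.match(line):
                findings["deleted"].append(line)
        elif section.startswith("files created"):
            m = CREATED_RE.match(line)
            # a file (not a directory) whose path has no folder component below the drive root
            if m and not m.group(2).startswith("d") and ROOT_EXE_RE.match(m.group(3)):
                findings["root_executables"].append(m.group(3))
        elif section.startswith("reg loading points"):
            m = REG_KEY_RE.match(line)
            if m:
                reg_key = m.group(1).lower()
                continue
            m = REG_VALUE_RE.match(line)
            if m and reg_key:
                name, value = m.group(1), parse_reg_value(m.group(2))
                for suffix, weak_name, weak_value, why in WEAK_SETTINGS:
                    if reg_key.endswith(suffix.lower()) and name.lower() == weak_name.lower() and value == weak_value:
                        findings["weak_settings"].append(f"{why}: {name}={value} under {reg_key}")
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  ", item)
```

Run as a script it prints the four categories for the embedded excerpt; pointed at a full log it gives the same short list, which is what to look at before deciding whether a machine can be trusted again: a disinfected boot-critical driver means the restored copy should be verified, an executable in the drive root is worth submitting to a file scanner as m0le suggests, and every weakened policy value has to be put back by hand since the cleaner does not do that.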
