Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

iexplore.exe, ad pop-ups, wave audio control goes mute


  • This topic is locked This topic is locked
14 replies to this topic

#1 chamished

chamished

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 24 July 2010 - 01:13 PM


Hello,

I have the following problems
- a couple IEXPLORE.exe processes running in the background while i use firefox most of the time (i have Internet Explorer installed)
- Occasionally an Internet Explorer window would open with an ad or I'll hear an ad playing with no visible window
- I hear occasional clicking sounds in the background (the sound is that of clicking a link in Internet Explorer)
- My wave control is muted every few minutes, sometimes seconds.

Been unsuccessful in deleting this and need some help. Thank you.

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:27 AM

Posted 01 August 2010 - 05:16 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.
  1. Do not run any other tool untill instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


MBRCheck

Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread


information and logs:
    In your next post I need the following
      1.logs from DDS
      2.log from RKUnHooker
      3. report from MBRchecker
      4.let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 chamished

chamished
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 02 August 2010 - 04:35 PM


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mike at 17:19:19.84 on Mon 08/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_06
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.982.436 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
svchost.exe 4
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
svchost.exe 4
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Styler\Styler.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe /startup
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [SoundMax] "c:\program files\analog devices\soundmax\smax4.exe" /tray
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\styler.lnk - c:\docume~1\mike\applic~1\microsoft\installer\{e9ecf354-2422-4fdb-9abf-d8adac0ef941}\_585b207a.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\d5whm8nf.default\
FF - prefs.js: browser.startup.homepage - hxxp://scoute.org/blog/?p=238#more-238
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-3-2 19760]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-4-17 33824]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-2-8 569344]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-10-9 493248]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2006-9-13 35264]

=============== Created Last 30 ================

2010-08-02 21:13:21 176 ----a-w- c:\documents and settings\mike\defogger_reenable
2010-07-22 19:45:13 0 d-----w- c:\program files\Emsisoft Anti-Malware
2010-07-16 21:18:23 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2010-07-13 20:04:44 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 03:11:23 0 d-sha-r- C:\cmdcons
2010-07-11 03:07:33 98816 ----a-w- c:\windows\sed.exe
2010-07-11 03:07:33 77312 ----a-w- c:\windows\MBR.exe
2010-07-11 03:07:33 256512 ----a-w- c:\windows\PEV.exe
2010-07-11 03:07:33 161792 ----a-w- c:\windows\SWREG.exe
2010-07-11 03:07:25 0 d-----w- C:\ComboFix
2010-07-11 02:31:17 41 ----a-w- c:\windows\SMWizard.INI

==================== Find3M ====================

2010-05-14 02:22:59 7652 ----a-w- c:\windows\fonts\Ela Swashes Bold Italic PDF.ttf
2010-05-14 02:21:59 75060 ----a-w- c:\windows\fonts\saffrontoo.TTF
2010-05-14 02:20:55 92900 ----a-w- c:\windows\fonts\Grover Slab Bold Italic.ttf
2010-05-14 02:19:58 74364 ----a-w- c:\windows\fonts\Divina.ttf
2010-05-14 02:18:48 46016 ----a-w- c:\windows\fonts\Kushtie Ligatures.ttf
2010-05-14 02:17:56 144496 ----a-w- c:\windows\fonts\Berlin Email Serif Shadow.ttf
2010-05-14 02:16:57 118848 ----a-w- c:\windows\fonts\Vivian Plus.ttf
2010-05-14 02:16:55 75336 ----a-w- c:\windows\fonts\HabanoST.ttf
2010-05-14 02:16:55 51934 ----a-w- c:\windows\fonts\hadfieldletplain-1.0.ttf
2010-05-14 02:16:48 22196 ----a-w- c:\windows\fonts\Misfortune.ttf
2010-05-14 02:16:42 39448 ----a-w- c:\windows\fonts\LHF Mirage Regular.ttf
2010-05-14 02:16:37 53784 ----a-w- c:\windows\fonts\HabanoST.otf
2010-05-14 02:16:35 61172 ----a-w- c:\windows\fonts\SOUCISAN.TTF
2010-05-14 02:16:35 53592 ----a-w- c:\windows\fonts\Spacearella.ttf
2010-05-14 02:16:35 31188 ----a-w- c:\windows\fonts\SoProlix.otf
2010-05-14 02:16:34 30968 ----a-w- c:\windows\fonts\SoProlix Bold.otf
2010-05-14 02:16:24 107068 ----a-w- c:\windows\fonts\Mr Rafkin.ttf
2010-05-14 02:15:51 216364 ----a-w- c:\windows\fonts\Cacao Plain Inline PDF.ttf
2010-05-14 02:15:37 95732 ----a-w- c:\windows\fonts\Bodoni Classic Ad Bold Italic PDF.ttf
2010-05-14 02:15:37 90444 ----a-w- c:\windows\fonts\LHF Mister Spooky Condensed.ttf
2010-05-14 02:15:37 55460 ----a-w- c:\windows\fonts\LHF Mister Spooky COND.ttf
2010-05-14 02:15:37 27516 ----a-w- c:\windows\fonts\LHF Mister Kooky REG.TTF
2010-05-14 02:15:37 27420 ----a-w- c:\windows\fonts\LHF Mister Kooky COND.ttf
2010-05-14 02:15:04 111300 ----a-w- c:\windows\fonts\NeutrafaceSlabDisplay-Medium.otf
2010-05-14 02:15:04 101388 ----a-w- c:\windows\fonts\NeutrafaceSlabDisplay-Light.otf
2010-05-14 02:14:59 96300 ----a-w- c:\windows\fonts\Royal Bavarian Plain PDF.ttf
2010-05-14 02:14:59 64252 ----a-w- c:\windows\fonts\P22 Constructivist Extras.ttf
2010-05-14 02:14:59 20944 ----a-w- c:\windows\fonts\P22 Constructivist Line.ttf
2010-05-14 02:14:59 119784 ----a-w- c:\windows\fonts\Royal Bavarian Fancy PDF.ttf
2010-05-14 02:14:58 22732 ----a-w- c:\windows\fonts\P22 Constructivist Cyrillic.ttf
2010-05-14 02:14:58 20064 ----a-w- c:\windows\fonts\P22 Constructivist Block.ttf
2010-05-14 02:14:58 102528 ----a-w- c:\windows\fonts\P22 Ching Mang.ttf
2010-05-14 02:14:26 68100 ----a-w- c:\windows\fonts\casbantn.TTF
2010-05-14 02:14:26 44396 ----a-w- c:\windows\fonts\CARDS.TTF
2010-05-14 02:14:26 33356 ----a-w- c:\windows\fonts\Carribeans_Treasure.ttf
2010-05-14 02:12:48 206396 ----a-w- c:\windows\fonts\Herencia.ttf
2010-05-14 02:12:48 112492 ----a-w- c:\windows\fonts\HelvetidoodlebyEdT.ttf
2010-05-14 02:12:44 55800 ----a-w- c:\windows\fonts\helveticabold.ttf
2010-05-14 02:12:43 61172 ----a-w- c:\windows\fonts\Helvetica LT Ultra Compressed.ttf
2010-05-14 02:12:35 56484 ----a-w- c:\windows\fonts\ZapfinoForteLT-Pro.otf
2010-05-14 02:12:35 30220 ----a-w- c:\windows\fonts\zebra_01-49-58.ttf
2010-05-14 02:12:34 47484 ----a-w- c:\windows\fonts\ZapfinoForteLT-One.otf
2010-05-14 02:12:34 18876 ----a-w- c:\windows\fonts\ZapfinoForteLT-Alternate.otf
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-29 05:16:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122820091229\index.dat

============= FINISH: 17:19:51.79 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/29/2009 12:24:17 AM
System Uptime: 8/2/2010 5:14:47 PM (0 hours ago)

Motherboard: LENOVO | | 6465CTO
Processor: Intel® Core™2 Duo CPU T7100 @ 1.80GHz | None | 1795/200mhz
Processor: Intel® Core™2 Duo CPU T7100 @ 1.80GHz | None | 1795/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 106 GiB total, 16.442 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
PNP Device ID: ROOT\NET\0000
Service: vpnva

==== System Restore Points ===================

RP98: 5/6/2010 12:05:09 AM - System Checkpoint
RP99: 5/7/2010 12:48:58 AM - System Checkpoint
RP100: 5/8/2010 3:44:38 PM - System Checkpoint
RP101: 5/9/2010 9:53:56 PM - System Checkpoint
RP102: 5/11/2010 6:18:47 PM - System Checkpoint
RP103: 5/12/2010 3:10:15 PM - Software Distribution Service 3.0
RP104: 5/13/2010 4:05:07 PM - System Checkpoint
RP105: 5/13/2010 9:34:59 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
RP106: 5/15/2010 6:01:34 PM - System Checkpoint
RP107: 5/16/2010 6:49:45 PM - System Checkpoint
RP108: 5/18/2010 7:03:21 PM - System Checkpoint
RP109: 5/22/2010 1:54:44 AM - System Checkpoint
RP110: 5/23/2010 2:03:40 AM - System Checkpoint
RP111: 5/24/2010 2:03:59 AM - System Checkpoint
RP112: 5/26/2010 11:26:50 PM - System Checkpoint
RP113: 5/27/2010 2:58:33 AM - Software Distribution Service 3.0
RP114: 5/28/2010 10:01:35 PM - System Checkpoint
RP115: 5/29/2010 10:23:44 PM - System Checkpoint
RP116: 5/30/2010 10:48:13 PM - System Checkpoint
RP117: 5/31/2010 3:31:58 PM - Software Distribution Service 3.0
RP118: 5/31/2010 3:33:27 PM - Installed Zune 4.2
RP119: 5/31/2010 4:08:09 PM - Installed Windows XP Wudf01009.
RP120: 5/31/2010 4:09:29 PM - Installed Windows XP winusb0100.
RP121: 6/1/2010 10:10:54 PM - System Checkpoint
RP122: 6/3/2010 10:56:42 PM - System Checkpoint
RP123: 6/6/2010 1:56:05 PM - System Checkpoint
RP124: 6/8/2010 3:56:52 PM - System Checkpoint
RP125: 6/9/2010 5:58:23 PM - System Checkpoint
RP126: 6/10/2010 3:00:16 AM - Software Distribution Service 3.0
RP127: 6/11/2010 11:46:35 PM - System Checkpoint
RP128: 6/15/2010 2:27:38 PM - System Checkpoint
RP129: 6/16/2010 3:56:42 PM - System Checkpoint
RP130: 6/20/2010 10:45:15 PM - System Checkpoint
RP131: 6/21/2010 11:55:01 PM - System Checkpoint
RP132: 6/24/2010 6:16:19 PM - System Checkpoint
RP133: 6/26/2010 2:29:40 AM - System Checkpoint
RP134: 6/26/2010 8:09:01 PM - Software Distribution Service 3.0
RP135: 6/29/2010 12:06:23 AM - System Checkpoint
RP136: 6/30/2010 2:34:46 AM - System Checkpoint
RP137: 6/30/2010 1:59:29 PM - Software Distribution Service 3.0
RP138: 7/5/2010 1:06:48 AM - System Checkpoint
RP139: 7/7/2010 3:33:20 PM - System Checkpoint
RP140: 7/9/2010 2:54:09 PM - System Checkpoint
RP141: 7/13/2010 3:32:53 PM - System Checkpoint
RP142: 7/14/2010 3:00:22 AM - Software Distribution Service 3.0
RP143: 7/16/2010 5:02:28 PM - System Checkpoint
RP144: 7/16/2010 5:18:03 PM - Removed Java™ 6 Update 18
RP145: 7/18/2010 4:59:57 PM - System Checkpoint
RP146: 7/21/2010 12:32:57 PM - System Checkpoint
RP147: 7/23/2010 5:35:18 PM - System Checkpoint
RP148: 7/27/2010 1:12:18 AM - System Checkpoint
RP149: 7/31/2010 1:32:25 PM - System Checkpoint

==== Installed Programs ======================


µTorrent
7-Zip 4.65
Access Help
Adobe Flash Player 10 Plugin
Adobe Photoshop CS4
Adobe Reader 8
Apple Application Support
Apple Software Update
Audacity 1.2.6
Beat Hazard 1.3s
Bizarro DC++ 0.674z
CDisplay 1.8
Cisco AnyConnect VPN Client
Combat Arms
Digsby
EndNote X3
ffdshow (remove only)
Help Center
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB889816)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB894686)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB898456)
Hotfix for Windows XP (KB903250)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB909667)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB916189)
Hotfix for Windows XP (KB917332)
Hotfix for Windows XP (KB918005)
Hotfix for Windows XP (KB918837)
Hotfix for Windows XP (KB923293)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB935192)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Integrated Camera
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterVideo Register Manager
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 6
Lenovo Registration
Maintenance Manager
Malwarebytes' Anti-Malware
mCore
mDriver
MediaMonkey 3.2
Message Center
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WinUsb 1.0
mMHouse
Mozilla Firefox (3.5.6)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
mWlsSafe
On Screen Display
OpenOffice.org 3.2
Pando Media Booster
Picasa 2
Presentation Director
Productivity Center Supplement for ThinkPad
QuickTime
Rainmeter (remove only)
Remove Multimedia Center
Rescue and Recovery
ResearchSoft Direct Export Helper
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
RocketDock 1.3.5
Rome - Total War
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Serious Samurize
Sonic DLA
Sonic Icons for Lenovo
Sonic Update Manager
SoundMAX
Styler
System Migration Assistant
System Update
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Modem
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Wallpapers
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883517
Windows XP Hotfix - KB883523
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB884868
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885894
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889315
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB896613
XP Themes
Xtranormal State
Xtranormal State - Showpak-Playgoz-Preview
Xtranormal State - SoundPack-Starter Kit
Xtranormal State - Voicepack-English-UK-Daniel
Xtranormal State - Voicepack-English-UK-Serena
Xtranormal State - Voicepack-English-US-Samantha
Xtranormal State - Voicepack-English-US-Tom
Zune
Zune Language Pack (DE)
Zune Language Pack (ES)
Zune Language Pack (FR)
Zune Language Pack (IT)

==== Event Viewer Messages From Past Week ========

8/2/2010 5:00:13 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 0013E852B687 has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
8/1/2010 2:52:43 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/1/2010 2:52:42 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
8/1/2010 2:52:42 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
8/1/2010 2:52:42 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/31/2010 7:38:50 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0013E852B687. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
7/30/2010 12:03:09 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/29/2010 1:04:20 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AcSvc service.
7/28/2010 12:31:12 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0013E852B687. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

==== End Of File ===========================

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0xF564E000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5701632 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBF1D8000 C:\WINDOWS\System32\igxpdx32.DLL 2600960 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2260992 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2260992 bytes
0x804D7000 RAW 2260992 bytes
0x804D7000 WMIxWDM 2260992 bytes
0xF5395000 C:\WINDOWS\system32\DRIVERS\NETw4x32.sys 2207744 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0xBF800000 Win32k 1863680 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF04E000 C:\WINDOWS\System32\igxpdv32.DLL 1613824 bytes (Intel Corporation, Component GHAL Driver)
0xA5ED0000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 991232 bytes (Conexant Systems, Inc., HSF_DP driver)
0x9C670000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 778240 bytes
0xF7312000 iaStor.sys 778240 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0xA5E1D000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF720F000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF51BE000 C:\WINDOWS\System32\Drivers\wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0xA5BCC000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xA5D19000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF522F000 C:\WINDOWS\system32\DRIVERS\update.sys 364544 bytes (Microsoft Corporation, Update Driver)
0x9C400000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xF5330000 C:\WINDOWS\system32\DRIVERS\rixdptsk.sys 331776 bytes (REDC, RICOH XD SM Driver)
0xA6030000 C:\WINDOWS\system32\drivers\ADIHdAud.sys 319488 bytes (Analog Devices, Inc., High Definition Audio Function Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF55F9000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 266240 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.2 deserialized driver)
0x9C4F7000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xA5FC2000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 212992 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xF5288000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF745C000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF71E2000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9C5B0000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF5304000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 180224 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0x9B302000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA5C63000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 172032 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xA5CF1000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF73E8000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF55B0000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 151552 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xF55D5000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF52E1000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA5CAE000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xA600E000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xA5CD0000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0x806FF000 ACPI_HAL 134272 bytes
0x806FF000 C:\WINDOWS\system32\hal.dll 134272 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF72F2000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF740E000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF742D000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF71C6000 Apsx86.sys 114688 bytes (Lenovo., Shockproof Disk Driver)
0xF71AB000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xA5FF6000 C:\WINDOWS\system32\drivers\AEAudio.sys 98304 bytes (Andrea Electronics Corporation, Audio Noise Filtering Driver (32-bit))
0xF73D0000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0x9C642000 C:\WINDOWS\System32\DLA\DLAUDFAM.SYS 98304 bytes (Sonic Solutions, Drive Letter Access Component)
0xF72B3000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF52CA000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF729C000 WudfPf.sys 94208 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x9C65A000 C:\WINDOWS\System32\DLA\DLAIFS_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0x9C62C000 C:\WINDOWS\System32\DLA\DLAUDF_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF72CA000 DRVMCDB.SYS 90112 bytes (Sonic Solutions, Device Driver)
0x9C323000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF5381000 C:\WINDOWS\system32\DRIVERS\rimsptsk.sys 81920 bytes (REDC, RICOH MS Driver)
0xF563A000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA5D72000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xF72E0000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF744B000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF52B9000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0x9E437000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF75CB000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF764B000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xA688A000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xA6EC4000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF750B000 ohci1394.sys 61440 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF75DB000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF759B000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 61440 bytes (REDC, RICOH SD Driver)
0xA9C25000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xA6ED4000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF5C36000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0xF751B000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 53248 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF74EB000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF75AB000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF75EB000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF74CB000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF760B000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF75BB000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF74BB000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF75FB000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF5BE6000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF5C16000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF5C76000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF5C46000 C:\WINDOWS\system32\DRIVERS\zumbus.sys 40960 bytes (Microsoft Corporation, Zune User-Mode Bus Enumerator)
0xF74DB000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA686A000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF758B000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF74AB000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF69DC000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xA6E94000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0x9C055000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xA687A000 C:\WINDOWS\system32\drivers\oreans32.sys 36864 bytes
0xF74FB000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF5BF6000 C:\WINDOWS\system32\DRIVERS\tvtfilter.sys 36864 bytes (Lenovo, Rescue and Recovery filter driver)
0xA68AA000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF773B000 ApsHM86.sys 32768 bytes (Lenovo., ThinkVantage Active Protection System HID Digitizer Activity Monitor Driver)
0xF785B000 C:\WINDOWS\system32\DRIVERS\atmeltpm.sys 32768 bytes (Atmel, Inc., Atmel TPM Driver)
0xA98B6000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xA81A9000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7843000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x9E120000 C:\WINDOWS\System32\DLA\DLABOIOM.SYS 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF772B000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x9CD78000 C:\WINDOWS\system32\DRIVERS\PROCDD.SYS 28672 bytes (Lenovo Group Limited, IPS Helper Driver)
0xF7743000 risdptsk.sys 28672 bytes (REDC, RICOH SD/MMC Driver)
0xF788B000 C:\WINDOWS\system32\DRIVERS\Tvti2c.sys 28672 bytes (Lenovo (United States) Inc., SMBUS Driver)
0xA98A6000 C:\WINDOWS\System32\Drivers\DLARTL_N.SYS 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF784B000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7853000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7883000 C:\WINDOWS\system32\DRIVERS\psadd.sys 24576 bytes (Lenovo (United States) Inc., SMBIOS Driver)
0xA81A1000 C:\WINDOWS\System32\drivers\TSMAPIP.SYS 24576 bytes
0xF783B000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xA81B9000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x9CDA8000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Cisco Systems, Inc., IEEE 802.1X Protocol Driver)
0xA81B1000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7733000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7873000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF787B000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF786B000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xA8191000 C:\WINDOWS\system32\DRIVERS\TPHKDRV.sys 20480 bytes (IBM Corporation, ThinkPad Hotkey Driver)
0xA8199000 C:\WINDOWS\System32\drivers\Tppwrif.sys 20480 bytes
0xF7863000 C:\WINDOWS\system32\DRIVERS\tvtpktfilter.sys 20480 bytes (Lenovo Group Limited, TVT NDIS 5.1 Intermediate Miniport Filter Driver)
0x9E130000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF78C3000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF7993000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xA4ED7000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7997000 C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys 16384 bytes (Lenovo., ThinkPad Power Management Driver)
0x9C554000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0xF716F000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF519E000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF519A000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 16384 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xF78C7000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xA8462000 C:\WINDOWS\System32\drivers\ANC.SYS 12288 bytes (IBM Corp., IBM Access Connections - ANC)
0xF78BB000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF78BF000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x9E4D7000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7187000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA9A7B000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF79A3000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xF7A6B000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7A01000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Sonic Solutions, Shared Driver Component)
0x9F264000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF79AF000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7A69000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7A67000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 8192 bytes (Microsoft Corporation, I2O Utility Filter)
0xF7A71000 C:\WINDOWS\system32\Drivers\IBMBLDID.sys 8192 bytes
0xF79AB000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7A6D000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0x9E40A000 C:\WINDOWS\System32\drivers\pmemnt.sys 8192 bytes (Microsoft Corporation, Physical Memory Driver)
0xF7A6F000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7A03000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79FF000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF79AD000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7B64000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xA4BB4000 C:\WINDOWS\System32\DLA\DLADResN.SYS 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0x9C917000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xA7180000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A74000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7A73000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 160):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF79AB000 \WINDOWS\system32\KDCOM.DLL
0xF78BB000 \WINDOWS\system32\BOOTVID.dll
0xF745C000 ACPI.sys
0xF79AD000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF744B000 pci.sys
0xF74AB000 isapnp.sys
0xF78BF000 compbatt.sys
0xF78C3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A73000 pciide.sys
0xF772B000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF742D000 pcmcia.sys
0xF74BB000 MountMgr.sys
0xF740E000 ftdisk.sys
0xF79AF000 dmload.sys
0xF73E8000 dmio.sys
0xF7733000 PartMgr.sys
0xF78C7000 ACPIEC.sys
0xF7A74000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF74CB000 VolSnap.sys
0xF73D0000 atapi.sys
0xF7312000 iaStor.sys
0xF74DB000 disk.sys
0xF74EB000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF72F2000 fltMgr.sys
0xF72E0000 sr.sys
0xF72CA000 DRVMCDB.SYS
0xF74FB000 PxHelp20.sys
0xF72B3000 KSecDD.sys
0xF729C000 WudfPf.sys
0xF720F000 Ntfs.sys
0xF71E2000 NDIS.sys
0xF71C6000 Apsx86.sys
0xF773B000 ApsHM86.sys
0xF7743000 risdptsk.sys
0xF750B000 ohci1394.sys
0xF751B000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF71AB000 Mup.sys
0xF764B000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF758B000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF564E000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF563A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF55F9000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xF783B000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF55D5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7843000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF55B0000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF5395000 \SystemRoot\system32\DRIVERS\NETw4x32.sys
0xF759B000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xF5381000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xF5330000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xF75AB000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF784B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF5304000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF79FF000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7853000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF785B000 \SystemRoot\system32\DRIVERS\atmeltpm.sys
0xF7993000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7997000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
0xF75BB000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7A01000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF75CB000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF75DB000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF52E1000 \SystemRoot\system32\DRIVERS\ks.sys
0xF79A3000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7863000 \SystemRoot\system32\DRIVERS\tvtpktfilter.sys
0xF7B64000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF75EB000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7187000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF52CA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF75FB000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF760B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF786B000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF52B9000 \SystemRoot\system32\DRIVERS\psched.sys
0xF69DC000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7873000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF787B000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF5288000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF5C76000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7883000 \SystemRoot\system32\DRIVERS\psadd.sys
0xF788B000 \SystemRoot\system32\DRIVERS\Tvti2c.sys
0xF7A03000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF522F000 \SystemRoot\system32\DRIVERS\update.sys
0xF716F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF5C46000 \SystemRoot\system32\DRIVERS\zumbus.sys
0xF5C36000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF51BE000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF5C16000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA6ED4000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA6030000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xA600E000 \SystemRoot\system32\drivers\portcls.sys
0xA6EC4000 \SystemRoot\system32\drivers\drmk.sys
0xA5FF6000 \SystemRoot\system32\drivers\AEAudio.sys
0xA5FC2000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xA5ED0000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xA5E1D000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xA98B6000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7A67000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7A69000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA7180000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A6B000 \SystemRoot\System32\Drivers\Beep.SYS
0xA98A6000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xA81B9000 \SystemRoot\System32\drivers\vga.sys
0xF7A6D000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A6F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA81B1000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA81A9000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA9A7B000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA5D72000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA5D19000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA5CF1000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA5CD0000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA5CAE000 \SystemRoot\System32\drivers\afd.sys
0xA6E94000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA68AA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA81A1000 \SystemRoot\System32\drivers\TSMAPIP.SYS
0xA8199000 \SystemRoot\System32\drivers\Tppwrif.sys
0xA8191000 \SystemRoot\system32\DRIVERS\TPHKDRV.sys
0xA688A000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA5C63000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA687A000 \??\C:\WINDOWS\system32\drivers\oreans32.sys
0xA5BCC000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7A71000 \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
0xA686A000 \SystemRoot\System32\Drivers\Fips.SYS
0xA8462000 \SystemRoot\System32\drivers\ANC.SYS
0x9E437000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9C670000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x9E4D7000 \SystemRoot\System32\drivers\Dxapi.sys
0x9E130000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0x9C917000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1D8000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF5BF6000 \SystemRoot\system32\DRIVERS\tvtfilter.sys
0xF5BE6000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xA4BB4000 \SystemRoot\System32\DLA\DLADResN.SYS
0x9C65A000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xA4ED7000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0x9F264000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0x9E120000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0x9C642000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0x9C62C000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0x9CDA8000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xF519E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF519A000 \SystemRoot\system32\DRIVERS\s24trans.sys
0x9C5B0000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9CD78000 \SystemRoot\system32\DRIVERS\PROCDD.SYS
0x9C4F7000 \SystemRoot\System32\Drivers\HTTP.sys
0x9C554000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0x9E40A000 \??\C:\WINDOWS\System32\drivers\pmemnt.sys
0x9C400000 \SystemRoot\system32\DRIVERS\srv.sys
0x9C323000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9C25000 \SystemRoot\system32\drivers\sysaudio.sys
0x9B302000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 79):
0 System Idle Process
4 System
1340 C:\WINDOWS\system32\smss.exe
1392 csrss.exe
1420 C:\WINDOWS\system32\winlogon.exe
1464 C:\WINDOWS\system32\services.exe
1476 C:\WINDOWS\system32\lsass.exe
1672 C:\WINDOWS\system32\ibmpmsvc.exe
1704 C:\WINDOWS\system32\svchost.exe
1788 svchost.exe
1984 C:\WINDOWS\system32\svchost.exe
2024 C:\WINDOWS\system32\svchost.exe
244 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
488 svchost.exe
656 svchost.exe
764 C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
1268 C:\WINDOWS\system32\spoolsv.exe
1380 svchost.exe
1552 C:\WINDOWS\system32\IPSSVC.EXE
1776 C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
1920 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
272 C:\WINDOWS\system32\svchost.exe
296 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
652 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
932 C:\WINDOWS\system32\svchost.exe
960 C:\Program Files\Lenovo\System Update\SUService.exe
1044 C:\WINDOWS\explorer.exe
380 C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
976 C:\WINDOWS\system32\svchost.exe
1104 C:\WINDOWS\system32\TPHDEXLG.exe
1240 C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
804 C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
1844 C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
1872 C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
2064 C:\WINDOWS\system32\ZuneBusEnum.exe
2120 C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
2240 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
2248 wmpnetwk.exe
2452 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2532 C:\WINDOWS\system32\rundll32.exe
2592 C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
2628 C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
2752 C:\WINDOWS\system32\TpShocks.exe
2812 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
2936 C:\Program Files\Analog Devices\Core\smax4pnp.exe
2952 C:\WINDOWS\system32\svchost.exe
3060 C:\WINDOWS\system32\hkcmd.exe
3072 C:\WINDOWS\system32\igfxpers.exe
3260 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
3340 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
3400 C:\Program Files\Common Files\Installshield\UpdateService\issch.exe
3412 C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
3436 C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
3444 C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.EXE
3492 C:\Program Files\ThinkVantage\AMSG\Amsg.exe
3504 C:\WINDOWS\system32\igfxsrvc.exe
3512 C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
3520 C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
3552 alg.exe
3568 C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
3640 C:\Program Files\Lenovo\ZOOM\TpScrex.exe
3692 C:\Program Files\Zune\ZuneLauncher.exe
3764 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
4084 C:\Program Files\Windows Media Player\wmpnscfg.exe
612 C:\Program Files\RocketDock\RocketDock.exe
2192 C:\Program Files\Pando Networks\Media Booster\PMB.exe
2300 C:\WINDOWS\system32\ctfmon.exe
2648 C:\Program Files\Digital Line Detect\DLG.exe
2696 C:\Program Files\Rainmeter\Rainmeter.exe
2964 C:\Program Files\OpenOffice.org 3\program\soffice.exe
3068 C:\Program Files\OpenOffice.org 3\program\soffice.bin
3008 C:\Program Files\Styler\Styler.exe
2228 C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
2536 C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
1532 iexplore.exe
1300 C:\Program Files\Internet Explorer\iexplore.exe
2712 C:\Program Files\Mozilla Firefox\firefox.exe
2560 C:\WINDOWS\system32\notepad.exe
3796 C:\Documents and Settings\Mike\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HITACHIHTS541612J9SA00, Rev: SBDIC7JP

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 680C3DFB3AF5C02B7E098CA7B25CA73D63745DC5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


The problem hasn't really stopped or gotten better. Thanks for your help.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:27 AM

Posted 02 August 2010 - 04:47 PM

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When program ask you Enter your choice: enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  • when asked Do you want to fix the MRB code? type in YES and press enter
  • Restart your PC.


After you restart the PC
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. report from MBRcheck
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 chamished

chamished
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 02 August 2010 - 06:03 PM

Here are the new logs



MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 159):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF79AB000 \WINDOWS\system32\KDCOM.DLL
0xF78BB000 \WINDOWS\system32\BOOTVID.dll
0xF745C000 ACPI.sys
0xF79AD000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF744B000 pci.sys
0xF74AB000 isapnp.sys
0xF78BF000 compbatt.sys
0xF78C3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A73000 pciide.sys
0xF772B000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF742D000 pcmcia.sys
0xF74BB000 MountMgr.sys
0xF740E000 ftdisk.sys
0xF79AF000 dmload.sys
0xF73E8000 dmio.sys
0xF7733000 PartMgr.sys
0xF78C7000 ACPIEC.sys
0xF7A74000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF74CB000 VolSnap.sys
0xF73D0000 atapi.sys
0xF7312000 iaStor.sys
0xF74DB000 disk.sys
0xF74EB000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF72F2000 fltMgr.sys
0xF72E0000 sr.sys
0xF72CA000 DRVMCDB.SYS
0xF74FB000 PxHelp20.sys
0xF72B3000 KSecDD.sys
0xF729C000 WudfPf.sys
0xF720F000 Ntfs.sys
0xF71E2000 NDIS.sys
0xF71C6000 Apsx86.sys
0xF773B000 ApsHM86.sys
0xF7743000 risdptsk.sys
0xF750B000 ohci1394.sys
0xF751B000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF71AB000 Mup.sys
0xF764B000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF757B000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF5593000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF557F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF553E000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xF784B000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF551A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7853000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF54F5000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF52DA000 \SystemRoot\system32\DRIVERS\NETw4x32.sys
0xF758B000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xF52C6000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xF5275000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xF759B000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF785B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF5249000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7A03000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7863000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF786B000 \SystemRoot\system32\DRIVERS\atmeltpm.sys
0xF7993000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7997000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
0xF75AB000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7A0B000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF75BB000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF75CB000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF5226000 \SystemRoot\system32\DRIVERS\ks.sys
0xF79A3000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7873000 \SystemRoot\system32\DRIVERS\tvtpktfilter.sys
0xF7B73000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF75DB000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7187000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF520F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF75EB000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF75FB000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF787B000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF51FE000 \SystemRoot\system32\DRIVERS\psched.sys
0xF5E83000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7883000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF788B000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF51CD000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF5E73000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7893000 \SystemRoot\system32\DRIVERS\psadd.sys
0xF789B000 \SystemRoot\system32\DRIVERS\Tvti2c.sys
0xF7A0D000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5174000 \SystemRoot\system32\DRIVERS\update.sys
0xF716F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF5E43000 \SystemRoot\system32\DRIVERS\zumbus.sys
0xF5E33000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF5103000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF5E13000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA6C8B000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA5C56000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xA5C34000 \SystemRoot\system32\drivers\portcls.sys
0xA69E4000 \SystemRoot\system32\drivers\drmk.sys
0xA5B7C000 \SystemRoot\system32\drivers\AEAudio.sys
0xA5B48000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xA5A56000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xA59A3000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xA9167000 \SystemRoot\System32\Drivers\Modem.SYS
0xF79B3000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79B5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA6EBA000 \SystemRoot\System32\Drivers\Null.SYS
0xF79B7000 \SystemRoot\System32\Drivers\Beep.SYS
0xA9157000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xA7D45000 \SystemRoot\System32\drivers\vga.sys
0xF79B9000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79BB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA7D3D000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA7D35000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA9AA9000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA58E4000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA588B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA5863000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA5842000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA5820000 \SystemRoot\System32\drivers\afd.sys
0xA69A4000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA6994000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA6964000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA7D2D000 \SystemRoot\System32\drivers\TSMAPIP.SYS
0xA7D25000 \SystemRoot\System32\drivers\Tppwrif.sys
0xA7D1D000 \SystemRoot\system32\DRIVERS\TPHKDRV.sys
0xA57D5000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA6954000 \??\C:\WINDOWS\system32\drivers\oreans32.sys
0xA573E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF79BD000 \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
0xA630F000 \SystemRoot\System32\Drivers\Fips.SYS
0xA86AB000 \SystemRoot\System32\drivers\ANC.SYS
0x9D42A000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9BC54000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x9C2E7000 \SystemRoot\System32\drivers\Dxapi.sys
0x9C577000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xA54B6000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1D8000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF68C1000 \SystemRoot\system32\DRIVERS\tvtfilter.sys
0xF68B1000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xF7AEE000 \SystemRoot\System32\DLA\DLADResN.SYS
0x9BC3E000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xF5B0B000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0x9D778000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0x9C54F000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0x9BC26000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0x9BC10000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0x9C108000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xA1457000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9DBB5000 \SystemRoot\system32\DRIVERS\s24trans.sys
0x9BB6C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9C0D8000 \SystemRoot\system32\DRIVERS\PROCDD.SYS
0x9BADB000 \SystemRoot\System32\Drivers\HTTP.sys
0x9BB34000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA45DB000 \??\C:\WINDOWS\System32\drivers\pmemnt.sys
0x9BA0C000 \SystemRoot\system32\DRIVERS\srv.sys
0x9B92F000 \SystemRoot\system32\drivers\wdmaud.sys
0x9D44A000 \SystemRoot\system32\drivers\sysaudio.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 80):
0 System Idle Process
4 System
1344 C:\WINDOWS\system32\smss.exe
1396 csrss.exe
1420 C:\WINDOWS\system32\winlogon.exe
1464 C:\WINDOWS\system32\services.exe
1476 C:\WINDOWS\system32\lsass.exe
1672 C:\WINDOWS\system32\ibmpmsvc.exe
1700 C:\WINDOWS\system32\svchost.exe
1788 svchost.exe
1984 C:\WINDOWS\system32\svchost.exe
2024 C:\WINDOWS\system32\svchost.exe
356 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
556 svchost.exe
760 svchost.exe
772 C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
1308 C:\WINDOWS\system32\spoolsv.exe
1480 svchost.exe
1772 C:\WINDOWS\system32\IPSSVC.EXE
1836 C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
1912 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
2008 C:\WINDOWS\system32\svchost.exe
2036 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
408 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
748 C:\WINDOWS\system32\svchost.exe
920 C:\Program Files\Lenovo\System Update\SUService.exe
1100 C:\WINDOWS\explorer.exe
1896 C:\WINDOWS\system32\svchost.exe
1840 C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
2060 C:\WINDOWS\system32\TPHDEXLG.exe
2388 C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
2432 C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
2464 C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
2488 C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
2528 C:\WINDOWS\system32\ZuneBusEnum.exe
2620 C:\WINDOWS\system32\wuauclt.exe
2636 C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
2824 wmpnetwk.exe
2832 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
3092 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3164 C:\WINDOWS\system32\rundll32.exe
3220 C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
3240 C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
3256 C:\WINDOWS\system32\TpShocks.exe
3268 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE
3340 C:\Program Files\Analog Devices\Core\smax4pnp.exe
3380 C:\WINDOWS\system32\hkcmd.exe
3396 C:\WINDOWS\system32\igfxpers.exe
3476 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
3496 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
3508 C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
3516 C:\Program Files\Common Files\Installshield\UpdateService\issch.exe
3684 C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.EXE
3768 C:\Program Files\ThinkVantage\AMSG\Amsg.exe
3832 C:\WINDOWS\system32\igfxsrvc.exe
3844 C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
3852 C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
3928 C:\WINDOWS\system32\svchost.exe
456 C:\Program Files\Zune\ZuneLauncher.exe
852 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
1316 C:\Program Files\Windows Media Player\wmpnscfg.exe
932 wmiprvse.exe
1000 C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
536 C:\Program Files\RocketDock\RocketDock.exe
388 alg.exe
1168 C:\Program Files\Pando Networks\Media Booster\PMB.exe
1176 C:\Program Files\Lenovo\ZOOM\TpScrex.exe
1244 C:\WINDOWS\system32\ctfmon.exe
2240 C:\Program Files\Digital Line Detect\DLG.exe
2700 C:\Program Files\Rainmeter\Rainmeter.exe
3124 C:\Program Files\OpenOffice.org 3\program\soffice.exe
3444 C:\Program Files\OpenOffice.org 3\program\soffice.bin
4004 C:\Program Files\Styler\Styler.exe
2988 C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
3044 C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
1096 C:\WINDOWS\system32\notepad.exe
2776 iexplore.exe
876 C:\Program Files\Internet Explorer\iexplore.exe
3052 C:\Program Files\Internet Explorer\iexplore.exe
1080 C:\Documents and Settings\Mike\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HITACHIHTS541612J9SA00, Rev: SBDIC7JP

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 680C3DFB3AF5C02B7E098CA7B25CA73D63745DC5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


ComboFix 10-08-02.01 - Mike 08/02/2010 18:51:44.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.982.510 [GMT -4:00]
Running from: c:\documents and settings\Mike\My Documents\Apps\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mike\Recent\Thumbs.db

.
MBR is infected with the Whistler Bootkit !!

((((((((((((((((((((((((( Files Created from 2010-07-02 to 2010-08-02 )))))))))))))))))))))))))))))))
.

2010-07-22 19:45 . 2010-08-02 04:16 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-07-13 20:04 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 03:10 . 2010-07-11 03:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-11 03:02 . 2010-07-11 03:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-11 01:27 . 2010-07-11 01:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-11 01:17 . 2010-07-11 01:17 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-09 18:30 . 2010-07-09 18:30 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 21:51 . 2010-03-26 01:01 1 ----a-w- c:\documents and settings\Mike\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-27 23:09 . 2010-01-30 20:05 -------- d-----w- c:\program files\Bizarro
2010-07-23 17:46 . 2010-02-19 17:53 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-07-20 01:48 . 2010-02-27 20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-16 21:18 . 2009-12-29 04:56 -------- d-----w- c:\program files\Common Files\Java
2010-07-09 18:30 . 2009-12-31 02:20 -------- d-----w- c:\program files\CDisplay
2010-07-08 22:16 . 2010-01-16 18:35 -------- d-----w- c:\documents and settings\Mike\Application Data\uTorrent
2010-07-01 03:34 . 2010-06-11 05:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-14 14:30 . 2006-04-30 07:10 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-23 18:35 . 2010-05-23 18:35 503808 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f5122f8-n\msvcp71.dll
2010-05-23 18:35 . 2010-05-23 18:35 499712 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f5122f8-n\jmc.dll
2010-05-23 18:35 . 2010-05-23 18:35 348160 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f5122f8-n\msvcr71.dll
2010-05-23 18:35 . 2010-05-23 18:35 61440 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6323bfff-n\decora-sse.dll
2010-05-23 18:35 . 2010-05-23 18:35 12800 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6323bfff-n\decora-d3d.dll
2010-05-15 17:39 . 2009-12-29 04:34 450896 ----a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-14 02:23 . 2010-05-14 02:37 17680 ----a-w- c:\windows\Fonts\PAGAP___.FON
2010-05-06 10:41 . 2006-04-30 06:56 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-11_03.20.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-26 00:48 . 2005-11-10 19:27 49250 c:\windows\system32\javaw.exe
+ 2010-03-26 00:48 . 2005-11-10 19:27 49248 c:\windows\system32\java.exe
- 2010-02-27 20:53 . 2010-01-07 21:07 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2010-02-27 20:53 . 2010-04-29 19:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2010-02-27 20:53 . 2010-04-29 19:39 20952 c:\windows\system32\drivers\mbam.sys
- 2010-07-11 01:27 . 2010-07-11 03:06 16384 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2010-07-11 01:27 . 2010-07-27 03:35 16384 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
- 2009-12-29 05:14 . 2010-07-11 03:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-29 05:14 . 2010-08-02 22:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-29 05:14 . 2010-07-11 03:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-29 05:14 . 2010-08-02 22:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-12-29 05:24 . 2010-07-11 03:06 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-12-29 05:24 . 2010-07-27 03:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-12-29 05:14 . 2010-08-02 22:43 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-12-29 05:14 . 2010-07-11 03:19 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 7680 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{FD66AC26-992F-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FD66AC29-992F-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FD66AC27-992F-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0574FE4D-9930-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0574FE4C-9930-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0574FE4B-9930-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0574FE3C-9930-11DF-B643-0013E852B687}.dat
+ 2010-03-26 00:48 . 2005-11-10 21:03 127078 c:\windows\system32\javaws.exe
+ 2010-01-01 00:58 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-11 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-17 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-17 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TpShocks"="TpShocks.exe" [2007-03-30 181808]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-02-08 536576]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-28 221184]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

c:\documents and settings\Mike\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
Styler.lnk - c:\documents and settings\Mike\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2010-1-23 15086]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-12-29 50688]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2009-11-1 119296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bizarro\\DCPlusPlus.exe"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"c:\\Program Files\\MediaMonkey\\MediaMonkey.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Nexon\\Combat Arms\\Engine.exe"=
"c:\\Program Files\\Beat Hazard\\BeatHazard.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56199:TCP"= 56199:TCP:Pando Media Booster
"56199:UDP"= 56199:UDP:Pando Media Booster

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 9:47 PM 19760]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [4/17/2010 4:43 PM 33824]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 5:11 PM 569344]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [10/9/2009 9:07 AM 493248]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [9/13/2006 4:42 PM 35264]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/18/2010 2:22 PM 716272]
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-12-29 16:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\d5whm8nf.default\
FF - prefs.js: browser.startup.homepage - hxxp://scoute.org/blog/?p=238#more-238
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-02 18:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,80,73,f0,0b,8b,0e,45,88,4d,d1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,80,73,f0,0b,8b,0e,45,88,4d,d1,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1420)
c:\program files\Lenovo\HOTKEY\tphklock.dll
.
Completion time: 2010-08-02 19:00:16
ComboFix-quarantined-files.txt 2010-08-02 23:00
ComboFix2.txt 2010-07-11 03:25

Pre-Run: 17,703,612,416 bytes free
Post-Run: 18,193,735,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E2F39F9C1723419B492B93C5C4DCD540



It's weird, because when combofix had finished running, and was preparing a log report, a window opened up asking me if I wanted to make Internetexplorer my default browser, which it isn't. Also, I now have a IE icon on my desktop, the problems with the muting and clicking still exist though.

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:27 AM

Posted 02 August 2010 - 06:40 PM

Hello

please delete combofix and download this new one from >here< run the program and send me the new log please


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 chamished

chamished
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 02 August 2010 - 07:18 PM

ComboFix 10-07-31.01 - Mike 08/02/2010 20:07:30.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.982.655 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\wCFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-07-22 19:45 . 2010-08-02 04:16 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-07-13 20:04 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 03:10 . 2010-07-11 03:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-11 03:02 . 2010-07-11 03:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-11 01:27 . 2010-07-11 01:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-11 01:17 . 2010-07-11 01:17 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-09 18:30 . 2010-07-09 18:30 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 21:51 . 2010-03-26 01:01 1 ----a-w- c:\documents and settings\Mike\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-27 23:09 . 2010-01-30 20:05 -------- d-----w- c:\program files\Bizarro
2010-07-23 17:46 . 2010-02-19 17:53 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-07-20 01:48 . 2010-02-27 20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-16 21:18 . 2009-12-29 04:56 -------- d-----w- c:\program files\Common Files\Java
2010-07-09 18:30 . 2009-12-31 02:20 -------- d-----w- c:\program files\CDisplay
2010-07-08 22:16 . 2010-01-16 18:35 -------- d-----w- c:\documents and settings\Mike\Application Data\uTorrent
2010-07-01 03:34 . 2010-06-11 05:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-14 14:30 . 2006-04-30 07:10 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-23 18:35 . 2010-05-23 18:35 503808 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f5122f8-n\msvcp71.dll
2010-05-23 18:35 . 2010-05-23 18:35 499712 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f5122f8-n\jmc.dll
2010-05-23 18:35 . 2010-05-23 18:35 348160 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f5122f8-n\msvcr71.dll
2010-05-23 18:35 . 2010-05-23 18:35 61440 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6323bfff-n\decora-sse.dll
2010-05-23 18:35 . 2010-05-23 18:35 12800 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6323bfff-n\decora-d3d.dll
2010-05-15 17:39 . 2009-12-29 04:34 450896 ----a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-14 02:23 . 2010-05-14 02:37 17680 ----a-w- c:\windows\Fonts\PAGAP___.FON
2010-05-06 10:41 . 2006-04-30 06:56 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-11_03.20.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-26 00:48 . 2005-11-10 19:27 49250 c:\windows\system32\javaw.exe
+ 2010-03-26 00:48 . 2005-11-10 19:27 49248 c:\windows\system32\java.exe
- 2010-02-27 20:53 . 2010-01-07 21:07 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2010-02-27 20:53 . 2010-04-29 19:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2010-02-27 20:53 . 2010-04-29 19:39 20952 c:\windows\system32\drivers\mbam.sys
- 2010-07-11 01:27 . 2010-07-11 03:06 16384 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2010-07-11 01:27 . 2010-07-27 03:35 16384 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
- 2009-12-29 05:14 . 2010-07-11 03:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-29 05:14 . 2010-08-02 23:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-29 05:14 . 2010-07-11 03:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-29 05:14 . 2010-08-02 23:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-12-29 05:24 . 2010-07-11 03:06 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-12-29 05:24 . 2010-07-27 03:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-12-29 05:14 . 2010-08-02 23:51 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-12-29 05:14 . 2010-07-11 03:19 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 7680 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{FD66AC26-992F-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FD66AC29-992F-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FD66AC27-992F-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0574FE4D-9930-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0574FE4C-9930-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0574FE4B-9930-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0574FE3C-9930-11DF-B643-0013E852B687}.dat
+ 2010-03-26 00:48 . 2005-11-10 21:03 127078 c:\windows\system32\javaws.exe
+ 2010-01-01 00:58 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-11 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-17 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-17 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TpShocks"="TpShocks.exe" [2007-03-30 181808]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-02-08 536576]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-28 221184]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

c:\documents and settings\Mike\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
Styler.lnk - c:\documents and settings\Mike\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2010-1-23 15086]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-12-29 50688]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2009-11-1 119296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bizarro\\DCPlusPlus.exe"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"c:\\Program Files\\MediaMonkey\\MediaMonkey.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Nexon\\Combat Arms\\Engine.exe"=
"c:\\Program Files\\Beat Hazard\\BeatHazard.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56199:TCP"= 56199:TCP:Pando Media Booster
"56199:UDP"= 56199:UDP:Pando Media Booster

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 9:47 PM 19760]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [4/17/2010 4:43 PM 33824]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 5:11 PM 569344]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [10/9/2009 9:07 AM 493248]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [9/13/2006 4:42 PM 35264]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/18/2010 2:22 PM 716272]
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-12-29 16:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\d5whm8nf.default\
FF - prefs.js: browser.startup.homepage - hxxp://scoute.org/blog/?p=238#more-238
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-02 20:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,80,73,f0,0b,8b,0e,45,88,4d,d1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,80,73,f0,0b,8b,0e,45,88,4d,d1,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1416)
c:\program files\Lenovo\HOTKEY\tphklock.dll
.
Completion time: 2010-08-02 20:16:25
ComboFix-quarantined-files.txt 2010-08-03 00:16
ComboFix2.txt 2010-08-02 23:00
ComboFix3.txt 2010-07-11 03:25

Pre-Run: 18,187,509,760 bytes free
Post-Run: 18,189,983,744 bytes free

- - End Of File - - 02D668497CA2DE300F499F747DC4641D


Is the Whistler Bootkit hard to get rid of?

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:27 AM

Posted 02 August 2010 - 10:30 PM

Greetings

Is the Whistler Bootkit hard to get rid of?
It can be but we have removed it.

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 chamished

chamished
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 02 August 2010 - 11:46 PM

ComboFix 10-07-31.01 - Mike 08/02/2010 23:55:36.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.982.335 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\wCFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-07-22 19:45 . 2010-08-02 04:16 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-07-13 20:04 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 03:10 . 2010-07-11 03:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-11 03:02 . 2010-07-11 03:02 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-11 01:27 . 2010-07-11 01:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-11 01:17 . 2010-07-11 01:17 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-09 18:30 . 2010-07-09 18:30 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 21:51 . 2010-03-26 01:01 1 ----a-w- c:\documents and settings\Mike\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-27 23:09 . 2010-01-30 20:05 -------- d-----w- c:\program files\Bizarro
2010-07-23 17:46 . 2010-02-19 17:53 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-07-20 01:48 . 2010-02-27 20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-16 21:18 . 2009-12-29 04:56 -------- d-----w- c:\program files\Common Files\Java
2010-07-09 18:30 . 2009-12-31 02:20 -------- d-----w- c:\program files\CDisplay
2010-07-08 22:16 . 2010-01-16 18:35 -------- d-----w- c:\documents and settings\Mike\Application Data\uTorrent
2010-07-01 03:34 . 2010-06-11 05:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-14 14:30 . 2006-04-30 07:10 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-23 18:35 . 2010-05-23 18:35 503808 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f5122f8-n\msvcp71.dll
2010-05-23 18:35 . 2010-05-23 18:35 499712 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f5122f8-n\jmc.dll
2010-05-23 18:35 . 2010-05-23 18:35 348160 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f5122f8-n\msvcr71.dll
2010-05-23 18:35 . 2010-05-23 18:35 61440 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6323bfff-n\decora-sse.dll
2010-05-23 18:35 . 2010-05-23 18:35 12800 ----a-w- c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6323bfff-n\decora-d3d.dll
2010-05-15 17:39 . 2009-12-29 04:34 450896 ----a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-14 02:23 . 2010-05-14 02:37 17680 ----a-w- c:\windows\Fonts\PAGAP___.FON
2010-05-06 10:41 . 2006-04-30 06:56 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-11_03.20.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-26 00:48 . 2005-11-10 19:27 49250 c:\windows\system32\javaw.exe
+ 2010-03-26 00:48 . 2005-11-10 19:27 49248 c:\windows\system32\java.exe
- 2010-02-27 20:53 . 2010-01-07 21:07 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2010-02-27 20:53 . 2010-04-29 19:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2010-02-27 20:53 . 2010-04-29 19:39 20952 c:\windows\system32\drivers\mbam.sys
+ 2010-07-11 01:27 . 2010-07-27 03:35 16384 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
- 2010-07-11 01:27 . 2010-07-11 03:06 16384 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
- 2009-12-29 05:14 . 2010-07-11 03:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-29 05:14 . 2010-08-02 23:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-29 05:14 . 2010-08-02 23:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-12-29 05:14 . 2010-07-11 03:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-29 05:24 . 2010-07-27 03:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-12-29 05:24 . 2010-07-11 03:06 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 7680 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{FD66AC26-992F-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FD66AC29-992F-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FD66AC27-992F-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0574FE4D-9930-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0574FE4C-9930-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0574FE4B-9930-11DF-B643-0013E852B687}.dat
+ 2010-07-27 03:35 . 2010-07-27 03:35 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0574FE3C-9930-11DF-B643-0013E852B687}.dat
+ 2010-03-26 00:48 . 2005-11-10 21:03 127078 c:\windows\system32\javaws.exe
+ 2010-01-01 00:58 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-11 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-17 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-17 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TpShocks"="TpShocks.exe" [2007-03-30 181808]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-02-08 536576]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-28 221184]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

c:\documents and settings\Mike\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
Styler.lnk - c:\documents and settings\Mike\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2010-1-23 15086]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-12-29 50688]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2009-11-1 119296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bizarro\\DCPlusPlus.exe"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"c:\\Program Files\\MediaMonkey\\MediaMonkey.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Nexon\\Combat Arms\\Engine.exe"=
"c:\\Program Files\\Beat Hazard\\BeatHazard.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56199:TCP"= 56199:TCP:Pando Media Booster
"56199:UDP"= 56199:UDP:Pando Media Booster

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 9:47 PM 19760]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [4/17/2010 4:43 PM 33824]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 5:11 PM 569344]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [10/9/2009 9:07 AM 493248]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [9/13/2006 4:42 PM 35264]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/18/2010 2:22 PM 716272]
.
Contents of the 'Scheduled Tasks' folder

2010-08-03 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-12-29 16:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\d5whm8nf.default\
FF - prefs.js: browser.startup.homepage - hxxp://scoute.org/blog/?p=238#more-238
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 00:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Mike\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,80,73,f0,0b,8b,0e,45,88,4d,d1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,80,73,f0,0b,8b,0e,45,88,4d,d1,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1396)
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'explorer.exe'(1424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-03 00:05:28
ComboFix-quarantined-files.txt 2010-08-03 04:05
ComboFix2.txt 2010-08-03 00:16
ComboFix3.txt 2010-08-02 23:00
ComboFix4.txt 2010-07-11 03:25

Pre-Run: 18,180,923,392 bytes free
Post-Run: 18,170,224,640 bytes free

- - End Of File - - 63D1D8FFF6AF54BA92A959DA557B5600

It seems like things are better. I don't experience the same problems at least.

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:27 AM

Posted 02 August 2010 - 11:56 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.


These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 8
    J2SE Runtime Environment 5.0 Update 6


    and click on remove

Update Adobe Reader
    Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader(3.5MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.

Your Java is out of date.

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 20 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 21 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u21 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis
  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. report from Hijackthis
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 chamished

chamished
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 03 August 2010 - 03:11 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4386

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

8/3/2010 3:56:06 PM
mbam-log-2010-08-03 (15-56-06).txt

Scan type: Quick scan
Objects scanned: 137024
Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:08:43 PM, on 8/3/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MediaMonkey\MediaMonkey.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

--
End of file - 9588 bytes


Everything seems to be going well. However, I wasn't able to carry out your entire malware bytes directions because I never received the prompt to remove anything.
I think it's fixed. Thank you.


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:27 AM

Posted 03 August 2010 - 03:43 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):
      O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
      O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
      O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
      O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
      O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
      O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
      O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
      O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
      O4 - Startup: Styler.lnk = ?
      O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
      O4 - Global Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brakets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan

Go Eset web page to run an online scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Report from ESET
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 chamished

chamished
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 06 August 2010 - 02:06 AM

Sorry for the late reply. Was without internet for awhile.

Here's the ESET log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d3792055fc830844af467ae74c25674b
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-08-06 05:58:45
# local_time=2010-08-06 01:58:45 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 117178 117178 0 0
# compatibility_mode=768 16777215 100 0 18090501 18090501 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=98277
# found=2
# cleaned=0
# scan_time=4666
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP146\A0085034.exe a variant of Win32/Kryptik.DHM trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP146\A0085035.exe Win32/Adware.Toolbar.Shopper application 00000000000000000000000000000000 I


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:27 AM

Posted 06 August 2010 - 03:00 AM

Hello

The Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:
    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes
This will remove all restore points except the new one you just created and clean unneeded files

:Make your Internet Explorer more secure:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.

:Make Firefox more secure:

:Turn On Automatic Updates:
    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

please read this great article by miekiemoes How to prevent Malware:

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here:

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:27 AM

Posted 10 August 2010 - 04:08 AM

Since the issue is resolved, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users