
boot.tidserv infection



#1 feivel

Posted 02 August 2011 - 02:45 PM

Lenovo computer

Windows 7 Home 64-bit

i5 CPU

8 GB RAM

2 internal hard drives, 1 external eSATA HD

Comcast cable with a Wi-Fi D-Link router

Windows Firewall enabled

The computer is only a few days old.

I have done little internet surfing, didn't even check my email.

Downloaded a few well-known programs.

Norton AV 2011 finds "boot.tidserv" but is unable to remove it.

Ran Norton from a CD; it finds it but is still unable to remove it.

The Norton website had a program specifically for this virus; I ran it, and it did not recognize any threats.

Ran a Malwarebytes full scan on all my drives; it did not detect any threats.

My computer seems to be running normally.

It really seems to me that this is a false positive by Norton; however, I am concerned because I can't find any other instances of a false positive for this threat on the Symantec website, searching Norton forums, or the net (Google).


DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by feivel at 14:38:52 on 2011-08-02
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8175.6657 [GMT -5:00]
.
AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\SysWOW64\UMonit.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\jmesoft\hotkey.exe
C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Internet Content Filter\UpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Internet Content Filter\SafeEyes.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://lenovo.msn.com
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB: Safe &Eyes Toolbar: {430ddb4f-38cc-4e91-af33-4157334ec937} - C:\Program Files (x86)\Internet Content Filter\setoolbar.dll
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe
mRun: [SAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
mRun: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mRun: [ICF] "C:\Program Files (x86)\Internet Content Filter\SafeEyes.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: C:\Windows\System32\icf.dll
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{668A0E46-0B9F-42EB-9DD5-7B0CCFE7C034} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: Safe &Eyes Toolbar: {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files (x86)\Internet Content Filter\setoolbar.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe
mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun-x64: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe
mRun-x64: [SAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
mRun-x64: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mRun-x64: [ICF] "C:\Program Files (x86)\Internet Content Filter\SafeEyes.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\feivel\AppData\Roaming\Mozilla\Firefox\Profiles\2btjijj5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\windows\system32\Drivers\PxHlpa64.sys --> C:\windows\system32\Drivers\PxHlpa64.sys [?]
R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS [?]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);C:\windows\system32\DRIVERS\tdrpm273.sys --> C:\windows\system32\DRIVERS\tdrpm273.sys [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20100810.004\BHDrvx64.sys [2011-8-1 945200]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110801.030\IDSviA64.sys [2011-8-2 488056]
R1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\Drivers\NAVx64\1206000.01D\SYMNETS.SYS --> C:\windows\system32\Drivers\NAVx64\1206000.01D\SYMNETS.SYS [?]
R2 afcdpsrv;Acronis Nonstop Backup Service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2011-7-31 3246040]
R2 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service;C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [2010-8-30 96752]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-12-18 13336]
R2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccsvchst.exe [2011-8-1 130008]
R2 seUpdateSvc;Safe Eyes Update Service;C:\Program Files (x86)\Internet Content Filter\UpdateService.exe [2011-7-31 287232]
R3 afcdp;afcdp;C:\windows\system32\DRIVERS\afcdp.sys --> C:\windows\system32\DRIVERS\afcdp.sys [?]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\windows\system32\DRIVERS\e1c62x64.sys --> C:\windows\system32\DRIVERS\e1c62x64.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 USTOR2K;USB Mass Storage Windows Driver;C:\windows\system32\DRIVERS\ustor2k.sys --> C:\windows\system32\DRIVERS\ustor2k.sys [?]
S3 Revoflt;Revoflt;C:\windows\system32\DRIVERS\revoflt.sys --> C:\windows\system32\DRIVERS\revoflt.sys [?]
S3 RTL8023x64;Realtek 10/100 NIC Family NDIS x64 Driver;C:\windows\system32\DRIVERS\Rtnic64.sys --> C:\windows\system32\DRIVERS\Rtnic64.sys [?]
S3 wsvd;wsvd;C:\windows\system32\DRIVERS\wsvd.sys --> C:\windows\system32\DRIVERS\wsvd.sys [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-08-02 03:08:31 912504 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\symefa64.sys
2011-08-02 03:08:31 744568 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\srtsp64.sys
2011-08-02 03:08:31 450680 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\symds64.sys
2011-08-02 03:08:31 40568 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\srtspx64.sys
2011-08-02 03:08:31 382584 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\symnets.sys
2011-08-02 03:08:31 171128 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\ironx64.sys
2011-08-02 03:08:29 -------- d-----w- C:\windows\System32\drivers\NAVx64\1206000.01D
2011-08-02 03:05:51 174200 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS
2011-08-02 03:05:51 -------- d-----w- C:\Program Files\Symantec
2011-08-02 03:05:51 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2011-08-02 03:05:37 -------- d-----w- C:\windows\System32\drivers\NAVx64
2011-08-02 03:05:35 -------- d-----w- C:\Program Files (x86)\Norton AntiVirus
2011-08-02 00:51:34 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2011-08-02 00:36:37 -------- d-----w- C:\Users\feivel\AppData\Roaming\Malwarebytes
2011-08-02 00:36:30 41272 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-08-02 00:36:30 -------- d-----w- C:\ProgramData\Malwarebytes
2011-08-02 00:36:27 25912 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-08-02 00:36:27 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-08-02 00:08:56 -------- d-----w- C:\ProgramData\Norton
2011-08-02 00:07:26 -------- d-----w- C:\ProgramData\NortonInstaller
2011-08-02 00:07:26 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2011-08-01 19:27:45 -------- d-----w- C:\Users\feivel\AppData\Local\Microsoft Games
2011-08-01 00:16:17 411864 ----a-w- C:\windows\System32\seinst.dll
2011-08-01 00:16:17 392408 ----a-w- C:\windows\sediag.exe
2011-08-01 00:16:17 320216 ----a-w- C:\windows\SysWow64\seinst.dll
2011-08-01 00:16:17 304336 ----a-w- C:\windows\SysWow64\ICF.dll
2011-08-01 00:16:17 189952 ----a-w- C:\windows\SERecat.exe
2011-08-01 00:16:17 -------- d-----w- C:\Program Files (x86)\Internet Content Filter
2011-08-01 00:16:14 344272 ----a-w- C:\windows\System32\ICF.dll
2011-07-31 22:34:57 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{28E27539-2B3A-477B-A3B9-0A9AB3AD563F}\mpengine.dll
2011-07-31 22:34:57 270720 ------w- C:\windows\System32\MpSigStub.exe
2011-07-31 22:13:16 -------- d-----w- C:\Users\feivel\AppData\Local\VS Revo Group
2011-07-31 22:13:14 31800 ----a-w- C:\windows\System32\drivers\revoflt.sys
2011-07-31 22:13:14 -------- d-----w- C:\Program Files\VS Revo Group
2011-07-31 22:10:44 404640 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-31 21:57:35 2784608 ----a-w- C:\windows\System32\auto_reactivate.exe
2011-07-31 21:57:28 -------- d-sh--r- C:\bootwiz
2011-07-31 21:53:20 285280 ----a-w- C:\windows\System32\drivers\afcdp.sys
2011-07-31 21:53:20 1263200 ----a-w- C:\windows\System32\drivers\tdrpm273.sys
2011-07-31 21:53:18 970336 ----a-w- C:\windows\System32\drivers\timntr.sys
2011-07-31 21:53:15 277088 ----a-w- C:\windows\System32\drivers\snapman.sys
2011-07-31 21:42:09 -------- d-----w- C:\Program Files (x86)\Common Files\Intel Corporation
2011-07-31 19:08:28 -------- d-----w- C:\Users\feivel\AppData\Local\Adobe
2011-07-31 17:49:35 -------- d-----w- C:\Users\feivel\AppData\Roaming\Intel Corporation
2011-07-31 17:49:34 -------- d-----w- C:\Users\feivel\AppData\Local\Lenovo
2011-07-31 17:49:30 -------- d-----w- C:\Users\feivel\AppData\Local\Power2Go
.
==================== Find3M ====================
.
.
============= FINISH: 14:39:13.13 ===============

Attached File: Attach.txt

I ran the Kaspersky antivirus tool while I'm waiting.
It found something and removed it, although the name was not boot.tidserv.
I ran Norton again and it didn't find anything.
Here are the DDS files after I ran the tool.

DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by feivel at 18:00:26 on 2011-08-02
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8175.6413 [GMT -5:00]
.
AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\SysWOW64\UMonit.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\jmesoft\hotkey.exe
C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Internet Content Filter\UpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Internet Content Filter\SafeEyes.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\vssvc.exe
C:\windows\System32\svchost.exe -k swprv
C:\windows\SysWOW64\NOTEPAD.EXE
C:\windows\SysWOW64\NOTEPAD.EXE
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://lenovo.msn.com
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB: Safe &Eyes Toolbar: {430ddb4f-38cc-4e91-af33-4157334ec937} - C:\Program Files (x86)\Internet Content Filter\setoolbar.dll
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe
mRun: [SAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
mRun: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mRun: [ICF] "C:\Program Files (x86)\Internet Content Filter\SafeEyes.exe"
mRunOnce: [GrpConv] grpconv -o
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: C:\Windows\System32\icf.dll
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{668A0E46-0B9F-42EB-9DD5-7B0CCFE7C034} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: Safe &Eyes Toolbar: {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files (x86)\Internet Content Filter\setoolbar.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe
mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun-x64: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe
mRun-x64: [SAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
mRun-x64: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mRun-x64: [ICF] "C:\Program Files (x86)\Internet Content Filter\SafeEyes.exe"
mRunOnce-x64: [GrpConv] grpconv -o
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\feivel\AppData\Roaming\Mozilla\Firefox\Profiles\2btjijj5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\windows\system32\Drivers\PxHlpa64.sys --> C:\windows\system32\Drivers\PxHlpa64.sys [?]
R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS [?]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);C:\windows\system32\DRIVERS\tdrpm273.sys --> C:\windows\system32\DRIVERS\tdrpm273.sys [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20100810.004\BHDrvx64.sys [2011-8-1 945200]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110801.030\IDSviA64.sys [2011-8-2 488056]
R1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\Drivers\NAVx64\1206000.01D\SYMNETS.SYS --> C:\windows\system32\Drivers\NAVx64\1206000.01D\SYMNETS.SYS [?]
R2 afcdpsrv;Acronis Nonstop Backup Service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2011-7-31 3246040]
R2 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service;C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [2010-8-30 96752]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-12-18 13336]
R2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccsvchst.exe [2011-8-1 130008]
R2 seUpdateSvc;Safe Eyes Update Service;C:\Program Files (x86)\Internet Content Filter\UpdateService.exe [2011-7-31 287232]
R3 afcdp;afcdp;C:\windows\system32\DRIVERS\afcdp.sys --> C:\windows\system32\DRIVERS\afcdp.sys [?]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\windows\system32\DRIVERS\e1c62x64.sys --> C:\windows\system32\DRIVERS\e1c62x64.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 USTOR2K;USB Mass Storage Windows Driver;C:\windows\system32\DRIVERS\ustor2k.sys --> C:\windows\system32\DRIVERS\ustor2k.sys [?]
RUnknown 39903043;39903043; [x]
RUnknown 57924567;57924567; [x]
RUnknown 9396086drv;9396086drv; [x]
S3 Revoflt;Revoflt;C:\windows\system32\DRIVERS\revoflt.sys --> C:\windows\system32\DRIVERS\revoflt.sys [?]
S3 RTL8023x64;Realtek 10/100 NIC Family NDIS x64 Driver;C:\windows\system32\DRIVERS\Rtnic64.sys --> C:\windows\system32\DRIVERS\Rtnic64.sys [?]
S3 wsvd;wsvd;C:\windows\system32\DRIVERS\wsvd.sys --> C:\windows\system32\DRIVERS\wsvd.sys [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-08-02 19:50:18 -------- d-----w- C:\ProgramData\Kaspersky Lab
2011-08-02 03:08:31 912504 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\symefa64.sys
2011-08-02 03:08:31 744568 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\srtsp64.sys
2011-08-02 03:08:31 450680 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\symds64.sys
2011-08-02 03:08:31 40568 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\srtspx64.sys
2011-08-02 03:08:31 382584 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\symnets.sys
2011-08-02 03:08:31 171128 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\ironx64.sys
2011-08-02 03:08:29 -------- d-----w- C:\windows\System32\drivers\NAVx64\1206000.01D
2011-08-02 03:05:51 174200 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS
2011-08-02 03:05:51 -------- d-----w- C:\Program Files\Symantec
2011-08-02 03:05:51 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2011-08-02 03:05:37 -------- d-----w- C:\windows\System32\drivers\NAVx64
2011-08-02 03:05:35 -------- d-----w- C:\Program Files (x86)\Norton AntiVirus
2011-08-02 00:51:34 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2011-08-02 00:36:37 -------- d-----w- C:\Users\feivel\AppData\Roaming\Malwarebytes
2011-08-02 00:36:30 41272 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-08-02 00:36:30 -------- d-----w- C:\ProgramData\Malwarebytes
2011-08-02 00:36:27 25912 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-08-02 00:36:27 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-08-02 00:08:56 -------- d-----w- C:\ProgramData\Norton
2011-08-02 00:07:26 -------- d-----w- C:\ProgramData\NortonInstaller
2011-08-02 00:07:26 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2011-08-01 19:27:45 -------- d-----w- C:\Users\feivel\AppData\Local\Microsoft Games
2011-08-01 00:16:17 411864 ----a-w- C:\windows\System32\seinst.dll
2011-08-01 00:16:17 392408 ----a-w- C:\windows\sediag.exe
2011-08-01 00:16:17 320216 ----a-w- C:\windows\SysWow64\seinst.dll
2011-08-01 00:16:17 304336 ----a-w- C:\windows\SysWow64\ICF.dll
2011-08-01 00:16:17 189952 ----a-w- C:\windows\SERecat.exe
2011-08-01 00:16:17 -------- d-----w- C:\Program Files (x86)\Internet Content Filter
2011-08-01 00:16:14 344272 ----a-w- C:\windows\System32\ICF.dll
2011-07-31 22:34:57 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{28E27539-2B3A-477B-A3B9-0A9AB3AD563F}\mpengine.dll
2011-07-31 22:34:57 270720 ------w- C:\windows\System32\MpSigStub.exe
2011-07-31 22:13:16 -------- d-----w- C:\Users\feivel\AppData\Local\VS Revo Group
2011-07-31 22:13:14 31800 ----a-w- C:\windows\System32\drivers\revoflt.sys
2011-07-31 22:13:14 -------- d-----w- C:\Program Files\VS Revo Group
2011-07-31 22:10:44 404640 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-31 21:57:35 2784608 ----a-w- C:\windows\System32\auto_reactivate.exe
2011-07-31 21:57:28 -------- d-sh--r- C:\bootwiz
2011-07-31 21:53:20 285280 ----a-w- C:\windows\System32\drivers\afcdp.sys
2011-07-31 21:53:20 1263200 ----a-w- C:\windows\System32\drivers\tdrpm273.sys
2011-07-31 21:53:18 970336 ----a-w- C:\windows\System32\drivers\timntr.sys
2011-07-31 21:53:15 277088 ----a-w- C:\windows\System32\drivers\snapman.sys
2011-07-31 21:42:09 -------- d-----w- C:\Program Files (x86)\Common Files\Intel Corporation
2011-07-31 19:08:28 -------- d-----w- C:\Users\feivel\AppData\Local\Adobe
2011-07-31 17:49:35 -------- d-----w- C:\Users\feivel\AppData\Roaming\Intel Corporation
2011-07-31 17:49:34 -------- d-----w- C:\Users\feivel\AppData\Local\Lenovo
2011-07-31 17:49:30 -------- d-----w- C:\Users\feivel\AppData\Local\Power2Go
.
==================== Find3M ====================
.
.
============= FINISH: 18:00:42.04 ===============


Attached File: Attach.txt

Another critical consideration!

I'm certain now that the infection came from some files I transferred from my old computer.
I placed them on an external drive and connected this external eSATA drive to my new computer.
All it contained were a lot of MP3 files, pictures and some documents. I transferred the data folder by folder; I didn't clone the disk or anything.
The computer guy whom I originally called to fix my old computer that wouldn't boot told me this exact same virus was on the old computer.
He couldn't remove it, so he formatted and reinstalled Windows and suggested I get a new computer (which I was ready for anyway).
He saved my important data on my new external drive (which I then connected to the new computer).

Anyway, even if Kaspersky removed the virus successfully, I'm afraid it might still be residing on my external drive (which I really, really don't want to erase).

If you guys tell me I still need to go through some steps with you, WILL IT CLEAN UP AND FIX ALL MY DRIVES?

Thank you so much

feivel

Sorry for the rambling.
I figure the more info you have, the fewer questions you will have to ask.


MOD EDIT: Merged 3 posts into 1...

Edited by boopme, 04 August 2011 - 01:46 PM.




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:48 AM

Posted 07 August 2011 - 03:20 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and will make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 feivel

feivel
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Local time:06:48 AM

Posted 07 August 2011 - 09:23 AM

I will do as you suggest right away,
but there are two things I need you to take into consideration before we go further than that.

1. I have this Lenovo computer.
It does not come with a Windows disk;
instead it has Windows saved in some form on the C drive and uses Lenovo's own proprietary program to fix or restore Windows,
so I won't be able to use the Windows Recovery Console,
which makes me nervous about using programs like ComboFix.

2. I don't really know about these things, but I have a strong feeling that I'm no longer infected (see my post above).
I ran Kaspersky's antivirus tool and it found something and removed it.
After that I ran
Norton
Kaspersky
Kaspersky's TDSSKiller
Malwarebytes
Spyware Doctor

They all reported "no threats found".

Thank you for responding

#4 feivel

feivel
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Local time:06:48 AM

Posted 07 August 2011 - 09:28 AM

DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by feivel at 9:26:42 on 2011-08-07
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8175.6885 [GMT -5:00]
.
AV: Norton AntiVirus *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\nvvsvc.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\SysWOW64\UMonit.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\jmesoft\hotkey.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://lenovo.msn.com
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe
mRun: [SAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
mRun: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{668A0E46-0B9F-42EB-9DD5-7B0CCFE7C034} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe
mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun-x64: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe
mRun-x64: [SAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
mRun-x64: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\feivel\AppData\Roaming\Mozilla\Firefox\Profiles\2btjijj5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\windows\system32\Drivers\PxHlpa64.sys --> C:\windows\system32\Drivers\PxHlpa64.sys [?]
R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS [?]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);C:\windows\system32\DRIVERS\tdrpm273.sys --> C:\windows\system32\DRIVERS\tdrpm273.sys [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110723.001\BHDrvx64.sys [2011-7-23 1151096]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110805.030\IDSviA64.sys [2011-8-6 488056]
R1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\Drivers\NAVx64\1206000.01D\SYMNETS.SYS --> C:\windows\system32\Drivers\NAVx64\1206000.01D\SYMNETS.SYS [?]
R2 afcdpsrv;Acronis Nonstop Backup Service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2011-7-31 3246040]
R2 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service;C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [2010-8-30 96752]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-12-18 13336]
R2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccsvchst.exe [2011-8-3 130008]
R3 afcdp;afcdp;C:\windows\system32\DRIVERS\afcdp.sys --> C:\windows\system32\DRIVERS\afcdp.sys [?]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\windows\system32\DRIVERS\e1c62x64.sys --> C:\windows\system32\DRIVERS\e1c62x64.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-8-5 136824]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 USTOR2K;USB Mass Storage Windows Driver;C:\windows\system32\DRIVERS\ustor2k.sys --> C:\windows\system32\DRIVERS\ustor2k.sys [?]
S3 Revoflt;Revoflt;C:\windows\system32\DRIVERS\revoflt.sys --> C:\windows\system32\DRIVERS\revoflt.sys [?]
S3 RTL8023x64;Realtek 10/100 NIC Family NDIS x64 Driver;C:\windows\system32\DRIVERS\Rtnic64.sys --> C:\windows\system32\DRIVERS\Rtnic64.sys [?]
S3 wsvd;wsvd;C:\windows\system32\DRIVERS\wsvd.sys --> C:\windows\system32\DRIVERS\wsvd.sys [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-08-03 21:20:55 -------- d-----w- C:\Program Files (x86)\Seagate
2011-08-03 14:08:30 912504 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\symefa64.sys
2011-08-03 14:08:30 744568 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\srtsp64.sys
2011-08-03 14:08:30 450680 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\symds64.sys
2011-08-03 14:08:30 40568 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\srtspx64.sys
2011-08-03 14:08:30 386168 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\symnets.sys
2011-08-03 14:08:30 171128 ----a-w- C:\windows\System32\drivers\NAVx64\1206000.01D\ironx64.sys
2011-08-03 14:08:27 -------- d-----w- C:\windows\System32\drivers\NAVx64\1206000.01D
2011-08-03 14:02:26 174200 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS
2011-08-03 14:02:26 -------- d-----w- C:\Program Files\Symantec
2011-08-03 14:02:26 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2011-08-03 14:02:14 -------- d-----w- C:\windows\System32\drivers\NAVx64
2011-08-03 14:02:12 -------- d-----w- C:\Program Files (x86)\Norton AntiVirus
2011-08-03 14:01:30 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2011-08-03 02:39:41 -------- d-----w- C:\ProgramData\PC Tools
2011-08-02 23:21:05 -------- d-----w- C:\Users\feivel\AppData\Local\CrashDumps
2011-08-02 19:50:18 -------- d-----w- C:\ProgramData\Kaspersky Lab
2011-08-02 00:51:34 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2011-08-02 00:36:37 -------- d-----w- C:\Users\feivel\AppData\Roaming\Malwarebytes
2011-08-02 00:36:30 41272 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-08-02 00:36:30 -------- d-----w- C:\ProgramData\Malwarebytes
2011-08-02 00:36:27 25912 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-08-02 00:36:27 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-08-02 00:08:56 -------- d-----w- C:\ProgramData\Norton
2011-08-02 00:07:26 -------- d-----w- C:\ProgramData\NortonInstaller
2011-08-01 19:27:45 -------- d-----w- C:\Users\feivel\AppData\Local\Microsoft Games
2011-08-01 00:16:17 392408 ----a-w- C:\windows\sediag.exe
2011-08-01 00:16:14 344272 ----a-w- C:\windows\System32\ICF.dll
2011-07-31 22:34:57 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{28E27539-2B3A-477B-A3B9-0A9AB3AD563F}\mpengine.dll
2011-07-31 22:34:57 270720 ------w- C:\windows\System32\MpSigStub.exe
2011-07-31 22:13:16 -------- d-----w- C:\Users\feivel\AppData\Local\VS Revo Group
2011-07-31 22:13:14 31800 ----a-w- C:\windows\System32\drivers\revoflt.sys
2011-07-31 22:13:14 -------- d-----w- C:\Program Files\VS Revo Group
2011-07-31 22:10:44 404640 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-31 21:57:35 2784608 ----a-w- C:\windows\System32\auto_reactivate.exe
2011-07-31 21:57:28 -------- d-sh--r- C:\bootwiz
2011-07-31 21:53:20 285280 ----a-w- C:\windows\System32\drivers\afcdp.sys
2011-07-31 21:53:20 1263200 ----a-w- C:\windows\System32\drivers\tdrpm273.sys
2011-07-31 21:53:18 970336 ----a-w- C:\windows\System32\drivers\timntr.sys
2011-07-31 21:53:15 277088 ----a-w- C:\windows\System32\drivers\snapman.sys
2011-07-31 21:42:09 -------- d-----w- C:\Program Files (x86)\Common Files\Intel Corporation
2011-07-31 19:08:28 -------- d-----w- C:\Users\feivel\AppData\Local\Adobe
2011-07-31 17:49:35 -------- d-----w- C:\Users\feivel\AppData\Roaming\Intel Corporation
2011-07-31 17:49:34 -------- d-----w- C:\Users\feivel\AppData\Local\Lenovo
2011-07-31 17:49:30 -------- d-----w- C:\Users\feivel\AppData\Local\Power2Go
.
==================== Find3M ====================
.
.
============= FINISH: 9:27:00.39 ===============

Attached File: Attach.txt (2.94KB)

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:48 AM

Posted 07 August 2011 - 11:23 AM

Hello

1. I have this Lenovo computer.
It does not come with a Windows disk;
instead it has Windows saved in some form on the C drive and uses Lenovo's own proprietary program to fix or restore Windows,
so I won't be able to use the Windows Recovery Console,
which makes me nervous about using programs like ComboFix.

The Recovery Console will not harm the recovery partition in any way.

What you are thinking about is the MBR, and if that needs to be rewritten then you have already lost access to this partition, as the virus has already rewritten the MBR with its bad code.

It is better to be on the safe side, so I will do some checking anyway.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.

Gringo
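Gringo's point above is that a boot-sector infection like the one Norton names lives in the MBR, not in the OEM recovery partition, so what a responder checks first is whether the disk's first sector still matches a known-good copy. The following Python is an added example and not code from this thread or from any tool mentioned in it: it parses a 512-byte MBR image, verifies the 0x55AA signature, hashes the bootstrap code area against a baseline, and sanity-checks the partition table. The sample sectors, the bootstrap bytes and the baseline hash are all constructed inline as stand-ins.

```python
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
BOOTSTRAP_SIZE = 440                 # code area before the 4-byte disk ID at 0x1B8
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
PARTITION_ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def lba_end(self) -> int:            # exclusive
        return self.lba_start + self.sector_count


@dataclass
class MbrReport:
    signature_ok: bool
    bootstrap_sha256: str
    bootstrap_matches_baseline: bool
    partitions: List[PartitionEntry]
    findings: List[str] = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not self.findings


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four 16-byte slots at offset 446; empty slots (type 0) are skipped."""
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_start, type_id, _chs_end, lba_start, count = struct.unpack_from(
            PARTITION_ENTRY_FORMAT, sector, offset)
        if type_id == 0:
            continue
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, count))
    return entries


def inspect_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> MbrReport:
    """Compare one MBR sector against a known-good bootstrap hash and basic layout rules."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    findings = []

    signature_ok = sector[510:512] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")

    # The bootstrap code is what a bootkit replaces; the partition table is normally
    # left intact so the machine still boots and the user notices nothing.
    digest = hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest()
    matches = digest == baseline_bootstrap_sha256
    if not matches:
        findings.append("bootstrap code differs from the known-good baseline")

    partitions = parse_partition_table(sector)
    active = [p for p in partitions if p.bootable]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in partitions:
        if p.lba_start == 0 or p.sector_count == 0:
            findings.append(f"partition {p.index}: zero LBA start or length")
    for a in partitions:
        for b in partitions:
            if a.index < b.index and a.lba_start < b.lba_end and b.lba_start < a.lba_end:
                findings.append(f"partitions {a.index} and {b.index} overlap")
    return MbrReport(signature_ok, digest, matches, partitions, findings)


def build_sample_mbr(bootstrap: bytes, entries: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a constructed MBR image: code area, disk ID padding, table, signature."""
    body = bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00")[:BOOTSTRAP_SIZE]
    body += b"\x00" * (PARTITION_TABLE_OFFSET - BOOTSTRAP_SIZE)
    table = b"".join(
        struct.pack(PARTITION_ENTRY_FORMAT, status, b"\x00" * 3, type_id, b"\x00" * 3, lba, count)
        for status, type_id, lba, count in entries)
    return body + table.ljust(4 * PARTITION_ENTRY_SIZE, b"\x00") + BOOT_SIGNATURE


# Constructed stand-ins (placeholders, not real boot code): a clean sector and a copy
# whose code area has been rewritten while the partition table is untouched.
CLEAN_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
TAMPERED_BOOTSTRAP = b"\xeb\x1e\x90" + b"\xcc" * 44
LAYOUT = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1900544000)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTSTRAP, LAYOUT)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOTSTRAP, LAYOUT)
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOTSTRAP_SIZE]).hexdigest()  # from the clean image

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        report = inspect_mbr(image, BASELINE_SHA256)
        print(name, "no findings" if report.clean else report.findings)
```

On a real machine the sector would come from a forensic image of the disk's first 512 bytes and the baseline hash from a clean installation of the same OEM image; a hash mismatch is a reason to image the disk and verify, not proof of infection on its own.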

#6 feivel

feivel
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Local time:06:48 AM

Posted 07 August 2011 - 11:37 AM

OTL logfile created on: 8/7/2011 11:34:36 AM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\feivel\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.98 Gb Total Physical Memory | 6.69 Gb Available Physical Memory | 83.84% Memory free
15.96 Gb Paging File | 14.60 Gb Available in Paging File | 91.45% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 906.34 Gb Total Space | 876.44 Gb Free Space | 96.70% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 911.62 Gb Free Space | 97.86% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 840.74 Gb Free Space | 90.26% Space Free | Partition Type: NTFS

Computer Name: FEIVEL-PC | User Name: feivel | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\feivel\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe (Acronis)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
PRC - C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
PRC - C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe (Acronis)
PRC - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccsvchst.exe (Symantec Corporation)
PRC - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe ()
PRC - C:\Windows\SysWOW64\UMonit.exe ()
PRC - C:\Program Files (x86)\jmesoft\hotkey.exe (JME)


========== Modules (SafeList) ==========

MOD - C:\Users\feivel\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (wlcrasvc) -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (afcdpsrv) -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe (Acronis)
SRV - (AcrSch2Svc) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (NAV) -- C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe (Symantec Corporation)
SRV - (IAStorDataMgrSvc) Intel® -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (CEEBC40A-FDED-4C59-B354-939132350B01) -- C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe ()
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (SymEvent) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS (Symantec Corporation)
DRV:64bit: - (tdrpman273) Acronis Try&Decide and Restore Points filter (build 273) -- C:\Windows\SysNative\drivers\tdrpm273.sys (Acronis)
DRV:64bit: - (afcdp) -- C:\Windows\SysNative\drivers\afcdp.sys (Acronis)
DRV:64bit: - (timounter) -- C:\Windows\SysNative\drivers\timntr.sys (Acronis)
DRV:64bit: - (snapman) -- C:\Windows\SysNative\drivers\snapman.sys (Acronis)
DRV:64bit: - (SymNetS) -- C:\Windows\SysNative\drivers\NAVx64\1206000.01D\symnets.sys (Symantec Corporation)
DRV:64bit: - (SRTSP) -- C:\Windows\SysNative\drivers\NAVx64\1206000.01D\srtsp64.sys (Symantec Corporation)
DRV:64bit: - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\Windows\SysNative\drivers\NAVx64\1206000.01D\srtspx64.sys (Symantec Corporation)
DRV:64bit: - (SymEFA) -- C:\Windows\SysNative\drivers\NAVx64\1206000.01D\symefa64.sys (Symantec Corporation)
DRV:64bit: - (SymDS) -- C:\Windows\SysNative\drivers\NAVx64\1206000.01D\symds64.sys (Symantec Corporation)
DRV:64bit: - (SymIRON) -- C:\Windows\SysNative\drivers\NAVx64\1206000.01D\ironx64.sys (Symantec Corporation)
DRV:64bit: - (e1cexpress) Intel® -- C:\Windows\SysNative\drivers\e1c62x64.sys (Intel Corporation)
DRV:64bit: - (MEIx64) Intel® -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\drivers\nvhda64v.sys (NVIDIA Corporation)
DRV:64bit: - (USTOR2K) -- C:\Windows\SysNative\drivers\ustor2k.sys (Genesys Logic)
DRV:64bit: - (Revoflt) -- C:\Windows\SysNative\drivers\revoflt.sys (VS Revo Group)
DRV:64bit: - (wsvd) -- C:\Windows\SysNative\drivers\wsvd.sys (CyberLink)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (PxHlpa64) -- C:\Windows\SysNative\drivers\PxHlpa64.sys (Sonic Solutions)
DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\wbem\ntfs.mof ()
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (RTL8023x64) -- C:\Windows\SysNative\drivers\Rtnic64.sys (Realtek Semiconductor Corporation )
DRV:64bit: - (yukonw7) -- C:\Windows\SysNative\drivers\yk62x64.sys (Marvell)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (NAVEX15) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110807.002\EX64.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110807.002\ENG64.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (IDSVia64) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110805.030\IDSviA64.sys (Symantec Corporation)
DRV - (BHDrvx64) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110723.001\BHDrvx64.sys (Symantec Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1981454315-1737432814-3596652152-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1981454315-1737432814-3596652152-1002\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1981454315-1737432814-3596652152-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPlgn\ [2011/08/05 14:48:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/07/31 16:09:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2011/07/31 16:09:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\feivel\AppData\Roaming\Mozilla\Extensions
[2011/08/01 09:25:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\feivel\AppData\Roaming\Mozilla\Firefox\Profiles\2btjijj5.default\extensions
[2011/08/01 09:21:12 | 000,000,000 | ---D | M] (Forecastfox) -- C:\Users\feivel\AppData\Roaming\Mozilla\Firefox\Profiles\2btjijj5.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2011/07/31 16:09:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
File not found (No name found) --
[2011/08/05 14:48:25 | 000,000,000 | ---D | M] (Symantec IPS) -- C:\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\IPSFFPLGN
() (No name found) -- C:\USERS\FEIVEL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2BTJIJJ5.DEFAULT\EXTENSIONS\{0545B830-F0AA-4D7E-8820-50A4629A56FE}.XPI
() (No name found) -- C:\USERS\FEIVEL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2BTJIJJ5.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
() (No name found) -- C:\USERS\FEIVEL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2BTJIJJ5.DEFAULT\EXTENSIONS\SIMPLECLOCKS@GRBRADT.ORG.XPI
[2011/07/08 02:16:28 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ips\ipsbho.dll (Symantec Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [UMonit] C:\Windows\SysWOW64\UMonit.exe ()
O4:64bit: - HKLM..\Run: [Unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5}] File not found
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe (JME)
O4 - HKLM..\Run: [SAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe (Lenovo)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePRCShortCut] C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{9de4274a-bc22-11e0-b118-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{9de4274a-bc22-11e0-b118-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (auto_reactivate C:\bootwiz\asrm.bin) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/07 11:33:11 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Users\feivel\Desktop\OTL.exe
[2011/08/06 21:33:39 | 000,000,000 | ---D | C] -- C:\Users\feivel\Documents\tdsskiller
[2011/08/05 16:10:42 | 001,404,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\feivel\Desktop\TDSSKiller.exe
[2011/08/03 16:20:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Seagate
[2011/08/03 09:08:30 | 000,912,504 | ---- | C] (Symantec Corporation) -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\symefa64.sys
[2011/08/03 09:08:30 | 000,744,568 | ---- | C] (Symantec Corporation) -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\srtsp64.sys
[2011/08/03 09:08:30 | 000,450,680 | ---- | C] (Symantec Corporation) -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\symds64.sys
[2011/08/03 09:08:30 | 000,386,168 | ---- | C] (Symantec Corporation) -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\symnets.sys
[2011/08/03 09:08:30 | 000,171,128 | ---- | C] (Symantec Corporation) -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\ironx64.sys
[2011/08/03 09:08:30 | 000,040,568 | ---- | C] (Symantec Corporation) -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\srtspx64.sys
[2011/08/03 09:08:27 | 000,000,000 | ---D | C] -- C:\windows\SysNative\drivers\NAVx64\1206000.01D
[2011/08/03 09:02:26 | 000,174,200 | ---- | C] (Symantec Corporation) -- C:\windows\SysNative\drivers\SYMEVENT64x86.SYS
[2011/08/03 09:02:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2011/08/03 09:02:26 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2011/08/03 09:02:14 | 000,000,000 | ---D | C] -- C:\windows\SysNative\drivers\NAVx64
[2011/08/03 09:02:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton AntiVirus
[2011/08/03 09:02:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Norton AntiVirus
[2011/08/03 09:01:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NortonInstaller
[2011/08/02 21:39:41 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2011/08/02 18:21:05 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Local\CrashDumps
[2011/08/02 17:58:23 | 000,607,017 | R--- | C] (Swearware) -- C:\Users\feivel\Desktop\dds.scr
[2011/08/02 14:50:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2011/08/01 20:12:02 | 000,000,000 | ---D | C] -- C:\windows\SysNative\DRVSTORE
[2011/08/01 20:09:56 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
[2011/08/01 19:51:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared
[2011/08/01 19:36:37 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Roaming\Malwarebytes
[2011/08/01 19:36:30 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysWow64\drivers\mbamswissarmy.sys
[2011/08/01 19:36:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/08/01 19:36:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/08/01 19:36:27 | 000,025,912 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2011/08/01 19:36:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/08/01 19:09:52 | 000,000,000 | ---D | C] -- C:\Users\feivel\Documents\Symantec
[2011/08/01 19:08:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2011/08/01 19:07:26 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2011/08/01 14:27:45 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Local\Microsoft Games
[2011/07/31 19:16:17 | 000,392,408 | ---- | C] (InternetSafety.com, Inc.) -- C:\windows\sediag.exe
[2011/07/31 19:16:14 | 000,344,272 | ---- | C] (InternetSafety.com, Inc.) -- C:\windows\SysNative\ICF.dll
[2011/07/31 17:13:16 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Local\VS Revo Group
[2011/07/31 17:13:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
[2011/07/31 17:13:14 | 000,031,800 | ---- | C] (VS Revo Group) -- C:\windows\SysNative\drivers\revoflt.sys
[2011/07/31 17:13:14 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2011/07/31 17:10:44 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
[2011/07/31 16:57:35 | 002,784,608 | ---- | C] (Acronis) -- C:\windows\SysNative\auto_reactivate.exe
[2011/07/31 16:57:28 | 000,000,000 | RHSD | C] -- C:\bootwiz
[2011/07/31 16:53:20 | 001,263,200 | ---- | C] (Acronis) -- C:\windows\SysNative\drivers\tdrpm273.sys
[2011/07/31 16:53:20 | 000,285,280 | ---- | C] (Acronis) -- C:\windows\SysNative\drivers\afcdp.sys
[2011/07/31 16:53:18 | 000,970,336 | ---- | C] (Acronis) -- C:\windows\SysNative\drivers\timntr.sys
[2011/07/31 16:53:15 | 000,277,088 | ---- | C] (Acronis) -- C:\windows\SysNative\drivers\snapman.sys
[2011/07/31 16:53:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acronis
[2011/07/31 16:53:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Acronis
[2011/07/31 16:53:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Acronis
[2011/07/31 16:49:08 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Roaming\Acronis
[2011/07/31 16:49:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Acronis
[2011/07/31 16:42:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Intel Corporation
[2011/07/31 16:09:32 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Local\Mozilla
[2011/07/31 16:09:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2011/07/31 14:10:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe
[2011/07/31 14:08:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
[2011/07/31 14:08:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Adobe
[2011/07/31 14:08:28 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Local\Adobe
[2011/07/31 13:08:25 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Roaming\Mozilla
[2011/07/31 13:07:35 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Roaming\Macromedia
[2011/07/31 13:07:34 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Roaming\Adobe
[2011/07/31 12:49:35 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Roaming\Intel Corporation
[2011/07/31 12:49:34 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Local\Lenovo
[2011/07/31 12:49:30 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Local\Power2Go
[2011/07/31 12:49:12 | 000,000,000 | R--D | C] -- C:\Users\feivel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2011/07/31 12:49:12 | 000,000,000 | R--D | C] -- C:\Users\feivel\Searches
[2011/07/31 12:49:12 | 000,000,000 | R--D | C] -- C:\Users\feivel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2011/07/31 12:49:12 | 000,000,000 | -H-D | C] -- C:\Users\feivel\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2011/07/31 12:49:03 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Roaming\Identities
[2011/07/31 12:49:01 | 000,000,000 | R--D | C] -- C:\Users\feivel\Contacts
[2011/07/31 12:48:59 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Local\VirtualStore
[2011/07/31 12:48:53 | 000,000,000 | --SD | C] -- C:\Users\feivel\AppData\Roaming\Microsoft
[2011/07/31 12:48:53 | 000,000,000 | R--D | C] -- C:\Users\feivel\Videos
[2011/07/31 12:48:53 | 000,000,000 | R--D | C] -- C:\Users\feivel\Saved Games
[2011/07/31 12:48:53 | 000,000,000 | R--D | C] -- C:\Users\feivel\Pictures
[2011/07/31 12:48:53 | 000,000,000 | R--D | C] -- C:\Users\feivel\Music
[2011/07/31 12:48:53 | 000,000,000 | R--D | C] -- C:\Users\feivel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2011/07/31 12:48:53 | 000,000,000 | R--D | C] -- C:\Users\feivel\Links
[2011/07/31 12:48:53 | 000,000,000 | R--D | C] -- C:\Users\feivel\Favorites
[2011/07/31 12:48:53 | 000,000,000 | R--D | C] -- C:\Users\feivel\Downloads
[2011/07/31 12:48:53 | 000,000,000 | R--D | C] -- C:\Users\feivel\Documents
[2011/07/31 12:48:53 | 000,000,000 | R--D | C] -- C:\Users\feivel\Desktop
[2011/07/31 12:48:53 | 000,000,000 | R--D | C] -- C:\Users\feivel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\AppData\Local\Temporary Internet Files
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\Templates
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\Start Menu
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\SendTo
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\Recent
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\PrintHood
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\NetHood
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\Documents\My Videos
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\Documents\My Pictures
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\Documents\My Music
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\My Documents
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\Local Settings
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\AppData\Local\History
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\Cookies
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\Application Data
[2011/07/31 12:48:53 | 000,000,000 | -HSD | C] -- C:\Users\feivel\AppData\Local\Application Data
[2011/07/31 12:48:53 | 000,000,000 | -H-D | C] -- C:\Users\feivel\AppData
[2011/07/31 12:48:53 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Local\Temp
[2011/07/31 12:48:53 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Local\Microsoft
[2011/07/31 12:48:53 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Roaming\Media Center Programs
[2011/07/31 12:48:53 | 000,000,000 | ---D | C] -- C:\Users\feivel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
[2011/07/31 12:48:23 | 000,000,000 | -HSD | C] -- C:\ProgramData\Templates
[2011/07/31 12:48:23 | 000,000,000 | -HSD | C] -- C:\ProgramData\Start Menu
[2011/07/31 12:48:23 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\My Videos
[2011/07/31 12:48:23 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\My Pictures
[2011/07/31 12:48:23 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\My Music
[2011/07/31 12:48:23 | 000,000,000 | -HSD | C] -- C:\ProgramData\Favorites
[2011/07/31 12:48:23 | 000,000,000 | -HSD | C] -- C:\Documents and Settings
[2011/07/31 12:48:23 | 000,000,000 | -HSD | C] -- C:\ProgramData\Documents
[2011/07/31 12:48:23 | 000,000,000 | -HSD | C] -- C:\ProgramData\Desktop
[2011/07/31 12:48:23 | 000,000,000 | -HSD | C] -- C:\ProgramData\Application Data
[2010/12/18 18:31:13 | 001,914,000 | ---- | C] (Adobe Systems Incorporated) -- C:\ProgramData\flashax10.exe

========== Files - Modified Within 30 Days ==========

[2011/08/07 11:33:11 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\feivel\Desktop\OTL.exe
[2011/08/07 09:26:22 | 000,000,000 | ---- | M] () -- C:\Users\feivel\defogger_reenable
[2011/08/07 09:25:53 | 000,050,477 | ---- | M] () -- C:\Users\feivel\Desktop\Defogger.exe
[2011/08/07 09:12:49 | 000,017,744 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/08/07 09:12:49 | 000,017,744 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/08/07 09:12:34 | 000,713,888 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2011/08/07 09:12:34 | 000,615,122 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2011/08/07 09:12:34 | 000,103,496 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2011/08/07 09:05:33 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2011/08/07 09:05:31 | 2133,753,855 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/05 16:10:42 | 001,404,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\feivel\Desktop\TDSSKiller.exe
[2011/08/04 21:50:05 | 000,000,000 | -H-- | M] () -- C:\windows\SysNative\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2011/08/03 09:09:39 | 001,317,264 | ---- | M] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\Cat.DB
[2011/08/03 09:08:31 | 000,174,200 | ---- | M] (Symantec Corporation) -- C:\windows\SysNative\drivers\SYMEVENT64x86.SYS
[2011/08/03 09:08:31 | 000,007,488 | ---- | M] () -- C:\windows\SysNative\drivers\SYMEVENT64x86.CAT
[2011/08/03 09:08:31 | 000,000,855 | ---- | M] () -- C:\windows\SysNative\drivers\SYMEVENT64x86.INF
[2011/08/02 23:35:22 | 001,317,264 | ---- | M] () -- C:\windows\SysNative\drivers\Cat.DB
[2011/08/02 17:58:23 | 000,607,017 | R--- | M] (Swearware) -- C:\Users\feivel\Desktop\dds.scr
[2011/08/02 14:49:28 | 100,637,056 | ---- | M] () -- C:\Users\feivel\Desktop\setup_11.0.0.1245.x01_2011_08_02_21_10.exe
[2011/08/01 19:36:30 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/01 04:44:59 | 000,039,252 | ---- | M] () -- C:\windows\SysWow64\license.rtf
[2011/08/01 04:44:59 | 000,039,252 | ---- | M] () -- C:\windows\SysNative\license.rtf
[2011/07/31 17:13:15 | 000,001,101 | ---- | M] () -- C:\Users\feivel\Application Data\Microsoft\Internet Explorer\Quick Launch\Revo Uninstaller Pro.lnk
[2011/07/31 17:13:15 | 000,001,077 | ---- | M] () -- C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
[2011/07/31 17:10:44 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
[2011/07/31 16:57:35 | 002,784,608 | ---- | M] (Acronis) -- C:\windows\SysNative\auto_reactivate.exe
[2011/07/31 16:53:20 | 001,263,200 | ---- | M] (Acronis) -- C:\windows\SysNative\drivers\tdrpm273.sys
[2011/07/31 16:53:20 | 000,285,280 | ---- | M] (Acronis) -- C:\windows\SysNative\drivers\afcdp.sys
[2011/07/31 16:53:18 | 000,970,336 | ---- | M] (Acronis) -- C:\windows\SysNative\drivers\timntr.sys
[2011/07/31 16:53:15 | 000,277,088 | ---- | M] (Acronis) -- C:\windows\SysNative\drivers\snapman.sys
[2011/07/31 16:53:11 | 000,001,139 | ---- | M] () -- C:\Users\Public\Desktop\Acronis True Image Home 2011.lnk
[2011/07/31 16:09:28 | 000,001,142 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/07/31 13:07:28 | 000,001,441 | ---- | M] () -- C:\Users\feivel\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/07/31 12:49:34 | 000,002,131 | ---- | M] () -- C:\Users\feivel\Desktop\Lenovo Rescue System.lnk
[2011/07/08 17:45:12 | 000,386,168 | ---- | M] (Symantec Corporation) -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\symnets.sys

========== Files Created - No Company Name ==========

[2011/08/07 09:26:22 | 000,000,000 | ---- | C] () -- C:\Users\feivel\defogger_reenable
[2011/08/07 09:25:53 | 000,050,477 | ---- | C] () -- C:\Users\feivel\Desktop\Defogger.exe
[2011/08/04 21:50:05 | 000,000,000 | -H-- | C] () -- C:\windows\SysNative\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2011/08/03 09:09:31 | 001,317,264 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\Cat.DB
[2011/08/03 09:08:30 | 000,007,492 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\iron.cat
[2011/08/03 09:08:30 | 000,007,462 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\srtspx64.cat
[2011/08/03 09:08:30 | 000,007,460 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\symefa64.cat
[2011/08/03 09:08:30 | 000,007,458 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\symnet64.cat
[2011/08/03 09:08:30 | 000,007,458 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\srtsp64.cat
[2011/08/03 09:08:30 | 000,003,373 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\symefa.inf
[2011/08/03 09:08:30 | 000,002,792 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\symds.inf
[2011/08/03 09:08:30 | 000,001,446 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\symnet.inf
[2011/08/03 09:08:30 | 000,001,438 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\srtsp64.inf
[2011/08/03 09:08:30 | 000,001,422 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\srtspx64.inf
[2011/08/03 09:08:30 | 000,000,772 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\iron.inf
[2011/08/03 09:08:28 | 000,000,000 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\symds64.cat
[2011/08/03 09:08:27 | 000,000,172 | ---- | C] () -- C:\windows\SysNative\drivers\NAVx64\1206000.01D\isolate.ini
[2011/08/03 09:02:26 | 000,007,488 | ---- | C] () -- C:\windows\SysNative\drivers\SYMEVENT64x86.CAT
[2011/08/03 09:02:26 | 000,000,855 | ---- | C] () -- C:\windows\SysNative\drivers\SYMEVENT64x86.INF
[2011/08/02 23:35:10 | 001,317,264 | ---- | C] () -- C:\windows\SysNative\drivers\Cat.DB
[2011/08/02 14:48:43 | 100,637,056 | ---- | C] () -- C:\Users\feivel\Desktop\setup_11.0.0.1245.x01_2011_08_02_21_10.exe
[2011/08/01 19:36:30 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/31 17:13:15 | 000,001,101 | ---- | C] () -- C:\Users\feivel\Application Data\Microsoft\Internet Explorer\Quick Launch\Revo Uninstaller Pro.lnk
[2011/07/31 17:13:15 | 000,001,077 | ---- | C] () -- C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
[2011/07/31 16:53:11 | 000,001,139 | ---- | C] () -- C:\Users\Public\Desktop\Acronis True Image Home 2011.lnk
[2011/07/31 16:09:28 | 000,001,154 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/07/31 16:09:28 | 000,001,142 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/07/31 14:10:21 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2011/07/31 13:07:28 | 000,001,441 | ---- | C] () -- C:\Users\feivel\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/07/31 12:49:23 | 000,001,413 | ---- | C] () -- C:\Users\feivel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
[2011/07/31 12:48:53 | 000,002,131 | ---- | C] () -- C:\Users\feivel\Desktop\Lenovo Rescue System.lnk
[2011/07/31 12:48:53 | 000,000,290 | ---- | C] () -- C:\Users\feivel\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/07/31 12:48:53 | 000,000,272 | ---- | C] () -- C:\Users\feivel\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2010/12/20 16:38:58 | 000,000,023 | ---- | C] () -- C:\windows\SysWow64\drivers\psn.dat
[2010/12/18 17:47:39 | 000,139,264 | ---- | C] () -- C:\windows\SysWow64\ustor.dll
[2010/12/18 17:47:39 | 000,040,960 | ---- | C] () -- C:\windows\SysWow64\UMonit.exe
[2010/12/18 17:47:37 | 000,001,393 | ---- | C] () -- C:\windows\SysWow64\IconCfg0.ini
[2010/12/18 17:47:37 | 000,000,722 | ---- | C] () -- C:\windows\SysWow64\ProductName.ini
[2010/12/18 17:44:55 | 000,008,192 | ---- | C] () -- C:\windows\SysWow64\drivers\IntelMEFWVer.dll
[2010/12/18 17:39:00 | 000,201,728 | ---- | C] () -- C:\windows\SetDrive.exe
[2010/12/18 17:38:59 | 000,036,864 | ---- | C] () -- C:\windows\WinWait.exe
[2009/07/26 16:07:52 | 000,000,000 | ---- | C] () -- C:\windows\ativpsrm.bin
[2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat
[2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- C:\windows\SysWow64\NOISE.DAT
[2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- C:\windows\SysWow64\dssec.dat
[2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\windows\SysWow64\msjetoledb40.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- C:\windows\SysWow64\mlang.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:DFC5A2B2

< End of report >

#7 feivel
  • Topic Starter
  • Members
  • 22 posts
  • Gender:Male

Posted 07 August 2011 - 11:49 AM

also
in case you need to know this
system restore was not enabled.
after running otl and posting the report I remembered about system restore and I enabled it
just in case that affects your interpretation

#8 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 August 2011 - 12:09 PM

Hello

I want you to run this custom OTL script for me and then let me know how things are after you finish.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :otl
    IE - HKU\S-1-5-21-1981454315-1737432814-3596652152-1002\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4:64bit: - HKLM..\Run: [Unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5}] File not found
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
    O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O34 - HKLM BootExecute: (auto_reactivate C:\bootwiz\asrm.bin) - File not found
    O33 - MountPoints2\{9de4274a-bc22-11e0-b118-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{9de4274a-bc22-11e0-b118-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Autorun.exe  
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:DFC5A2B2
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY] 
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS] 
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
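The fix script in the post above is assembled by picking out the OTL lines whose registry hook points at nothing any more (the entries OTL marks "File not found", "No CLSID value found" or "CLSID or File not found") together with the alternate data stream and the stale MountPoints2 autorun entry. As an added example (my own code, not OTL's and not part of this thread), here is a small Python triage helper that reads the two line shapes OTL prints, hook entries and file entries, and flags the same kind of candidates: orphaned hooks, and recently created executables whose version resource carries no company name. The sample lines are copied from the logs in this thread; the category labels and function names are my own.

```python
"""Triage helper for OTL-style log lines.

Added example: my own code, not OTL's and not part of this thread.  It reads
the two line shapes that appear in the logs above and flags the same
candidates a malware-response helper selects for a fix script:
  * registry hooks whose target no longer exists (orphaned entries), and
  * recently created executables whose version resource has no company name.
Both are leads for a human to check, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# File entry: [date time | size | attrs | C or M] (Company) -- path
# The "(Company)" part is absent for directories and is "()" when the file
# carries no company name in its version resource.
FILE_RE = re.compile(
    r"^\[(?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Hook entry: "O4 - ..." or "O4:64bit: - ..." (section code, optional 64-bit tag)
HOOK_RE = re.compile(r"^(?P<section>O\d{1,2})(?P<arch>:64bit:)? - (?P<rest>.+)$")

# Phrases OTL prints when a registry value points at something that is gone.
ORPHAN_MARKERS = ("File not found", "No CLSID value found", "CLSID or File not found")

# Extensions worth a second look when created recently without a company name.
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")


@dataclass
class Finding:
    category: str  # "orphan_hook" or "no_company_exe" (my own labels)
    line: str


def parse_file_line(line: str) -> Optional[Dict]:
    """Parse one file/folder entry; return None if the line is not one."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"].replace(",", ""))   # "001,404,208" -> 1404208
    d["is_dir"] = "D" in d["attrs"]               # attrs column holds R H S D flags
    return d


def triage(lines: List[str]) -> List[Finding]:
    """Return the lines a helper would look at first, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        hook = HOOK_RE.match(line)
        if hook:
            if any(marker in hook.group("rest") for marker in ORPHAN_MARKERS):
                findings.append(Finding("orphan_hook", line))
            continue
        f = parse_file_line(line)
        if (f and not f["is_dir"] and f["kind"] == "C"
                and f["path"].lower().endswith(EXEC_EXT)
                and not f["company"]):
            findings.append(Finding("no_company_exe", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Sample input: a handful of lines copied from the OTL logs in this thread.
SAMPLE_LOG = r"""
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5}] File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
[2011/08/05 16:10:42 | 001,404,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\feivel\Desktop\TDSSKiller.exe
[2011/08/03 09:02:26 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/12/18 17:47:39 | 000,040,960 | ---- | C] () -- C:\windows\SysWow64\UMonit.exe
[2011/08/07 09:05:31 | 2133,753,855 | -HS- | M] () -- C:\hiberfil.sys
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for finding in results:
        print(f"{finding.category:15} {finding.line}")
    print(summarize(results))
```

On the sample, the three orphaned hooks are exactly the kind of entries the fix script above deletes, and UMonit.exe is flagged only because its version resource carries no company name, which by itself proves nothing; the helper narrows the list, the judgement stays with the person reading it.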

#9 feivel
  • Topic Starter
  • Members
  • 22 posts
  • Gender:Male

Posted 07 August 2011 - 12:26 PM

okay here it is

did you find a problem?
did we fix anything?
the computer was running fine before, I think it still is
was there an infection?

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1981454315-1737432814-3596652152-1002\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5} deleted successfully.
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{828030A1-22C1-4009-854F-8E305202313F}\ not found.
File {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{828030A1-22C1-4009-854F-8E305202313F}\ not found.
File {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C514A3-1EFB-4856-9F99-10D7BE1653C0}\ not found.
File {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlpg\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324}\ not found.
File {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:auto_reactivate C:\bootwiz\asrm.bin deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9de4274a-bc22-11e0-b118-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9de4274a-bc22-11e0-b118-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9de4274a-bc22-11e0-b118-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9de4274a-bc22-11e0-b118-806e6f6e6963}\ not found.
File E:\Autorun.exe not found.
ADS C:\ProgramData\Temp:DFC5A2B2 deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\feivel\Desktop\cmd.bat deleted successfully.
C:\Users\feivel\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: feivel
->Temp folder emptied: 20434270 bytes
->Temporary Internet Files folder emptied: 175238559 bytes
->FireFox cache emptied: 143059892 bytes
->Flash cache emptied: 2614 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10654246 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 8839673203 bytes

Total Files Cleaned = 8,763.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: feivel
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.26.1 log created on 08072011_122216

Files\Folders moved on Reboot...
C:\Users\feivel\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:48 AM

Posted 07 August 2011 - 12:58 PM

Hello

Don't see much - just doing some cleanup


Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 feivel

feivel
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:48 AM

Posted 07 August 2011 - 01:14 PM

For some reason I have no Java icon in Control Panel; using the "search Control Panel" box, it showed nothing.

This is the log from MBAM. There was no "show results" dialog, and there was nowhere to check various items to show or not.
Also, MBAM originally failed to detect any threat during the same time period that Norton was reporting an infection (that Norton was unable to remove).


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7402

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/7/2011 1:09:58 PM
mbam-log-2011-08-07 (13-09-58).txt

Scan type: Quick scan
Objects scanned: 164157
Time elapsed: 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 feivel

feivel
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:48 AM

Posted 07 August 2011 - 01:19 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:18:43 PM, on 8/7/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Windows\SysWOW64\UMonit.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\jmesoft\hotkey.exe
C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\IPS\IPSBHO.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
O4 - HKLM\..\Run: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe
O4 - HKLM\..\Run: [SAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup Service (afcdpsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: Roxio File Backup Service (CEEBC40A-FDED-4C59-B354-939132350B01) - Unknown owner - C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7445 bytes

#13 feivel

feivel
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:48 AM

Posted 07 August 2011 - 01:20 PM

I guess the computer is doing fine. I never really had any problems, only that Norton found boot.tidserv and was unable to remove it.

Please see my entire first post here for a description of the problem and its history.
Thanks

#14 feivel

feivel
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:48 AM

Posted 07 August 2011 - 02:09 PM

I went to the Java site to get additional info and it said that I don't have Java installed.
I guess that would explain the missing entry in Control Panel.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:48 AM

Posted 07 August 2011 - 02:10 PM

:Remove unneeded startup entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them by clicking their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, e.g.
    O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find it here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
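The HijackThis log in post #12 and the O4 startup lines singled out in post #15 can be triaged mechanically. The script below is an added example written for this page; it is not code from HijackThis, BleepingComputer or anyone in the thread, and the bucketing rules are the editor's own. The sample log lines are copied from post #12, except the last O23 line (service `exmplsvc` under `C:\Users\Public`), which is constructed to exercise the "verify" bucket. It assumes the log was produced by the 32-bit HijackThis 2.0.4 on 64-bit Windows: under WOW64 a 32-bit process that opens `C:\Windows\System32\...` is redirected to `SysWOW64`, and `%ProgramFiles%` expands to `Program Files (x86)`, so a service under either location reported as "(file missing)" is usually a redirection artifact rather than a deleted binary. Anything that lands in the "verify" bucket still needs the file checked from a 64-bit shell.

```python
"""Triage a HijackThis 2.0.4 log taken on 64-bit Windows.

Added example for this thread; not code from HijackThis, BleepingComputer or
anyone posting here.  The bucketing rules are the editor's own.
"""
import re

# Constructed sample: lines copied from the log in post #12, plus one
# made-up O23 line at the end (exmplsvc) to exercise the 'verify' bucket.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows 7 (WinNT 6.00.3504)
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Roxio File Backup Service (CEEBC40A-FDED-4C59-B354-939132350B01) - Unknown owner - C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
O23 - Service: Example Updater (exmplsvc) - Unknown owner - C:\Users\Public\updater.exe (file missing)
"""

# O4 - <hive>[\<sid>]\..\Run: [<name>] <command> [(User '<account>')]
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)(?:\\(?P<sid>S-[\d-]+))?\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)
# O23 - Service: <display> (<svc>) - <owner> - <path>[ (file missing)]
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Paths a 32-bit scanner cannot see as-is on x64 (WOW64 file-system redirection).
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def parse(log):
    """Return (section, line) pairs for every HijackThis entry, e.g. ('O23', '...')."""
    entries = []
    for line in log.splitlines():
        m = re.match(r"^([A-Z]\d{1,2}) - ", line)
        if m:
            entries.append((m.group(1), line))
    return entries


def run_entries(log):
    """Parse O4 autostart lines into dicts (hive, sid, name, cmd, user)."""
    out = []
    for section, line in parse(log):
        if section != "O4":
            continue
        m = RUN_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def missing_services(log):
    """Bucket O23 '(file missing)' services: WOW64 artifact vs. manual check."""
    buckets = {"likely_wow64": [], "verify": []}
    for section, line in parse(log):
        if section != "O23":
            continue
        m = SERVICE_RE.match(line)
        if not m or not m["missing"]:
            continue
        path = m["path"]
        # System32 is redirected to SysWOW64 for a 32-bit process.
        redirected_sys32 = bool(SYSTEM32_RE.match(path))
        # %ProgramFiles% expands to 'Program Files (x86)' for a 32-bit process,
        # so the 64-bit binary the service really points at is never looked at.
        redirected_pf = ("%PROGRAMFILES%" in m["display"].upper()
                         and "\\program files (x86)\\" in path.lower())
        key = "likely_wow64" if (redirected_sys32 or redirected_pf) else "verify"
        buckets[key].append(m["svc"])
    return buckets


if __name__ == "__main__":
    for r in run_entries(SAMPLE_LOG):
        who = r["user"] or r["sid"] or r["hive"]
        print(f"O4 [{r['name']}] ({who}): {r['cmd']}")
    for bucket, names in missing_services(SAMPLE_LOG).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Running the script prints the two O4 entries with the account they run under, lists Spooler and WMPNetworkSvc as likely WOW64 artifacts, and leaves only the constructed `exmplsvc` entry (a service binary under a user-writable path that really is absent) in the bucket that deserves a manual look.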



