MULTIPLE Infections including Vista Antivirus 2012, Cryptor

#1 MSiegel


  • Members
  • 19 posts
  • Local time:05:44 AM

Posted 09 January 2012 - 11:14 PM


PC = Lenovo ThinkPad SL500, Windows Vista Home Basic
Virus = Vista Antivirus 2012 + Others
Antivirus Programs Running At Time of Infection = Avast! and Panda Cloud (free versions)

PROBLEM HISTORY (Don't recall everything that occurred but here's what I do remember):

Went to bad website (came up in Yahoo search), got standard box re: open PDF with Adobe, clicked on disallow, then allow when box wouldn't go away.

Still wouldn't go away, had to reboot.

Saw Vista Antivirus 2012 popups, clicked on red X to close some, no good. Rebooted a few times.

Started Task Manager and killed popups by ending (multiple) tkr.exe processes, but this left Windows background and absolutely nothing else (no orb, tray, icons, etc.)

Tried Safe Mode. Had pop-ups - killed them with Task Manager as above. Then could run some things, not others.

Numerous reboots, trying different things.

Looked in registry, found MANY, MANY references to tkr.exe + other possible bad keys.

At some point, Panda suddenly noticed tkr.exe and neutralized it. No more popups but still having trouble running most programs.

Used LenovoCare button to boot into Thinkvantage Rescue and Recovery, did (non-Microsoft) System Restore (of OS only, not data) to LAST MAY.

REGISTRY STILL CORRUPTED WITH MANY REFERENCES TO TKR.EXE!!! (Why wasn't registry rolled back by system restore???) Was also still having trouble with executables.

At some point (maybe earlier, don't recall) noticed some programs could run as admin.

Ran old copy of Malwarebytes as admin, nothing found. Update downloaded but blocked from running.

Found update file and ran as admin.

Ran Quick Scan with Malwarebytes, found some Trojans and "Malware Trace" (registry damage?). Authorized program to fix.

PC now appeared to be functioning normally.

Ran Full Scan with Malwarebytes, found more Trojans, etc. Authorized kill.

Ran Full Scan with Panda, found more Trojans, etc. Authorized kill.

Worried about rootkits. Downloaded and ran TDSSKiller, found nothing.

Downloaded and installed free AVG. Scan for rootkits found 2 issues. 1 possibly fixed (?), 1 definitely not. No visible change to system.
"Object name";"<unknown>"
"Detection name";"Corrupted section ntkrnlpa.exe[PAGE] RtlInitializeSid+0x96A, size 4 bytes"
"Object type";"file"
"SDK Type";"Rootkit"
"Result";"Object is hidden"
"Action history";""

"Object name";"<unknown>"
"Detection name";"Corrupted section ntkrnlpa.exe[PAGE] NtQuerySystemInformation+0x4BEF, size 4 bytes"
"Object type";"file"
"SDK Type";"Rootkit"
"Result";"Object is inaccessible."
"Action history";""

Downloaded and installed Threatfire. Full scan found nothing.

Downloaded and ran Norton Power Eraser. Found nothing. I think there was a message that the program had errors while it was running.

Downloaded and ran antizeroaccess.exe. Found nothing.


Ran extremely thorough scan with Avast. Found more trojans, worms, etc. Moved to virus chest.

Not sure of chronology for this event, but at some point tkr.exe (previously neutralized by Panda) "magically" showed up somewhere (don't recall file location, possibly Documents folder) but was listed with length 0.

Updated and ran Full Scan with Malwarebytes. Found some adware on drive S (huh?) and removed.

DURING ABOVE SCAN with Malwarebytes, AVG detected threat tkr.exe "on open".

AVG said it was Win32/Cryptor. Put in virus vault, related items cleaned (supposedly).
Location = C:\Users\Milton\AppData\Local\tkr.exe
Process = C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe

Why would Panda be opening a virus file (or is this a false alarm)??? Does this mean Panda is infected??? Why does tkr.exe seem to keep coming back???

Ran another full scan with Panda. Found 2 cookies.

Ran Norton Power Eraser again. Found and fixed 3 Registry entries.

Not sure of chronology for this event, but at some point Vrwd183KH.exe (previously neutralized by Panda) "magically" showed up in Documents folder, listed with length 0. Deleted manually.

Started following Bleepingcomputer procedure to prep for posting.

While following prep procedure, AVG picked up Vrwd183KH.exe THREE TIMES.

AVG said it was Win32/Cryptor. First time moved to virus vault, next two times "Object is inaccessible."
Location = C:\Users\Milton\Documents\Vrwd183KH.exe (Length = 383 kb)
Process = C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe (first time)
Process = C:\Windows\explorer.exe (next two times)

Why does Vrwd183KH.exe keep coming back???

Downloaded and ran dds.scr from Bleepingcomputer. During run (not just at beginning), got MANY messages from AV program(s). Are MULTIPLE messages normal? Continued DDS until confusing message from Threatfire made me stop program:

The program is attempting to load a device driver into the operating system.

Decided to rerun DDS. This time when Threatfire gave same message, kept going. (Mistake???) Logs are from second run.

First time, it ran for a while. Then message from Windows (at least to appearances) that "GMER.exe has stopped working".
Second time, Windows crashed.
Third time, repeat of first.

GMER log could not be obtained.

1) Registry references to tkr.exe still there.

2) Occasional strange transient messages from Vista about unknown hardware connected to my SATA controller.

3) Long after a startup, still repeatedly get message that Windows has blocked some Startup programs.

4) Windows crashes more frequently than usual.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19170
Run by Milton at 2:35:42 on 2012-01-07
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3037.1168 [GMT -5:00]
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lenovo\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\Lenovo\ATK Hotkey\GFNEXSrv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Lenovo\ATK Hotkey\LFKAS.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe
C:\Program Files\DDNI\DIBS\DDNIService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe
C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE
C:\Program Files\Lenovo\LenovoCare\LPMLCHK.EXE
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACGadgetWrapper.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe
C:\Program Files\Clearwire\Connection Manager\ConAppsSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: BywifiBHO Class: {c4743d3e-20d7-4b52-84f2-5e4e277b2d82} - c:\program files\bywifi\bywifiie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\milton\appdata\local\google\update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10q_ActiveX.exe -update activex
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\LVOSDSVC.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [RoxioDragToDisc] "c:\program files\lenovo\drag-to-disc\DrgToDsc.exe"
mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\lenovo\lenovo~2\LPMLCHK.exe
mRun: [CameraApplicationLauncher] c:\program files\lenovo\camera center\bin\CameraApplicationLaunchpadLauncher.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [CreateLMBCShortCut] "c:\program files\lenovo\mobile broadband connect\UserShortcutCreator.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWlIcon] c:\program files\thinkpad\connectutilities\ACWlIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [IdeaNotesUser] c:\program files\ddni\lenovo idea notes\DDNIMSGUser.exe
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Clearwire Connection Manager] "c:\program files\clearwire\connection manager\ClearwireCM.exe" -a
mRun: [iCall Internet Phone] "c:\program files\icall\iCall.exe" /startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\users\milton\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TCP: DhcpNameServer =
TCP: Interfaces\{AC298804-43B3-49EC-B896-AE0EEEB057C0} : DhcpNameServer =
TCP: Interfaces\{AF42FD5C-249B-4E59-9FEC-29181350C65F} : DhcpNameServer =
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli ACGina
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-12-26 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-12-26 69392]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-1-28 20520]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-24 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-6-30 314456]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-19 13480]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-6-17 126024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-30 20568]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-6-30 55128]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-24 44768]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 clearwireDeviceDiagnosticsService;Clearwire Device Diagnostics Service;c:\program files\clearwire\connection manager\clearwireDeviceDiagnosticsService.exe [2010-6-17 398848]
R2 DDNIMSGService;DDNIMSGService;c:\program files\ddni\lenovo idea notes\DDNIMSGService.exe [2009-6-23 171872]
R2 DDNIService;DDNIService;c:\program files\ddni\dibs\DDNIService.exe [2009-10-13 163680]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 LFKAS;Service of LFKA;c:\program files\lenovo\atk hotkey\LFKAS.exe [2009-6-22 208896]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-8-9 140608]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-6-22 66848]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-7-21 99400]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111112]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-7-21 112712]
R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\clearwire\connection manager\DeviceLaunchSvc.exe [2010-11-17 107856]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-9-23 58736]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-24 520192]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2010-7-8 318464]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2010-7-8 51456]
R3 CACLEARWIRE;Clearwire Con App Svc;c:\program files\clearwire\connection manager\ConAppsSvc.exe [2010-11-17 124240]
R3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\clearwire\connection manager\RcAppSvc.exe [2010-11-17 120144]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-6-22 112128]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-12-26 33552]
S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2009-6-22 48192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2008-4-25 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-4-25 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-4-25 166384]
S2 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-24 360448]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-4-8 401920]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2008-4-25 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2012-01-05 05:36:46 -------- d--h--w- C:\$AVG
2011-12-29 15:53:52 -------- d-----w- c:\users\milton\appdata\local\CrashDumps
2011-12-28 16:24:51 -------- d-----w- c:\users\milton\appdata\local\NPE
2011-12-28 16:24:51 -------- d-----w- c:\programdata\Norton
2011-12-26 18:16:26 69392 ------w- c:\windows\system32\drivers\TfSysMon.sys
2011-12-26 18:16:26 51984 ------w- c:\windows\system32\drivers\TfFsMon.sys
2011-12-26 18:16:26 33552 ------w- c:\windows\system32\drivers\TfNetMon.sys
2011-12-26 18:16:19 -------- d-----w- c:\programdata\PC Tools
2011-12-26 18:16:19 -------- d-----w- c:\program files\ThreatFire
2011-12-26 03:03:27 -------- d-----w- c:\users\milton\appdata\roaming\AVG2012
2011-12-26 03:00:59 -------- d--h--w- c:\programdata\Common Files
2011-12-26 02:59:25 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-26 02:59:25 -------- d-----w- c:\programdata\AVG2012
2011-12-26 02:58:05 -------- d-----w- c:\program files\AVG
2011-12-26 02:48:11 -------- d-----w- c:\programdata\MFAData
2011-12-24 06:23:48 6823496 ------w- c:\programdata\microsoft\windows defender\definition updates\{c90b4aef-7288-4479-9250-e95808984eea}\mpengine.dll
2011-12-24 05:11:44 435032 ------w- c:\windows\system32\drivers\aswSnx.sys
==================== Find3M ====================
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-28 18:01:25 41184 ------w- c:\windows\avastSS.scr
2011-11-28 17:52:07 55128 ------w- c:\windows\system32\drivers\aswMonFlt.sys
2011-11-23 13:37:27 2043904 ------w- c:\windows\system32\win32k.sys
2011-11-15 19:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-08 14:42:19 2048 ------w- c:\windows\system32\tzres.dll
2011-11-03 06:22:04 916992 ------w- c:\windows\system32\wininet.dll
2011-11-03 06:17:38 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-03 06:17:23 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-03 06:17:08 71680 ------w- c:\windows\system32\iesetup.dll
2011-11-03 06:17:08 109056 ------w- c:\windows\system32\iesysprep.dll
2011-11-03 05:22:43 385024 ------w- c:\windows\system32\html.iec
2011-11-03 04:45:39 133632 ------w- c:\windows\system32\ieUnatt.exe
2011-11-03 04:43:59 1638912 ------w- c:\windows\system32\mshtml.tlb
2011-10-27 08:01:53 3602816 ------w- c:\windows\system32\ntkrnlpa.exe
2011-10-27 08:01:53 3550080 ------w- c:\windows\system32\ntoskrnl.exe
2011-10-25 15:56:04 49152 ------w- c:\windows\system32\csrsrv.dll
2011-10-14 16:02:19 429056 ------w- c:\windows\system32\EncDec.dll
============= FINISH: 2:57:58.40 ===============

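The two AVG anti-rootkit results quoted in the post above each name an image and section (ntkrnlpa.exe[PAGE]), the nearest export plus an offset, and a byte count. As an added illustration that is not part of the original post and not AVG's code, the following Python reconstructs the kind of comparison such a detection name implies: the bytes of a code section as loaded in memory are compared with the on-disk image, each differing run is reported relative to the nearest preceding export, and a 4-byte run sitting directly after an unchanged E8/E9 opcode is decoded as a redirected call/jmp operand. The section contents, the export table and the patch offsets are constructed to land on the same offsets as the log (RtlInitializeSid+0x96A and NtQuerySystemInformation+0x4BEF) and are not real ntkrnlpa.exe data; reading the detection name this way is my interpretation of it.

```python
# Added example: how a "Corrupted section <image>[<sect>] <Export>+0xOFF, size N bytes"
# style finding can be produced. Not AVG's code; all buffers below are constructed.

SECTION_SIZE = 0x6000

# Hypothetical export table (RVA within the section -> name). A real tool
# would take these from the PE export directory of ntkrnlpa.exe.
EXPORTS = {0x0000: "RtlInitializeSid", 0x1000: "NtQuerySystemInformation"}


def build_sample():
    """Construct an on-disk image and an in-memory copy carrying two patches.

    Offsets mirror the AVG log above: RtlInitializeSid+0x96A and
    NtQuerySystemInformation+0x4BEF, 4 bytes each. Constructed data.
    """
    disk = bytearray(bytes(range(256)) * (SECTION_SIZE // 256))
    # A CALL rel32 at RtlInitializeSid+0x969; its 4-byte operand lives at +0x96A.
    disk[0x969] = 0xE8
    disk[0x96A:0x96E] = (-0x100).to_bytes(4, "little", signed=True)
    mem = bytearray(disk)
    # Patch 1: the call operand is rewritten so the call lands somewhere else.
    mem[0x96A:0x96E] = (0x5281).to_bytes(4, "little", signed=True)
    # Patch 2: four bytes flipped with no recognisable instruction context.
    mem[0x5BEF:0x5BF3] = bytes(b ^ 0xFF for b in disk[0x5BEF:0x5BF3])
    return bytes(disk), bytes(mem)


def diff_runs(disk, mem):
    """Maximal runs [(offset, size)] where the in-memory bytes differ.

    A real comparator applies base relocations to the on-disk image first;
    otherwise every absolute address in the code shows up as a 4-byte 'patch'.
    """
    if len(disk) != len(mem):
        raise ValueError("section length mismatch")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(disk, mem)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(disk) - start))
    return runs


def symbolize(rva, exports=EXPORTS):
    """Nearest preceding export, formatted the way the AVG log does: Name+0xOFF."""
    base = max(r for r in exports if r <= rva)
    return f"{exports[base]}+0x{rva - base:X}"


def rel32_target(buf, operand_off):
    """Target of a CALL/JMP rel32 whose 4-byte operand starts at operand_off."""
    rel = int.from_bytes(buf[operand_off:operand_off + 4], "little", signed=True)
    return operand_off + 4 + rel


def describe(disk, mem, offset, size):
    """Explain a run: a 4-byte change right after an unchanged E8/E9 is a
    redirected call/jmp; anything else is reported without interpretation."""
    if (size == 4 and offset >= 1 and disk[offset - 1] in (0xE8, 0xE9)
            and mem[offset - 1] == disk[offset - 1]):
        mnemonic = "call" if disk[offset - 1] == 0xE8 else "jmp"
        return (f"rel32 operand of {mnemonic} at {symbolize(offset - 1)}: "
                f"target 0x{rel32_target(disk, offset):X} -> 0x{rel32_target(mem, offset):X}")
    return "no instruction context recognised"


def report(disk, mem):
    """List of (symbolized offset, size, explanation) for every differing run."""
    return [(symbolize(off), size, describe(disk, mem, off, size))
            for off, size in diff_runs(disk, mem)]


if __name__ == "__main__":
    d, m = build_sample()
    for sym, size, why in report(d, m):
        print(f"Corrupted section ntkrnlpa.exe[PAGE] {sym}, size {size} bytes  # {why}")
```

The two output lines reproduce the shape of the AVG entries; the extra explanation is what a responder wants next, because a rewritten call operand inside an exported kernel routine is the classic footprint of an inline hook, whereas a bare 4-byte difference with no instruction context is just as often a relocation the scanner failed to account for, which is why such results need a second opinion rather than immediate "fixing".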
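The DDS output above lists every autostart and service but gives no verdict, and the helper's reply does not walk through it line by line. As an added example that is not part of the original post and not DDS's own code, the following Python reads lines in the Run and service formats DDS prints and flags the entries a responder checks first: images that live under a user-writable directory, Run values with no image at all or with a bare file name resolved through PATH, services whose file DDS could not find on disk (the trailing "[?]", as I read DDS's convention), and orphaned "No File" entries. The sample lines are copied from the log above; the list of "user-writable" path fragments is my assumption, not something DDS defines.

```python
import re

# Constructed sample: lines copied from the DDS log above, in the two formats
# DDS uses for autostarts ("uRun/mRun") and services ("R2 name;display;image").
SAMPLE_DDS = r"""
uRun: [Google Update] "c:\users\milton\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
BHO: 1 (0x1) - No File
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
S2 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
"""

# Path fragments any standard user can write to (assumption: a reasonable
# default list). An image here is not proof of malware (Google's updater runs
# from AppData by design) but it is exactly where the tkr.exe and
# Vrwd183KH.exe in this thread were found, so it is the first thing to verify.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\documents\\", "\\downloads\\", "\\desktop\\")

RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<value>.*)$", re.I)
SVC_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# First drive-letter path ending in an executable extension; quotes are optional.
IMAGE_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys|scr|cpl|bat|cmd|vbs)\b", re.I)


def extract_image(value):
    m = IMAGE_RE.search(value)
    return m.group(0) if m else None


def in_user_writable(path):
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def triage(text):
    """Return [(kind, name, image, [reasons])] for entries worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            value = m.group("value")
            image, reasons = extract_image(value), []
            if not value:
                reasons.append("Run value is empty")
            elif image is None:
                reasons.append("no absolute image path (resolved via PATH)")
            elif in_user_writable(image):
                reasons.append("image in user-writable directory")
            if reasons:
                findings.append(("run", m.group("name"), image, reasons))
            continue
        m = SVC_RE.match(line)
        if m:
            rest = m.group("rest")
            if "-->" in rest:                 # DDS prints "short name --> long name"
                rest = rest.split("-->", 1)[1]
            image, reasons = extract_image(rest), []
            if image and in_user_writable(image):
                reasons.append("image in user-writable directory")
            if rest.strip().endswith("[?]"):  # DDS could not find the file to stamp it
                reasons.append("file not found on disk ([?])")
            if reasons:
                findings.append(("service", m.group("name"), image, reasons))
            continue
        if line.endswith("No File"):          # registry points at a DLL that is gone
            findings.append(("other", line.split(" - ", 1)[0], None, ["orphaned entry (No File)"]))
    return findings


if __name__ == "__main__":
    for kind, name, image, reasons in triage(SAMPLE_DDS):
        print(f"{kind:8} {name:20} {image or '-'}")
        print(f"         {'; '.join(reasons)}")
```

Run against the full log above, the SessionLauncher service is the entry that stands out: an auto-start service whose image sits in another account's Temp directory and whose file no longer exists, which is either a leftover from a removed installer or the remains of something the scanners already deleted, and in either case worth naming when posting a log. The ThreatFire "[?]" is explained by the post that follows (the product was uninstalled), which is the kind of cross-check a triage list invites.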

#2 MSiegel

  • Topic Starter

  • Members
  • 19 posts
  • Local time:05:44 AM

Posted 11 January 2012 - 08:52 PM

Update: Tried disabling my resident malware protection (AVG, Avast, Panda and Threatfire) to get GMER to run. THREE attempts. Windows crashed every time.
Tried updating MBAM in Normal Mode, then ran Full Scan in Safe Mode. Nothing found.
Tried GMER in Safe Mode. Got message that it had stopped.

Later, while using the PC, there was a message that a driver was being installed. The name was composed of weird characters (not alphanumeric).

#3 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:44 AM

Posted 14 January 2012 - 01:43 PM

Hi MSiegel,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. Thanks in advance for your patience. In the meantime, please do not make any changes to your computer.

If you have already resolved your computer problems, please let me know.


#4 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:44 AM

Posted 15 January 2012 - 03:19 PM

Hi MSiegel,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.

Some things to remember while we are working together.

  • Please do not make posts in all bold, it is difficult to read.
  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


To answer your questions:
  • The Thinkvantage Rescue and Recovery likely did not backup the registry, which is why it did not get restored when you did the restore to last May.
  • The odd result of AVG detecting Cryptor is likely a result of having more than one antivirus program installed. They're both detecting viruses, and so one flags the other as a virus. This is also likely why Vrwd183KH.exe keeps coming back.
  • Multiple messages from DDS are not normal. This might be a combination of having multiple antivirus programs installed and the infections trying to stop DDS from running.

Step 1: Multiple Antivirus Programs
I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Programs & Features in the Control Panel, and uninstall 3 of the following 4 antivirus programs:
  • avast! Free Antivirus
  • AVG 2012
  • Panda Cloud Antivirus
  • ThreatFire

Step 2: ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


#5 MSiegel

  • Topic Starter

  • Members
  • 19 posts
  • Local time:05:44 AM

Posted 15 January 2012 - 06:19 PM


Thank you very much for your assistance.

Before following your instructions, I have a few questions:

1) Is it necessary to completely uninstall three of the listed programs, or would permanently disabling their real-time protection features be sufficient? I would like to keep them installed for occasional scans.

2) Can you recommend which one I should keep as my main protection? Each one catches problems that the others miss.

3) Would it be better to download Combofix in Safe Mode, assuming I can? (I've never used Safe Mode with Networking before.)

4) Is it better to run Combofix in Safe Mode or Normal Mode?

- MSiegel

#6 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:44 AM

Posted 15 January 2012 - 07:16 PM

Hi MSiegel,

Good questions. :)

  • Yes, it is necessary to completely uninstall 3 of the 4. Permanently disabling the protection features would temporarily work, but this is not the intended use of any antivirus program. They're meant to be actively protecting your computer. Additionally, if you ran a scan with one antivirus program, it will likely continue to flag files that another antivirus program had previously detected.
  • If you haven't paid for any of them, I would recommend keeping Avast. I personally haven't ever used Panda Cloud Antivirus, though I have read good reviews of it. AVG has shown poor detection rates recently, and so is not recommended. I have used ThreatFire in the past, but it didn't seem to catch everything other antivirus programs did.
  • If you can download Combofix in normal mode (not Safe Mode), do that. If you can't download Combofix in normal mode, try Safe Mode with Networking.
  • Combofix works best if run in normal mode (if possible).



#7 MSiegel

  • Topic Starter

  • Members
  • 19 posts
  • Local time:05:44 AM

Posted 15 January 2012 - 10:58 PM

Jason -

1) Threatfire, AVG and Panda were successfully uninstalled. For AVG, I used the uninstall option in the AVG program folder, as opposed to Control Panel. The only unusual things observed were:

a) There was an error when uninstalling Threatfire - something about WFC or WKC. But there was also a message that Threatfire was successfully uninstalled.
b) The restart after uninstalling AVG took longer than a restart usually does.

2) Combofix was downloaded and installed with no problem. Before running it, I disconnected from the Internet and disabled Avast. However, I made a mistake and only disabled it until the next restart.

3) When Combofix restarted the machine (which it did only once), it said not to run anything else until it was finished. Unfortunately, the restart had re-enabled Avast, which was trying to block Combofix. A box said that Combofix was dangerous and recommended that it be run "in the sandbox". I selected "open normally" and clicked ok but the box came back immediately. I permanently disabled Avast in the system tray, went back to the box and again selected "open normally", and clicked ok. This time the box did not reappear but I'm not sure if the conflict with Avast could affect the results from Combofix.

4) After re-enabling Avast, reconnecting to the net and starting IE (to do this post), there was a message from Windows (?) saying that IE was not my default browser and would I like to make it my default browser. This seemed strange since I've never used any other browser on this computer.

5) Here is the Combofix log:

ComboFix 12-01-15.01 - Milton 01/15/2012 21:13:06.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3037.1717 [GMT -5:00]
Running from: c:\users\Milton\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\users\Milton\AppData\Roaming\Microsoft\Windows\Recent\FastStone Image Viewer.url
((((((((((((((((((((((((( Files Created from 2011-12-16 to 2012-01-16 )))))))))))))))))))))))))))))))
2012-01-16 02:23 . 2012-01-16 02:23 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{46E73DAE-6408-4331-8D64-7AE0B593AEB6}\offreg.dll
2012-01-16 02:21 . 2012-01-16 02:27 -------- d-----w- c:\users\Milton\AppData\Local\temp
2012-01-16 02:21 . 2012-01-16 02:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-16 01:41 . 2011-11-30 07:21 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{46E73DAE-6408-4331-8D64-7AE0B593AEB6}\mpengine.dll
2012-01-11 17:15 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-11 17:15 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-11 17:15 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-11 17:15 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-11 17:15 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-11 17:15 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-11 14:47 . 2012-01-11 14:51 -------- d-----w- C:\a3c445bb7a25b28664009a70
2012-01-11 00:48 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 00:48 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 00:48 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 00:48 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 00:48 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 00:48 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 00:48 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-11 00:48 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-12-29 15:53 . 2012-01-16 00:40 -------- d-----w- c:\users\Milton\AppData\Local\CrashDumps
2011-12-28 16:24 . 2012-01-07 03:32 -------- d-----w- c:\users\Milton\AppData\Local\NPE
2011-12-28 16:24 . 2011-12-28 16:25 -------- d-----w- c:\programdata\Norton
2011-12-26 18:16 . 2011-12-26 18:16 -------- d-----w- c:\programdata\PC Tools
2011-12-26 03:00 . 2011-12-26 03:00 -------- d--h--w- c:\programdata\Common Files
2011-12-26 02:58 . 2011-12-26 02:58 -------- d-----w- c:\program files\AVG
2011-12-26 02:48 . 2012-01-16 00:55 -------- d-----w- c:\programdata\MFAData
2011-12-24 05:11 . 2011-11-28 17:53 435032 ------w- c:\windows\system32\drivers\aswSnx.sys
2011-12-24 05:01 . 2011-12-24 05:01 -------- d-----w- c:\users\Administrator
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2011-12-10 20:24 . 2010-04-16 22:31 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-28 18:01 . 2010-08-24 05:44 41184 ------w- c:\windows\avastSS.scr
2011-11-28 18:01 . 2009-06-30 22:42 199816 ------w- c:\windows\system32\aswBoot.exe
2011-11-28 17:53 . 2009-06-30 22:43 314456 ------w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 17:52 . 2009-06-30 22:43 34392 ------w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 17:52 . 2009-06-30 22:43 52952 ------w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 17:52 . 2009-06-30 22:42 55128 ------w- c:\windows\system32\drivers\aswMonFlt.sys
2011-11-28 17:51 . 2009-06-30 22:43 20568 ------w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-23 13:37 . 2011-12-15 01:50 2043904 ------w- c:\windows\system32\win32k.sys
2011-11-15 19:29 . 2009-10-02 18:21 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-08 14:42 . 2011-12-15 01:50 2048 ------w- c:\windows\system32\tzres.dll
2011-11-03 06:22 . 2011-12-15 01:50 916992 ------w- c:\windows\system32\wininet.dll
2011-11-03 06:17 . 2011-12-15 01:50 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-03 06:17 . 2011-12-15 01:50 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-03 06:17 . 2011-12-15 01:50 71680 ------w- c:\windows\system32\iesetup.dll
2011-11-03 06:17 . 2011-12-15 01:50 109056 ------w- c:\windows\system32\iesysprep.dll
2011-11-03 05:22 . 2011-12-15 01:50 385024 ------w- c:\windows\system32\html.iec
2011-11-03 04:45 . 2011-12-15 01:50 133632 ------w- c:\windows\system32\ieUnatt.exe
2011-11-03 04:43 . 2011-12-15 01:50 1638912 ------w- c:\windows\system32\mshtml.tlb
2011-10-27 08:01 . 2011-12-15 01:50 3602816 ------w- c:\windows\system32\ntkrnlpa.exe
2011-10-27 08:01 . 2011-12-15 01:50 3550080 ------w- c:\windows\system32\ntoskrnl.exe
2011-10-25 15:56 . 2011-12-15 01:50 49152 ------w- c:\windows\system32\csrsrv.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
2011-11-28 18:01 122512 ------w- c:\program files\Alwil Software\Avast5\ashShell.dll
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2007-07-11 569344]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-01-07 60704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-10 1045800]
"TpShocks"="TpShocks.exe" [2009-02-03 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\LVOSDSVC.exe" [2008-03-24 64368]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-24 487424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 244208]
"RoxioDragToDisc"="c:\program files\Lenovo\Drag-to-Disc\DrgToDsc.exe" [2007-03-13 1116920]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2008-06-08 165208]
"LPMailChecker"="c:\progra~1\Lenovo\LENOVO~2\LPMLCHK.exe" [2008-06-08 124248]
"CameraApplicationLauncher"="c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2009-02-03 16384]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-03-23 644384]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2009-03-23 214576]
"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2009-01-21 36864]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-04-24 435488]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2009-04-24 177440]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-25 3077432]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"IdeaNotesUser"="c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe" [2009-08-24 221872]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Clearwire Connection Manager"="c:\program files\Clearwire\Connection Manager\ClearwireCM.exe" [2010-11-17 54608]
"iCall Internet Phone"="c:\program files\iCall\iCall.exe" [2008-12-18 1587576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-11-28 3744552]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-24 981680]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
"EnableUIADesktopToggle"= 0 (0x0)
--- Other Services/Drivers In Memory ---
*NewlyCreated* - WS2IFSL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Contents of the 'Scheduled Tasks' folder
2012-01-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 19:54]
2011-12-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3483376825-1778857092-3571725191-1003Core.job
- c:\users\Milton\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-13 06:12]
2011-12-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3483376825-1778857092-3571725191-1003UA.job
- c:\users\Milton\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-13 06:12]
2011-10-17 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
------- Supplementary Scan -------
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\users\Milton\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer =
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
--------------------- LOCKED REGISTRY KEYS ---------------------
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(4304)
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
------------------------ Other Running Processes ------------------------
c:\program files\Lenovo\ATK Hotkey\ASLDRSrv.exe
c:\program files\Lenovo\ATK Hotkey\GFNEXSrv.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Lenovo\ATK Hotkey\LFKAS.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe
c:\program files\DDNI\DIBS\DDNIService.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\LENOVO\HOTKEY\TPHKSVC.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Lenovo\ATK Hotkey\LCONTROL.exe
c:\program files\Lenovo\ATK Hotkey\LFKA.exe
c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\program files\Lenovo\LenovoCare\LPMGR.EXE
c:\program files\Lenovo\LenovoCare\LPMLCHK.EXE
c:\program files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
c:\program files\ThinkPad\ConnectUtilities\ACGadgetWrapper.exe
Completion time: 2012-01-15 21:32:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-16 02:32
Pre-Run: 179,943,489,536 bytes free
Post-Run: 180,934,807,552 bytes free
- - End Of File - - 3EC55429961462D73193B79D830065C9

#8 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:44 AM

Posted 16 January 2012 - 12:15 PM

Hi MSiegel,

Looking good. :thumbup2:

To answer your questions:
  • It looks like Threatfire was successfully uninstalled, even though it gave you errors.
  • It is sometimes normal for a reboot to take longer after uninstalling an antivirus program. If your computer continues to take longer than normal to reboot, please let me know.
  • Disabling Avast worked as expected. I don't believe it re-enabling itself once your computer rebooted interfered with Combofix running.
  • Internet Explorer will pop up with that message if it has been reset. Just select Yes to make it your default browser.

Please copy and paste the Malwarebytes log in which, as you said earlier, Malwarebytes deleted items from drive S (the log files can be found under the Logs tab in Malwarebytes).

How's your computer running now?


#9 MSiegel

  • Topic Starter

  • Members
  • 19 posts
  • Local time:05:44 AM

Posted 16 January 2012 - 04:31 PM

Hi, Jason -

The PC is running sort-of okay. No crashes today.

Several things I'm still concerned about:

1) Should I try running GMER, even if only to see if the system crashes again?

2) Today my mouse froze for about 30 seconds. I've never seen that before.

3) Last night, another driver with a name composed of weird symbols was installed.

4) When I first got infected, I looked up instructions for manually removing Vista Antivirus 2012 and similar malware on Bleepingcomputer and other websites. I was afraid to try anything without expert help but I noticed that one of the steps involved deleting a list of registry keys. The registry still contains references to the virus process tkr.exe and possibly some of the other bad keys on the list.

5) Some strange things (like the messages about unknown hardware connected to my SATA controller) occurred at random intervals so I won't be confident they're gone for some time.

6) Still getting messages that Windows has blocked some Startup programs long after startup.

7) The AVG scan for rootkits found two problems. Did Combofix repair them? Should I temporarily reinstall AVG and check?

8) In general, how can anyone ever be sure that a PC has no rootkits? The people who create malware are very clever and I get paranoid when I think about it.

9) How does one protect oneself while web-surfing? In my case, Vista Antivirus 2012 got on my system even though both Avast and Panda were running and fully updated. (Actually, it blew right past both of them, along with a bunch of other bad stuff.)

10) Oh yeah, almost forgot. Here's the MBAM log you requested:

Malwarebytes Anti-Malware

Database version: v2012.01.05.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19170
Milton :: MILTON-PC [administrator]

1/5/2012 12:03:26 AM
mbam-log-2012-01-05 (00-03-26).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 411113
Time elapsed: 2 hour(s), 50 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
S:\recovery\iub\tools32\shutdown.exe (Adware.Agent.ZGen) -> Quarantined and deleted successfully.


#10 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:44 AM

Posted 17 January 2012 - 08:38 AM

Hi MSiegel,

Again, good questions! :)

  • Yes, I would like you to run GMER again. However, please follow the instructions in step 1, below.
  • I'm not sure why your mouse froze. This may be the result of malware on your computer, it may not be.
  • Windows installing the oddly-named driver is strange. Thank you for telling me about it.
  • The references to tkr.exe in the registry are likely what we call orphans. Without the actual tkr.exe file, these registry entries are harmless. I would advise you NOT to make any edits or changes to the registry without being instructed to first. It is extremely easy to make one mistake and cause your computer to not boot anymore.
  • Windows may block programs at startup, which is normal. This is a feature of Windows Vista. One of the programs I have seen blocked at startup is Malwarebytes. See this Microsoft article for more information.
  • Combofix did not fix what AVG had found. It is not necessary to reinstall AVG to check again. GMER should be able to tell us whether what AVG found is still an issue.
  • Running anti-rootkit programs like GMER usually reports rootkits. GMER (and other anti-rootkit programs) use special techniques to scan your computer for files and registry entries that aren't visible to the computer. This is what the reports contain. You're exactly right, the people who create malware are very clever. Luckily, the people who create programs like Combofix are very clever at combating malware as well. :)
  • Keeping an antivirus program up-to-date is only one way to protect yourself while web surfing. Keeping common programs like Java, Adobe Flash, and Adobe Reader up-to-date is also a way to prevent getting infected (older versions of these programs contain vulnerabilities that malware can use to reinfect your computer). Once you are no longer infected, I will post several additional recommendations on how to prevent getting infected again.

Step 1: Please re-download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

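The orphan check jntkwx describes above, as an added PowerShell example that is not part of the thread and is not code from ComboFix, GMER or Malwarebytes: it lists the entries under the usual Run/RunOnce keys, resolves each command line to an executable (a quoted path, or an unqualified name such as TpShocks.exe looked up through the search path, as Windows would), and marks those whose file no longer exists on disk; it then searches HKLM\SOFTWARE and HKCU\Software for any value whose data still mentions tkr.exe. The key list, the hive list and the function names are assumptions, as is the requirement of Windows PowerShell 2.0 or later on an elevated prompt. It only reads; nothing is deleted or edited.

```powershell
# Added example, not code from the thread or from ComboFix/GMER/Malwarebytes.
# Assumes Windows PowerShell 2.0 or later (an optional update on Vista) and an
# elevated prompt so the HKLM keys are readable. Read-only: it reports and does
# not change the registry, in line with jntkwx's advice not to edit it by hand.

# Assumption: only the common Run/RunOnce keys. ComboFix inspects many more
# autostart locations, so this is a spot check, not a replacement for its log.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath {
    param([string]$CommandLine)
    # Value data is a command line, so split the executable from its arguments:
    # a quoted path first, otherwise the first whitespace-delimited token.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $exe = ($cmd -split '\s+')[0]
    # An entry such as "TpShocks.exe" (seen in the ComboFix log above) carries
    # no directory; Windows resolves it through the search path, so do the same
    # before deciding the file is missing.
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $app = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue
        if ($app) { return @($app)[0].Path }
    }
    return $exe
}

function Get-OrphanedAutoruns {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not values
            $image = Get-ImagePath ([string]$p.Value)
            # -or short-circuits, so Test-Path is never handed an empty string.
            $missing = ([string]::IsNullOrEmpty($image)) -or (-not (Test-Path -LiteralPath $image -PathType Leaf))
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Image   = $image
                Orphan  = $missing
            }
        }
    }
}

function Find-RegistryReference {
    param([string]$Pattern, [string[]]$Hives = @('HKLM:\SOFTWARE', 'HKCU:\Software'))
    # List every value whose data mentions $Pattern (e.g. 'tkr.exe') together
    # with the key it lives in, so leftover references can be reviewed instead
    # of hunted by hand in regedit. Walking a large hive takes a while.
    $re = [regex]::Escape($Pattern)
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $k = $_
            foreach ($name in $k.GetValueNames()) {
                $data = [string]$k.GetValue($name)
                if ($data -match $re) {
                    New-Object PSObject -Property @{ Key = $k.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

# Usage: orphaned autoruns first, then every lingering mention of the process
# this thread is about.
Get-OrphanedAutoruns | Sort-Object Orphan -Descending | Format-Table Orphan, Name, Image -AutoSize
Find-RegistryReference -Pattern 'tkr.exe' | Format-Table Key, Value, Data -AutoSize
```

An entry reported as Orphan is one whose command line no longer points at a file; that matches the "harmless without the file" reasoning in the post, but the output is a list to review and hand to the helper, not a list to delete.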

#11 MSiegel

  • Topic Starter

  • Members
  • 19 posts
  • Local time:05:44 AM

Posted 17 January 2012 - 09:52 PM

Jason -

GMER ran. There were no warnings or other boxes. Right after clicking Scan, I realized that I had not unchecked IAT/EAT. This was in the instructions for running GMER before posting to the forum. Should I have unchecked it or was this time different? The non-system drives Q and S were unchecked by default and I left them that way. The "Show all" checkbox was not checked and appeared to be greyed out. Please let me know if these settings were correct.

One slightly strange observation. After the program finished, I was unable to save the log to my desktop, perhaps because there is a gmer folder on the desktop left over from the first (pre-posting) download. It was saved in my Documents folder instead. (Problem?)


P.S. I just clicked on "Add Reply" (with the log pasted in) and got a message that the post is too long. How should I get the log to you?

#12 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:44 AM

Posted 17 January 2012 - 09:55 PM

Hi MSiegel,

No it doesn't matter where the log is saved.

Try attaching the file to your next reply (you should see a button below the text box where you type in a reply called "Click To Attach Files")


#13 MSiegel

  • Topic Starter

  • Members
  • 19 posts
  • Local time:05:44 AM

Posted 17 January 2012 - 10:18 PM

Jason -

The file is 716 KB. When I tried to attach it (instead of pasting), there was a message that it was too big to upload.


#14 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:44 AM

Posted 17 January 2012 - 10:23 PM

Try rerunning GMER, but do what the previous instructions said by unchecking the following:

This should produce a smaller log. Let me know if you run into any other problems.


#15 MSiegel

  • Topic Starter

  • Members
  • 19 posts
  • Local time:05:44 AM

Posted 18 January 2012 - 05:44 AM

Jason -

Odd goings-on (plus I think I might have made a big mistake).

After reading your request to rerun GMER with the changed settings, I shut down IE, shut down my Internet connection software and "permanently" disabled Avast. I did not download GMER again, just launched the randomly named copy from before (m2osuxqz.exe). But something didn't "feel" right - the initial quick scan was taking too long. I decided to close the program window, reboot and start over.

After rebooting, I again shut down my Internet software. When I went to disable Avast, I saw that it was still disabled from before. (I had not re-enabled it before rebooting.) This means that I was (very briefly) connected to the Internet with no AV software running at all (albeit with no web browser either). Could this be a problem? Could I have picked up new infections?

Anyway, I launched GMER (m2osuxqz.exe) again. Windows crashed.

As it was recovering, I didn't want to have another Internet connection while unprotected, so I physically unplugged my Internet hardware (though I worried that this might affect how the system starts up). When GMER was launched, it did the quick scan. I unchecked the IAT/EAT box (the rest were already unchecked) and clicked Scan. After a short time, the program stopped working.

I did a cold reboot and started GMER again the same way. Same result.

I went into Safe Mode and started GMER again. Same result, except the "stopped working" box looks different in Safe Mode.

I remembered that in an earlier post you had listed something else to try if GMER would not run. I needed to see what you had written, so I rebooted into normal mode, re-enabled Avast, plugged in my Internet hardware and rebooted again. The other strategy for GMER was to uncheck "Devices". However, I was not sure whether IAT/EAT needed to be unchecked also (to keep the size of the log down) or if unchecking both would cause some kind of problem.

I ended up making a large number of attempts to run GMER with IAT/EAT either checked or unchecked or with Devices unchecked. (I did not try unchecking both.) After the first few attempts, my goal was less to obtain a shorter log than to see if GMER could run to completion a second time. Bottom line: it won't. Either it stops or Windows crashes completely, both outcomes after varying lengths of time (usually fairly quickly but sometimes long enough to make one think it's going to work).

Last, I tried downloading a fresh copy with another randomized name and running it with the exact same settings that worked previously (IAT/EAT and Devices checked). No good.

What's bothering me the most is that GMER stopping or crashing Windows looks suspiciously like what was happening before Combofix was run. Of course, this is an impression from someone who understands very little about what we're doing....


