
Windows AntiVirus Pro



I cannot access many .exe's on my laptop and receive this message: "Windows cannot access the specific device, path, or file. You may not have the appropriate permissions to access the item." I have also already followed the instructions for removing it on this page: http://www.2-spyware.com/remove-windows-antivirus-pro.html. Unfortunately, I cannot run Malwarebytes or HiJackThis. From reading some of the posts, they have been recommending ComboFix. Here is the log... Please advise.

ComboFix 09-08-20.01 - tmcilhenney 08/20/2009 20:53.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2543 [GMT -4:00]

Running from: c:\documents and settings\tmcilhenney\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\cleanup.exe

c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat

c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat

c:\recycler\S-1-5-21-3438605536-4105128146-2857893889-500

c:\windows\msa.exe

c:\windows\ppp3.dat

c:\windows\ppp4.dat

c:\windows\run.log

c:\windows\svchast.exe

c:\windows\system32\bennuar.old

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk

c:\windows\system32\dddesot.dll

c:\windows\system32\desot.exe

c:\windows\system32\drivers\kbiwkmjsaowpjn.sys

c:\windows\system32\kbiwkmdpulqjns.dat

c:\windows\system32\kbiwkmrkumilmm.dll

c:\windows\system32\kbiwkmtjwajckx.dat

c:\windows\system32\kbiwkmveqoyxxy.dll

c:\windows\system32\kbiwkmxoelviyo.dat

c:\windows\system32\sonhelp.htm

c:\windows\system32\sysnet.dat

----- BITS: Possible infected sites -----

hxxp://megatron

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_kbiwkmtumnkjdv

-------\Legacy_kbiwkmtumnkjdv

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))

.

2009-08-21 01:06 . 2009-08-21 01:06 -------- d-sh--w- C:\found.000

2009-08-21 00:29 . 2009-08-21 00:29 574 ----a-w- C:\cleanup.bat

2009-08-21 00:29 . 2009-08-21 00:29 135168 ----a-w- C:\zip.exe

2009-08-20 23:49 . 2009-08-20 23:49 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\Lavasoft

2009-08-20 23:48 . 2009-08-20 23:48 -------- d-----w- c:\program files\Lavasoft

2009-08-20 22:43 . 2009-08-20 22:43 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\Malwarebytes

2009-08-20 22:43 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-20 22:43 . 2009-08-21 00:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-20 22:43 . 2009-08-20 22:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes

2009-08-20 22:43 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-20 19:40 . 2009-08-20 19:40 -------- dc----w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}

2009-08-20 19:21 . 2009-08-20 19:21 54784 ----a-w- c:\windows\system32\drivers\UACrjelxrspne.sys

2009-08-20 19:21 . 2009-08-20 19:21 -------- d-sh--we c:\windows\system32\GroupPolicy\User\Scripts\Logoff\Logoff

2009-08-20 19:21 . 2009-08-20 19:21 -------- d-sh--we c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

2009-08-20 14:55 . 2009-08-20 14:55 -------- d-----w- c:\documents and settings\tmcilhenney\Local Settings\Application Data\Installer2408

2009-08-20 14:47 . 2009-08-20 14:47 -------- d-----w- c:\documents and settings\tmcilhenney\Local Settings\Application Data\Installer3404

2009-08-20 14:31 . 2007-03-20 18:49 2781184 ----a-w- c:\documents and settings\tmcilhenney\Application Data\Adobe\Dreamweaver 9\Configuration\Flash Player\authplay.dll

2009-08-20 14:28 . 2009-08-20 14:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet

2009-08-20 14:12 . 2007-02-20 20:04 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe

2009-08-20 14:12 . 2007-02-20 20:04 2463976 ----a-w- c:\windows\system32\NPSWF32.dll

2009-08-20 14:02 . 2009-08-20 14:02 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-08-19 19:19 . 2009-08-19 19:19 -------- d-----w- c:\program files\Hewlett-Packard

2009-08-19 19:19 . 2009-08-19 19:19 -------- d-----w- c:\program files\Common Files\HP

2009-08-19 19:17 . 2009-08-19 19:20 174469 ----a-w- c:\windows\hppins12.dat

2009-08-19 19:17 . 2008-07-31 23:33 8239 ------w- c:\windows\hppmdl12.dat

2009-08-19 18:54 . 2009-08-19 18:54 71168 ----a-w- c:\windows\system32\drivers\vtpetixgqfuymbcj.sys

2009-08-18 13:02 . 2009-08-18 13:02 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-08-13 17:22 . 2009-08-13 18:49 -------- d-----w- c:\program files\Citrix

2009-08-12 21:53 . 2009-06-12 12:31 80896 ------w- c:\windows\system32\dllcache\tlntsess.exe

2009-08-12 21:53 . 2009-06-12 12:31 76288 ------w- c:\windows\system32\dllcache\telnet.exe

2009-08-12 21:53 . 2009-06-10 06:14 132096 ------w- c:\windows\system32\dllcache\wkssvc.dll

2009-08-12 21:53 . 2009-06-10 14:13 84992 ------w- c:\windows\system32\dllcache\avifil32.dll

2009-08-12 21:53 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll

2009-08-12 21:53 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-12 21:52 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

2009-08-12 21:52 . 2009-06-25 08:25 54272 ------w- c:\windows\system32\dllcache\wdigest.dll

2009-08-12 21:52 . 2009-06-25 08:25 301568 ------w- c:\windows\system32\dllcache\kerberos.dll

2009-08-12 21:52 . 2009-06-25 08:25 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll

2009-08-12 21:52 . 2009-06-24 11:18 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys

2009-08-08 20:33 . 2009-08-08 20:41 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\Apple Computer

2009-08-08 20:32 . 2009-08-08 20:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple

2009-08-04 18:21 . 2009-06-29 16:12 17408 ------w- c:\windows\system32\dllcache\corpol.dll

2009-08-04 18:18 . 2009-06-16 14:36 81920 ------w- c:\windows\system32\dllcache\fontsub.dll

2009-08-04 18:18 . 2009-06-16 14:36 119808 ------w- c:\windows\system32\dllcache\t2embed.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-20 22:46 . 2008-11-15 00:01 256 ----a-w- c:\windows\system32\pool.bin

2009-08-20 22:46 . 2008-12-22 13:20 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\FileZilla

2009-08-20 19:54 . 2008-09-30 12:21 -------- d-----w- c:\program files\RegScrubXP

2009-08-20 14:21 . 2008-08-29 15:21 84680 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-20 14:17 . 2008-08-29 15:01 -------- d-----w- c:\program files\Common Files\Adobe

2009-08-19 19:19 . 2008-12-12 17:49 -------- d-----w- c:\program files\HP

2009-08-18 13:02 . 2009-03-05 13:26 -------- d-----w- c:\program files\DivX

2009-08-18 12:46 . 2009-06-22 12:54 -------- d-----w- c:\program files\FileZilla FTP Client

2009-08-15 12:04 . 2008-09-30 12:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-15 12:04 . 2008-09-30 12:37 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-15 12:04 . 2008-09-30 12:37 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-13 07:03 . 2008-08-29 15:17 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help

2009-08-11 01:50 . 2009-01-27 16:36 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\.purple

2009-08-09 11:12 . 2009-04-13 13:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\VMware

2009-08-09 11:06 . 2009-04-13 13:40 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\VMware

2009-08-08 20:33 . 2009-08-08 20:33 -------- d-----w- c:\program files\iTunes

2009-08-08 20:33 . 2009-08-08 20:33 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-08-08 20:33 . 2009-08-08 20:33 -------- d-----w- c:\program files\iPod

2009-08-08 20:33 . 2009-08-08 20:32 -------- d-----w- c:\program files\Common Files\Apple

2009-08-08 20:33 . 2009-08-08 20:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer

2009-08-08 20:33 . 2009-08-08 20:33 -------- d-----w- c:\program files\Bonjour

2009-08-08 20:32 . 2009-08-08 20:32 -------- d-----w- c:\program files\QuickTime

2009-08-08 20:32 . 2009-08-08 20:32 -------- d-----w- c:\program files\Apple Software Update

2009-08-08 20:26 . 2009-04-13 13:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware

2009-08-08 15:18 . 2009-04-13 13:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware

2009-08-05 12:40 . 2008-10-29 21:41 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-05 09:01 . 2006-04-30 06:55 204800 ------w- c:\windows\system32\mswebdvd.dll

2009-08-04 19:28 . 2009-07-16 17:11 -------- d-----w- c:\program files\Microsoft Works

2009-07-23 19:03 . 2009-01-26 21:00 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\gtk-2.0

2009-07-21 20:32 . 2009-07-21 18:06 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\Download Manager

2009-07-21 13:55 . 2009-07-21 13:55 -------- d-----w- c:\program files\FLV Player

2009-07-17 19:01 . 2006-04-30 06:55 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 18:24 . 2009-06-05 17:31 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\FuskerClient

2009-07-16 17:11 . 2008-09-30 12:00 -------- d-----w- c:\program files\MSBuild

2009-07-16 17:11 . 2009-07-16 17:11 -------- d-----w- c:\program files\Microsoft.NET

2009-07-16 17:09 . 2009-07-16 17:09 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-07-14 03:43 . 2006-04-30 06:56 286208 ------w- c:\windows\system32\wmpdxm.dll

2009-07-13 18:23 . 2009-07-13 18:23 16608 ------w- c:\windows\gdrv.sys

2009-07-10 16:05 . 2009-07-14 12:53 765952 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\bgd.dll

2009-07-10 16:05 . 2009-07-14 12:53 74240 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\zlib1.dll

2009-07-10 16:05 . 2009-07-14 12:53 51200 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\mtn.exe

2009-07-10 16:05 . 2009-07-14 12:53 343040 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\avformat-51.dll

2009-07-10 16:05 . 2009-07-14 12:53 31232 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\avutil-49.dll

2009-07-10 16:05 . 2009-07-14 12:53 150528 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\swscale-0.dll

2009-07-10 16:05 . 2009-07-14 12:53 2358784 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\avcodec-51.dll

2009-07-09 16:16 . 2009-08-08 20:32 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-09 16:16 . 2009-08-08 20:32 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-06-29 16:12 . 2006-04-30 06:56 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2006-04-30 06:55 78336 ------w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2006-04-30 06:55 17408 ------w- c:\windows\system32\corpol.dll

2009-06-26 13:58 . 2008-08-29 15:00 -------- d-----w- c:\program files\Common Files\Lenovo

2009-06-26 13:58 . 2008-08-29 15:11 33536 ------w- c:\windows\system32\drivers\tvtfilter.sys

2009-06-26 13:43 . 2009-06-26 13:43 -------- d-----w- c:\program files\Web CEO

2009-06-25 08:25 . 2006-04-30 06:56 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2006-04-30 06:55 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2006-04-30 06:55 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2006-04-30 06:55 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2006-04-30 06:55 730112 ------w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2006-04-30 06:55 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2006-04-30 06:55 92928 ------w- c:\windows\system32\drivers\ksecdd.sys

2009-06-23 19:34 . 2009-01-30 19:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PCDr

2009-06-23 19:30 . 2009-06-23 19:30 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\Leadertech

2009-06-23 17:52 . 2009-06-23 17:52 -------- d-----w- c:\program files\Common Files\Intel

2009-06-23 17:52 . 2008-08-29 14:49 -------- d-----w- c:\program files\Intel

2009-06-23 17:37 . 2008-08-29 15:05 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lenovo

2009-06-23 17:37 . 2009-01-30 19:01 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\Downloaded Installations

2009-06-23 17:36 . 2008-08-29 14:50 -------- d-----w- c:\program files\Lenovo

2009-06-16 14:36 . 2006-04-30 06:56 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2006-04-30 06:55 81920 ------w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2006-04-30 06:56 80896 ------w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2006-04-30 06:55 76288 ------w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2006-04-30 06:55 84992 ------w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2006-04-30 07:09 2066432 ------w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2006-04-30 06:56 132096 ------w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2006-04-30 06:55 1291264 ------w- c:\windows\system32\quartz.dll

2009-05-31 22:01 . 2009-05-31 22:01 664 ------w- c:\windows\system32\d3d9caps.dat

2009-05-25 04:24 . 2008-05-27 05:18 350208 ------w- c:\windows\system32\mssph.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-04-10 122880]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-10 524288]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\LVOSDSVC.exe" [2008-03-24 64368]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-04 150040]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-04 141848]

"LCONTROL"="c:\program files\Lenovo\ATK Hotkey\LCONTROL.exe" [2008-03-20 77824]

"LFKA"="c:\program files\Lenovo\ATK Hotkey\LFKA.exe" [2008-04-16 315392]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-15 2007832]

"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2009-02-03 181536]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"RecycleBinSize"= 3 (0x3)

"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2008-06-25 00:31 95496 ------w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2006-09-06 20:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2008-08-09 00:14 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]

2009-04-17 18:15 32768 ------w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-15 12:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd ACGina

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [1/28/2009 5:58 PM 117800]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [1/28/2009 5:57 PM 20520]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/30/2008 8:37 AM 335240]

R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [8/29/2008 11:09 AM 4442]

R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 8:50 AM 46144]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/30/2008 8:37 AM 297752]

R2 LFKAS;Service of LFKA;c:\program files\Lenovo\ATK Hotkey\LFKAS.exe [8/29/2008 11:06 AM 208896]

R2 PDSched;PDScheduler;c:\program files\RAXCO\PerfectDisk\PDSched.exe [11/29/2005 2:16 PM 241731]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/29/2008 11:09 AM 53248]

R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [6/24/2008 8:07 PM 12560]

R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 7:25 PM 520192]

R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 8:50 AM 360448]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [8/29/2008 10:55 AM 108032]

S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]

S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

S3 CH341SER;CH341SER;c:\windows\system32\drivers\CH341SER.SYS [6/5/2006 1:00 AM 35824]

S3 ESISp50;ESISp50 NDIS Protocol Driver;c:\windows\system32\drivers\ESISp50.sys [11/29/2006 4:46 AM 27072]

S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/1/2008 3:13 AM 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {A2025525-F6F4-42E8-9B06-11F908BE2DBD} = 10.21.113.11,10.21.113.1

FF - ProfilePath - c:\docume~1\TMCILH~1\APPLIC~1\Mozilla\Firefox\Profiles\362rxgax.default\

FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\components\itunesplugin.dll

FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\components\quicktime_plugin.dll

FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\components\UnboxPlugin.dll

FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zvcore@zeevee.com\platform\WINNT\components\applauncher.dll

FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zvcore@zeevee.com\platform\WINNT\components\mozilla_remote.dll

FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zviewer@zeevee.com\platform\WINNT\components\filefinder.dll

FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zviewer@zeevee.com\platform\WINNT\components\filewatcher.dll

FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zviewer@zeevee.com\platform\WINNT\components\mediainfo_plugin.dll

FF - plugin: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll

FF - plugin: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zviewer@zeevee.com\platform\WINNT_x86-msvc\plugins\np-mswmp.dll

FF - plugin: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zviewer@zeevee.com\platform\WINNT_x86-msvc\plugins\npzvgui.dll

FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJPI150_16.dll

FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPOJI610.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-20 21:10

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1172)

c:\windows\system32\vrlogon.dll

c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll

c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll

c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

c:\windows\system32\psqlpwd.dll

c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

c:\program files\ThinkVantage Fingerprint Software\infql2.dll

c:\program files\ThinkVantage Fingerprint Software\homepass.dll

c:\program files\ThinkVantage Fingerprint Software\bio.dll

c:\program files\ThinkVantage Fingerprint Software\qlbase.dll

c:\program files\ThinkVantage Fingerprint Software\ps2css.dll

c:\program files\Lenovo\HOTKEY\tphklock.dll

c:\program files\ThinkVantage Fingerprint Software\pscssint.dll

c:\program files\ThinkVantage Fingerprint Software\vti.dll

- - - - - - - > 'lsass.exe'(1228)

c:\windows\system32\psqlpwd.dll

c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

c:\program files\ThinkVantage Fingerprint Software\infql2.dll

c:\program files\ThinkPad\ConnectUtilities\ACGina.dll

c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll

c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll

c:\program files\ThinkPad\ConnectUtilities\ACON.dll

c:\windows\system32\WININET.dll

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll

c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll

c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll

c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll

c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll

- - - - - - - > 'explorer.exe'(5584)

c:\windows\system32\WININET.dll

c:\program files\RocketDock\RocketDock.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Lenovo\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\program files\Intel\WiFi\bin\S24EvMon.exe

c:\program files\Lenovo\ATK Hotkey\GFNEXSrv.exe

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Lenovo\HOTKEY\TPONSCR.exe

c:\program files\Lenovo\ZOOM\TpScrex.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

c:\windows\system32\TPHDEXLG.exe

c:\program files\Lenovo\Rescue and Recovery\rrservice.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\windows\system32\searchindexer.exe

c:\program files\Lenovo\System Update\SUService.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\notepad.exe

c:\windows\system32\searchprotocolhost.exe

c:\windows\system32\searchfilterhost.exe

.

**************************************************************************

.

Completion time: 2009-08-21 21:14 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-21 01:14

Pre-Run: 86,182,854,656 bytes free

Post-Run: 86,052,233,216 bytes free

406 --- E O F --- 2009-08-13 07:03


*UPDATE*

I just got Malwarebytes to run by renaming mbam.exe, and it is currently checking the system. I'll keep this thread posted on my findings, and if anyone has any suggestions in the meantime, I would love to hear them.

Also, I have been able to run procexp.exe and RootRepeal but don't seem to see anything suspicious. Maybe I'm not looking for the right things?


OK...I think the crisis has been averted. I have attached the logs of what Malwarebytes found and removed. After Malwarebytes finished, I had to do repair installations of all of my programs that were affected. The virus seems to have corrupted the section of the registry for Windows Installer. Everything seems to be back to normal except for Adobe Reader 9.0 and MS Office 2007. I cannot remove/install those programs through Add/Remove Programs, and the files associated with those programs lost their icons. However, the programs still seem to work.

mbam_log_2009_08_20__23_40_50_.txt

mbam_log_2009_08_20__23_03_44_.txt


  • Staff

What happens when you try to uninstall Adobe and Office through Add or Remove Programs? You could try using Microsoft's Windows Installer Cleanup Tool to remove them.

Please update MBAM, run a Quick Scan, and post its log.

Don't attach logs please. Post them in the forum instead.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
