Jump to content

Thinkpoint Infection - Cannot access Microsoft or Windows Update

Recommended Posts

Greetings and Salutations!

My computer was just recently infected with the Thinkpoint virus, and though I have removed all visible physical components (as per instructions at http://www.2-viruses.com/remove-thinkpoint as repeated scans with Malwarebytes and AVAST! Antivirus did not turn up any results) my computer problems continue to persist.

Order of events:

1) After learning of the infection (I was at work at the time and someone else had control of the computer), I logged onto my own account (which had been unaffected) and ran several unsuccessful full scans and boot scans with AVAST! and MB.

2) After removing the components using the instructions at said site, I then attempted to run a couple more scans using both applications, only to realize that both MBs and AVAST! definitions were not up to date.

3) Attempts to update failed, and soon I realized I could no longer connect to the internet. I also learned at some point that Thinkpoint deleted all previous restore points.

4) Realized Thinkpoint had disabled nearly all computer services. Manually resorted services to default settings.

After this, I ran a couple scans again with both programs, coming up with a few trojans and quickly had removed. Since then, my computer had been acting slower than usual and when I would log on using an account with an account with Administrative privileges (the account that had been infected had then previously, but I removed them after removing the infection) I would getting a rather persistent pop from Windows that I now know is related to Automatic Updates.

Apparently my computer is no longer able to connect with neither the Microsoft nor Windows Updates sites. Doing so leads me to a page telling me to:

Internet Explorer cannot display the webpage

What you can try:

Diagnose Connection Problems

More information

This problem can be caused by a variety of issues, including:


Link to post
Share on other sites

Hello ,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.


If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:

    [*]Save it to your desktop.

    [*]Double click on the otlDesktopIcon.png icon on your desktop.

    [*]Click the "Scan All Users" checkbox.

    [*]Push the Quick Scan button.

    [*]Two reports will open, copy and paste them in a reply here:

    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please Download Rootkit Unhooker Save it to your desktop.

  • extract RKUnhooker to your desktop
    • Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
      you can get a free one from here -

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".


In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

Link to post
Share on other sites

Thank you Elise :D

Sorry for including my reports as attachments rather that copying and pasting. For some reason my computer is not allowing the full post to send. I had the same problem with the DDS report which is why it has not been included. I may have added more than you needed to the OTL scan... For some reason every time I hit the Quick Scan button the Extra Registry value would automatically change to None and I would not receive the Extra.Txt report.

As for my problem(s), as I have stated I am currently unable to access the Windows Update and Microsoft Updates sites. Internet Explorer tells me it cannot connect to the internet while trying to access these pages, though it will take me to any other page I try. Using the https:// protocal as opposed to http:// does get me onto both web pages, but when I do, I am greeted with [Error number: 0x80072EFF], which means my computer cannot access their servers. As a result, Automatic Updates is not working either.

This is all following a Thinkpoint infection my computer recieved earlier this month. I used the instructions here - http://www.2-viruses.com/remove-thinkpoint - to delete all visible components I can find and reset all my computer services to their default settings manually, but after making this discovery a few days back I now know for certain I didn't get everything.

Also something I forgot to mention; my computer has been experiencing some troubles shutting itself down. Most times I have to resort to using the power button to turn it off.




Link to post
Share on other sites

Hi, unfortunately you have a nasty rootkit on board. Rogues like ThinkPoint often come bundled with rootkits to protect them, which is why you had trouble removing it.

Please read the following first, before starting the cleanup process.



One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



Please download ComboFix from one of these locations:


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

Yeah, I'll have to thank my mother for this later :D

Unfortunately a fresh install is not an option for me at this time (not sure where my OS disk is), so I'll have to just go with the cleanup for the time being. I do have a question though: Do I have to worry about my files being corrupt, or can I back them up and save them, then transfer them to a new computer without worry? I'm hoping to get a laptop by the end of the year, and I really don't want to loose the information I have on this computer if I don't have to.

Anyways, here is the new log from ComboFix: (Keeping fingers crossed it'll actually allow it to post this time)

ComboFix 10-11-23.05 - Crim_2 24/11/2010 9:42.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.240 [GMT -7:00]

Running from: c:\documents and settings\Crim_2\My Documents\Downloads\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}


ADS - WINDOWS: deleted 128 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\documents and settings\Mike\Application Data\inst.exe

c:\program files\winvi

c:\program files\winvi\dsktp\AC_RunActiveContent.js

c:\program files\winvi\dsktp\desktop.html

c:\program files\winvi\dsktp\internetDetection.swf

c:\program files\winvi\dsktp\settings.sol






































\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))



((((((((((((((((((((((((( Files Created from 2010-10-24 to 2010-11-24 )))))))))))))))))))))))))))))))


2010-11-19 22:07 . 2010-11-24 17:06 -------- d-----w- c:\windows\system32\CatRoot2

2010-11-19 20:35 . 2008-04-14 12:42 10752 ------w- c:\windows\system32\smtpapi.dll

2010-11-19 20:35 . 2008-04-14 12:42 9728 ------w- c:\windows\system32\rwnh.dll

2010-11-19 20:35 . 2008-04-14 12:41 81920 ------w- c:\windows\system32\ieencode.dll

2010-11-19 20:35 . 2007-04-03 07:12 1327320 ------w- c:\program files\MSN\msncorefiles\install\msnsusii.exe

2010-11-19 20:35 . 2007-04-03 07:04 884712 ------w- c:\program files\MSN\msncorefiles\install\msn9components\digcore.exe

2010-11-19 20:35 . 2007-04-03 07:09 11053008 ------w- c:\program files\MSN\msncorefiles\install\msn9components\msncli.exe

2010-11-19 20:35 . 2008-04-14 12:40 229376 ------w- c:\program files\MSN\msncorefiles\oobe\obelog.dll

2010-11-19 20:35 . 2008-04-14 12:40 966656 ------w- c:\program files\MSN\msncorefiles\oobe\obemetal.dll

2010-11-19 20:35 . 2008-04-14 12:40 86016 ------w- c:\program files\MSN\msncorefiles\oobe\obepopc.dll

2010-11-19 20:35 . 2007-04-03 07:14 77824 ------w- c:\program files\MSN\msncorefiles\oobe\obemtllc.dll

2010-11-19 20:32 . 2006-12-29 07:31 19569 ----a-w- c:\windows\000001_.tmp

2010-11-19 19:42 . 2010-11-19 19:42 -------- d-sh--w- c:\documents and settings\Crim_2\IECompatCache

2010-11-19 07:00 . 2010-11-19 07:00 -------- d-----w- c:\program files\Defraggler

2010-11-08 07:35 . 2010-11-08 07:35 -------- d-----w- c:\program files\yWriter5

2010-11-08 06:24 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-11-08 06:24 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-11-08 06:23 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-11-08 05:34 . 2010-11-08 05:38 -------- dc-h--w- c:\windows\ie8


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2010-09-18 19:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2004-01-08 22:23 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2001-08-18 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2001-08-18 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-07 15:12 . 2010-07-15 22:10 38848 ----a-w- c:\windows\avastSS.scr

2010-09-07 15:11 . 2009-09-04 22:26 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-09-07 14:52 . 2009-09-04 22:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-09-07 14:52 . 2009-09-04 22:27 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-09-07 14:47 . 2009-09-04 22:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-09-07 14:47 . 2009-09-04 22:27 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-09-07 14:47 . 2009-09-04 22:27 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-09-07 14:47 . 2009-09-04 22:27 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-09-07 14:46 . 2009-09-04 22:27 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-09-01 11:51 . 2001-08-18 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2001-08-18 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2001-08-18 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown



"Google Update"="c:\documents and settings\Crim_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-09 136176]


"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]


"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Mike\Start Menu\Programs\Startup\

YouTube Uploader.lnk - c:\documents and settings\Mike\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [2007-11-9 71152]


SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Button Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Button Manager.lnk

backup=c:\windows\pss\HP Button Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Crim_2^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\Crim_2\Start Menu\Programs\Startup\Xfire.lnk


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]

2010-03-18 17:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2007-05-16 16:27 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]

2008-03-22 02:55 16384 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

2003-11-07 09:50 19968 ------w- c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2010-04-29 21:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2010-04-29 21:39 437584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-04-17 04:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-09-06 21:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMax]

2004-03-26 20:40 794624 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

2004-04-01 16:52 1368064 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

2005-03-08 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

2005-03-12 09:33 147456 ----a-r- c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]

2003-12-01 17:38 892928 ----a-w- c:\program files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"xmlprov"=3 (0x3)

"WZCSVC"=2 (0x2)

"WudfSvc"=2 (0x2)

"WTouchService"=2 (0x2)

"wscsvc"=2 (0x2)

"WPFFontCache_v0400"=3 (0x3)

"WMPNetworkSvc"=3 (0x3)

"WmiApSrv"=3 (0x3)

"Wmi"=3 (0x3)

"WinRM"=3 (0x3)

"winmgmt"=2 (0x2)

"WebClient"=2 (0x2)

"W32Time"=2 (0x2)

"VSS"=3 (0x3)

"Viewpoint Manager Service"=2 (0x2)

"UTSCSI"=2 (0x2)

"UPS"=3 (0x3)

"uCamMonitor"=2 (0x2)

"TermService"=3 (0x3)

"TapiSrv"=3 (0x3)

"TabletServicePen"=2 (0x2)

"SysmonLog"=3 (0x3)

"SwPrv"=3 (0x3)

"stisvc"=2 (0x2)

"SSDPSRV"=3 (0x3)

"srservice"=2 (0x2)

"Spooler"=2 (0x2)

"SoundMAX Agent Service (default)"=2 (0x2)

"ShellHWDetection"=2 (0x2)

"SharedAccess"=2 (0x2)

"SENS"=2 (0x2)

"Schedule"=2 (0x2)

"SCardSvr"=3 (0x3)

"SamSs"=2 (0x2)

"RSVP"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

"ProtectedStorage"=2 (0x2)

"PolicyAgent"=2 (0x2)

"Pml Driver HPZ12"=2 (0x2)

"PlugPlay"=2 (0x2)

"Pixar Maitre-D Server 1.0.1"=2 (0x2)

"Pixar License Server 5.0.2"=2 (0x2)

"Pixar Alfred Server 13.5.2"=2 (0x2)

"ose"=3 (0x3)

"NtmsSvc"=3 (0x3)

"NtLmSsp"=3 (0x3)

"NMIndexingService"=3 (0x3)

"nlsX86cc"=2 (0x2)

"Nla"=3 (0x3)

"Netman"=3 (0x3)

"Netlogon"=3 (0x3)

"Net Driver HPZ12"=2 (0x2)

"NBService"=3 (0x3)

"napagent"=3 (0x3)

"MSIServer"=3 (0x3)

"MSDTC"=3 (0x3)

"MDM"=2 (0x2)

"MBAMService"=2 (0x2)

"maya70docserver"=2 (0x2)

"lanmanworkstation"=2 (0x2)

"lanmanserver"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"iPod Service"=3 (0x3)

"ImapiService"=3 (0x3)

"idsvc"=3 (0x3)

"IDriverT"=3 (0x3)

"HTTPFilter"=3 (0x3)

"hpqddsvc"=2 (0x2)

"hpqcxs08"=3 (0x3)

"hkmsvc"=3 (0x3)

"helpsvc"=2 (0x2)

"FontCache3.0.0.0"=3 (0x3)

"FLEXnet Licensing Service"=3 (0x3)

"FastUserSwitchingCompatibility"=3 (0x3)

"EventSystem"=3 (0x3)

"Eventlog"=2 (0x2)

"ERSvc"=2 (0x2)

"EapHost"=3 (0x3)

"Dot3svc"=3 (0x3)

"Dnscache"=2 (0x2)

"dmserver"=2 (0x2)

"dmadmin"=3 (0x3)

"Dhcp"=2 (0x2)

"CryptSvc"=2 (0x2)

"COMSysApp"=3 (0x3)

"clr_optimization_v4.0.30319_32"=2 (0x2)

"cisvc"=3 (0x3)

"CCALib8"=2 (0x2)

"Browser"=2 (0x2)

"Bonjour Service"=2 (0x2)

"BITS"=3 (0x3)

"avast! Web Scanner"=3 (0x3)

"avast! Mail Scanner"=3 (0x3)

"avast! Antivirus"=2 (0x2)

"AudioSrv"=2 (0x2)

"ATI Smart"=2 (0x2)

"Ati HotKey Poller"=2 (0x2)

"aspnet_state"=3 (0x3)

"AppMgmt"=3 (0x3)

"aliasdocserver"=2 (0x2)

"ALG"=3 (0x3)

"Akamai"=2 (0x2)

"ACDaemon"=2 (0x2)



"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\Alias\\Maya6.0\\bin\\maya.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=



"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Kids Web Menu\\kidsmenu.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=


"5985:TCP"= 5985:TCP:Windows Remote Management

"1039:TCP"= 1039:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [24/02/2006 1:20 AM 21632]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [04/09/2009 3:27 PM 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/09/2009 3:27 PM 17744]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [24/01/2009 10:40 PM 304464]

R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [04/08/2010 10:50 AM 14336]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [24/01/2009 10:40 PM 20952]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [08/07/2010 5:52 PM 16168]

S3 cirrus;cirrus;c:\windows\system32\drivers\cirrus.sys [15/02/2007 8:13 PM 45696]

S3 GAGPDrv;GAGPDrv; [x]

S3 hercspud;Hercules ® WDM Audio Driver; [x]

S3 hercwdm;Hercules ® WDM Interface Driver; [x]

S3 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [08/07/2010 5:52 PM 4497704]

S3 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [04/08/2010 10:50 AM 104960]

S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [28/02/2008 8:17 PM 87824]

S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [28/02/2008 8:15 PM 85696]

S3 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [08/07/2010 5:54 PM 113448]

S4 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [18/08/2001 5:00 AM 14336]

S4 aliasdocserver;Alias Documentation Server;c:\program files\Alias\Maya6.0\docs\Wrapper.exe [04/09/2009 11:21 PM 110592]

S4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 PM 130384]

S4 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [19/07/2010 2:48 PM 57344]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [18/12/2007 9:43 PM 24652]

S4 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [18/08/2001 5:00 AM 14336]

S4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Akamai REG_MULTI_SZ Akamai



Contents of the 'Scheduled Tasks' folder

2010-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-823518204-725345543-1008Core.job

- c:\documents and settings\Crim_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-09 01:53]

2010-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-823518204-725345543-1008UA.job

- c:\documents and settings\Crim_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-09 01:53]



------- Supplementary Scan -------


uInternet Settings,ProxyOverride = *.local;localhost

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

Trusted Zone: windowsupdate.com\download

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Crim_2\Application Data\Mozilla\Firefox\Profiles\ydlni633.default\

FF - prefs.js: browser.startup.homepage - hxxp://s14.invisionfree.com/tripmydaisy/index.php

FF - component: c:\documents and settings\Crim_2\Application Data\Mozilla\Firefox\Profiles\ydlni633.default\extensions\firefox@kidzui.com\platform\WINNT_x86-msvc\components\WinKiosk.dll

FF - plugin: c:\documents and settings\Crim_2\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\Crim_2\Local Settings\Application Data\Google\Update\\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\TabletPlugins\npwacom.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - plugin: c:\program files\Vizzed\Vizzed Retro Game Room\NpVizzedRgr.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\


c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);


- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

MSConfigStartUp-Cognac - c:\docume~1\Crim_2\LOCALS~1\Temp\~tmpa.exe

MSConfigStartUp-MS AntiSpyware 2009 - c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe

MSConfigStartUp-MSFox - c:\docume~1\Crim_2\LOCALS~1\Temp\a.exe

MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

AddRemove-Campaign Cartographer 2 - c:\documents and settings\mike\desktop\ad&d - campaign cartographer 2\Uninst.isu


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-24 10:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0



--------------------- LOCKED REGISTRY KEYS ---------------------


@Denied: (A 2) (Everyone)










@Denied: (A 2) (Everyone)








Link to post
Share on other sites

That did the trick for most of the malware apparently. -_-



Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



Please launch MBAM and update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Link to post
Share on other sites

Indeed! I am now able to access the Windows Updates sites with IE again :angry: I'm assuming Automatic Updates is working again too, but I disabled it for the time being until we finish the last of this off.

As for the new log:

Malwarebytes' Anti-Malware 1.46


Database version: 5184

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

24/11/2010 6:15:45 PM

mbam-log-2010-11-24 (18-15-45).txt

Scan type: Full scan (A:\|C:\|E:\|F:\|G:\|H:\|)

Objects scanned: 362030

Time elapsed: 3 hour(s), 54 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Mom and Celeana\My Documents\Downloads\MyWebFace.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Indeed! I am now able to access the Windows Updates sites with IE again :angry: I'm assuming Automatic Updates is working again too, but I disabled it for the time being until we finish the last of this off.

As for the new log:

Malwarebytes' Anti-Malware 1.46


Database version: 5184

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

24/11/2010 6:15:45 PM

mbam-log-2010-11-24 (18-15-45).txt

Scan type: Full scan (A:\|C:\|E:\|F:\|G:\|H:\|)

Objects scanned: 362030

Time elapsed: 3 hour(s), 54 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Mom and Celeana\My Documents\Downloads\MyWebFace.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Hi, you can turn on automatic updates and install anything found.

Do you have any problem left at this point?



I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

Link to post
Share on other sites

C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.ADA trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\gfedNXyb.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\gfedNXyb.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\System Volume Information\_restore{0D2F6D49-DFE9-4670-A2D1-1B38D1C5EE9B}\RP23\A0021662.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\WINDOWS\system32\dkvoiseq.0ni Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\WINDOWS\system32\ondrbeba.0ni Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\WINDOWS\system32\rjmyruop.0ni Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\WINDOWS\system32\xsqhmtxg.0ni Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

Link to post
Share on other sites

Those were just some leftovers (mostly already quarantined), nothing to worry about. Which means you're all cleaned up. -_-



Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean -_-

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete Rootkit Unhooker and OTL.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites

Still going through that last bit of info, but I got the main stuff done at any rate.

A router was already in use (downloaded a software firewall anyways)... Checked the logs and nothing had been recorded since it was last set so hopefully no personal info got through. Admittedly though, the firmware was kept out of date because we were having problems with the wireless function - it would just shut itself off if my sis was downloading large files. I've since updated it, but I'm wondering... is the reason it would shut off because it detected a threat and went into internet lock down? Just making a guess based on the functions I'm seeing with the software firewall.

Anyways, thanks again Elise! This has been a huge help :) Everything's up to date and seems to be working fine at this point... Hopefully I won't need to open such a topic again.

Link to post
Share on other sites

Hi, I'm glad to hear everything is okay. :)

A router is really sufficient; the problem you describe can be caused by many things, depending also on the quality/strength of your connection.

If you have no other questions, I will request this topic to be closed.

Link to post
Share on other sites

Glad we could help. :D

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.