
I've been infected, Internet access and installation of new software is blocked.



Hello,

It seems that my computer has been infected by a nasty virus/malware for 3 days. I have tried to eradicate it with ComboFix but it keeps resuming its activities.

The initial symptom was no access to the Web in Chrome: Error 102 (net::ERR_CONNECTION_REFUSED): Unknown error

However I had web access via IE and Firefox.

Also, HTML content was no longer displayed in Outlook (images displaying a red cross).

Then I could not install any new software; it seems like access to the Registry was blocked somehow.

I managed to install MBAM but it won't update its 68-day-old signature file.

Even to start GMER I had to go back to safe mode because it would not start.

Below are the logs:

1. The defogger log

2. The HIJACK THIS log

3. The DDS log (plus the Attach)

4. The GMER log (I had to run it in safe mode because in normal mode I get the error: LoadDriver ("C:\Document and Settings\Alex\Locals~1\Temp\kwlorpod.sys") error 0xC0000034: The system cannot find the file specified.)

Thanks in advance for your help.

Alex

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 21:57:15, on 26/02/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE

C:\Program Files\DU Meter\DUMeterSvc.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Nero\Update\NASvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\WINDOWS\system32\svchost.exe

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\WINDOWS\system32\igfxext.exe

C:\WINDOWS\system32\TpShocks.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe

C:\Program Files\ThinkVantage\AMSG\Amsg.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\Common Files\Lenovo\Logger\logmon.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe

C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\PROGRA~1\DUMETE~1\DUMeter.exe

C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Lenovo\Client Security Solution\password_manager.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www-307.ibm.com/pc/support/si...igr-67971.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.12.6.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup

O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

O4 - HKLM\..\Run: [bing Bar] "C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe"

O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [statusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent

O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup

O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe

O4 - HKLM\..\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.4.12.6.dll/206 (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1295875073413

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: Lenovo Doze Mode Service (DozeSvc) - Lenovo. - C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE

O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd. - C:\Program Files\DU Meter\DUMeterSvc.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo. - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe

O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: @C:\Program Files\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files\Nero\Update\NASvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

O23 - Service: Lenovo Hotkey Client Loader (TPHKLOAD) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe

O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe

O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--

End of file - 22997 bytes

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 21:33 on 23/02/2011 (Alex)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

HKCU\DAEMON Tools Lite -> Removed

Checking for services/drivers...

DDS (Ver_10-12-12.02) - NTFSx86

Run by Alex at 21:35:05.40 on 23/02/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2006.921 [GMT 6:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE

C:\Program Files\DU Meter\DUMeterSvc.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Nero\Update\NASvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

C:\Program Files\Common Files\Lenovo\Logger\logmon.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\igfxext.exe

C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe

C:\Program Files\ThinkVantage\AMSG\Amsg.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

C:\PROGRA~1\THINKV~2\PrdCtr\LPMLCHK.exe

C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\DAEMON Tools Lite\DTLite.exe

C:\PROGRA~1\DUMETE~1\DUMeter.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Lenovo\Client Security Solution\password_manager.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Documents and Settings\Alex\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www-307.ibm.com/pc/support/site.wss/migr-67971.html

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.12.6.dll

BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll

BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll

BHO: Java

Attach.txt

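The HijackThis and DDS logs above are reviewed by hand in this thread. As an added example (not code from the original post, from HijackThis, or from the forum helpers), the Python script below parses HijackThis-style lines and applies the checks an analyst makes first when reading such a log: O4 autostart values whose image is an unqualified name (resolved via the search path) or lives under a Temp or user-profile directory, entries marked "(file missing)", and O23 services reported with "Unknown owner". The sample input is constructed: it copies a handful of lines from the log above and adds one hypothetical O4 entry (`example_update.exe` under the user's Temp directory) that does not appear in the post, purely to show how a Temp-directory autostart is flagged. A hit means "verify this", not "this is malware"; the "Unknown owner" services in the log, for instance, are Lenovo utilities whose binaries simply lack a version resource.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log in the post above,
# plus one hypothetical O4 entry (example_update.exe) that does NOT appear in
# the post, added only to show how a Temp-directory autostart is flagged.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [example_update] "C:\Documents and Settings\Alex\Local Settings\Temp\example_update.exe"
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.4.12.6.dll/206 (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
"""

LINE_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")          # "<code> - <rest>"
RUN_RE = re.compile(r"\\Run[^:]*:\s*\[[^\]]*\]\s*(.*)$")       # "...\Run: [name] <command>"
SERVICE_RE = re.compile(r"^Service:\s*(.*)$")                   # "Service: <name> - <owner> - <path>"
TEMP_DIR = re.compile(r"\\temp\\", re.I)
USER_PROFILE = re.compile(r"\\documents and settings\\[^\\]+\\", re.I)
ORPHAN = re.compile(r"\(file missing\)", re.I)                  # HJT's marker for a missing target

Hit = Optional[Tuple[str, str]]  # (severity, reason) or None


@dataclass
class Finding:
    line_no: int
    code: str
    severity: str   # "suspect" or "review"
    reason: str
    line: str


def image_path(command: str) -> Optional[str]:
    """Extract the executable/DLL path from an O4 Run command string."""
    cmd = command.strip()
    if not cmd:
        return None
    if cmd.lower().startswith("rundll32"):
        # rundll32 <dll>,<entrypoint>: the file of interest is the DLL
        parts = cmd.split(None, 1)
        return parts[1].split(",", 1)[0].strip() if len(parts) == 2 else None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    # Unquoted path, possibly containing spaces: cut after the first binary extension
    m = re.match(r"(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def check_run_entry(command: str) -> Hit:
    """Flag autostart images that resolve via the search path or user-writable dirs."""
    path = image_path(command)
    if path is None:
        return ("review", "autostart value has no image path")
    if "\\" not in path:
        return ("review", f"unqualified image name {path!r}; resolved via the search path")
    if TEMP_DIR.search(path):
        return ("suspect", "autostart binary lives in a Temp directory")
    if USER_PROFILE.search(path):
        return ("review", "autostart binary lives in a user profile (user-writable)")
    return None


def check_service_entry(rest: str) -> Hit:
    """Flag O23 services whose binary carries no publisher string."""
    m = SERVICE_RE.match(rest)
    if not m:
        return None
    fields = m.group(1).rsplit(" - ", 2)
    if len(fields) != 3:
        return ("review", "could not split service entry into name/owner/path")
    name, owner, path = fields
    if owner.strip().lower() == "unknown owner":
        return ("review", f"service {name!r} has no publisher string; check the signature of {path}")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run the checks over every HJT line and return the entries worth a second look."""
    findings: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, rest = m.groups()
        hit: Hit = None
        if ORPHAN.search(rest):
            hit = ("review", "entry references a file that is missing (orphaned CLSID or shortcut)")
        elif code == "O4":
            run = RUN_RE.search(rest)
            if run:
                hit = check_run_entry(run.group(1))
        elif code == "O23":
            hit = check_service_entry(rest)
        if hit:
            findings.append(Finding(n, code, hit[0], hit[1], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] line {f.line_no} {f.code}: {f.reason}\n    {f.line}")
```

Against the constructed sample the script reports five entries: the unqualified `TpShocks.exe`, Google Update running from the user profile, the hypothetical Temp-directory entry (the only one rated "suspect"), the BitComet button whose DLL is missing, and the "Unknown owner" service. The rest of the log, including the ProxyOverride line and the McAfee service, produces nothing, which matches what the helper in this thread concluded from reading the same log by eye.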

Hello superfly75! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

I have tried to eradicate it with ComboFix but it keeps resuming its activities.

But you shouldn't!

http://www.bleepingcomputer.com/forums/topic273628.html

Step 1

Going over your logs I noticed that you have BitComet installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smorgasbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.

I would recommend that you uninstall BitComet , however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Step 2

I see you are running Teatimer.

I suggest you disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 3

Please download and install the following application:

http://data.mbamupdates.com/tools/mbam-rules.exe

mbam-rules.exe contains the newer updates for Malwarebytes' Anti-Malware.

Step 4

  • Launch Malwarebytes' Anti-Malware
  • Go to the "Update" tab and select Check for Updates.
  • Go to the "Scanner" tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please post the following logs:

  1. Malwarebytes' Anti-Malware log
  2. a new fresh DDS log only


Hi Borislav,

Thanks for your help and fast response.

I have followed your steps:

1. I have removed BitComet. I am quite cautious with P2P and the Internet in general, and as an IT project manager, I think I am quite computer literate. I have been using BitComet and other P2P for years without any major hassle. It seems that this time the virus has been more clever and quite nasty... I was in the process of setting up a new computer and perhaps all the defences I usually use were not yet set up or adequate anymore. I'd appreciate it if you could refer me to an updated page of best defence programs (I am lost with all the programs on the market and not sure which one to use anymore). Apparently SpywareGuard and McAfee did not detect the threat...

2. I have removed SpyBot. I could not untick the box Resident SD Helper, so I uninstalled everything. Is this program still useful nowadays?

3. I have downloaded and installed MBAM rules.

4. When I run MBAM, it starts; when I check updates it says the database is outdated by 14 days. Would you like to update now? When I click yes, it says: An error has occurred. Please report this error code to our support team. PROGRAM_ERROR_UPDATING(12029, 0, WinHttpSendRequest). Note that my internet connection seems up, as I am able to browse websites with Firefox. Chrome is still not connecting... Most programs are not able to connect. Skype is connecting.

Anyway, I have opted to run a full scan. It's running now, will let you know the outcome.

Thanks again,

Alex


Appreciate if you could refer me to an updated page of best defence programs (I am lost will all the programs on the market and not sure which one to use anymore). Apparently SpywareGuard and McAfee did not detect the threat...

In my last steps for you I'll send you some useful information about that and the other aspects of security too.

2. I have removed SpyBot. I could not untick the box Resident SD Helper, so I uninstalled everything. Is this program still usefull nowadays?

I'm sorry to say it, but in my opinion - it's not anymore.

Anyway, I have opted to run a full scan. It's running now, will let you know the outcome.

Check my instructions:

Go to Scanner tab and select Perform Quick Scan, then click Scan.

Hi Borislav,

Thanks,

Here is the result of the scan:

It seems that it found and deleted some dll related to QVOD... however, after reboot the problem is still there (MBAM won't update, Chrome can't connect to the internet, etc.)

What should I do next?

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5750

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

27/02/2011 14:56:17

mbam-log-2011-02-27 (14-56-17).txt

Scan type: Full scan (C:\|)

Objects scanned: 230011

Time elapsed: 1 hour(s), 46 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QvodPlayer (Spyware.Passwords) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\qvodplayer\qvoduninst.exe (Spyware.Passwords) -> Quarantined and deleted successfully.


Hi Borislav,

Thanks a lot for your help. I am following all your steps, but as I said, the database update doesn't work:

PROGRAM_ERROR_UPDATING(12029, 0, WinHttpSendRequest)

I downloaded the file mbam-rules.exe and installed it, and afterwards it says my DB version is 5750...

Here is the log for quick scan and screenshot:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5750

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

27/02/2011 17:30:02

mbam-log-2011-02-27 (17-30-02).txt

Scan type: Quick scan

Objects scanned: 157258

Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Let's try this way:

Internet Explorer (Windows)

1. Click "Tools", then click "Internet Options". This will bring up the Internet Options window.

2. Click the "Connections" tab, then click the "LAN Settings" button.

3. Uncheck the box labeled "Use a proxy server for your LAN". Click "OK", and click "OK" in the previous window. This will remove the proxy server settings in Internet Explorer.

Firefox (Windows)

1. Click "Tools", then click "Options" to bring up the Options window.

2. Click the "Advanced" button, then click the "Network" tab.

3. Click the "Settings" button, located next to "Configure how Firefox connects to the Internet".

4. Click the radio button labeled "No proxy". Click "OK" twice. This will remove the proxy server settings in Firefox.

Finally, try to update your MBAM again.

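The two dialogs above clear the WinINET proxy that Internet Explorer uses and Firefox's own setting, which is the right first check. They do not cover everything that produces this symptom, though. The error in the thread names WinHttpSendRequest, and WinHTTP keeps its own machine-wide proxy configuration, separate from the IE dialog; 12029 is ERROR_WINHTTP_CANNOT_CONNECT, meaning the TCP connection itself failed, which a stale WinHTTP proxy, a PAC script, a hosts-file entry or a third-party Winsock LSP can each produce while the browsers still work. The script below is an added example, not part of the thread, that lists those settings in one go. It assumes Windows PowerShell 2.0 is installed on the XP machine and that it is run as a local administrator; the tools it calls (proxycfg.exe on XP, netsh winhttp on Vista and later, netsh winsock) ship with Windows.

```powershell
# Added example (not from the thread). Lists the proxy and redirection settings that the IE and
# Firefox dialogs do not cover. Assumes Windows PowerShell 2.0 on Windows XP, run as administrator.

# 1. WinINET, per user: the LAN Settings dialog shows ProxyEnable/ProxyServer, but a PAC script in
#    AutoConfigURL ('Use automatic configuration script') proxies IE with the proxy box unticked.
$wininet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
'WinINET ProxyEnable   : {0}' -f $wininet.ProxyEnable
'WinINET ProxyServer   : {0}' -f $wininet.ProxyServer
'WinINET AutoConfigURL : {0}' -f $wininet.AutoConfigURL

# 2. WinHTTP, machine-wide: a separate store used by services and by programs that call
#    WinHttpSendRequest, the API named in the 12029 error. XP ships proxycfg.exe; Vista+ use netsh.
if ([Environment]::OSVersion.Version.Major -ge 6) { netsh winhttp show proxy } else { proxycfg }

# 3. hosts file: an update host pointed at a dead address also fails with 'cannot connect'.
$hostsFile = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
Get-Content $hostsFile |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
    ForEach-Object { 'hosts override        : {0}' -f $_ }

# 4. Winsock catalog: a third-party Layered Service Provider sits in every socket call and can
#    fail connections per process, which fits 'IE works, most other programs do not'. On a stock
#    XP SP3 the provider paths are mswsock.dll, winrnr.dll and rsvpsp.dll under system32; review
#    anything else that appears here.
netsh winsock show catalog | Select-String 'Provider Path'
```

Anything non-empty in AutoConfigURL, a WinHTTP proxy you did not set, a hosts entry for an update server, or a provider DLL outside system32 is worth pasting into the reply along with the MBAM error, because each of them explains a 12029 while the browsers stay usable.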

Hi Borislav,

In IE Options, the box is not checked "Use a proxy server for your LAN"

In Firefox, the box "No proxy" is checked

However , I still have the same error: PROGRAM_ERROR_UPDATING(12029, 0, WinHttpSendRequest)

Note that I can browse the internet normally with IE and Firefox. Chrome is not connecting.

Thanks again, I hope I can fix this soon.

Alex


Hi Borislav,

I have another computer which is running MBAM database 5898.

Is it possible to transfer the database to the infected computer?

I don't understand why the manual update mbam-rules.exe contains an old database 5850 dated 02 FEB 2011... why not download the latest one?

Thanks for your help anyway.

Alex


Hi Borislav,

Thanks. I have disabled McAfee Access Protection and reinstalled MBAM. However, I could not update to the latest version... still the same error PROGRAM_ERROR_UPDATING(12029, 0, WinHttpSendRequest).

I have used mbam-rules.exe and installed it, and afterwards it says my DB version is 5750... but it still cannot update to the latest version.

Any idea?

Thanks,

Alex


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows: open Tools -> Options -> Main tab and set it to "Always ask me where to save the files".
  • During the download, rename ComboFix to Combo-Fix as follows:

[screenshots: CF_download_FF.gif, CF_download_rename.gif]

  • It is important you rename ComboFix during the download, but not after.
  • Please do not rename ComboFix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    ----------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

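The request to post C:\Combo-Fix.txt is where the real review happens, and the first pass a helper makes over the 'Reg Loading Points' section is mechanical enough to script. The script below is an added example, not ComboFix's own code and not part of the thread. It parses the Run keys, the Windows Firewall AuthorizedApplications list and the GloballyOpenPorts list from a ComboFix report and flags each binary by where it lives: directly in the Windows folder, in a user-writable profile or temp directory, or a bare file name that gets resolved through PATH. The location heuristics are this example's own assumption, a starting point for a person, not a verdict on any file. Without -LogPath it runs over the constructed sample embedded in the script, written in ComboFix's format.

```powershell
# Added example (not from the thread, not ComboFix's own code): first-pass triage of the
# 'Reg Loading Points' section of a ComboFix report.
# Usage: .\Triage-ComboFix.ps1 -LogPath C:\Combo-Fix.txt   (no -LogPath: runs on the sample below)
param([string]$LogPath)

# Constructed sample in ComboFix's format.
$sample = @'
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-01-29 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]
"TpShocks"="TpShocks.exe" [2011-01-14 337256]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\KMSEmulator.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16654:TCP"= 16654:TCP:BitComet 16654 TCP
'@

# Location heuristics (an assumption of this example): on XP, where a binary lives says a lot.
function Get-PathVerdict([string]$Path) {
    $p = $Path.ToLower()
    if ($p -notmatch '\\')                                               { return 'CHECK: bare file name, resolved through PATH' }
    if ($p -match '^[a-z]:\\windows\\[^\\]+\.(exe|dll)$')                  { return 'HIGH: binary directly in the Windows folder' }
    if ($p -match '\\(temp|application data|documents and settings)\\')  { return 'MEDIUM: user-writable location' }
    if ($p -match '^[a-z]:\\(program files|progra~1|windows)\\')          { return 'ok' }
    return 'CHECK: unusual location'
}

$lines    = if ($LogPath) { Get-Content $LogPath } else { $sample -split "`r?`n" }
$section  = ''
$findings = foreach ($line in $lines) {
    # Section headers look like [HKEY_...\Run]; remember the current one and move on.
    if ($line -match '^\[(.+)\]\s*$') { $section = $matches[1]; continue }
    $name = $null; $path = $null; $verdict = $null

    if ($section -match '\\Run$' -and $line -match '^"([^"]+)"="([^"]+)"') {
        $name = $matches[1]; $path = $matches[2]
        $verdict = Get-PathVerdict $path
    }
    elseif ($section -match 'AuthorizedApplications' -and $line -match '^"(.+?)"=') {
        $path = $matches[1] -replace '\\\\', '\'        # ComboFix doubles the backslashes in this list
        $name = Split-Path $path -Leaf
        $verdict = Get-PathVerdict $path
        if ($verdict -ne 'ok') { $verdict = "firewall exception, $verdict" }
    }
    elseif ($section -match 'GloballyOpenPorts' -and $line -match '^"(\d+:(?:TCP|UDP))"=\s*(.*)$') {
        $name = $matches[1]; $path = $matches[2]
        $verdict = 'CHECK: inbound port open to any source'
    }

    # Only surface what deserves a human look; Program Files and system32 entries are dropped.
    if ($verdict -and $verdict -ne 'ok') {
        New-Object PSObject -Property @{ Verdict = $verdict; Name = $name; Path = $path }
    }
}
$findings | Format-Table Verdict, Name, Path -AutoSize
```

Run against the sample it reports four lines: the Windows-folder binary that also sits in the firewall exception list (HIGH), the updater running from a profile directory (MEDIUM, a location that is often legitimate, which is why the output says "check" rather than "malicious"), the bare-name Run entry, and the open port; the McAfee and Skype entries are dropped as ordinary. Against a real Combo-Fix.txt the same four classes are what a helper scans the section for by eye, so the script mostly saves time; the verdict on any flagged file still needs the file's origin, signature and creation date from the rest of the report.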

Hi Borislav,

Thanks for your kind help.

Here is the report from Combo-Fix:

ComboFix 11-02-28.01 - Alex 28/02/2011 23:51:47.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2006.1083 [GMT 6:00]

Running from: c:\documents and settings\Alex\My Documents\Downloads\Combo-Fix.exe

AV: VirusScan Enterprise + AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 )))))))))))))))))))))))))))))))

.

2011-02-28 17:10 . 2011-02-28 17:10 -------- d-----w- c:\windows\LastGood

2011-02-26 15:55 . 2011-02-26 15:55 388096 ----a-r- c:\documents and settings\Alex\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-02-26 15:55 . 2011-02-26 15:55 -------- d-----w- c:\program files\Trend Micro

2011-02-26 15:34 . 2011-02-26 15:34 -------- d-----w- c:\documents and settings\Alex\Application Data\Malwarebytes

2011-02-26 15:34 . 2010-12-20 12:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-26 15:34 . 2011-02-26 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-26 15:34 . 2011-02-28 08:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-26 15:34 . 2010-12-20 12:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-23 11:58 . 2011-02-27 05:45 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-02-23 11:58 . 2011-02-27 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-02-22 09:48 . 2011-02-23 13:30 -------- d-----w- c:\program files\Windows Defender

2011-02-22 07:24 . 2011-02-22 09:13 78848 ----a-w- c:\windows\KMSEmulator.exe

2011-02-22 07:06 . 2011-02-22 07:06 -------- d-----w- C:\share

2011-02-21 16:35 . 2011-02-21 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek

2011-02-21 14:40 . 2011-02-21 14:40 -------- d-----w- c:\program files\SoulseekNS

2011-02-18 07:06 . 2011-02-18 07:07 -------- d-----w- c:\documents and settings\Alex\Application Data\Update

2011-02-17 11:10 . 2011-02-17 11:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

2011-02-17 06:09 . 2011-02-17 06:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2011-02-16 08:55 . 2011-02-16 08:55 -------- d-----w- c:\program files\WebGear

2011-02-16 06:42 . 2011-02-16 08:48 -------- d-----w- C:\My Movies

2011-02-16 06:27 . 2011-02-16 06:30 -------- d-----w- C:\Alex

2011-02-16 06:10 . 2011-02-21 08:26 -------- d-----w- C:\MP3

2011-02-15 22:15 . 2011-02-15 22:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2011-02-12 11:58 . 2001-08-17 14:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-02-12 11:58 . 2008-04-13 21:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-02-12 11:58 . 2008-04-13 16:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-02-12 11:58 . 2008-04-13 16:15 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys

2011-02-10 17:22 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

2011-02-08 22:34 . 2011-02-08 22:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-02-08 21:32 . 2011-02-08 21:32 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search

2011-02-08 21:26 . 2011-02-27 14:38 -------- d-----w- c:\program files\CoreCodec

2011-02-08 21:22 . 2011-02-22 07:24 -------- d-----w- C:\Downloads

2011-02-08 21:21 . 2011-02-22 08:23 -------- d-----w- c:\documents and settings\Alex\Application Data\BitComet

2011-02-08 16:37 . 2011-02-08 16:37 -------- d--h--w- c:\windows\PIF

2011-02-08 14:34 . 2011-02-08 18:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-02-08 02:47 . 2011-02-08 02:47 -------- d-----w- c:\program files\iPod

2011-02-08 02:41 . 2010-04-19 12:29 18432 ----a-w- c:\windows\system32\drivers\netaapl.sys

2011-02-08 02:41 . 2010-09-28 07:44 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-02-08 02:41 . 2010-09-28 07:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-02-07 17:02 . 2008-04-13 16:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2011-02-07 17:02 . 2008-04-13 16:09 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys

2011-02-07 17:02 . 2008-04-13 16:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2011-02-07 17:02 . 2008-04-13 16:16 10880 ----a-w- c:\windows\system32\dllcache\ndisip.sys

2011-02-07 13:51 . 2011-02-16 06:47 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer

2011-02-07 13:50 . 2009-05-18 05:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2011-02-07 13:50 . 2008-04-17 04:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2011-02-07 13:48 . 2011-02-08 02:50 -------- d-----w- c:\program files\iTunes

2011-02-07 13:48 . 2011-02-07 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2011-02-07 13:46 . 2011-02-07 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2011-02-07 13:46 . 2011-02-07 13:46 -------- d-----w- c:\documents and settings\Alex\Local Settings\Application Data\Apple

2011-02-07 13:46 . 2011-02-07 13:46 -------- d-----w- c:\program files\Apple Software Update

2011-02-07 13:34 . 2011-02-07 13:34 -------- d-----w- c:\documents and settings\Alex\Local Settings\Application Data\Identities

2011-02-07 13:34 . 2011-02-07 13:34 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Desktop Search

2011-02-07 13:29 . 2011-02-08 14:27 -------- d-----w- c:\program files\Windows Desktop Search

2011-02-07 13:29 . 2011-02-07 13:29 -------- d-----w- c:\windows\system32\GroupPolicy

2011-02-07 13:28 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll

2011-02-07 13:28 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll

2011-02-07 13:28 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll

2011-02-07 13:19 . 2011-02-07 13:20 -------- d-----w- c:\program files\Bonjour

2011-02-07 13:19 . 2011-02-12 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2011-02-07 13:19 . 2011-02-08 02:47 -------- d-----w- c:\program files\Common Files\Apple

2011-02-07 13:12 . 2011-02-28 17:07 -------- d-----w- c:\documents and settings\Alex\Application Data\skypePM

2011-02-07 13:12 . 2011-02-08 02:37 -------- d-----w- c:\documents and settings\Alex\Local Settings\Application Data\Apple Computer

2011-02-02 04:34 . 2011-02-02 04:34 -------- d-----w- c:\program files\Roadkil.Net

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-26 01:57 . 2011-01-25 18:29 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-01-25 18:03 . 2011-01-25 18:03 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-01-25 18:03 . 2011-01-25 18:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-01-25 14:42 . 2011-01-25 14:42 319488 ------w- c:\windows\system32\AegisI5Installer.exe

2011-01-25 13:46 . 2011-01-25 01:47 33088 ------w- c:\windows\system32\drivers\psadd.sys

2011-01-25 12:59 . 2011-01-25 12:59 45056 ------r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{90B5E602-1867-449D-86FD-FC9DEA4434BF}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe

2011-01-25 05:52 . 2011-01-25 05:52 391792 ------w- c:\windows\qfe8.tmp

2011-01-25 01:56 . 2011-01-25 01:56 33536 ------w- c:\windows\system32\drivers\tvtfilter.sys

2011-01-25 01:56 . 2011-01-25 01:57 129784 ------w- c:\windows\system32\pxafs.dll

2011-01-25 01:56 . 2011-01-25 01:57 118520 ------w- c:\windows\system32\pxinsi64.exe

2011-01-25 01:56 . 2011-01-25 01:57 115960 ------w- c:\windows\system32\pxcpyi64.exe

2011-01-25 01:56 . 2006-09-27 21:53 36624 ------w- c:\windows\system32\drivers\pxhelp20.sys

2011-01-25 01:55 . 2011-01-25 01:55 7012 ------w- c:\windows\system32\drivers\pmemnt.sys

2011-01-21 14:44 . 2006-04-30 06:56 439296 ------w- c:\windows\system32\shimgvw.dll

2011-01-14 05:13 . 2011-01-14 05:13 337256 ------w- c:\windows\system32\TpShocks.exe

2011-01-14 05:13 . 2011-01-14 05:13 279912 ------w- c:\windows\system32\TpShEvUI.exe

2011-01-14 05:13 . 2011-01-14 05:13 492904 ------w- c:\windows\system32\TpShCPL.dll

2011-01-14 05:13 . 2011-01-14 05:13 386408 ------w- c:\windows\system32\TpShCPL.cpl

2011-01-13 06:06 . 2011-01-13 06:06 20328 ------w- c:\windows\system32\Sensor.DLL

2011-01-13 06:05 . 2011-01-13 06:05 40048 ------w- c:\windows\system32\TPHDEXLG.exe

2011-01-13 06:04 . 2011-01-13 06:04 122992 ------w- c:\windows\system32\drivers\ApsX86.sys

2011-01-13 06:02 . 2011-01-13 06:02 20592 ------w- c:\windows\system32\drivers\ApsHM86.sys

2011-01-07 14:09 . 2006-04-30 06:55 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2006-04-30 06:55 1854976 ------w- c:\windows\system32\win32k.sys

2010-12-29 08:19 . 2010-12-29 08:19 734520 ------w- c:\windows\system32\tcsrpc.dll

2010-12-29 08:19 . 2010-12-29 08:19 427320 ------w- c:\windows\system32\tvttsp.dll

2010-12-22 12:34 . 2006-04-30 06:55 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59 . 2006-04-30 06:56 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59 . 2006-04-30 06:55 43520 ------w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59 . 2006-04-30 06:55 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26 . 2006-04-30 06:55 730112 ------w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2006-04-30 06:55 385024 ------w- c:\windows\system32\html.iec

2010-12-09 15:15 . 2006-04-30 06:55 718336 ------w- c:\windows\system32\ntdll.dll

2010-12-09 14:30 . 2006-04-30 06:55 33280 ------w- c:\windows\system32\csrsrv.dll

2010-12-09 13:42 . 2006-04-30 06:55 2148864 ------w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07 . 2004-08-03 22:59 2027008 ------w- c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((( SnapShot@2011-02-23_11.51.20 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-02-28 08:00 . 2011-02-28 08:00 16384 c:\windows\temp\Perflib_Perfdata_bc8.dat

+ 2006-04-30 06:55 . 2011-02-28 08:06 79360 c:\windows\system32\perfc009.dat

- 2006-04-30 06:55 . 2011-02-23 11:23 79360 c:\windows\system32\perfc009.dat

+ 2011-02-21 17:11 . 2011-02-26 15:48 3987 c:\windows\system32\config\systemprofile\Application Data\Intel\Wireless\Settings\AlertHistory.bin

+ 2006-04-30 06:55 . 2011-02-28 08:06 465640 c:\windows\system32\perfh009.dat

- 2006-04-30 06:55 . 2011-02-23 11:23 465640 c:\windows\system32\perfh009.dat

+ 2011-02-26 15:55 . 2011-02-26 15:55 1094656 c:\windows\Installer\11541b.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2009-03-13 1118720]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 15028104]

"Google Update"="c:\documents and settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-01-29 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-11-04 517480]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2010-11-04 208896]

"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2010-03-25 62312]

"TpShocks"="TpShocks.exe" [2011-01-14 337256]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-11-30 256576]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]

"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]

"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2010-07-21 55120]

"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2010-04-01 43960]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-05 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-05 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-05 142360]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-22 124224]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Alex\Start Menu\Programs\Startup\

SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2010-9-22 607584]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2011-1-25 50688]

Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2010-7-27 546360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2010-07-21 09:28 100176 ------w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\SoulseekNS\\slsk.exe"=

"c:\\WINDOWS\\KMSEmulator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"16654:TCP"= 16654:TCP:BitComet 16654 TCP

"16654:UDP"= 16654:UDP:BitComet 16654 UDP

R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [25/01/2011 15:42 24304]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [13/01/2011 12:02 20592]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [26/01/2011 00:29 218688]

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [25/01/2011 20:10 13680]

R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [25/01/2011 15:42 132456]

R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [25/01/2011 23:09 513536]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [22/10/2010 18:07 22816]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [25/01/2011 23:01 69192]

R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [04/05/2010 10:07 503080]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [25/01/2011 15:42 53248]

R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [13/03/2009 12:47 12560]

R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\Lenovo\HOTKEY\tphkload.exe [25/01/2011 20:10 99328]

R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [30/03/2007 14:39 64440]

R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [09/02/2007 03:11 569344]

R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [25/01/2011 20:43 6609920]

R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [25/01/2011 07:29 23152]

R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [14/09/2006 02:42 38336]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/02/2011 04:15 136176]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [25/01/2011 20:10 45496]

S3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [26/01/2011 11:33 44368]

S3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\DU Meter\DUM_XP32.sys [25/01/2011 23:09 14992]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [25/01/2011 23:01 66536]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 08:25 30969208]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [08/02/2011 08:41 18432]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 19:37 4640000]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [06/05/2008 14:06 11520]

.

Contents of the 'Scheduled Tasks' folder

2011-02-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 23:54]

2011-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-15 14:57]

2011-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-15 14:57]

2011-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2238128139-3701080661-2959468671-1005Core.job

- c:\documents and settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-29 14:57]

2011-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2238128139-3701080661-2959468671-1005UA.job

- c:\documents and settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-29 14:57]

2011-02-18 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PC-Doctor\uaclauncher.exe [2011-01-27 22:29]

2011-02-28 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2011-01-25 17:29]

2011-02-27 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\PC-Doctor\pcdrcui.exe [2011-01-27 22:29]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www-307.ibm.com/pc/support/site.wss/migr-67971.html

uInternet Settings,ProxyOverride = *.local

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

FF - ProfilePath - c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\ycilvo5k.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.lemonde.fr

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Adobe Acrobat - Create PDF: web2pdfextension@web2pdf.adobedotcom - c:\program files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-28 23:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]

"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1392)

c:\windows\system32\vrlogon.dll

c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

c:\program files\ThinkVantage Fingerprint Software\infql2.dll

c:\program files\ThinkVantage Fingerprint Software\homepass.dll

c:\program files\ThinkVantage Fingerprint Software\bio.dll

c:\program files\ThinkVantage Fingerprint Software\qlbase.dll

c:\program files\ThinkVantage Fingerprint Software\ps2css.dll

c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1448)

c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

c:\program files\ThinkVantage Fingerprint Software\infql2.dll

- - - - - - - > 'explorer.exe'(3340)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2011-03-01 00:02:14

ComboFix-quarantined-files.txt 2011-02-28 18:01

ComboFix2.txt 2011-02-23 14:48

ComboFix3.txt 2011-02-23 11:53

ComboFix4.txt 2011-02-23 11:30

Pre-Run: 9,468,481,536 bytes free

Post-Run: 9,458,384,896 bytes free

- - End Of File - - 424D7FC083C8FAD94D347CB47D30F3EC


Hi Borislav,

Here is the result:


5 VT Community user(s) with a total of 5 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name:

KMSEmulator.exe

Submission date:

2011-02-27 22:21:49 (UTC)

Current status:

finished

Result:

26 /42 (61.9%)

VT Community

goodware

Safety score: 100.0%


Antivirus Version Last Update Result

AhnLab-V3 2011.02.28.00 2011.02.27 Trojan/Win32.Gen

AntiVir 7.11.3.241 2011.02.27 SPR/Tool.Keygen.BI.38

Antiy-AVL 2.0.3.7 2011.02.27 -

Avast 4.8.1351.0 2011.02.23 Win32:Malware-gen

Avast5 5.0.677.0 2011.02.23 Win32:Malware-gen

AVG 10.0.0.1190 2011.02.27 BackDoor.Hackdoor.R

BitDefender 7.2 2011.02.27 -

CAT-QuickHeal 11.00 2011.02.27 HackTool.Keygen.a (Not a Virus)

ClamAV 0.96.4.0 2011.02.27 -

Commtouch 5.2.11.5 2011.02.27 W32/MalwareF.RBHI

Comodo 7823 2011.02.27 UnclassifiedMalware

DrWeb 5.0.2.03300 2011.02.27 -

Emsisoft 5.1.0.2 2011.02.27 possible-Threat.Crack.MSO!IK

eSafe 7.0.17.0 2011.02.27 Win32.SPRTool.Keygen

eTrust-Vet 36.1.8184 2011.02.25 -

F-Prot 4.6.2.117 2011.02.27 W32/MalwareF.RBHI

F-Secure 9.0.16160.0 2011.02.27 -

Fortinet 4.2.254.0 2011.02.27 W32/Keygen.DX!tr

GData 21 2011.02.27 Win32:Malware-gen

Ikarus T3.1.1.97.0 2011.02.27 possible-Threat.Crack.MSO

Jiangmin 13.0.900 2011.02.27 -

K7AntiVirus 9.90.3967 2011.02.25 Riskware

Kaspersky 7.0.0.125 2011.02.27 -

McAfee 5.400.0.1158 2011.02.27 Generic.dx!uqo

McAfee-GW-Edition 2010.1C 2011.02.27 Heuristic.LooksLike.Win32.Suspicious.C!89

Microsoft 1.6603 2011.02.27 HackTool:Win32/Keygen

NOD32 5912 2011.02.27 a variant of Win32/HackKMS.A

Norman 6.07.03 2011.02.27 W32/Suspicious_Gen2.FAHTA

nProtect 2011-02-10.01 2011.02.15 -

PCTools 7.0.3.5 2011.02.25 Trojan.Gen

Prevx 3.0 2011.02.27 -

Rising 23.46.05.03 2011.02.26 -

Sophos 4.61.0 2011.02.27 Troj/Keygen-DX

SUPERAntiSpyware 4.40.0.1006 2011.02.27 -

Symantec 20101.3.0.103 2011.02.27 Trojan.Gen.2

TheHacker 6.7.0.1.140 2011.02.27 -

TrendMicro 9.200.0.1012 2011.02.27 TROJ_GEN.R47C3LC

TrendMicro-HouseCall 9.200.0.1012 2011.02.27 TROJ_GEN.R47C3LC

VBA32 3.12.14.3 2011.02.25 -

VIPRE 8557 2011.02.27 HackTool.Win32.Keygen

ViRobot 2011.2.26.4331 2011.02.27 -

VirusBuster 13.6.225.2 2011.02.27 -


MD5 : cf7498ada4ac2f50e5ca72205865d7ce

SHA1 : b97d98cd50ea1c8d1d471043bc21bd95ff73b6d3

SHA256: a2ffd0bc5e055e519fd3006bfdae422327d8e01310eae528267014c54293bfa4

ssdeep: 1536:AmO/4ZLqopD6C+ZHGslB7MuNp+eudFew7WgPEXKOtnjuSGedEO:ABkLdpD6C+ZHGu7MuX+eudHlPEaOJuSg

File size : 78848 bytes

First seen: 2010-11-12 03:27:22

Last seen : 2011-02-27 22:21:49

Magic: PE32 executable for MS Windows (console) Intel 80386 32-bit

TrID:

Win32 EXE Yoda's Crypter (56.9%)

Win32 Executable Generic (18.2%)

Win32 Dynamic Link Library (generic) (16.2%)

Generic Win/DOS Executable (4.2%)

DOS Executable Generic (4.2%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: localhost

description..: Local KMS Host

original name: localhost.dll

internal name: localhost

file version.: 6.0

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEiD: -

packers (F-Prot): UPX

packers (Kaspersky): UPX

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x28620

timedatestamp....: 0x4A7C1F70 (Fri Aug 07 12:34:56 2009)

machinetype......: 0x14C (Intel I386)

[[ 3 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

, 0x1000, 0x15000, 0x0, 0.0, d41d8cd98f00b204e9800998ecf8427e

, 0x16000, 0x13000, 0x12800, 7.89, 2e83b76bbd4a03aa25824cb48c82fbcd

.rsrc, 0x29000, 0x1000, 0x800, 4.84, e33a59a2f399b3862d15c19f9185c8fb

[[ 3 import(s) ]]

kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess

rpcrt4.dll: NdrServerCall2

user32.dll: wsprintfA

ThreatExpert:

http://www.threatexpert.com/report.aspx?md5=cf7498ada4ac2f50e5ca72205865d7ce

ExifTool:

-

Symantec reputation: Suspicious.Insight

VT Community

5

User:

Anonymous

Reputation:

1 credits

Comment date:

2010-12-10 17:47:01 (UTC)

This is just the file that reactivates office, if you happened to get office off your "friend". heh heh.

Tags: Goodware,


User:

Anonymous

Reputation:

1 credits

Comment date:

2010-12-12 00:41:41 (UTC)

Tags: Goodware, keygen, application, crack


User:

Anonymous

Reputation:

1 credits

Comment date:

2010-12-28 02:03:20 (UTC)

Yep it's just used to activate Office, I didn't give it internet, but no harm so far.

Tags: Goodware, keygen, application, crack


User:

Anonymous

Reputation:

1 credits

Comment date:

2011-01-19 17:02:47 (UTC)

Tags: Goodware,


User:

Anonymous

Reputation:

1 credits

Comment date:

2011-02-27 19:40:27 (UTC)

Tags: Goodware,



Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=76447

Collect::[8]
c:\windows\KMSEmulator.exe

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Hi,

Here are the reports:

ComboFix 11-02-28.07 - Alex 02/03/2011 0:18.5.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2006.1184 [GMT 6:00]

Running from: c:\documents and settings\Alex\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Alex\Desktop\CFScript.txt

AV: VirusScan Enterprise + AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Created a new restore point

file zipped: c:\windows\KMSEmulator.exe

.

((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))

.

2011-03-01 17:49 . 2011-03-01 18:08 -------- d-----w- C:\Combo-Fix

2011-02-26 15:55 . 2011-02-26 15:55 388096 ----a-r- c:\documents and settings\Alex\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-02-26 15:55 . 2011-02-26 15:55 -------- d-----w- c:\program files\Trend Micro

2011-02-26 15:34 . 2011-02-26 15:34 -------- d-----w- c:\documents and settings\Alex\Application Data\Malwarebytes

2011-02-26 15:34 . 2010-12-20 12:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-26 15:34 . 2011-02-26 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-26 15:34 . 2011-02-28 08:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-26 15:34 . 2010-12-20 12:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-23 11:58 . 2011-02-27 05:45 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-02-23 11:58 . 2011-02-27 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-02-22 09:48 . 2011-02-23 13:30 -------- d-----w- c:\program files\Windows Defender

2011-02-22 07:24 . 2011-02-22 09:13 78848 ----a-w- c:\windows\KMSEmulator.exe

2011-02-22 07:06 . 2011-02-22 07:06 -------- d-----w- C:\share

2011-02-21 16:35 . 2011-02-21 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek

2011-02-21 14:40 . 2011-02-21 14:40 -------- d-----w- c:\program files\SoulseekNS

2011-02-18 07:06 . 2011-02-18 07:07 -------- d-----w- c:\documents and settings\Alex\Application Data\Update

2011-02-17 11:10 . 2011-02-17 11:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

2011-02-17 06:09 . 2011-02-17 06:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2011-02-16 08:55 . 2011-02-16 08:55 -------- d-----w- c:\program files\WebGear

2011-02-16 06:42 . 2011-02-16 08:48 -------- d-----w- C:\My Movies

2011-02-16 06:27 . 2011-02-16 06:30 -------- d-----w- C:\Alex

2011-02-16 06:10 . 2011-02-21 08:26 -------- d-----w- C:\MP3

2011-02-15 22:15 . 2011-02-15 22:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2011-02-12 11:58 . 2001-08-17 14:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-02-12 11:58 . 2008-04-13 21:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-02-12 11:58 . 2008-04-13 16:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-02-12 11:58 . 2008-04-13 16:15 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys

2011-02-10 17:22 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

2011-02-08 22:34 . 2011-02-08 22:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-02-08 21:32 . 2011-02-08 21:32 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search

2011-02-08 21:26 . 2011-02-27 14:38 -------- d-----w- c:\program files\CoreCodec

2011-02-08 21:22 . 2011-02-22 07:24 -------- d-----w- C:\Downloads

2011-02-08 21:21 . 2011-02-22 08:23 -------- d-----w- c:\documents and settings\Alex\Application Data\BitComet

2011-02-08 16:37 . 2011-02-08 16:37 -------- d--h--w- c:\windows\PIF

2011-02-08 14:34 . 2011-02-08 18:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-02-08 02:47 . 2011-02-08 02:47 -------- d-----w- c:\program files\iPod

2011-02-08 02:41 . 2010-04-19 12:29 18432 ----a-w- c:\windows\system32\drivers\netaapl.sys

2011-02-08 02:41 . 2010-09-28 07:44 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-02-08 02:41 . 2010-09-28 07:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-02-07 17:02 . 2008-04-13 16:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2011-02-07 17:02 . 2008-04-13 16:09 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys

2011-02-07 17:02 . 2008-04-13 16:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2011-02-07 17:02 . 2008-04-13 16:16 10880 ----a-w- c:\windows\system32\dllcache\ndisip.sys

2011-02-07 13:51 . 2011-02-16 06:47 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer

2011-02-07 13:50 . 2009-05-18 05:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2011-02-07 13:50 . 2008-04-17 04:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2011-02-07 13:48 . 2011-02-08 02:50 -------- d-----w- c:\program files\iTunes

2011-02-07 13:48 . 2011-02-07 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2011-02-07 13:46 . 2011-02-07 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2011-02-07 13:46 . 2011-02-07 13:46 -------- d-----w- c:\documents and settings\Alex\Local Settings\Application Data\Apple

2011-02-07 13:46 . 2011-02-07 13:46 -------- d-----w- c:\program files\Apple Software Update

2011-02-07 13:34 . 2011-02-07 13:34 -------- d-----w- c:\documents and settings\Alex\Local Settings\Application Data\Identities

2011-02-07 13:34 . 2011-02-07 13:34 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Desktop Search

2011-02-07 13:29 . 2011-02-08 14:27 -------- d-----w- c:\program files\Windows Desktop Search

2011-02-07 13:29 . 2011-02-07 13:29 -------- d-----w- c:\windows\system32\GroupPolicy

2011-02-07 13:28 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll

2011-02-07 13:28 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll

2011-02-07 13:28 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll

2011-02-07 13:19 . 2011-02-07 13:20 -------- d-----w- c:\program files\Bonjour

2011-02-07 13:19 . 2011-02-12 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2011-02-07 13:19 . 2011-02-08 02:47 -------- d-----w- c:\program files\Common Files\Apple

2011-02-07 13:12 . 2011-03-01 16:50 -------- d-----w- c:\documents and settings\Alex\Application Data\skypePM

2011-02-07 13:12 . 2011-02-08 02:37 -------- d-----w- c:\documents and settings\Alex\Local Settings\Application Data\Apple Computer

2011-02-02 04:34 . 2011-02-02 04:34 -------- d-----w- c:\program files\Roadkil.Net

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-26 01:57 . 2011-01-25 18:29 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-01-25 18:03 . 2011-01-25 18:03 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-01-25 18:03 . 2011-01-25 18:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-01-25 14:42 . 2011-01-25 14:42 319488 ------w- c:\windows\system32\AegisI5Installer.exe

2011-01-25 13:46 . 2011-01-25 01:47 33088 ------w- c:\windows\system32\drivers\psadd.sys

2011-01-25 05:52 . 2011-01-25 05:52 391792 ------w- c:\windows\qfe8.tmp

2011-01-25 01:56 . 2011-01-25 01:56 33536 ------w- c:\windows\system32\drivers\tvtfilter.sys

2011-01-25 01:56 . 2011-01-25 01:57 129784 ------w- c:\windows\system32\pxafs.dll

2011-01-25 01:56 . 2011-01-25 01:57 118520 ------w- c:\windows\system32\pxinsi64.exe

2011-01-25 01:56 . 2011-01-25 01:57 115960 ------w- c:\windows\system32\pxcpyi64.exe

2011-01-25 01:56 . 2006-09-27 21:53 36624 ------w- c:\windows\system32\drivers\pxhelp20.sys

2011-01-25 01:55 . 2011-01-25 01:55 7012 ------w- c:\windows\system32\drivers\pmemnt.sys

2011-01-21 14:44 . 2006-04-30 06:56 439296 ------w- c:\windows\system32\shimgvw.dll

2011-01-14 05:13 . 2011-01-14 05:13 337256 ------w- c:\windows\system32\TpShocks.exe

2011-01-14 05:13 . 2011-01-14 05:13 279912 ------w- c:\windows\system32\TpShEvUI.exe

2011-01-14 05:13 . 2011-01-14 05:13 492904 ------w- c:\windows\system32\TpShCPL.dll

2011-01-14 05:13 . 2011-01-14 05:13 386408 ------w- c:\windows\system32\TpShCPL.cpl

2011-01-13 06:06 . 2011-01-13 06:06 20328 ------w- c:\windows\system32\Sensor.DLL

2011-01-13 06:05 . 2011-01-13 06:05 40048 ------w- c:\windows\system32\TPHDEXLG.exe

2011-01-13 06:04 . 2011-01-13 06:04 122992 ------w- c:\windows\system32\drivers\ApsX86.sys

2011-01-13 06:02 . 2011-01-13 06:02 20592 ------w- c:\windows\system32\drivers\ApsHM86.sys

2011-01-07 14:09 . 2006-04-30 06:55 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2006-04-30 06:55 1854976 ------w- c:\windows\system32\win32k.sys

2010-12-29 08:19 . 2010-12-29 08:19 734520 ------w- c:\windows\system32\tcsrpc.dll

2010-12-29 08:19 . 2010-12-29 08:19 427320 ------w- c:\windows\system32\tvttsp.dll

2010-12-22 12:34 . 2006-04-30 06:55 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59 . 2006-04-30 06:56 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59 . 2006-04-30 06:55 43520 ------w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59 . 2006-04-30 06:55 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26 . 2006-04-30 06:55 730112 ------w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2006-04-30 06:55 385024 ------w- c:\windows\system32\html.iec

2010-12-09 15:15 . 2006-04-30 06:55 718336 ------w- c:\windows\system32\ntdll.dll

2010-12-09 14:30 . 2006-04-30 06:55 33280 ------w- c:\windows\system32\csrsrv.dll

2010-12-09 13:42 . 2006-04-30 06:55 2148864 ------w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07 . 2004-08-03 22:59 2027008 ------w- c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((( SnapShot@2011-02-23_11.51.20 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-03-01 16:49 . 2011-03-01 16:49 16384 c:\windows\temp\Perflib_Perfdata_cc4.dat

+ 2006-04-30 06:55 . 2011-03-01 16:58 79360 c:\windows\system32\perfc009.dat

- 2006-04-30 06:55 . 2011-02-23 11:23 79360 c:\windows\system32\perfc009.dat

+ 2011-02-21 17:11 . 2011-02-26 15:48 3987 c:\windows\system32\config\systemprofile\Application Data\Intel\Wireless\Settings\AlertHistory.bin

+ 2006-04-30 06:55 . 2011-03-01 16:58 465640 c:\windows\system32\perfh009.dat

- 2006-04-30 06:55 . 2011-02-23 11:23 465640 c:\windows\system32\perfh009.dat

+ 2011-02-26 15:55 . 2011-02-26 15:55 1094656 c:\windows\Installer\11541b.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2009-03-13 1118720]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 15028104]

"Google Update"="c:\documents and settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-01-29 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-11-04 517480]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2010-11-04 208896]

"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2010-03-25 62312]

"TpShocks"="TpShocks.exe" [2011-01-14 337256]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-11-30 256576]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]

"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-24 1036288]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]

"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2010-07-21 55120]

"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2010-04-01 43960]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-05 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-05 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-05 142360]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-22 124224]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Alex\Start Menu\Programs\Startup\

SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2010-9-22 607584]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2011-1-25 50688]

Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2010-7-27 546360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2010-07-21 09:28 100176 ------w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\SoulseekNS\\slsk.exe"=

"c:\\WINDOWS\\KMSEmulator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"16654:TCP"= 16654:TCP:BitComet 16654 TCP

"16654:UDP"= 16654:UDP:BitComet 16654 UDP

R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [25/01/2011 15:42 24304]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [13/01/2011 12:02 20592]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [26/01/2011 00:29 218688]

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [25/01/2011 20:10 13680]

R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [25/01/2011 15:42 132456]

R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [25/01/2011 23:09 513536]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [22/10/2010 18:07 22816]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [25/01/2011 23:01 69192]

R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [04/05/2010 10:07 503080]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [25/01/2011 15:42 53248]

R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [13/03/2009 12:47 12560]

R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\Lenovo\HOTKEY\tphkload.exe [25/01/2011 20:10 99328]

R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [30/03/2007 14:39 64440]

R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [09/02/2007 03:11 569344]

R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [25/01/2011 20:43 6609920]

R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [25/01/2011 07:29 23152]

R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [14/09/2006 02:42 38336]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/02/2011 04:15 136176]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [25/01/2011 20:10 45496]

S3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [26/01/2011 11:33 44368]

S3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\DU Meter\DUM_XP32.sys [25/01/2011 23:09 14992]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [25/01/2011 23:01 66536]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 08:25 30969208]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [08/02/2011 08:41 18432]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 19:37 4640000]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [06/05/2008 14:06 11520]

.

Contents of the 'Scheduled Tasks' folder

2011-03-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 23:54]

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-15 14:57]

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-15 14:57]

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2238128139-3701080661-2959468671-1005Core.job

- c:\documents and settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-29 14:57]

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2238128139-3701080661-2959468671-1005UA.job

- c:\documents and settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-29 14:57]

2011-02-18 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PC-Doctor\uaclauncher.exe [2011-01-27 22:29]

2011-03-01 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2011-01-25 17:29]

2011-03-01 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\PC-Doctor\pcdrcui.exe [2011-01-27 22:29]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www-307.ibm.com/pc/support/site.wss/migr-67971.html

uInternet Settings,ProxyOverride = *.local

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

FF - ProfilePath - c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\ycilvo5k.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.lemonde.fr

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Adobe Acrobat - Create PDF: web2pdfextension@web2pdf.adobedotcom - c:\program files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-03-02 00:29

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]

"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1392)

c:\windows\system32\vrlogon.dll

c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

c:\program files\ThinkVantage Fingerprint Software\infql2.dll

c:\program files\ThinkVantage Fingerprint Software\homepass.dll

c:\program files\ThinkVantage Fingerprint Software\bio.dll

c:\program files\ThinkVantage Fingerprint Software\qlbase.dll

c:\program files\ThinkVantage Fingerprint Software\ps2css.dll

c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1448)

c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

c:\program files\ThinkVantage Fingerprint Software\infql2.dll

- - - - - - - > 'explorer.exe'(5556)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2011-03-02 00:33:58

ComboFix-quarantined-files.txt 2011-03-01 18:33

ComboFix2.txt 2011-02-28 18:02

ComboFix3.txt 2011-02-23 14:48

ComboFix4.txt 2011-02-23 11:53

ComboFix5.txt 2011-03-01 18:15

Pre-Run: 9,431,678,976 bytes free

Post-Run: 9,412,591,616 bytes free

- - End Of File - - F108B9B702EF3364255E1B6CCBBC8AA8

CF-Submit.htm

  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:" should be written as follows:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.

Thanks, Alex! :)

  • Launch Malwarebytes' Anti-Malware
  • Go to the "Update" tab and select Check for Updates.
  • Go to the Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Hi Borislav,

Update went well. Here is the report:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5919

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

02/03/2011 01:16:46

mbam-log-2011-03-02 (01-16-46).txt

Scan type: Quick scan

Objects scanned: 159306

Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Hi Borislav,

It seems OK now. Chrome is working and McAfee and MBAM are up to date.

Do you know what the issue was? What kind of virus? Any chance that personal information has been compromised?

Can you advise some tools for better protection?

Thanks a lot for your help,

Alex

Do you know what the issue was? What kind of virus?

Not a virus, but malware: different types of malware.

Any chance that personal information has been compromised?

Absolutely! Two of the infections that we detected and removed collect passwords, so I suggest you change all of them.

Can you advise some tools for better protection?

My advice is to change your AV. McAfee is a really poor solution. You can choose a better solution from the article in my last step.

Last steps for you :)

Step 1

Go to Start => Run... and copy & paste the next command into the field:

ComboFix /uninstall

Then hit the Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Reset System Restore again

Note: Make sure there's a space between ComboFix and /uninstall

Step 2

Please enable Defogger and then manually delete it and the following tools too: DDS and mbam-rules.

Step 3

Please uninstall HiJackThis.

Step 4

Keep your software up-to-date:

www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing, Alex! :)
