Malwarebytes blocks incoming/outgoing traffic, but no virus detected

Atilla
Hi,

THANK YOU for your generous help to everyone. It's too bad more people don't Pay It Forward like yourselves. I hope I have followed the instructions from Spyware-Asylum correctly; I would hate to waste your valuable time.

I've been fighting various viruses for over a year. I'm hoping this might be the last stand. After running ComboFix/Malwarebytes/HijackThis, the computer is faster, but Malwarebytes is still blocking malicious traffic.

Thank you, Csaba


----------------SIDE NOTE-------------------
I initially found Tech-forums, and then the Spyware-Asylum instructions sent me to BleepingComputer to download ComboFix. I got confused (ADHD and all) and ended up posting there, only to realize that their average time to initial reply for malware was about 8-12 days! Realizing my mistake, and that your time to reply seems to usually be less than a day, I came back. It's very interesting to note the difference in tools and techniques used between the two sites.


----------COMPUTER-------------------------
IBM Laptop T-42 (from 2004!)
Windows XP Service Pack 3
Version 5.1 (Build 2600.xpsp_sp3_gdr.101209-1647)
Windows Update has always been on. The only updates remaining to install (per the Microsoft website) are 10 optional ones. I didn't install those because the system got so slow, especially with Internet Explorer. After using ComboFix, Malwarebytes and HijackThis, the system is speedy again and I could install them. But I haven't downloaded them yet.


---------DESCRIPTION OF THE PROBLEM------------
The system would slow to a crawl at random for 30-60 minutes and then eventually "recover" all by itself. Launching anything connecting to the internet also triggered the slowdown. Several months ago, based on a different website, I used Avast, AVG, Avira, and Malwarebytes to (sort of) successfully eliminate several viruses. Life was good.

The slowdowns started again 3-4 weeks ago, but with a new symptom. Malwarebytes (a trial of the paid version, not the free version) keeps blocking incoming and outgoing communications (see below) to "potentially malicious websites". These coincide with spikes in network activity (both incoming and outgoing) as displayed in the NetPerSec mini icon. The slowdown (and corresponding spikes in network activity) happens at random; in other words, I may be using the computer actively or not at all.

Before I found your site, a full scan by Malwarebytes unfortunately only identified/deleted cookies, nothing else suspicious. Ad-Aware also did not identify anything. I purchased Webroot, on the advice of a (former) friend, and it also has not identified anything.

Now I admit I need help. The log files requested are posted below. But first, here's a brief snapshot of the Malwarebytes Protection log for today. You'll see the activity it was blocking before and after it was turned off. Activity to and from Moldova/Korea does not make me feel safe.

...
11:13:49 Csaba.Nagy IP-BLOCK 222.70.98.99 (Type: outgoing)
11:25:59 Csaba.Nagy IP-BLOCK 89.28.112.81 (Type: incoming)
11:43:35 Csaba.Nagy IP-BLOCK 222.70.98.99 (Type: outgoing)
11:59:05 Csaba.Nagy IP-BLOCK 222.70.98.99 (Type: outgoing)
11:59:36 Csaba.Nagy IP-BLOCK 89.28.93.61 (Type: outgoing)
12:14:02 Csaba.Nagy IP-BLOCK 121.10.120.143 (Type: incoming)
12:29:29 Csaba.Nagy IP-BLOCK 79.135.130.25 (Type: outgoing)
12:29:31 Csaba.Nagy IP-BLOCK 79.135.130.25 (Type: outgoing)
12:29:38 Csaba.Nagy IP-BLOCK 83.128.105.173 (Type: outgoing)
12:38:35 Csaba.Nagy IP-BLOCK 121.10.120.182 (Type: incoming)
12:45:58 Csaba.Nagy IP-BLOCK 213.231.5.113 (Type: incoming)
13:30:42 Csaba.Nagy IP-BLOCK 222.70.148.146 (Type: outgoing)
13:33:31 Csaba.Nagy IP-BLOCK 77.78.240.233 (Type: incoming)
13:34:26 Csaba.Nagy IP-BLOCK 194.165.0.3 (Type: incoming)
13:47:53 Csaba.Nagy IP-BLOCK 89.28.22.19 (Type: incoming)
14:01:41 Csaba.Nagy IP-BLOCK 85.234.175.141 (Type: outgoing)
14:18:14 Csaba.Nagy IP-BLOCK 89.28.74.218 (Type: incoming)
14:46:47 Csaba.Nagy IP-BLOCK 62.45.65.12 (Type: outgoing)
15:00:14 Csaba.Nagy IP-BLOCK 213.231.5.113 (Type: incoming)
19:55:01 Csaba.Nagy MESSAGE Protection started successfully
19:55:08 Csaba.Nagy MESSAGE IP Protection started successfully
19:55:08 Csaba.Nagy MESSAGE IP Protection stopped
19:55:15 Csaba.Nagy MESSAGE Database updated successfully
19:55:19 Csaba.Nagy MESSAGE IP Protection started successfully
20:02:18 Csaba.Nagy IP-BLOCK 62.45.147.227 (Type: outgoing)
20:03:01 Csaba.Nagy IP-BLOCK 89.28.101.9 (Type: outgoing)
20:03:10 Csaba.Nagy IP-BLOCK 121.125.131.91 (Type: outgoing)
20:31:06 Csaba.Nagy IP-BLOCK 89.28.69.167 (Type: outgoing)


-------COMBOFIX, AVG 2011, and WINDOWS FIREWALL------------------

I disabled all active protections (Webroot, Ad-Aware, Malwarebytes), but ComboFix complained that AVG 2011 was installed.

I was sure I had uninstalled it months ago, and the log file from avg_remover_stf_x86_2011_1322.exe (run today) includes pages and pages of "not installed", "empty", "not found", etc. (I could post the log; it's a 208 KB text file.)

HOWEVER, Control Panel Security Center still says that the AVG firewall is protecting the system and Windows Firewall is off. So I turned Windows Firewall on and kept it on despite Security Center's caution that it might not be a good idea to have two firewalls on at once. (I was worried Windows was being tricked into thinking AVG was there.) Interestingly, Windows Firewall was turned off without my intervention a few hours later. Suspicious.

-----------------RUNNING COMBOFIX ISSUE------------------
In any case, no matter what I did, ComboFix kept complaining that AVG was there. Despite the risks, I ran ComboFix anyway.

It took 16 minutes to get to Stage 4 (which apparently is very slow), and then while I was in a different room the computer went to a blue screen with "Plug and Play detected an error most likely caused by a faulty driver". After I restarted it, it was much faster and made it all the way through.


-------------CURRENT STATUS------------------
After running all three programs, the computer is faster and does not slow down as much. But Malwarebytes still blocks suspicious activity (see log above).

Here are the three log files requested. (I also have the AVG remover log file available.)
Thanks again. Csaba


-------------------------------
ComboFix 11-07-24.01 - Csaba.Nagy 07/24/2011 16:57:43.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.528 [GMT -4:00]
Running from: c:\documents and settings\Csaba.Nagy.TUCKNT\My Documents\Downloads\ComboFix.exe
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Csaba.Nagy.TUCKNT\WINDOWS
c:\documents and settings\Csaba.Nagy\WINDOWS
c:\documents and settings\Default User\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_uacFlt
-------\Service_uacFlt
.
.
((((((((((((((((((((((((( Files Created from 2011-06-24 to 2011-07-24 )))))))))))))))))))))))))))))))
.
.
2011-07-24 02:13 . 2011-07-24 02:13 -------- d-----w- c:\documents and settings\Csaba.Nagy.TUCKNT\Local Settings\Application Data\Webroot
2011-07-24 02:12 . 2011-07-24 02:12 -------- d-----w- c:\documents and settings\Csaba.Nagy.TUCKNT\Application Data\webroot
2011-07-23 20:28 . 2011-07-22 12:19 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-07-22 12:19 . 2011-07-22 12:19 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-22 04:23 . 2011-07-22 04:23 -------- dc----w- c:\windows\system32\DRVSTORE
2011-07-22 04:23 . 2011-06-20 14:31 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-22 04:22 . 2011-07-22 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-07-19 02:59 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-19 02:58 . 2011-07-19 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-19 02:58 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-17 21:32 . 2011-05-23 17:09 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-07-17 21:32 . 2011-05-23 17:09 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-17 21:32 . 2011-05-23 17:09 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-17 21:31 . 2011-05-26 15:22 122696 ----a-w- c:\windows\system32\drivers\pwipf6.sys
2011-07-17 21:30 . 2011-07-17 21:30 6202608 ----a-w- c:\program files\Common Files\wruninstall.exe
2011-07-17 21:29 . 2011-07-18 03:34 -------- d-----w- c:\program files\Microsoft Silverlight
2011-07-17 21:16 . 2011-07-17 21:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-07-17 21:07 . 2011-07-17 21:07 -------- d-----w- c:\program files\Webroot
2011-07-17 21:05 . 2011-07-24 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-07-17 21:05 . 2011-07-17 21:05 -------- d-----w- c:\documents and settings\Csaba.Nagy.TUCKNT\Local Settings\Application Data\PackageAware
2011-06-27 12:15 . 2011-06-27 12:15 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-27 12:15 . 2011-06-27 12:15 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-30 12:13 . 2011-05-30 20:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-06-23 12:14 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2004-06-07 18:19 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-06-23 12:14 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-06-23 12:14 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-06-23 12:14 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-26 11:07 . 2004-06-23 12:13 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-06-27 12:15 . 2011-05-29 16:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{6B78A880-15CA-468f-8422-A7960AD6FBB9}"
[HKEY_CLASSES_ROOT\CLSID\{6B78A880-15CA-468f-8422-A7960AD6FBB9}]
2011-05-26 15:51 326928 ----a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{4EE7A346-5845-471e-9FAB-002EAF83F8B0}"
[HKEY_CLASSES_ROOT\CLSID\{4EE7A346-5845-471e-9FAB-002EAF83F8B0}]
2011-05-26 15:51 326928 ----a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{53DABC15-4F29-44ad-B09A-E0D0F9A3D075}"
[HKEY_CLASSES_ROOT\CLSID\{53DABC15-4F29-44ad-B09A-E0D0F9A3D075}]
2011-05-26 15:51 326928 ----a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{493FC96E-B938-4924-9B38-C4088E9B8AC2}"
[HKEY_CLASSES_ROOT\CLSID\{493FC96E-B938-4924-9B38-C4088E9B8AC2}]
2011-05-26 15:51 326928 ----a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-15 323392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-05-10 94208]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-12-07 14:33 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-03-19 90112]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 99840]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]
"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2002-03-20 45632]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-12 229952]
"VerizonServicepoint.exe"="c:\program files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 1880064]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2006-05-22 694272]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-07-17 1383496]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Install Webroot FF RunOnce.lnk - c:\program files\Common Files\wruninstall.exe [2011-7-17 6202608]
Install Webroot IE RunOnce.lnk - c:\program files\Common Files\wruninstall.exe [2011-7-17 6202608]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NetPerSec.lnk - c:\program files\NetPerSec\NetPerSec.exe [2004-6-23 192512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 03:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-02-01 20:09 24576 ------w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SideCar\\SideCar.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 EFlashAssist;EFlashAssist;c:\windows\system32\drivers\EFLASHAS.SYS [10/20/2005 2:41 PM 8476]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/22/2011 12:23 AM 64512]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [7/17/2011 5:31 PM 122696]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [6/19/2004 5:05 AM 16384]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [9/3/2004 12:31 PM 35693]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/18/2011 10:59 PM 366640]
R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [7/17/2011 5:32 PM 45584]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [7/17/2011 5:16 PM 3363168]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [9/3/2004 12:31 PM 1915837]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/18/2011 10:58 PM 22712]
S2 AutoExNT;ERU Autobackup;c:\windows\system32\AUTOEXNT.EXE [5/23/2005 2:25 PM 22528]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/21/2010 2:52 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/21/2010 2:52 AM 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [6/20/2011 10:31 AM 2151640]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-06-20 11:19]
.
2011-07-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 18:21]
.
2007-01-31 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-06-19 05:38]
.
2011-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-21 06:51]
.
2011-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-21 06:51]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.stillriversystems.c...bmail.stillriversystems.com/exchange&reason=0
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*Yahoo! SearchBar Home Page
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Csaba.Nagy.TUCKNT\Application Data\Mozilla\Firefox\Profiles\3x5xzgap.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.techist.com/pc/f51/virus-204611/|Google News
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{2665e909-eb55-446c-9417-26c0ccf71961} - c:\windows\system32\yudegoku.dll
AddRemove-Active Ports - c:\windows\unvise32.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-07-24 19:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
- - - - - - - > 'explorer.exe'(9160)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Webroot\Security\current\plugins\sync\WebRootShellExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\lenovo\system update\suservice.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe
c:\progra~1\Webroot\Security\Current\plugins\cleanup\WRCLEA~1.EXE
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\TpShocks.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\RunDll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-07-24 19:10:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-24 23:10
.
Pre-Run: 18,342,543,360 bytes free
Post-Run: 18,264,252,416 bytes free
.
- - End Of File - - 3600B7061DC96B92AC281E644D548429


-----------------------------------
Malwarebytes' Anti-Malware 1.51.1.1800
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 7266

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2011 7:38:18 PM
mbam-log-2011-07-24 (19-38-18).txt

Scan type: Quick scan
Objects scanned: 187825
Time elapsed: 12 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-----------------------------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:51:01 PM, on 7/24/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\NetPerSec\NetPerSec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Csaba.Nagy.TUCKNT\My Documents\Downloads\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.stillriversystems.c...bmail.stillriversystems.com/exchange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: WRCommonBHO - {D93EC24D-8741-4D41-B83D-A5793B998416} - C:\Program Files\Webroot\Security\current\plugins\browserextension\WebrootBHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Webroot Browser Helper Object - {e08861fe-8847-4b2a-8ec2-08edb20e4020} - C:\Program Files\Webroot\Security\current\products\WISE\toolbar\LPBar.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Webroot Toolbar - {d84a64a0-f2b2-4975-b264-3a3bce8d57d6} - C:\Program Files\Webroot\Security\current\products\WISE\toolbar\LPBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe"
O4 - HKLM\..\Run: [TpShocks] "TpShocks.exe"
O4 - HKLM\..\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" -helper
O4 - HKLM\..\Run: [TPKBDLED] "C:\WINDOWS\system32\TpScrLk.exe"
O4 - HKLM\..\Run: [TPHOTKEY] "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe"
O4 - HKLM\..\Run: [TP4EX] "tp4ex.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [S3TRAY2] "S3Tray2.exe"
O4 - HKLM\..\Run: [PRONoMgrWired] "C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\WINDOWS\system32\LVCOMSX.EXE"
O4 - HKLM\..\Run: [LogitechVideo[inspector]] "C:\Program Files\Logitech\Video\InstallHelper.exe" /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] "C:\WINDOWS\system32\ElkCtrl.exe" /automation
O4 - HKLM\..\Run: [LogitechCameraAssistant] "C:\Program Files\Logitech\Video\CameraAssistant.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [IBMPRC] "C:\IBMTOOLS\UTILS\ibmprc.exe"
O4 - HKLM\..\Run: [EZEJMNAP] "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe"
O4 - HKLM\..\Run: [EPSON Stylus CX5400] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [CoolSwitch] "C:\WINDOWS\System32\taskswitch.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] "rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
O4 - HKLM\..\Run: [dvd43] "C:\Program Files\dvd43\dvd43_tray.exe"
O4 - HKLM\..\Run: [WebrootTrayApp] "C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: NetPerSec.lnk = C:\Program Files\NetPerSec\NetPerSec.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306708158673
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ERU Autobackup (AutoExNT) - Unknown owner - C:\WINDOWS\system32\AutoExNT.Exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (Antivirus Software, Antispyware & Internet Security | Webroot) - C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe

--
End of file - 16434 bytes
 
Hello and welcome to Tech-Forums.

Thank you for the compliments about our site and how we try our best to have speedy responses. With my schedule it can be difficult to get back to people in a timely manner, but I try my best. ;)

From what I see the items that MBAM (Malwarebytes) was blocking were due to an infection that Combofix removed. Combofix also removed a couple of other items as well from the system. I have reviewed your HiJack This log and everything looks great on there.

As of right now I would say that combofix found the troublesome items and removed them for you. You should not see those items popping up anymore from MBAM. If you do then we might have to take some further steps to try and remove the items in question.

If you have any other questions please feel free to ask. We are here to help. You should notice a bit of a speed increase.
 
KSoD,

You are fast!

It is definitely speedier. Much better, thank you.

MBAM still blocked some outgoing activity after I finished with HiJackThis at 19:55. I included below the IP addresses that were blocked immediately before and after I did the virus hunting/destroying activities this afternoon.

14:01:41 Csaba.Nagy IP-BLOCK 85.234.175.141 (Type: outgoing)
14:18:14 Csaba.Nagy IP-BLOCK 89.28.74.218 (Type: incoming)
14:46:47 Csaba.Nagy IP-BLOCK 62.45.65.12 (Type: outgoing)
15:00:14 Csaba.Nagy IP-BLOCK 213.231.5.113 (Type: incoming)
19:55:01 Csaba.Nagy MESSAGE Protection started successfully
19:55:08 Csaba.Nagy MESSAGE IP Protection started successfully
19:55:08 Csaba.Nagy MESSAGE IP Protection stopped
19:55:15 Csaba.Nagy MESSAGE Database updated successfully
19:55:19 Csaba.Nagy MESSAGE IP Protection started successfully
20:02:18 Csaba.Nagy IP-BLOCK 62.45.147.227 (Type: outgoing)
20:03:01 Csaba.Nagy IP-BLOCK 89.28.101.9 (Type: outgoing)
20:03:10 Csaba.Nagy IP-BLOCK 121.125.131.91 (Type: outgoing)
20:31:06 Csaba.Nagy IP-BLOCK 89.28.69.167 (Type: outgoing)


a) You said there might be a few more things to try regarding this continued activity.

Also,
b) any suggestions on the issue with AVG? (Security Center says the AVG Firewall is on, but no one can find it on the computer. See previous post about AVG Remover.)

c) After reading a lot, there seems to be a strong consensus that more than one anti virus product at a time is a bad thing. Everyone seems to like MBAM, however, my impression is that no one wants to pay for the additional real time protection version because, um, it costs money. (Or maybe it's performance and they just don't talk about it.) I'm just confused as to what products can be used together/at the same time, and what can't. (Should I keep Adaware and MBAM and Webroot? etc) I don't mind paying reasonable/appropriate money to protect my system. Are you able to enlighten me?

Best,
Csaba

Thank you,
Csaba
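The blocked-connection log above lends itself to simple triage. The script below is an added example (not part of this thread and not Malwarebytes code) that parses the protection-log format shown in the post, counts blocks per direction and /16 network so that recurring ranges stand out even when the individual addresses keep changing (the question raised again with the longer report later in the thread), and lists the windows in which IP Protection was stopped around a database update. The sample lines are the ones quoted in the post.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Line shapes of the Malwarebytes 1.x protection log as pasted in this thread:
#   HH:MM:SS  user  IP-BLOCK  a.b.c.d  (Type: outgoing|incoming)
#   HH:MM:SS  user  MESSAGE   <free text>
# Day headers such as "JULY 25" and blank lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+"
    r"(?:IP-BLOCK\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<dir>incoming|outgoing)\)"
    r"|MESSAGE\s+(?P<msg>.+))$"
)

# Sample input: the log lines quoted in the post above.
SAMPLE_LOG = """\
14:01:41 Csaba.Nagy IP-BLOCK 85.234.175.141 (Type: outgoing)
14:18:14 Csaba.Nagy IP-BLOCK 89.28.74.218 (Type: incoming)
14:46:47 Csaba.Nagy IP-BLOCK 62.45.65.12 (Type: outgoing)
15:00:14 Csaba.Nagy IP-BLOCK 213.231.5.113 (Type: incoming)
19:55:01 Csaba.Nagy MESSAGE Protection started successfully
19:55:08 Csaba.Nagy MESSAGE IP Protection started successfully
19:55:08 Csaba.Nagy MESSAGE IP Protection stopped
19:55:15 Csaba.Nagy MESSAGE Database updated successfully
19:55:19 Csaba.Nagy MESSAGE IP Protection started successfully
20:02:18 Csaba.Nagy IP-BLOCK 62.45.147.227 (Type: outgoing)
20:03:01 Csaba.Nagy IP-BLOCK 89.28.101.9 (Type: outgoing)
20:03:10 Csaba.Nagy IP-BLOCK 121.125.131.91 (Type: outgoing)
20:31:06 Csaba.Nagy IP-BLOCK 89.28.69.167 (Type: outgoing)
"""


def _seconds(hhmmss):
    """Clock time -> seconds since midnight (each line carries only a time)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text):
    """Parse the pasted log into event dicts; unrecognised lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = {"t": _seconds(m["time"]), "user": m["user"]}
        if m["ip"] is not None:
            ev.update(kind="block", ip=m["ip"], direction=m["dir"])
        else:
            ev.update(kind="message", msg=m["msg"].strip())
        events.append(ev)
    return events


def block_summary(events, prefix_len=16):
    """Count blocks per (direction, network) so that repeated ranges stand out
    even when the individual addresses keep changing."""
    counts = Counter()
    for ev in events:
        if ev["kind"] == "block":
            net = ip_network((ev["ip"], prefix_len), strict=False)
            counts[(ev["direction"], str(net))] += 1
    return counts


def repeat_offenders(summary, min_hits=2):
    """Networks blocked at least min_hits times, sorted for stable output."""
    return sorted(key for key, n in summary.items() if n >= min_hits)


def protection_gaps(events):
    """(stopped_at, started_at) windows in which IP Protection was reported off,
    e.g. during a database update; traffic in such a window is not filtered."""
    gaps, stopped_at = [], None
    for ev in events:
        if ev["kind"] != "message":
            continue
        if ev["msg"] == "IP Protection stopped":
            stopped_at = ev["t"]
        elif ev["msg"] == "IP Protection started successfully" and stopped_at is not None:
            gaps.append((stopped_at, ev["t"]))
            stopped_at = None
    return gaps


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    summary = block_summary(events)
    for (direction, net), n in sorted(summary.items()):
        print(f"{direction:9s} {net:18s} x{n}")
    print("repeated:", repeat_offenders(summary))
    for start, end in protection_gaps(events):
        print(f"IP Protection off for {end - start} s")
```

On the sample the same two /16 ranges account for four of the six outgoing blocks, and protection was off for 11 seconds while the database updated.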
 
>>c) After reading a lot, there seems to be a strong consensus that more than one anti virus product at a time is a bad thing. Everyone seems to like MBAM, however, my impression is that no one wants to pay for the additional real time protection version because, um, it costs money. (Or maybe it's performance and they just don't talk about it.) I'm just confused as to what products can be used together/at the same time, and what can't. (Should I keep Adaware and MBAM and Webroot? etc) I don't mind paying reasonable/appropriate money to protect my system. Are you able to enlighten me?

MBAM is more a virus removal tool, and not a virus prevention tool (it can be somewhat of a prevention tool if you purchase it yes, but there's also free AV's out there).

Microsoft Security Essentials has worked well for me, and is free. It just requires you to validate your Windows to make sure it's genuine.

If you want to pay for one though, I really like Eset's Nod32. Very lightweight antivirus, and very good detection rates.

And it looks like most of those IPs are communicating with European countries (Moldova, Ukraine, and the Netherlands). So there must be something still left on your computer.
 
Thanks to all for reading my posts and helping with your replies.

CarnageX:
>>And it looks like most of those IPs are communicating with European countries (Moldova, Ukraine, and the Netherlands). So there must be something still left on your computer.

Thank you. I don't remember Moldova from geography class. (Not surprising, they declared independence from the Soviet Union only in 1991.) ANY HELP eradicating whatever is trying to communicate outward is much appreciated!! Who knows what it is trying to send/receive. (Will the incoming requests ever go away?)

--thanks, Csaba


Trotter:
>>MBAM is anti-malware, not anti-virus.

Thank you for clarifying. If I understand correctly, I should have:
a) ONE anti-virus, whether free or paid, such as Avast OR Eset's Nod32 OR Norton OR Windows Security Essentials, etc,

AND I should also have,

b) ONE OR MORE anti-malware, whether free or paid, such as MBAM (free version), ComboFix, others?

The distinction being that the anti-virus programs can conflict with one another because they are actively trying to protect the system and may think another anti-virus is actually a virus. On the other hand, the anti-malware is run only at designated times and is not running constantly so it shouldn't conflict.

That doesn't sound quite right, but it's the most I understand it at the moment.

EDIT: I forgot the firewalls. I read we are only supposed to have one at a time. But some products come with and others don't. That makes it confusing. (And in my situation Security Center thinks I have AVG Firewall running, whereas AVG remover doesn't think I have AVG installed at all!)

--thanks, Csaba
 
>>Thanks to all for reading my posts and helping with your replies.
>>
>>CarnageX:
>>>>And it looks like most of those IPs are communicating with European countries (Moldova, Ukraine, and the Netherlands). So there must be something still left on your computer.
>>
>>Thank you. I don't remember Moldova from geography class. (Not surprising, they declared independence from the Soviet Union only in 1991.) ANY HELP eradicating whatever is trying to communicate outward is much appreciated!! Who knows what it is trying to send/receive. (Will the incoming requests ever go away?)
>>
>>--thanks, Csaba

All the scans still come up clean, right?

>>Trotter:
>>>>MBAM is anti-malware, not anti-virus.
>>
>>Thank you for clarifying. If I understand correctly, I should have:
>>a) ONE anti-virus, whether free or paid, such as Avast OR Eset's Nod32 OR Norton OR Windows Security Essentials, etc,
>>
>>AND I should also have,
>>
>>b) ONE OR MORE anti-malware, whether free or paid, such as MBAM (free version), ComboFix, others?
>>
>>The distinction being that the anti-virus programs can conflict with one another because they are actively trying to protect the system and may think another anti-virus is actually a virus. On the other hand, the anti-malware is run only at designated times and is not running constantly so it shouldn't conflict.
>>
>>That doesn't sound quite right, but it's the most I understand it at the moment.

That's pretty much the gist of it. You want an antivirus for preventative measures as well as removal. But dedicated malware removal tools (MBAM, CF, HJT, etc.) are good to have as well in case you do get infected and need reactive measures.

>>EDIT: I forgot the firewalls. I read we are only supposed to have one at a time. But some products come with and others don't. That makes it confusing. (And in my situation Security Center thinks I have AVG Firewall running, whereas AVG remover doesn't think I have AVG installed at all!)
>>
>>--thanks, Csaba

Yes, you would only want 1 software firewall installed at a time, otherwise they may conflict with each other, similar to antiviruses.

That's why I don't like AVG anymore... IMO they're beginning to become Norton-ish. I've always had trouble completely removing AVG recently, which becomes a pain. You could try reinstalling the latest version, and then running Revo Uninstaller, and then running the removal tool to see if you can get rid of it that way.
 
Thank you CarnageX and KSoD,

I ran through all the utilities that were suggested. (BitDefender TDSS removal tool, AntiPopureb, SpyInspector, RKill, ComboFix, and then MBAM.) I've put all of the log files at the bottom in that order. With the exception of SpyInspector, whose report includes a few potential threats, there wasn't anything that I noticed.

SpyInspector is certainly an interesting tool. I would imagine hard-core virus hunters would use that one a lot. (I couldn't figure out the log file though, so I manually copied and pasted the sections it highlighted as having the highest risk.)

Once again ComboFix complained about AVG even though it is (apparently) not installed. Is now a good time to try and properly eradicate AVG from the computer? (CarnageX had suggested two methods.)

I noticed the IP addresses that MBAM is blocking keep changing (see snippet of report below). Do you think MBAM is only blocking some of the "attempted" IP communications, and that some communication requests are getting out/in? Or is it just the way viruses try to limit detection?

Thanks again,
Csaba

*****************************
MBAM Protection Report
JULY 25
04:16:58 Csaba.Nagy MESSAGE Protection started successfully
04:17:06 Csaba.Nagy MESSAGE IP Protection started successfully
04:17:26 Csaba.Nagy IP-BLOCK 212.113.33.188 (Type: outgoing)
04:18:32 Csaba.Nagy IP-BLOCK 89.28.44.126 (Type: outgoing)
04:18:35 Csaba.Nagy IP-BLOCK 220.248.186.204 (Type: outgoing)
08:36:36 Csaba.Nagy IP-BLOCK 77.78.252.56 (Type: outgoing)
08:36:58 Csaba.Nagy IP-BLOCK 89.28.99.227 (Type: outgoing)

JULY 26
03:21:37 Csaba.Nagy MESSAGE IP Protection stopped
03:22:04 Csaba.Nagy MESSAGE Database updated successfully
03:22:08 Csaba.Nagy MESSAGE IP Protection started successfully
03:50:01 Csaba.Nagy IP-BLOCK 218.7.97.190 (Type: outgoing)
04:18:59 Csaba.Nagy IP-BLOCK 89.28.118.134 (Type: incoming)
04:23:56 Csaba.Nagy IP-BLOCK 121.10.120.182 (Type: incoming)
04:23:56 Csaba.Nagy IP-BLOCK 121.10.120.182 (Type: incoming)
04:23:58 Csaba.Nagy IP-BLOCK 121.10.120.182 (Type: incoming)
04:35:28 Csaba.Nagy IP-BLOCK 222.64.47.119 (Type: incoming)
22:46:51 Csaba.Nagy IP-BLOCK 94.100.18.226 (Type: outgoing)
22:56:30 Csaba.Nagy MESSAGE IP Protection stopped
22:56:52 Csaba.Nagy MESSAGE Database updated successfully
22:56:59 Csaba.Nagy MESSAGE IP Protection started successfully
23:14:46 Csaba.Nagy IP-BLOCK 89.149.194.253 (Type: outgoing)
23:14:54 Csaba.Nagy IP-BLOCK 222.70.194.215 (Type: outgoing)
23:30:09 Csaba.Nagy IP-BLOCK 109.230.246.55 (Type: outgoing)
23:30:12 Csaba.Nagy IP-BLOCK 222.65.244.52 (Type: outgoing)
23:59:30 Csaba.Nagy IP-BLOCK 222.70.100.106 (Type: outgoing)
23:59:34 Csaba.Nagy IP-BLOCK 89.248.166.203 (Type: outgoing)
23:59:36 Csaba.Nagy IP-BLOCK 219.146.253.172 (Type: outgoing)


*************************
BitDefender Removal Tool
BDRemovalTool_TDSS_TDL4__x86.exe
1.0.0.1
Ran 7/26/2011 11:16PM

Result:
0 files cleaned from 0 infected files.



***********************************
Webroot AntiPopureb 0.1 Log File
Execution time: 26/07/2011 - 23:20
Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3
23:20:48 - CheckSystem - System MBR is not infected.
23:20:48 - PrevX Main driver extracted in "C:\WINDOWS\system32\drivers\WebrootPopureb.sys".
23:20:49 - InstallAndStartDriver - Main driver was installed and now is running.
23:20:49 - CheckSystem - Disk port driver is clean.
23:20:49 - StopAndRemoveDriver - AntiPopureb Driver is stopped and removed.
23:20:49 - StopAndRemoveDriver - File "WebrootPopureb.sys" was deleted!
23:20:49 - Execution Ended!

**********************************


ESET SpyInspector
Version 1.2.026.0

About 20,000 items were listed as fine (levels 1-2)
6427 items were listed as unknown (level 5)
82 items were listed as unknown (level 6), which is awfully close to the risky section.
There were no items for levels 7-9 which are rated risky.

The following is focused on those 82 that are at the highest level (6).

RUNNING PROCESSES (LEVEL 6)

***
tphkmgr.exe
"Module" = "c:\progra~1\thinkpad\pkgmgr\hotkey\tphkmgr.exe" ( 6: Unknown ) ; ; ;
"SHA1" = "63C399114A51FF4CB5E7307497DF24311A2559B0" ( 6: Unknown ) ;
"Last Write Time" = "2006/05/10 15:03" ( 6: Unknown ) ;
"Creation Time" = "1980/01/01 02:00" ( 6: Unknown ) ;
"File Size" = "94208" ( 6: Unknown ) ;
"File Description" = "" ( 6: Unknown ) ;
"Company Name" = "" ( 6: Unknown ) ;
"File Version" = "" ( 6: Unknown ) ;
"Product Name" = "" ( 6: Unknown ) ;
"Internal Name" = "" ( 6: Unknown ) ;
"Linked to" = "Running Processes -> tphkmgr.exe"
"Linked to" = "Running Processes -> tphkmgr.exe -> c:\progra~1\thinkpad\pkgmgr\hotkey\tphkmgr.exe"
"Linked to" = "Important Registry Entries -> Standard Autostart -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe""

***
taskswitch.exe
"Process" = "taskswitch.exe" 644 ; ; ( 6: Unknown ) ; ; ;
"SHA1" = "83983E05D20F06153B2274B6CB680B3FC68394A3" ( 6: Unknown ) ;
"Last Write Time" = "2002/03/19 19:30" ( 6: Unknown ) ;
"Creation Time" = "2002/03/19 19:30" ( 6: Unknown ) ;
"File Size" = "45632" ( 6: Unknown ) ;
"File Description" = "" ( 6: Unknown ) ;
"Company Name" = "" ( 6: Unknown ) ;
"File Version" = "" ( 6: Unknown ) ;
"Product Name" = "" ( 6: Unknown ) ;
"Internal Name" = "" ( 6: Unknown ) ;
"Linked to" = "Running Processes -> taskswitch.exe"
"Linked to" = "Running Processes -> taskswitch.exe -> c:\windows\system32\taskswitch.exe"
"Linked to" = "Important Registry Entries -> Standard Autostart -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> "C:\WINDOWS\System32\taskswitch.exe""


IMPORTANT REGISTRY ENTRIES
"SUBSECTION" = "Standard Autostart" ( 6: Unknown ) ;
"Key" = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" ( 6: Unknown ) ;

***
"TPHOTKEY" = ""C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe"" ( 6: Unknown ) ; ; ;
"SHA1" = "63C399114A51FF4CB5E7307497DF24311A2559B0" ( 6: Unknown ) ;
"Last Write Time" = "2006/05/10 15:03" ( 6: Unknown ) ;
"Creation Time" = "1980/01/01 02:00" ( 6: Unknown ) ;
"File Size" = "94208" ( 6: Unknown ) ;
"File Description" = "" ( 6: Unknown ) ;
"Company Name" = "" ( 6: Unknown ) ;
"File Version" = "" ( 6: Unknown ) ;
"Product Name" = "" ( 6: Unknown ) ;
"Internal Name" = "" ( 6: Unknown ) ;
"Linked to" = "Running Processes -> tphkmgr.exe"
"Linked to" = "Running Processes -> tphkmgr.exe -> c:\progra~1\thinkpad\pkgmgr\hotkey\tphkmgr.exe"
"Linked to" = "Important Registry Entries -> Standard Autostart -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe""

***
"CoolSwitch" = ""C:\WINDOWS\System32\taskswitch.exe"" ( 6: Unknown ) ; ; ;
"SHA1" = "83983E05D20F06153B2274B6CB680B3FC68394A3" ( 6: Unknown ) ;
"Last Write Time" = "2002/03/19 19:30" ( 6: Unknown ) ;
"Creation Time" = "2002/03/19 19:30" ( 6: Unknown ) ;
"File Size" = "45632" ( 6: Unknown ) ;
"File Description" = "" ( 6: Unknown ) ;
"Company Name" = "" ( 6: Unknown ) ;
"File Version" = "" ( 6: Unknown ) ;
"Product Name" = "" ( 6: Unknown ) ;
"Internal Name" = "" ( 6: Unknown ) ;
"Linked to" = "Running Processes -> taskswitch.exe"
"Linked to" = "Running Processes -> taskswitch.exe -> c:\windows\system32\taskswitch.exe"
"Linked to" = "Important Registry Entries -> Standard Autostart -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> "C:\WINDOWS\System32\taskswitch.exe""


SERVICES

***
"ERU Autobackup" = "c:\windows\system32\autoexnt.exe" Automatic ; Stopped ; ( 6: Unknown ) ; ; ;
"SHA1" = "2153D83307183888A18175B6E07878F924D6529F" ( 6: Unknown ) ;
"Last Write Time" = "2005/04/27 08:34" ( 6: Unknown ) ;
"Creation Time" = "2005/05/23 14:25" ( 6: Unknown ) ;
"File Size" = "22528" ( 6: Unknown ) ;
"File Description" = "" ( 6: Unknown ) ;
"Company Name" = "" ( 6: Unknown ) ;
"File Version" = "" ( 6: Unknown ) ;
"Product Name" = "" ( 6: Unknown ) ;
"Internal Name" = "" ( 6: Unknown ) ;
"Linked to" = "Services -> c:\windows\system32\autoexnt.exe"

***
"IBM PSA Access Driver Control" = "c:\windows\system32\psasrv.exe" Manual ; Stopped ; ( 6: Unknown ) ; ; ;
"SHA1" = "9879B62D47F7D4A4E45C6426BE102686678B5420" ( 6: Unknown ) ;
"Last Write Time" = "2006/07/11 16:52" ( 6: Unknown ) ;
"Creation Time" = "2006/07/11 16:52" ( 6: Unknown ) ;
"File Size" = "23552" ( 6: Unknown ) ;
"File Description" = "" ( 6: Unknown ) ;
"Company Name" = "" ( 6: Unknown ) ;
"File Version" = "" ( 6: Unknown ) ;
"Product Name" = "" ( 6: Unknown ) ;
"Internal Name" = "" ( 6: Unknown ) ;
"Linked to" = "Services -> c:\windows\system32\psasrv.exe"



DRIVERS
***
"Logitech Machine Vision Engine Loader" = "c:\windows\system32\drivers\lvmvdrv.sys" Manual ; Stopped ; ( 6: Unknown ) ; ; ;
"SHA1" = "A331B929C3CAAD9E27043FCE949184CB47E962CD" ( 6: Unknown ) ;
"Last Write Time" = "2005/12/09 14:37" ( 6: Unknown ) ;
"Creation Time" = "2005/12/09 14:37" ( 6: Unknown ) ;
"File Size" = "2400256" ( 6: Unknown ) ;
"File Description" = "" ( 6: Unknown ) ;
"Company Name" = "" ( 6: Unknown ) ;
"File Version" = "" ( 6: Unknown ) ;
"Product Name" = "" ( 6: Unknown ) ;
"Internal Name" = "" ( 6: Unknown ) ;
"Linked to" = "Drivers -> c:\windows\system32\drivers\lvmvdrv.sys"

***
"Cisco Media Termination" = "c:\windows\system32\drivers\cpmt.sys" Manual ; Running ; ( 6: Unknown ) ; Cpmt.sys ; Cisco Systems, Inc. ;
"SHA1" = "297FD65F6CC75DA77AA8EDD41D63982CA6E87647" ( 6: Unknown ) ;
"Last Write Time" = "2004/09/03 12:31" ( 6: Unknown ) ;
"Creation Time" = "2004/09/03 12:31" ( 6: Unknown ) ;
"File Size" = "1915837" ( 6: Unknown ) ;
"File Description" = "Cpmt.sys" ( 6: Unknown ) ;
"Company Name" = "Cisco Systems, Inc." ( 6: Unknown ) ;
"File Version" = "1.0.0.86" ( 6: Unknown ) ;
"Product Name" = "Cisco IP Communicator" ( 6: Unknown ) ;
"Internal Name" = "Cpmt.sys" ( 6: Unknown ) ;
"Linked to" = "Drivers -> c:\windows\system32\drivers\cpmt.sys"



SYSTEM INFORMATION (does not have level 6 items)



FILE DETAILS (LEVEL 6)
***
tphkmgr.exe -> c:\progra~1\thinkpad\pkgmgr\hotkey\tphkmgr.exe"
"Linked to" = "Important Registry Entries -> Standard Autostart -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe""

***
c:\windows\system32\drivers\cpmt.sys"
"Company Name" = "Cisco Systems, Inc." ( 6: Unknown ) ;
"File Version" = "1.0.0.86" ( 6: Unknown ) ;

***
c:\windows\system32\drivers\lvmvdrv.sys"
c:\windows\system32\taskswitch.exe"
c:\windows\system32\autoexnt.exe"
c:\windows\system32\psasrv.exe"



**************************

Rkill was run on 07/27/2011 at 0:33:41.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe


Rkill completed on 07/27/2011 at 0:33:51.


*******************************


-----COMBOFIX-------------------------


ComboFix 11-07-24.01 - Csaba.Nagy 07/27/2011 0:50.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.497 [GMT -4:00]
Running from: c:\documents and settings\Csaba.Nagy.TUCKNT\My Documents\Downloads\ComboFix.exe
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-27 to 2011-07-27 )))))))))))))))))))))))))))))))
.
.
2011-07-27 02:57 . 2011-07-27 02:57 -------- d-----w- c:\windows\LastGood
2011-07-27 02:57 . 2011-07-27 02:57 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2011-07-24 02:13 . 2011-07-24 02:13 -------- d-----w- c:\documents and settings\Csaba.Nagy.TUCKNT\Local Settings\Application Data\Webroot
2011-07-24 02:12 . 2011-07-24 02:12 -------- d-----w- c:\documents and settings\Csaba.Nagy.TUCKNT\Application Data\webroot
2011-07-23 20:28 . 2011-07-22 12:19 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-07-22 12:19 . 2011-07-22 12:19 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-22 04:23 . 2011-07-22 04:23 -------- dc----w- c:\windows\system32\DRVSTORE
2011-07-22 04:23 . 2011-06-20 14:31 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-22 04:22 . 2011-07-22 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-07-19 02:59 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-19 02:58 . 2011-07-19 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-19 02:58 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-17 21:32 . 2011-05-23 17:09 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-07-17 21:32 . 2011-05-23 17:09 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-17 21:32 . 2011-05-23 17:09 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-17 21:31 . 2011-05-26 15:22 122696 ----a-w- c:\windows\system32\drivers\pwipf6.sys
2011-07-17 21:30 . 2011-07-17 21:30 6202608 ----a-w- c:\program files\Common Files\wruninstall.exe
2011-07-17 21:29 . 2011-07-18 03:34 -------- d-----w- c:\program files\Microsoft Silverlight
2011-07-17 21:16 . 2011-07-17 21:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}
2011-07-17 21:07 . 2011-07-17 21:07 -------- d-----w- c:\program files\Webroot
2011-07-17 21:05 . 2011-07-26 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-07-17 21:05 . 2011-07-17 21:05 -------- d-----w- c:\documents and settings\Csaba.Nagy.TUCKNT\Local Settings\Application Data\PackageAware
2011-06-27 12:15 . 2011-06-27 12:15 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-27 12:15 . 2011-06-27 12:15 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-26 08:24 . 2011-05-30 20:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-06-23 12:14 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2004-06-07 18:19 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-06-23 12:14 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-06-23 12:14 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-27 12:15 . 2011-05-29 16:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{6B78A880-15CA-468f-8422-A7960AD6FBB9}"
[HKEY_CLASSES_ROOT\CLSID\{6B78A880-15CA-468f-8422-A7960AD6FBB9}]
2011-05-26 15:51 326928 ----a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{4EE7A346-5845-471e-9FAB-002EAF83F8B0}"
[HKEY_CLASSES_ROOT\CLSID\{4EE7A346-5845-471e-9FAB-002EAF83F8B0}]
2011-05-26 15:51 326928 ----a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{53DABC15-4F29-44ad-B09A-E0D0F9A3D075}"
[HKEY_CLASSES_ROOT\CLSID\{53DABC15-4F29-44ad-B09A-E0D0F9A3D075}]
2011-05-26 15:51 326928 ----a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{493FC96E-B938-4924-9B38-C4088E9B8AC2}"
[HKEY_CLASSES_ROOT\CLSID\{493FC96E-B938-4924-9B38-C4088E9B8AC2}]
2011-05-26 15:51 326928 ----a-w- c:\program files\Webroot\Security\Current\plugins\sync\WebRootShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-22 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-15 323392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-03-28 503808]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-05-10 94208]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-12-07 14:33 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-03-19 90112]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 99840]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]
"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2002-03-20 45632]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-12 229952]
"VerizonServicepoint.exe"="c:\program files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 1880064]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2006-05-22 694272]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-07-17 1383496]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Install Webroot FF RunOnce.lnk - c:\program files\Common Files\wruninstall.exe [2011-7-17 6202608]
Install Webroot IE RunOnce.lnk - c:\program files\Common Files\wruninstall.exe [2011-7-17 6202608]
.
c:\documents and settings\Csaba.Nagy.TUCKNT\Start Menu\Programs\Startup\
NetPerSec.lnk - c:\program files\NetPerSec\NetPerSec.exe [2004-6-23 192512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NetPerSec.lnk - c:\program files\NetPerSec\NetPerSec.exe [2004-6-23 192512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 03:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-02-01 20:09 24576 ------w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SideCar\\SideCar.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 EFlashAssist;EFlashAssist;c:\windows\system32\drivers\EFLASHAS.SYS [10/20/2005 2:41 PM 8476]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/22/2011 12:23 AM 64512]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [7/17/2011 5:31 PM 122696]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [6/19/2004 5:05 AM 16384]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [9/3/2004 12:31 PM 35693]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/18/2011 10:59 PM 366640]
R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [7/17/2011 5:32 PM 45584]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [7/17/2011 5:16 PM 3363168]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [9/3/2004 12:31 PM 1915837]
R3 esihdrv;esihdrv;\??\c:\docume~1\CSABAN~1.TUC\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\CSABAN~1.TUC\LOCALS~1\Temp\esihdrv.sys [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/18/2011 10:58 PM 22712]
S2 AutoExNT;ERU Autobackup;c:\windows\system32\AUTOEXNT.EXE [5/23/2005 2:25 PM 22528]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/21/2010 2:52 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/21/2010 2:52 AM 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [6/20/2011 10:31 AM 2151640]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ESIHDRV
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-06-20 11:19]
.
2011-07-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 18:21]
.
2007-01-31 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-06-19 05:38]
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-21 06:51]
.
2011-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-21 06:51]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.stillriversystems.c...bmail.stillriversystems.com/exchange&reason=0
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*Yahoo! SearchBar Home Page
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Csaba.Nagy.TUCKNT\Application Data\Mozilla\Firefox\Profiles\3x5xzgap.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.techist.com/pc/f51/virus-204611/|Google News
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-07-27 01:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1336)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
c:\windows\system32\notifyf2.dll
.
- - - - - - - > 'explorer.exe'(4924)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Webroot\Security\current\plugins\sync\WebRootShellExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-07-27 01:16:31
ComboFix-quarantined-files.txt 2011-07-27 05:16
.
Pre-Run: 17,827,442,688 bytes free
Post-Run: 17,812,951,040 bytes free
.
- - End Of File - - B6E2E9CF6C8E3AC70DDB77CBD55F873D

***********************************

Malwarebytes' Anti-Malware 1.51.1.1800
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 7291

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/27/2011 4:03:42 AM
mbam-log-2011-07-27 (04-03-42).txt

Scan type: Full scan (C:\|)
Objects scanned: 295118
Time elapsed: 2 hour(s), 35 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
c:\program files\Common Files\wruninstall.exe

That is literally the only thing I can find anywhere that comes up with any questions to it. I would go to that directory and delete that file, in Safe Mode if you must and see what happens. Funny thing is, they say WebRoot should delete it.

After that, let's try this:

First try this to finally get rid of AVG.
Next, please download Security Check by screen317 from here or here.
Next download TDSSKiller from here. Right click on it and select Extract here. Then run the program.
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, then install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Please run these last 2 in Safe Mode. Let's see if we can try and kill this bugger one last time.