
Malwarebytes

Windows AntiVirus Pro


4 replies to this topic

#1
spacks13

    New Member

  • Members
  • 3 posts
I cannot access many .exe's on my laptop and receive this message: "Windows cannot access the specific device, path, or file. You may not have the appropriate permissions to access the item." I have also already followed the instructions for removing it on this page: http://www.2-spyware...ivirus-pro.html. Unfortunately, I cannot run Malwarebytes or HiJackThis. From reading some of the posts, they have been recommending ComboFix. Here is the log... Please advise.

ComboFix 09-08-20.01 - tmcilhenney 08/20/2009 20:53.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2543 [GMT -4:00]
Running from: c:\documents and settings\tmcilhenney\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-3438605536-4105128146-2857893889-500
c:\windows\msa.exe
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\run.log
c:\windows\svchast.exe
c:\windows\system32\bennuar.old
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\dddesot.dll
c:\windows\system32\desot.exe
c:\windows\system32\drivers\kbiwkmjsaowpjn.sys
c:\windows\system32\kbiwkmdpulqjns.dat
c:\windows\system32\kbiwkmrkumilmm.dll
c:\windows\system32\kbiwkmtjwajckx.dat
c:\windows\system32\kbiwkmveqoyxxy.dll
c:\windows\system32\kbiwkmxoelviyo.dat
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat

----- BITS: Possible infected sites -----

hxxp://megatron
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmtumnkjdv
-------\Legacy_kbiwkmtumnkjdv
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-21 01:06 . 2009-08-21 01:06 -------- d-sh--w- C:\found.000
2009-08-21 00:29 . 2009-08-21 00:29 574 ----a-w- C:\cleanup.bat
2009-08-21 00:29 . 2009-08-21 00:29 135168 ----a-w- C:\zip.exe
2009-08-20 23:49 . 2009-08-20 23:49 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\Lavasoft
2009-08-20 23:48 . 2009-08-20 23:48 -------- d-----w- c:\program files\Lavasoft
2009-08-20 22:43 . 2009-08-20 22:43 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\Malwarebytes
2009-08-20 22:43 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-20 22:43 . 2009-08-21 00:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-20 22:43 . 2009-08-20 22:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-20 22:43 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 19:40 . 2009-08-20 19:40 -------- dc----w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-20 19:21 . 2009-08-20 19:21 54784 ----a-w- c:\windows\system32\drivers\UACrjelxrspne.sys
2009-08-20 19:21 . 2009-08-20 19:21 -------- d-sh--we c:\windows\system32\GroupPolicy\User\Scripts\Logoff\Logoff
2009-08-20 19:21 . 2009-08-20 19:21 -------- d-sh--we c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
2009-08-20 14:55 . 2009-08-20 14:55 -------- d-----w- c:\documents and settings\tmcilhenney\Local Settings\Application Data\Installer2408
2009-08-20 14:47 . 2009-08-20 14:47 -------- d-----w- c:\documents and settings\tmcilhenney\Local Settings\Application Data\Installer3404
2009-08-20 14:31 . 2007-03-20 18:49 2781184 ----a-w- c:\documents and settings\tmcilhenney\Application Data\Adobe\Dreamweaver 9\Configuration\Flash Player\authplay.dll
2009-08-20 14:28 . 2009-08-20 14:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-08-20 14:12 . 2007-02-20 20:04 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-08-20 14:12 . 2007-02-20 20:04 2463976 ----a-w- c:\windows\system32\NPSWF32.dll
2009-08-20 14:02 . 2009-08-20 14:02 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-19 19:19 . 2009-08-19 19:19 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-19 19:19 . 2009-08-19 19:19 -------- d-----w- c:\program files\Common Files\HP
2009-08-19 19:17 . 2009-08-19 19:20 174469 ----a-w- c:\windows\hppins12.dat
2009-08-19 19:17 . 2008-07-31 23:33 8239 ------w- c:\windows\hppmdl12.dat
2009-08-19 18:54 . 2009-08-19 18:54 71168 ----a-w- c:\windows\system32\drivers\vtpetixgqfuymbcj.sys
2009-08-18 13:02 . 2009-08-18 13:02 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-13 17:22 . 2009-08-13 18:49 -------- d-----w- c:\program files\Citrix
2009-08-12 21:53 . 2009-06-12 12:31 80896 ------w- c:\windows\system32\dllcache\tlntsess.exe
2009-08-12 21:53 . 2009-06-12 12:31 76288 ------w- c:\windows\system32\dllcache\telnet.exe
2009-08-12 21:53 . 2009-06-10 06:14 132096 ------w- c:\windows\system32\dllcache\wkssvc.dll
2009-08-12 21:53 . 2009-06-10 14:13 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-08-12 21:53 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll
2009-08-12 21:53 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 21:52 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-12 21:52 . 2009-06-25 08:25 54272 ------w- c:\windows\system32\dllcache\wdigest.dll
2009-08-12 21:52 . 2009-06-25 08:25 301568 ------w- c:\windows\system32\dllcache\kerberos.dll
2009-08-12 21:52 . 2009-06-25 08:25 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-12 21:52 . 2009-06-24 11:18 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-08 20:33 . 2009-08-08 20:41 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\Apple Computer
2009-08-08 20:32 . 2009-08-08 20:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-08-04 18:21 . 2009-06-29 16:12 17408 ------w- c:\windows\system32\dllcache\corpol.dll
2009-08-04 18:18 . 2009-06-16 14:36 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2009-08-04 18:18 . 2009-06-16 14:36 119808 ------w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 22:46 . 2008-11-15 00:01 256 ----a-w- c:\windows\system32\pool.bin
2009-08-20 22:46 . 2008-12-22 13:20 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\FileZilla
2009-08-20 19:54 . 2008-09-30 12:21 -------- d-----w- c:\program files\RegScrubXP
2009-08-20 14:21 . 2008-08-29 15:21 84680 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-20 14:17 . 2008-08-29 15:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-19 19:19 . 2008-12-12 17:49 -------- d-----w- c:\program files\HP
2009-08-18 13:02 . 2009-03-05 13:26 -------- d-----w- c:\program files\DivX
2009-08-18 12:46 . 2009-06-22 12:54 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-15 12:04 . 2008-09-30 12:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-15 12:04 . 2008-09-30 12:37 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-15 12:04 . 2008-09-30 12:37 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-13 07:03 . 2008-08-29 15:17 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-08-11 01:50 . 2009-01-27 16:36 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\.purple
2009-08-09 11:12 . 2009-04-13 13:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\VMware
2009-08-09 11:06 . 2009-04-13 13:40 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\VMware
2009-08-08 20:33 . 2009-08-08 20:33 -------- d-----w- c:\program files\iTunes
2009-08-08 20:33 . 2009-08-08 20:33 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-08 20:33 . 2009-08-08 20:33 -------- d-----w- c:\program files\iPod
2009-08-08 20:33 . 2009-08-08 20:32 -------- d-----w- c:\program files\Common Files\Apple
2009-08-08 20:33 . 2009-08-08 20:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple Computer
2009-08-08 20:33 . 2009-08-08 20:33 -------- d-----w- c:\program files\Bonjour
2009-08-08 20:32 . 2009-08-08 20:32 -------- d-----w- c:\program files\QuickTime
2009-08-08 20:32 . 2009-08-08 20:32 -------- d-----w- c:\program files\Apple Software Update
2009-08-08 20:26 . 2009-04-13 13:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-08-08 15:18 . 2009-04-13 13:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-08-05 12:40 . 2008-10-29 21:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-05 09:01 . 2006-04-30 06:55 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:28 . 2009-07-16 17:11 -------- d-----w- c:\program files\Microsoft Works
2009-07-23 19:03 . 2009-01-26 21:00 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\gtk-2.0
2009-07-21 20:32 . 2009-07-21 18:06 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\Download Manager
2009-07-21 13:55 . 2009-07-21 13:55 -------- d-----w- c:\program files\FLV Player
2009-07-17 19:01 . 2006-04-30 06:55 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 18:24 . 2009-06-05 17:31 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\FuskerClient
2009-07-16 17:11 . 2008-09-30 12:00 -------- d-----w- c:\program files\MSBuild
2009-07-16 17:11 . 2009-07-16 17:11 -------- d-----w- c:\program files\Microsoft.NET
2009-07-16 17:09 . 2009-07-16 17:09 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-07-14 03:43 . 2006-04-30 06:56 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-13 18:23 . 2009-07-13 18:23 16608 ------w- c:\windows\gdrv.sys
2009-07-10 16:05 . 2009-07-14 12:53 765952 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\bgd.dll
2009-07-10 16:05 . 2009-07-14 12:53 74240 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\zlib1.dll
2009-07-10 16:05 . 2009-07-14 12:53 51200 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\mtn.exe
2009-07-10 16:05 . 2009-07-14 12:53 343040 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\avformat-51.dll
2009-07-10 16:05 . 2009-07-14 12:53 31232 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\avutil-49.dll
2009-07-10 16:05 . 2009-07-14 12:53 150528 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\swscale-0.dll
2009-07-10 16:05 . 2009-07-14 12:53 2358784 ------w- c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\mtn\avcodec-51.dll
2009-07-09 16:16 . 2009-08-08 20:32 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 16:16 . 2009-08-08 20:32 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-29 16:12 . 2006-04-30 06:56 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-04-30 06:55 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-04-30 06:55 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 13:58 . 2008-08-29 15:00 -------- d-----w- c:\program files\Common Files\Lenovo
2009-06-26 13:58 . 2008-08-29 15:11 33536 ------w- c:\windows\system32\drivers\tvtfilter.sys
2009-06-26 13:43 . 2009-06-26 13:43 -------- d-----w- c:\program files\Web CEO
2009-06-25 08:25 . 2006-04-30 06:56 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-04-30 06:55 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-04-30 06:55 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-04-30 06:55 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2006-04-30 06:55 730112 ------w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-04-30 06:55 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2006-04-30 06:55 92928 ------w- c:\windows\system32\drivers\ksecdd.sys
2009-06-23 19:34 . 2009-01-30 19:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PCDr
2009-06-23 19:30 . 2009-06-23 19:30 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\Leadertech
2009-06-23 17:52 . 2009-06-23 17:52 -------- d-----w- c:\program files\Common Files\Intel
2009-06-23 17:52 . 2008-08-29 14:49 -------- d-----w- c:\program files\Intel
2009-06-23 17:37 . 2008-08-29 15:05 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lenovo
2009-06-23 17:37 . 2009-01-30 19:01 -------- d-----w- c:\documents and settings\tmcilhenney\Application Data\Downloaded Installations
2009-06-23 17:36 . 2008-08-29 14:50 -------- d-----w- c:\program files\Lenovo
2009-06-16 14:36 . 2006-04-30 06:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-04-30 06:55 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2006-04-30 06:56 80896 ------w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-04-30 06:55 76288 ------w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-04-30 06:55 84992 ------w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2006-04-30 07:09 2066432 ------w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2006-04-30 06:56 132096 ------w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2006-04-30 06:55 1291264 ------w- c:\windows\system32\quartz.dll
2009-05-31 22:01 . 2009-05-31 22:01 664 ------w- c:\windows\system32\d3d9caps.dat
2009-05-25 04:24 . 2008-05-27 05:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-04-10 122880]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-10 524288]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\LVOSDSVC.exe" [2008-03-24 64368]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-04 150040]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-04 141848]
"LCONTROL"="c:\program files\Lenovo\ATK Hotkey\LCONTROL.exe" [2008-03-20 77824]
"LFKA"="c:\program files\Lenovo\ATK Hotkey\LFKA.exe" [2008-04-16 315392]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-15 2007832]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2009-02-03 181536]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RecycleBinSize"= 3 (0x3)
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-06-25 00:31 95496 ------w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-09 00:14 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2009-04-17 18:15 32768 ------w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 12:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd ACGina

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [1/28/2009 5:58 PM 117800]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [1/28/2009 5:57 PM 20520]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/30/2008 8:37 AM 335240]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [8/29/2008 11:09 AM 4442]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 8:50 AM 46144]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/30/2008 8:37 AM 297752]
R2 LFKAS;Service of LFKA;c:\program files\Lenovo\ATK Hotkey\LFKAS.exe [8/29/2008 11:06 AM 208896]
R2 PDSched;PDScheduler;c:\program files\RAXCO\PerfectDisk\PDSched.exe [11/29/2005 2:16 PM 241731]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/29/2008 11:09 AM 53248]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [6/24/2008 8:07 PM 12560]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 7:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 8:50 AM 360448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [8/29/2008 10:55 AM 108032]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]
S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 CH341SER;CH341SER;c:\windows\system32\drivers\CH341SER.SYS [6/5/2006 1:00 AM 35824]
S3 ESISp50;ESISp50 NDIS Protocol Driver;c:\windows\system32\drivers\ESISp50.sys [11/29/2006 4:46 AM 27072]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/1/2008 3:13 AM 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {A2025525-F6F4-42E8-9B06-11F908BE2DBD} = 10.21.113.11,10.21.113.1
FF - ProfilePath - c:\docume~1\TMCILH~1\APPLIC~1\Mozilla\Firefox\Profiles\362rxgax.default\
FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\components\itunesplugin.dll
FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\components\quicktime_plugin.dll
FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\mediaplayers@zeevee.com\platform\WINNT\components\UnboxPlugin.dll
FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zvcore@zeevee.com\platform\WINNT\components\applauncher.dll
FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zvcore@zeevee.com\platform\WINNT\components\mozilla_remote.dll
FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zviewer@zeevee.com\platform\WINNT\components\filefinder.dll
FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zviewer@zeevee.com\platform\WINNT\components\filewatcher.dll
FF - component: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zviewer@zeevee.com\platform\WINNT\components\mediainfo_plugin.dll
FF - plugin: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zviewer@zeevee.com\platform\WINNT_x86-msvc\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\tmcilhenney\Application Data\Mozilla\Firefox\Profiles\362rxgax.default\extensions\zviewer@zeevee.com\platform\WINNT_x86-msvc\plugins\npzvgui.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 21:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1172)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\vti.dll

- - - - - - - > 'lsass.exe'(1228)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll

- - - - - - - > 'explorer.exe'(5584)
c:\windows\system32\WININET.dll
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Lenovo\ATK Hotkey\GFNEXSrv.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\searchindexer.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\notepad.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-08-21 21:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-21 01:14

Pre-Run: 86,182,854,656 bytes free
Post-Run: 86,052,233,216 bytes free

406 --- E O F --- 2009-08-13 07:03

#2
spacks13

    New Member

  • Members
  • 3 posts
*UPDATE*

I just got Malwarebytes to run by renaming mbam.exe, and it is currently checking the system. I'll keep this thread posted on my findings, and if anyone has any suggestions in the meantime, I would love to hear them.

Also, I have been able to run procexp.exe and RootRepeal but don't seem to see anything suspicious. Maybe I'm not looking for the right things?
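
One way to answer "am I looking for the right things?" on the log above is to run a simple triage pass over its "Other Running Processes" section. The script below is an added example written for this thread; it is not part of ComboFix, Malwarebytes or the poster's own steps. It flags three things: a process image running from outside c:\windows or c:\program files, a core Windows binary name running from a directory other than the one it is installed in, and a name that is one character away from a core Windows binary. The list of core binaries and their directories is an assumption for a 32-bit XP system, and the sample log embeds an excerpt of the posted log plus two constructed lines (svch0st.exe and a Temp-directory setup.exe) that exist only to show what gets flagged.

```python
# Added example (not from the original post, ComboFix or Malwarebytes):
# a small triage pass over the "Other Running Processes" section of a
# ComboFix log.  Heuristics:
#   (1) image path outside the directories installed software runs from;
#   (2) a core Windows binary name running from the wrong directory;
#   (3) a name that is one edit away from a core Windows binary name.

# Where each core Windows binary lives on a 32-bit XP install.  This map is
# an assumption for the example; extend it for the system you are looking at.
CORE_BINARIES = {
    "svchost.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "csrss.exe": "c:\\windows\\system32\\",
    "winlogon.exe": "c:\\windows\\system32\\",
    "services.exe": "c:\\windows\\system32\\",
    "spoolsv.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}

# Directory prefixes from which locally installed programs are expected to run.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def edit_distance(a, b):
    """Levenshtein distance; catches look-alike names such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def running_processes(log_text):
    """Yield the image paths listed under 'Other Running Processes'."""
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Other Running Processes" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("****"):   # banner that closes the section
            break
        if line and line != ".":      # ComboFix pads sections with "." lines
            yield line


def triage(log_text):
    """Return (path, reason) pairs for entries that merit a closer look."""
    findings = []
    for path in running_processes(log_text):
        lowered = path.lower()
        name = lowered.rsplit("\\", 1)[-1]
        if not lowered.startswith(EXPECTED_PREFIXES):
            findings.append((path, "runs from outside c:\\windows or c:\\program files"))
        if name in CORE_BINARIES:
            if lowered != CORE_BINARIES[name] + name:
                findings.append((path, "core Windows binary running from an unexpected directory"))
            continue
        for core in CORE_BINARIES:
            if edit_distance(name, core) == 1:
                findings.append((path, "name is one character away from " + core))
    return findings


# Excerpt of the log posted in this thread, followed by two constructed
# lines (svch0st.exe and a Temp-directory setup.exe) that are NOT in the
# original log and exist only to show what the heuristics flag.
SAMPLE_LOG = """\
------------------------ Other Running Processes ------------------------
.
c:\\windows\\system32\\ibmpmsvc.exe
c:\\program files\\Intel\\WiFi\\bin\\S24EvMon.exe
c:\\program files\\Bonjour\\mDNSResponder.exe
c:\\program files\\AVG\\AVG8\\avgrsx.exe
c:\\windows\\system32\\notepad.exe
c:\\windows\\system32\\searchindexer.exe
c:\\windows\\svch0st.exe
c:\\docume~1\\user\\LOCALS~1\\Temp\\setup.exe
.
**************************************************************************
.
Completion time: 2009-08-21 21:14 - machine was rebooted
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(path, "->", reason)
```

Nothing in the excerpt taken from the posted log is flagged; only the two constructed lines are. That is the expected outcome for a process list like this one, where everything runs from c:\windows\system32 or a vendor directory under Program Files. The heuristics are deliberately coarse: a hit is a reason to check the file's publisher, hash and creation time, not a verdict.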

#3
spacks13

    New Member

  • Members
  • 3 posts
OK...I think the crisis has been averted. I have attached the logs of what Malwarebytes found and removed. After Malwarebytes finished I had to do repair installations of all of my programs that were affected. The virus seems to have corrupted the section of the registry for Windows Installer. Everything seems to be back to normal except for Adobe Reader 9.0 and MS Office 2007. I cannot remove/install those programs through Add/Remove Programs, and any file associated with those programs lost its icon. However, the programs still seem to work.


#4
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
What happens when you try to uninstall Adobe and Office through Add or Remove Programs? You could try using Microsoft's Windows Installer Cleanup Tool to remove them.

Please update MBAM, run a Quick Scan, and post its log.

Don't attach logs please. Post them in the forum instead.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button.
  • Your firewall may give an alert; allow it, because that is a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317
Chris Fistonich
Consumer Support Specialist


#5
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
