Thinkpoint has infected my laptop

View previous topic View next topic Go down

Thinkpoint has infected my laptop

Post by tlo3crp on Thu Oct 21, 2010 5:19 pm

I have tried to look at other sites but i'm still at a deadlock with this virus. I am in safe mode with network right now and am stuck at this point. I restarted my laptop and all it does is go to the thinkpoint startup and i can't get passed it. What should i do??? I don't want to mess up my computer than it already is and want to know what the next steps are. Please Help!!

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by Belahzur on Thu Oct 21, 2010 11:56 pm

Hello.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Fri Oct 22, 2010 8:52 pm

i cant reply on here it wont let me put the code in

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Fri Oct 22, 2010 8:54 pm

idk why everytime i press send it says that the page cannot load

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Fri Oct 22, 2010 10:21 pm

i tried attaching them as a file

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by Belahzur on Fri Oct 22, 2010 11:39 pm

Did it work? I don't see any attachments in your above posts.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Sat Oct 23, 2010 2:39 pm

no nothing..it still isnt letting me attatch it either...its only when i try to post that code..other than that i can post whatever else

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Sat Oct 23, 2010 2:41 pm

Internet Explorer cannot display the webpage

What you can try:
Diagnose Connection Problems


this is the message that keeps coming up when i try to put in that code


tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Sat Oct 23, 2010 2:42 pm

OTL Extras logfile created on: 10/22/2010 3:28:58 PM - Run 1
OTL by OldTimer - Version 3.2.16.0 Folder = C:\Documents and Settings\Administrator\My Documents
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 54.99 Gb Free Space | 73.78% Space Free | Partition Type: NTFS

Computer Name: GATEWAY-A5E587E | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- (FrostWire Group)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06E6E30D-B498-442F-A943-07DE41D7F785}" = Microsoft Search Enhancement Pack
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}" = Adobe Flash Player 10 Plugin
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 22
"{2EEC2A94-7204-45C6-93BB-67EAEB19E4D6}" = Safari
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F7177E9-2B54-48B4-AAFD-03FA1F87A542}" = Bing Bar Platform
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{8D70145A-3BD3-4DBF-9CBF-223EF4A43257}" = ATI Parental Control & Encoder
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A0829AA0-9EFD-4503-A074-5A925AC47FD2}" = ATI Catalyst Control Center
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93944F2-D2D4-4750-BFE7-9A288FEAF2CF}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B95B1BA9-F887-4B3C-8D3A-CCD4C4675120}" = Microsoft Default Manager
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9
"ATI Display Driver" = ATI Display Driver
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"FrostWire" = FrostWire 4.20.7
"gtw_logo" = gtw_logo
"ie8" = Windows Internet Explorer 8
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSC" = McAfee SecurityCenter
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel(R) PROSet/Wireless Software
"PROSet" = Intel(R) PRO Network Connections Drivers
"SMSERIAL" = Motorola SM56 Data Fax Modem
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"The Weather Channel Toolbar" = The Weather Channel Toolbar
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/22/2010 1:26:39 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 4172

Error - 10/22/2010 1:26:39 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 4172

Error - 10/22/2010 1:38:32 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 10/22/2010 1:38:32 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2140

Error - 10/22/2010 1:38:32 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2140

Error - 10/22/2010 1:38:34 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 10/22/2010 1:38:34 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 4406

Error - 10/22/2010 1:38:34 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 4406

Error - 10/22/2010 3:55:14 PM | Computer Name = GATEWAY-A5E587E | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

Error - 10/22/2010 4:08:22 PM | Computer Name = GATEWAY-A5E587E | Source = Application Error | ID = 1001
Description = Fault bucket 1271752061.

[ Application Events ]
Error - 10/22/2010 1:26:39 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 4172

Error - 10/22/2010 1:26:39 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 4172

Error - 10/22/2010 1:38:32 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 10/22/2010 1:38:32 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2140

Error - 10/22/2010 1:38:32 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2140

Error - 10/22/2010 1:38:34 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 10/22/2010 1:38:34 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 4406

Error - 10/22/2010 1:38:34 PM | Computer Name = GATEWAY-A5E587E | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 4406

Error - 10/22/2010 3:55:14 PM | Computer Name = GATEWAY-A5E587E | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

Error - 10/22/2010 4:08:22 PM | Computer Name = GATEWAY-A5E587E | Source = Application Error | ID = 1001
Description = Fault bucket 1271752061.

[ System Events ]
Error - 10/21/2010 1:54:32 PM | Computer Name = GATEWAY-A5E587E | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 10/21/2010 2:03:53 PM | Computer Name = GATEWAY-A5E587E | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/21/2010 3:07:38 PM | Computer Name = GATEWAY-A5E587E | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service netman with
arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

Error - 10/21/2010 3:21:31 PM | Computer Name = GATEWAY-A5E587E | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 10/21/2010 3:22:31 PM | Computer Name = GATEWAY-A5E587E | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service netman with
arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

Error - 10/21/2010 3:23:01 PM | Computer Name = GATEWAY-A5E587E | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 10/21/2010 3:23:31 PM | Computer Name = GATEWAY-A5E587E | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/21/2010 3:24:01 PM | Computer Name = GATEWAY-A5E587E | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service netman with
arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

Error - 10/21/2010 9:17:02 PM | Computer Name = GATEWAY-A5E587E | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.104 for the Network Card with network
address 001B77406327 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 10/22/2010 1:15:26 PM | Computer Name = GATEWAY-A5E587E | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%5


< End of report >

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Sat Oct 23, 2010 2:49 pm

still cant get the otl log up on here

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by Belahzur on Sat Oct 23, 2010 11:51 pm

Can you attach it?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Mon Oct 25, 2010 2:39 am

no still not letting me do that

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Mon Oct 25, 2010 3:03 am

ok i saved the otl to word and attached it

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Wed Oct 27, 2010 9:39 pm

were you able to read it????

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by Belahzur on Thu Oct 28, 2010 12:19 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

combo fix log

Post by tlo3crp on Thu Oct 28, 2010 9:43 pm

ComboFix 10-10-27.A3 - Administrator 10/28/2010 10:59:52.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1538 [GMT -5:00]
Running from: c:\documents and settings\Administrator\My Documents\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.

2010-10-27 23:44 . 2010-10-27 23:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-10-26 14:34 . 2010-10-26 14:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-22 02:49 . 2010-10-22 02:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-21 19:48 . 2010-10-21 19:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-21 18:13 . 2010-10-21 18:13 -------- d-----w- c:\program files\Common Files\Java
2010-10-21 18:12 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-21 15:51 . 2010-10-21 15:51 212 ----a-w- c:\documents and settings\Administrator\Application Data\42764.bat
2010-10-21 15:51 . 2010-10-21 15:51 212 ----a-w- c:\documents and settings\Administrator\Application Data\19540.bat
2010-10-13 13:41 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-12 22:33 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-12 22:33 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-12 22:33 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 05:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 05:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 07:29 . 2010-01-22 03:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2004-08-04 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-04 05:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 05:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 05:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 05:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-01-12 23:17 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 05:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 05:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 05:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 21:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-13 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 544768]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-13 282624]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/14/2010 7:36 PM 93320]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 5:35 PM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 22:34]

2010-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 22:34]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-15 18:22]

2010-01-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-15 18:22]

2010-10-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-10-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW6 - (no file)
AddRemove-M2416447 - c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
AddRemove-M979906 - c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-10-28 11:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89CA4566]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-1801674531-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,14,94,2f,00,7e,5e,4a,85,3b,e1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,14,94,2f,00,7e,5e,4a,85,3b,e1,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,14,94,2f,00,7e,5e,4a,85,3b,e1,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(928)
c:\windows\system32\WININET.dll
.
Completion time: 2010-10-28 11:17:32
ComboFix-quarantined-files.txt 2010-10-28 16:17

Pre-Run: 58,977,087,488 bytes free
Post-Run: 59,588,128,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D1908765B0B8642BF0C7FDB9DE282B2C

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by Belahzur on Fri Oct 29, 2010 12:57 am

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    File::
    c:\documents and settings\Administrator\Application Data\42764.bat
    c:\documents and settings\Administrator\Application Data\19540.bat

    MBR::
    Reboot::
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Fri Oct 29, 2010 2:30 pm

ComboFix 10-10-27.A3 - Administrator 10/29/2010 9:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1532 [GMT -5:00]
Running from: c:\documents and settings\Administrator\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\My Documents\cfscript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active


FILE ::
"c:\documents and settings\Administrator\Application Data\19540.bat"
"c:\documents and settings\Administrator\Application Data\42764.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\19540.bat
c:\documents and settings\Administrator\Application Data\42764.bat

.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-29 )))))))))))))))))))))))))))))))
.

2010-10-27 23:44 . 2010-10-27 23:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-10-26 14:34 . 2010-10-26 14:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-22 02:49 . 2010-10-22 02:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-21 19:48 . 2010-10-21 19:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-21 18:13 . 2010-10-21 18:13 -------- d-----w- c:\program files\Common Files\Java
2010-10-21 18:12 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-13 13:41 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-12 22:33 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-12 22:33 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-12 22:33 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 05:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 05:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 07:29 . 2010-01-22 03:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2004-08-04 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-04 05:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 05:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 05:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 05:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-01-12 23:17 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 05:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 05:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 05:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-29 14:15 . 2010-10-29 14:15 16384 c:\windows\Temp\Perflib_Perfdata_318.dat
+ 2010-01-12 23:13 . 2010-10-29 12:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-12 23:13 . 2010-10-27 21:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-12 23:13 . 2010-10-29 12:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-01-12 23:13 . 2010-10-27 21:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-10-28 21:45 . 2010-10-29 12:20 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 21:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-13 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 544768]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-13 282624]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/14/2010 7:36 PM 93320]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 5:35 PM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 22:34]

2010-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 22:34]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-15 18:22]

2010-01-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-15 18:22]

2010-10-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-10-29 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-10-29 09:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5E9566]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-1801674531-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,14,94,2f,00,7e,5e,4a,85,3b,e1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,14,94,2f,00,7e,5e,4a,85,3b,e1,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,14,94,2f,00,7e,5e,4a,85,3b,e1,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(936)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(5852)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\sm56hlpr.exe
c:\windows\stsystra.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2010-10-29 09:23:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-29 14:23
ComboFix2.txt 2010-10-28 16:17

Pre-Run: 59,532,607,488 bytes free
Post-Run: 59,599,183,872 bytes free

- - End Of File - - 9C4AB0CD020F6E050CD8841F34533D8A

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by Belahzur on Fri Oct 29, 2010 5:16 pm

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Mon Nov 01, 2010 2:52 pm

once i do that is that it??

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by Belahzur on Tue Nov 02, 2010 12:23 am

No, please run this as well.

Download [You must be registered and logged in to see this link.] to your desktop.

  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop
  • Open this report and post its content in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Thu Nov 11, 2010 2:15 am

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 122):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0x8A653000 \WINDOWS\system32\KDCOM.DLL
0xBA4BC000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4C0000 compbatt.sys
0xBA4C4000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB9F4A000 pcmcia.sys
0xBA0D8000 MountMgr.sys
0xB9F2B000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA4C8000 ACPIEC.sys
0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA0E8000 VolSnap.sys
0xB9F13000 atapi.sys
0xB9E3D000 iaStor.sys
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E1D000 fltmgr.sys
0xB9E06000 KSecDD.sys
0xB9D79000 Ntfs.sys
0xB9D4C000 NDIS.sys
0xB9D32000 Mup.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA59C000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB9604000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB95F0000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB95C8000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB959C000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xB943F000 \SystemRoot\system32\DRIVERS\w39n51.sys
0xBA390000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB941B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA398000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB93F3000 \SystemRoot\system32\drivers\tifm21.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA3A0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA3A8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA308000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA318000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB93D0000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA3B0000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA6FB000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA138000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA5A4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB93B9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA148000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA158000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3B8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB93A8000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA168000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3C0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3C8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9378000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA178000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5D8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB92F2000 \SystemRoot\system32\DRIVERS\update.sys
0xB9CF6000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB9787000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB4B78000 \SystemRoot\system32\drivers\sthda.sys
0xA9D7B000 \SystemRoot\system32\drivers\portcls.sys
0xAB008000 \SystemRoot\system32\drivers\drmk.sys
0xA9CA8000 \SystemRoot\system32\DRIVERS\smserial.sys
0xB1D68000 \SystemRoot\System32\Drivers\Modem.SYS
0xAAFE8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA646000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAC9BB000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xAA1BF000 \SystemRoot\System32\Drivers\Null.SYS
0xAC9B9000 \SystemRoot\System32\Drivers\Beep.SYS
0xB178E000 \SystemRoot\System32\drivers\vga.sys
0xAC9B7000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xAC9B5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB1786000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3D0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xAAD46000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA9C55000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA9BFC000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA9BD5000 \SystemRoot\System32\Drivers\Mpfp.sys
0xA9BAF000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAAFB8000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xAAFA8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA9B87000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA7DE000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA9B65000 \SystemRoot\System32\drivers\afd.sys
0xAA7CE000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA9B3A000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9ACA000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA9A97000 \SystemRoot\system32\drivers\mfehidk.sys
0xAA7BE000 \SystemRoot\System32\Drivers\Fips.SYS
0xAA78E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA99C1000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB8D45000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA3D8000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7AB000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF094000 \SystemRoot\System32\atikvmag.dll
0xBF0CA000 \SystemRoot\System32\ati3duag.dll
0xBF355000 \SystemRoot\System32\ativvaxx.dll
0xAA16F000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xAB0B2000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xB3548000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA781C000 \SystemRoot\system32\drivers\wdmaud.sys
0xB3D2F000 \SystemRoot\system32\drivers\sysaudio.sys
0xA72E9000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA71A1000 \SystemRoot\system32\DRIVERS\srv.sys
0xA68F0000 \SystemRoot\System32\Drivers\HTTP.sys
0xB356C000 \SystemRoot\system32\drivers\mfebopk.sys
0xA67EE000 \SystemRoot\system32\drivers\mfeavfk.sys
0xA7496000 \SystemRoot\system32\drivers\mfesmfk.sys
0xA4DC2000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 63):
0 System Idle Process
4 System
776 C:\WINDOWS\system32\smss.exe
844 csrss.exe
872 C:\WINDOWS\system32\winlogon.exe
920 C:\WINDOWS\system32\services.exe
932 C:\WINDOWS\system32\lsass.exe
1128 C:\WINDOWS\system32\ati2evxx.exe
1148 C:\WINDOWS\system32\svchost.exe
1236 svchost.exe
1452 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1480 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1572 svchost.exe
1752 C:\WINDOWS\system32\svchost.exe
1812 svchost.exe
1860 C:\WINDOWS\system32\svchost.exe
348 C:\WINDOWS\system32\spoolsv.exe
424 C:\WINDOWS\system32\ati2evxx.exe
588 C:\WINDOWS\explorer.exe
1444 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
1540 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
1512 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
1628 C:\WINDOWS\sm56hlpr.exe
1624 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
1648 C:\WINDOWS\stsystra.exe
1660 C:\Program Files\McAfee.com\Agent\mcagent.exe
1672 C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
1728 C:\Program Files\iTunes\iTunesHelper.exe
1736 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1780 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
1832 C:\WINDOWS\system32\ctfmon.exe
988 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
2208 svchost.exe
2244 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2264 C:\Program Files\Bonjour\mDNSResponder.exe
2420 C:\Program Files\Java\jre6\bin\jqs.exe
2516 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
2652 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
2864 C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
3020 C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
3136 C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
3256 C:\Program Files\McAfee\MPF\MpfSrv.exe
3384 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
3472 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
3528 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
3788 wdfmgr.exe
4024 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2224 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
3376 C:\Program Files\iPod\bin\iPodService.exe
1144 alg.exe
2840 C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
2396 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
2464 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
440 C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
4940 C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
4656 C:\Program Files\Internet Explorer\iexplore.exe
5848 C:\WINDOWS\system32\svchost.exe
3300 C:\Program Files\Internet Explorer\iexplore.exe
5836 C:\Program Files\Internet Explorer\iexplore.exe
2060 C:\Program Files\Internet Explorer\iexplore.exe
5204 C:\Program Files\Internet Explorer\iexplore.exe
272 C:\Program Files\Internet Explorer\iexplore.exe
4812 C:\Documents and Settings\Administrator\My Documents\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS541680J9SA00, Rev: SB2OC70P

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by Belahzur on Fri Nov 12, 2010 12:06 am

Looks good, did you run the ESET online scan?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Fri Nov 12, 2010 11:55 pm

no i haven't..where do i do that at? o and I thought i fixed this problem but im still getting a message that shuts down my audio on my computer. It just popped up as i am writing this haha..it says "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience." and then it gives me the option to send error report or dont send. It's really annoying!

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by Belahzur on Sat Nov 13, 2010 1:03 am

Hello.

Please download TDSSKiller from [You must be registered and logged in to see this link.] and save it to your Desktop.

  • Doubleclick TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
Note:It will also create a log in the C:\ directory.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Sat Nov 13, 2010 2:55 am

2010/11/12 20:54:19.0468 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
2010/11/12 20:54:19.0468 ================================================================================
2010/11/12 20:54:19.0468 SystemInfo:
2010/11/12 20:54:19.0468
2010/11/12 20:54:19.0468 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/12 20:54:19.0468 Product type: Workstation
2010/11/12 20:54:19.0468 ComputerName: GATEWAY-A5E587E
2010/11/12 20:54:19.0468 UserName: Administrator
2010/11/12 20:54:19.0468 Windows directory: C:\WINDOWS
2010/11/12 20:54:19.0468 System windows directory: C:\WINDOWS
2010/11/12 20:54:19.0468 Processor architecture: Intel x86
2010/11/12 20:54:19.0468 Number of processors: 2
2010/11/12 20:54:19.0468 Page size: 0x1000
2010/11/12 20:54:19.0468 Boot type: Normal boot
2010/11/12 20:54:19.0468 ================================================================================
2010/11/12 20:54:19.0781 Initialize success

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by Belahzur on Sun Nov 14, 2010 12:04 am

hmm.

Please re-run Combofix and post the new log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by tlo3crp on Sat Nov 20, 2010 9:17 pm

ComboFix 10-11-20.03 - Administrator 11/20/2010 15:02:52.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1378 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\completescan
c:\documents and settings\Administrator\Application Data\install

.
((((((((((((((((((((((((( Files Created from 2010-10-20 to 2010-11-20 )))))))))))))))))))))))))))))))
.

2010-11-04 01:16 . 2010-11-04 01:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-10-31 04:02 . 2010-10-31 04:02 -------- d-----w- c:\program files\ESET
2010-10-31 03:59 . 2010-10-31 03:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-10-27 23:44 . 2010-10-27 23:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-10-26 14:34 . 2010-10-26 14:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-22 02:49 . 2010-11-03 13:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 05:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 05:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 09:50 . 2010-10-21 18:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 07:29 . 2010-01-22 03:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2004-08-04 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-04 05:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 05:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 05:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 05:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-01-12 23:17 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 05:00 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 21:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-13 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 544768]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-13 282624]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/14/2010 6:36 PM 93320]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 4:35 PM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder

2010-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 22:34]

2010-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 22:34]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-15 18:22]

2010-01-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-15 18:22]

2010-11-20 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-11-20 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-11-20 15:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-1801674531-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,14,94,2f,00,7e,5e,4a,85,3b,e1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,14,94,2f,00,7e,5e,4a,85,3b,e1,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,14,94,2f,00,7e,5e,4a,85,3b,e1,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-11-20 15:15:32
ComboFix-quarantined-files.txt 2010-11-20 21:15
ComboFix2.txt 2010-10-29 14:23

Pre-Run: 58,676,207,616 bytes free
Post-Run: 60,023,517,184 bytes free

- - End Of File - - B6A1E2BCB9245A94621C05E18336CD8C

tlo3crp
Novice
Novice

Status :
Online
Offline

Posts : 19
Joined : 2010-10-21
Gender : Male
OS : Windows XP

View user profile

Back to top Go down

Re: Thinkpoint has infected my laptop

Post by Belahzur on Sun Nov 21, 2010 12:15 am

Hello.

I see that you are running FrostWire.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Helllo.
    Ask Toolbar
    FrostWire 4.20.7

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum