Gen:TDss.Patched.1



sisik
2010-05-19, 02:04
Hey guys, I did an F-Secure online scan and it came up with this spyware, Gen:TDss.Patched.1, and said it could not be cleaned. I've tried installing Spybot, but it won't even let me do that, and I keep getting random websites popping up and alerts saying "Ztl.exe has stopped working". It's also impossible for me to download attachments from my email, so my whole system seems to be a bit crazy! Can you please help me fix things up?

I followed the preliminary instructions (except I couldn't install Spybot) and here is my DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by sisi at 8:52:38.83 on Wed 19/05/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.61.1033.18.2006.704 [GMT 10:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
C:\Windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
\\?\globalroot\systemroot\system32\msihost.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\Logitech Vid\Vid.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\p2phost.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\emoit.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\WerCon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\sisi\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ninemsn.com.au/
uDefault_Page_URL = hxxp://www.ninemsn.com.au
mDefault_Page_URL = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: TBSB07286 Class: {c23d0d6a-8cba-4b33-9735-47d81f5b2b85} - c:\program files\ecobar\tbcore3.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Ecobar: {10000000-1000-1000-1000-100000000000} - c:\program files\ecobar\tbcore3.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\Vid.exe" -bootmode
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Bhuxocefu] rundll32.exe "c:\users\sisi\appdata\local\dSmgerae.dll",Startup
uRun: [M5T8QL3YW3] c:\users\sisi\appdata\local\temp\Ztl.exe
uRun: [Gnagolasiwi] rundll32.exe "c:\users\sisi\appdata\local\azedumokabadebi.dll",Startup
uRun: [CollaborationHost] c:\windows\system32\p2phost.exe -s
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [LenovoOobeOffers] c:\swtools\lenovowelcome\lenovooobeoffers.exe /filepath="c:\swshare\firstrun.txt"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [wanActivate] c:\program files\lenovo\activatewan\WanActivate.exe -check
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [cftmon] c:\windows\system32\emoit.exe
mRun: [Gnagolasiwi] rundll32.exe "c:\users\sisi\appdata\local\azedumokabadebi.dll",Startup
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\users\sisi\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\users\sisi\appdata\roaming\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office12\GROOVE.EXE
StartupFolder: c:\users\sisi\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pdf-pr~1.lnk - c:\program files\epapyrus\pdf-pro 4\pdfpro4svc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.163.179,93.188.166.239
TCP: {135FD73C-394F-4712-ACC8-FEC9E6FB4516} = 93.188.163.179,93.188.166.239
TCP: {7EAC1D83-6B2D-4B86-9BC4-08D7F195FA83} = 93.188.163.179,93.188.166.239
TCP: {9662122B-AC0E-4878-AC22-F7DB37E4D4DD} = 93.188.163.179,93.188.166.239
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli psqlpwd ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\users\sisi\appdata\roaming\mozilla\firefox\profiles\ppr5gxb6.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=15087&l=dis
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {2E43AB9E-DBD5-4952-ABF3-350532C24C2A} - c:\users\sisi\appdata\local\{2E43AB9E-DBD5-4952-ABF3-350532C24C2A}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R?2 Windows MSI;Windows MSI;\\?\globalroot\systemroot\system32\msihost.exe [2010-5-17 136704]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-9-29 19504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-2-19 13744]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-15 11152]
R2 tp4serv;tp4serv;c:\program files\lenovo\trackpoint\tp4servinst.exe [2008-3-4 35616]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-3-30 55936]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-1-9 569344]
R3 SWNC8U01;Sierra Wireless MUX NDIS Driver (UMTS01);c:\windows\system32\drivers\SWNC8U01.sys [2007-1-13 102144]
R3 SWUMX01;Sierra Wireless USB MUX Driver (UMTS01);c:\windows\system32\drivers\swumx01.sys [2007-1-13 70656]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-5-11 22568]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-23 30336]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-3-12 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"

=============== Created Last 30 ================

2010-05-18 08:06:51 0 d-----w- C:\A
2010-05-17 05:06:17 0 d-----w- c:\programdata\F-Secure
2010-05-17 03:50:28 0 d-----w- c:\users\sisi\appdata\roaming\PeerNetworking
2010-05-17 03:49:26 0 d-----w- c:\program files\Ecobar
2010-05-17 03:49:00 0 d-----w- C:\sysmon
2010-05-17 03:26:52 178688 ----a-w- c:\windows\Zmihaa.exe
2010-05-17 03:26:29 373248 ----a-w- c:\windows\system32\emoit.exe
2010-05-17 03:26:24 136704 ----a-w- c:\windows\system32\msihost.exe
2010-05-17 03:26:23 213 ----a-w- c:\windows\system32\winset.ini
2010-05-17 03:25:22 57856 ----a-w- c:\windows\iwcdc8684.exe
2010-05-12 03:31:11 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-04-28 04:14:45 0 d-----w- c:\program files\iPod
2010-04-28 04:14:39 0 d-----w- c:\program files\iTunes
2010-04-28 04:09:13 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-05-06 00:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-28 04:10:57 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-28 04:10:56 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-09 20:06:40 36068 ----a-w- c:\windows\fonts\SNIPER SHOT.ttf
2010-04-08 06:27:49 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-08 03:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 03:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:39:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-18 14:49:31 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:49:31 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 14:11:41 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2008-06-17 12:50:54 174 --sh--w- c:\program files\desktop.ini
2008-06-17 12:29:53 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:07 30674 ------w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ------w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ------w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ------w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-04 22:57:13 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2010-02-04 22:57:13 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2010-02-04 22:57:13 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-10-17 08:40:17 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-12-22 12:33:10 8192 --sh--w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 8:55:13.00 ===============

And my Attach log:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume2
Install Date: 22/12/2007 11:45:07 PM
System Uptime: 18/05/2010 6:08:28 PM (14 hours ago)

Motherboard: LENOVO | | 7676A11
Processor: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz | None | 800/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 19.59 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP856: 15/05/2010 10:41:13 AM - Scheduled Checkpoint
RP857: 16/05/2010 7:05:08 AM - Scheduled Checkpoint
RP858: 17/05/2010 8:43:32 AM - Scheduled Checkpoint

==== Installed Programs ======================

2007 Microsoft Office system
32 Bit HP CIO Components Installer
Access Help
Acrobat.com
Activate Wireless Wan
Adobe AIR
Adobe Color Common Settings
Adobe Digital Editions
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Photoshop 7.0
Adobe Reader 9.3.2
Adobe Setup
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Bonjour
Canon MP270 series MP Drivers
Chinese Traditional Fonts Support For Adobe Reader 9
Choice Guard
Client Security Solution
CutePDF Writer 2.8
Diskeeper Home
e-Sword
e-tax 2008
e-tax 2009
Ecobar
EPSON Scan
ERUNT 1.1j
ffdshow [rev 1723] [2007-12-24]
Help Center
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Update
HPSSupply
iDisk Utility for Windows
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
iPhone Configuration Utility
iTunes
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Junk Mail filter update
Lenovo Registration
Lenovo System Interface Driver
LimeWire 5.5.8
LiveUpdate Notice (Symantec Corporation)
Logitech Legacy USB Camera Driver Package
Logitech Vid
Logitech Webcam Software
Logitech Webcam Software Driver Package
Maintenance Manager
Message Center
Message Center Plus
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.5.5)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
ninemsn Toolbar
OGA Notifier 1.7.0105.35.0
On Screen Display
PC-Doctor 5 for Windows
PDF-Pro 4
Picasa 2
Presentation Director
Productivity Center Supplement for ThinkPad
QuickTime
Registry patch for Windows Vista USB S3 PM Enablement
Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista
Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista
Registry patch to improve USB device detection on resume from sleep for Windows Vista
Rescue and Recovery
Safari
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Shop for HP Supplies
Sibelius Scorch (ActiveX Only)
Sierra Wireless HSDPA MiniCard
Skype™ 4.0
SoundMAX
System Migration Assistant
System Update
ThinkPad Bluetooth with Enhanced Data Rate Software 6.0.1.4900
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Mobility Center Customization
ThinkPad Modem
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad TrackPoint Driver
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Fingerprint Software 5.6
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb981726)
VLC media player 1.0.3
Wallpapers
Windows Driver Package - Intel (e1express) Net (04/26/2007 9.7.240.0)
Windows Driver Package - Intel (iaStor) hdc (02/12/2007 7.0.0.1020)
Windows Driver Package - Intel hdc (11/15/2006 8.2.0.1011)
Windows Driver Package - Intel hdc (12/06/2006 6.8.0.3002)
Windows Driver Package - Intel System (09/15/2006 7.0.0.1011)
Windows Driver Package - Intel System (09/15/2006 8.0.0.1008)
Windows Driver Package - Intel System (09/15/2006 8.0.0.1010)
Windows Driver Package - Intel System (09/15/2006 8.2.0.1000)
Windows Driver Package - Intel USB (09/15/2006 8.0.0.1008)
Windows Driver Package - Lenovo (IBMPMDRV) System (05/31/2007 1.43)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker Beta
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver
WinZip 12.1
Yahoo! Software Update
Yahoo!7 Messenger

==== Event Viewer Messages From Past Week ========

18/05/2010 6:09:07 PM, Error: EventLog [6008] - The previous system shutdown at 6:07:07 PM on 18/05/2010 was unexpected.
18/05/2010 5:29:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "230" attempting to start the service wercplsupport with arguments "" in order to run the server: {0E9A7BB5-F699-4D66-8A47-B919F5B6A1DB}
17/05/2010 7:08:11 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
17/05/2010 3:23:58 PM, Error: Service Control Manager [7000] - The F-Secure BlackLight Engine Driver service failed to start due to the following error: A device attached to the system is not functioning.
17/05/2010 1:57:42 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user sisi-PC\sisi SID (S-1-5-21-1586580956-2770508073-3903648373-1003) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
16/05/2010 5:35:38 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Volume Shadow Copy service to connect.
16/05/2010 5:35:38 AM, Error: Service Control Manager [7000] - The Volume Shadow Copy service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
16/05/2010 5:35:38 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
15/05/2010 9:59:48 AM, Error: TPM [13] - The device driver for the Trusted Platform Module (TPM) encountered a non-recoverable error in the TPM hardware, which prevents TPM services (such as data encryption) from being used. For further help, please contact the computer manufacturer.
15/05/2010 9:59:48 AM, Error: Microsoft-Windows-TBS [516] - An error occurred while communicating with the TPM. The driver returned 0x8007045d.
12/05/2010 7:40:46 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.
12/05/2010 7:40:16 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TrkWks service.
12/05/2010 7:37:43 AM, Error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
12/05/2010 7:37:43 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
12/05/2010 7:37:43 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/05/2010 10:19:57 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
12/05/2010 10:19:57 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/05/2010 10:19:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

==== End Of File ===========================

Thanks for what you guys are doing on these forums, it really helps poor clueless souls like me! :)

ken545
2010-05-19, 14:53
Hello

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

You have a real mess going on, besides a Rootkit, your computer is being hijacked by the lovely people in the Ukraine




Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

sisik
2010-05-20, 23:21
Thanks so much for the advice! Unfortunately, every time I try to run Combo-Fix, it comes up with a little window that says: "GSAR.cfxxe has stopped working" :(

ken545
2010-05-21, 02:12
Hi,

Try this, right click on Combofix and select rename and rename it sisik.exe.

Then try to run one of these programs first

Please download and run the following tool to help allow other programs to run. (Thanks to Grinler of BleepingComputer.com)

RKill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
RKill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
RKill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
RKill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)


There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
You will know one ran when a box opens up with a report





Now try running Combofix

sisik
2010-05-22, 05:22
Thanks for that - I did exactly as you said...renamed it, ran RKill.exe but it came up with the same message as before when I tried to run ComboFix :( sorry my laptop is such a pain!

ken545
2010-05-22, 13:41
Take Combofix you renamed and drag it to the trash and download via my previous links a fresh copy as it's updated daily.



Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

Go to http://www.techsupportforum.com/sectools/tetonbob/StartBtn.gif -> Run -> copy/paste in the following single line command & click OK


"%userprofile%\desktop\combofix.exe" /killall

http://www.techsupportforum.com/sectools/tetonbob/killall.JPG

Click OK and this will start ComboFix in a special way.
When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply .

sisik
2010-05-23, 00:29
That didn't work either, it still comes up with the same "GSAR..." message as before! I'm getting a little worried :( but I do really appreciate your patience with this problem :)

ken545
2010-05-23, 03:47
A rootkit is most likely responsible for this, they are designed to block most programs from running, there is a way around it we just have not hit it yet. I am going to give you a few options to follow, if one won't work just move on to the other.


Like before, drag Combofix to the trash and download a fresh copy to your desktop, then rename it to sisik.exe


Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then try Combofix again, if you have not done so before, right click on sisik.exe and select RUN AS ADMINISTRATOR.




If Combofix still won't run, try running it in Safemode.

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)





If it still won't run, then run this program.


Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Extract the file and run it.
Once completed it will create a log in your C:\ drive
Please post the contents of that log

sisik
2010-05-23, 12:22
That's so fabulous! I've been worried about the ComboFix thing but it finally worked in Safe Mode, thanks so much Ken.

Here is the exehelperlog:

exeHelper by Raktor
Build 20100414
Run at 17:11:00 on 05/23/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

And the ComboFix log:
ComboFix 10-05-22.03 - sisi 23/05/2010 17:39:09.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.61.1033.18.2006.1694 [GMT 10:00]
Running from: c:\users\sisi\Desktop\sisik.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ecobar
c:\program files\ecobar\basis.xml
c:\program files\ecobar\ecobar.dll
c:\program files\ecobar\icons.bmp
c:\program files\ecobar\info.txt
c:\program files\ecobar\tbcore3.dll
c:\program files\ecobar\tbcore3.inf
c:\program files\ecobar\tbhelper.dll
c:\program files\ecobar\uninstall.exe
c:\program files\ecobar\update.exe
c:\program files\ecobar\version.txt
c:\program files\ecobar\your_logo.png
C:\sysmon
c:\sysmon\flvdirect\flvsetup.exe
c:\sysmon\idmi3522\aikl7085.exe
c:\sysmon\idmi3522\opta46148.exe
c:\sysmon\idmi3522\sshw0050.exe
c:\sysmon\mgqlh74318\bqasu7082.exe
c:\sysmon\mgqlh74318\cnlbb01316.exe
c:\sysmon\mgqlh74318\tvwsg30671.exe
c:\sysmon\mgqlh74318\ubwmt5875.exe
c:\users\sisi\AppData\Local\azedumokabadebi.dll
c:\users\sisi\AppData\Local\dSmgerae.dll
c:\users\sisi\AppData\Roaming\Microsoft\HTML Help\hh.dat
c:\windows\system32\msihost.exe
c:\windows\system32\win.ini
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Zmihaa.exe
c:\windows\Zmihab.exe
c:\windows\Zmihac.exe
c:\windows\Zmihad.exe

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Windows MSI


((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-05-23 07:49 . 2010-05-23 08:59 -------- d-----w- c:\users\sisi\AppData\Local\temp
2010-05-23 07:49 . 2010-05-23 07:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-23 07:28 . 2010-05-23 07:29 -------- d-----w- C:\32788R22FWJFW
2010-05-23 07:22 . 2010-05-23 07:22 -------- d-----w- C:\B
2010-05-22 21:21 . 2010-05-22 21:25 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-05-18 22:50 . 2010-05-18 22:50 -------- d-----w- c:\program files\ERUNT
2010-05-18 08:06 . 2010-05-18 08:06 -------- d-----w- C:\A
2010-05-17 05:06 . 2010-05-17 05:06 -------- d-----w- c:\programdata\F-Secure
2010-05-17 03:57 . 2010-05-17 03:57 -------- d-----w- c:\windows\BDOSCAN8
2010-05-17 03:50 . 2010-05-17 03:50 -------- d-----w- c:\users\sisi\AppData\Roaming\PeerNetworking
2010-05-17 03:27 . 2010-05-22 20:46 0 ----a-w- c:\users\sisi\AppData\Local\Jliva.bin
2010-05-17 03:27 . 2010-05-23 07:07 120 ----a-w- c:\users\sisi\AppData\Local\Omahevifohahuro.dat
2010-05-17 03:27 . 2010-05-17 03:27 -------- d-----w- c:\users\sisi\AppData\Local\{2E43AB9E-DBD5-4952-ABF3-350532C24C2A}
2010-05-17 03:27 . 2010-05-17 03:26 74240 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\b00006749.dll
2010-05-17 03:26 . 2010-05-22 07:32 374272 ----a-w- c:\windows\system32\emoit.exe
2010-05-17 03:25 . 2010-05-17 03:25 57856 ----a-w- c:\windows\iwcdc8684.exe
2010-05-12 03:31 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-04-28 04:14 . 2010-04-28 04:14 -------- d-----w- c:\program files\iPod
2010-04-28 04:14 . 2010-04-28 04:16 -------- d-----w- c:\program files\iTunes
2010-04-28 04:09 . 2010-04-28 04:09 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 09:01 . 2009-04-01 05:53 -------- d-----w- c:\users\sisi\AppData\Roaming\Skype
2010-05-23 07:25 . 2007-12-22 12:44 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-17 03:52 . 2008-01-30 09:22 -------- d-----w- c:\users\sisi\AppData\Roaming\LimeWire
2010-05-12 12:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 12:21 . 2007-12-22 14:01 -------- d-----w- c:\programdata\Microsoft Help
2010-05-06 00:36 . 2009-10-03 02:07 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-28 04:14 . 2008-02-11 10:56 -------- d-----w- c:\program files\Common Files\Apple
2010-04-28 04:06 . 2010-04-28 04:06 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.11\SetupAdmin.exe
2010-04-19 10:49 . 2010-04-19 10:49 117427 ----a-w- c:\users\sisi\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\digitaleditions\digitaleditions.exe
2010-04-19 00:37 . 2008-01-29 12:53 116112 ----a-w- c:\users\sisi\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-18 06:23 . 2010-04-18 06:23 -------- d-----w- c:\programdata\ePapyrus
2010-04-13 11:30 . 2008-01-29 12:49 1356 ----a-w- c:\users\sisi\AppData\Local\d3d9caps.dat
2010-04-09 01:10 . 2008-01-30 09:22 -------- d-----w- c:\program files\LimeWire
2010-04-08 06:43 . 2010-04-08 06:43 -------- d-----w- c:\users\sisi\AppData\Roaming\PDF-Pro 4
2010-04-08 06:28 . 2010-04-08 06:28 -------- d--h--w- c:\programdata\CanonBJ
2010-04-08 06:21 . 2010-04-08 06:21 -------- d--h--w- c:\program files\CanonBJ
2010-04-08 06:14 . 2010-04-08 06:14 -------- d-----w- c:\program files\ePapyrus
2010-04-08 06:14 . 2007-12-22 12:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-08 03:20 . 2010-04-08 03:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 03:20 . 2010-04-08 03:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-07 06:05 . 2010-04-07 06:04 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-07 05:59 . 2010-04-07 05:58 -------- d-----w- c:\program files\QuickTime
2010-03-31 01:05 . 2010-03-31 01:05 -------- d-----w- c:\users\sisi\AppData\Roaming\EPSON
2010-03-31 00:50 . 2010-03-31 00:50 -------- d-----w- c:\program files\epson
2010-03-13 21:51 . 2010-03-13 21:51 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-05 14:01 . 2010-04-13 20:29 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-23 11:32 . 2010-04-13 20:29 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:32 . 2010-04-13 20:29 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:32 . 2010-04-13 20:29 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-03-30 20:14 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 20:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-03-30 20:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-03-30 20:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2007-12-22 12:33 . 2007-12-22 12:29 8192 --sh--w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 05:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-11 24095528]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\Vid.exe" [2010-02-12 5933912]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"CollaborationHost"="c:\windows\system32\p2phost.exe" [2008-01-19 192000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-09-05 319488]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-09-05 214576]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TpShocks"="TpShocks.exe" [2007-09-28 181544]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [2007-09-25 28672]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-16 217176]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"wanActivate"="c:\program files\lenovo\ActivateWan\WanActivate.exe" [2007-11-02 466944]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-09 2630968]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-12 47392]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-09 1282048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-24 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

c:\users\sisi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-2-19 113664]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-3-30 719664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-22 50688]
PDF-Pro 4 Service.lnk - c:\program files\ePapyrus\PDF-Pro 4\pdfpro4svc.exe [2010-4-8 311296]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 06:17 89600 ------w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2007-09-29 19504]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2006-08-30 13744]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-03-15 11152]
S2 tp4serv;tp4serv;c:\program files\Lenovo\TrackPoint\TP4SERVINST.EXE [2008-03-03 35616]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2007-03-02 55936]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-01-09 569344]
S3 SWNC8U01;Sierra Wireless MUX NDIS Driver (UMTS01);c:\windows\system32\DRIVERS\SWNC8U01.sys [2007-01-12 102144]
S3 SWUMX01;Sierra Wireless USB MUX Driver (UMTS01);c:\windows\system32\DRIVERS\swumx01.sys [2007-01-12 70656]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2008-03-03 22568]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ninemsn.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\sisi\AppData\Roaming\Mozilla\Firefox\Profiles\ppr5gxb6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=15087&l=dis
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {2E43AB9E-DBD5-4952-ABF3-350532C24C2A} - c:\users\sisi\AppData\Local\{2E43AB9E-DBD5-4952-ABF3-350532C24C2A}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Bhuxocefu - c:\users\sisi\AppData\Local\dSmgerae.dll
HKCU-Run-Gnagolasiwi - c:\users\sisi\AppData\Local\azedumokabadebi.dll
HKLM-Run-Gnagolasiwi - c:\users\sisi\AppData\Local\azedumokabadebi.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-23 18:58
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll

- - - - - - - > 'Explorer.exe'(3164)
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_think_res.dll
c:\program files\Lenovo\Client Security Solution\css_think_res.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkVantage Fingerprint Software\upeksvr.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Lenovo\TrackPoint\tp4serv.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\TpShocks.exe
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\sdclt.exe
.
**************************************************************************
.
Completion time: 2010-05-23 19:07:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-23 09:07

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 21,401,853,952 bytes free

- - End Of File - - A6D9EB1BD7396E7A564BD7A68CB0E5E6

ken545
2010-05-23, 12:57
Great :bigthumb:

Malware will infect anything it can, in the first part of your CF log

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p

pci.sys <-- PCI Bus Driver, this was infected


CF also removed a rootkit and some other misc bad files, I need to check a few over, but before I do let's do this and see if they're removed.


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.




Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please




Download DDS by sUBs from one of the following links. Save it to your desktop.

DDS.com (http://www.techsupportforum.com/sectools/sUBs/dds)
DDS.scr (http://download.bleepingcomputer.com/sUBs/dds.scr)
DDS.pif (http://www.forospyware.com/sUBs/dds)

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control Here (http://www.bleepingcomputer.com/forums/topic114351.html)



Post the Malwarebytes log and the DDS log please

sisik
2010-05-24, 05:18
Thanks Ken. :)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4132

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18904

24/05/2010 6:32:40 AM
mbam-log-2010-05-24 (06-32-40).txt

Scan type: Quick scan
Objects scanned: 127639
Time elapsed: 11 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\TBSB07286.TBSB07286Toolbar (Adware.Ecobar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\spool\prtprocs\w32x86\b00006749.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\winset.ini (Malware.Trace) -> Quarantined and deleted successfully.


DDS (Ver_10-03-17.01) - NTFSx86
Run by sisi at 11:26:42.51 on Mon 24/05/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.61.1033.18.2006.634 [GMT 10:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
C:\Windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\Logitech Vid\Vid.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\sisi\Desktop\dds.scr
C:\Windows\system32\DllHost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ninemsn.com.au/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\Vid.exe" -bootmode
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [LenovoOobeOffers] c:\swtools\lenovowelcome\lenovooobeoffers.exe /filepath="c:\swshare\firstrun.txt"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [wanActivate] c:\program files\lenovo\activatewan\WanActivate.exe -check
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\users\sisi\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\users\sisi\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pdf-pr~1.lnk - c:\program files\epapyrus\pdf-pro 4\pdfpro4svc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\users\sisi\appdata\roaming\mozilla\firefox\profiles\ppr5gxb6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=15087&l=dis
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {2E43AB9E-DBD5-4952-ABF3-350532C24C2A} - c:\users\sisi\appdata\local\{2E43AB9E-DBD5-4952-ABF3-350532C24C2A}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-9-29 19504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-2-19 13744]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-15 11152]
R2 tp4serv;tp4serv;c:\program files\lenovo\trackpoint\tp4servinst.exe [2008-3-4 35616]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-3-30 55936]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-1-9 569344]
R3 SWNC8U01;Sierra Wireless MUX NDIS Driver (UMTS01);c:\windows\system32\drivers\SWNC8U01.sys [2007-1-13 102144]
R3 SWUMX01;Sierra Wireless USB MUX Driver (UMTS01);c:\windows\system32\drivers\swumx01.sys [2007-1-13 70656]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-5-11 22568]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-23 30336]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-3-12 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"

=============== Created Last 30 ================

2010-05-23 14:32:08 0 d-----w- c:\users\sisi\appdata\roaming\Malwarebytes
2010-05-23 14:31:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-23 14:31:55 0 d-----w- c:\programdata\Malwarebytes
2010-05-23 14:31:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 14:31:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 08:58:41 0 d-----w- C:\$RECYCLE.BIN
2010-05-23 07:29:30 98816 ----a-w- c:\windows\sed.exe
2010-05-23 07:29:30 77312 ----a-w- c:\windows\MBR.exe
2010-05-23 07:29:30 256512 ----a-w- c:\windows\PEV.exe
2010-05-23 07:29:30 161792 ----a-w- c:\windows\SWREG.exe
2010-05-23 07:22:47 0 d-----w- C:\B
2010-05-22 21:21:29 0 d-----w- C:\32788R22FWJFW.1.tmp
2010-05-18 08:06:51 0 d-----w- C:\A
2010-05-17 05:06:17 0 d-----w- c:\programdata\F-Secure
2010-05-17 03:50:28 0 d-----w- c:\users\sisi\appdata\roaming\PeerNetworking
2010-05-17 03:26:29 374272 ----a-w- c:\windows\system32\emoit.exe
2010-05-17 03:25:22 57856 ----a-w- c:\windows\iwcdc8684.exe
2010-05-12 03:31:11 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-04-28 04:14:45 0 d-----w- c:\program files\iPod
2010-04-28 04:14:39 0 d-----w- c:\program files\iTunes
2010-04-28 04:09:13 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-05-06 00:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-28 04:10:57 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-28 04:10:56 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-09 20:06:40 36068 ----a-w- c:\windows\fonts\SNIPER SHOT.ttf
2010-04-08 06:27:49 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-08 03:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 03:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-06-17 12:50:54 174 --sh--w- c:\program files\desktop.ini
2008-06-17 12:29:53 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:07 30674 ------w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ------w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ------w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ------w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-04 22:57:13 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2010-02-04 22:57:13 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2010-02-04 22:57:13 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2009-10-17 08:40:17 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-12-22 12:33:10 8192 --sh--w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 11:28:28.13 ===============

ken545
2010-05-24, 11:47
Hi,

Looking better all the time.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.





You need to enable Windows to show all files and folders; instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis. Just use the BROWSE feature and then Send File; you will get a report back. Post the report into this thread for me to see. If the site says this file has already been checked, have them check it again.

c:\windows\iwcdc8684.exe
c:\windows\system32\emoit.exe
C:\32788R22FWJFW.1.tmp

If the site is busy you can try this one

http://virusscan.jotti.org/en



c:\users\sisi\AppData\Local\Omahevifohahuro.dat <--Right click on this file and delete it
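As an added illustration (not part of this thread, and not code from the DDS tool), the triage the helper just did on the "Created Last 30" section of the DDS log, automated in Python: parse the lines and flag executables dropped straight into the root of c:\windows or system32, treating files written within minutes of each other as one drop. The known-tool allowlist and the ten-minute window are assumptions of this example; the sample lines are taken from the log posted above.

```python
"""Triage of the 'Created Last 30' section of a DDS log (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the DDS lines posted earlier in the thread.
SAMPLE_LOG = r"""
2010-05-23 14:31:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-23 07:29:30 98816 ----a-w- c:\windows\sed.exe
2010-05-23 07:29:30 77312 ----a-w- c:\windows\MBR.exe
2010-05-23 07:29:30 256512 ----a-w- c:\windows\PEV.exe
2010-05-23 07:29:30 161792 ----a-w- c:\windows\SWREG.exe
2010-05-17 05:06:17 0 d-----w- c:\programdata\F-Secure
2010-05-17 03:26:29 374272 ----a-w- c:\windows\system32\emoit.exe
2010-05-17 03:25:22 57856 ----a-w- c:\windows\iwcdc8684.exe
2010-05-12 03:31:11 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-04-28 04:14:45 0 d-----w- c:\program files\iPod
"""

# One DDS "Created Last 30" line: timestamp, size, attribute flags, path.
DDS_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

# Files that the legitimate tools used in this thread drop into %windir% or
# system32. This allowlist is an assumption of the example, not an
# authoritative list: ComboFix stages sed.exe/MBR.exe/PEV.exe/SWREG.exe,
# Malwarebytes installs its two drivers.
KNOWN_TOOL_FILES = {"sed.exe", "mbr.exe", "pev.exe", "swreg.exe",
                    "mbam.sys", "mbamswissarmy.sys"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
EXEC_EXT = (".exe", ".dll", ".sys")


def parse_created_last_30(text):
    """Return (datetime, size, attrs, lowercased path) for every log line."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything that is not an entry
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        entries.append((ts, int(m["size"]), m["attrs"], m["path"].lower()))
    return entries


def _in_system_root(path):
    """True for an executable sitting directly in c:\\windows or system32."""
    parent, _, name = path.rpartition("\\")
    return parent in SYSTEM_DIRS and name.endswith(EXEC_EXT)


def triage(text, window=timedelta(minutes=10)):
    """Split suspicious executables into two sorted lists of paths.

    'burst': created within `window` of another such file (droppers tend to
    write several components together); 'single': isolated files to review.
    Directories (attrs starting with 'd') and known-tool drops are skipped.
    """
    candidates = [
        (ts, path) for ts, _, attrs, path in parse_created_last_30(text)
        if not attrs.startswith("d") and _in_system_root(path)
        and path.rpartition("\\")[2] not in KNOWN_TOOL_FILES
    ]
    burst, single = [], []
    for ts, path in candidates:
        has_neighbour = any(p != path and abs(t - ts) <= window
                            for t, p in candidates)
        (burst if has_neighbour else single).append(path)
    return sorted(burst), sorted(single)


if __name__ == "__main__":
    b, s = triage(SAMPLE_LOG)
    print("submit first (dropped together):", b)
    print("review (isolated):", s)
```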

sisik
2010-05-25, 07:04
Hi Ken, that sounds very positive yay!

c:\windows\iwcdc8684.exe VirusTotal report:

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 Trojan.Win32.Hiloti!IK
AhnLab-V3 2010.05.25.00 2010.05.25 -
AntiVir 8.2.1.242 2010.05.24 -
Antiy-AVL 2.0.3.7 2010.05.24 -
Authentium 5.2.0.5 2010.05.25 W32/Hiloti.I.gen!Eldorado
Avast 4.8.1351.0 2010.05.24 Win32:Malware-gen
Avast5 5.0.332.0 2010.05.24 Win32:SuspBehav-C
AVG 9.0.0.787 2010.05.24 Agent2.ATBA
BitDefender 7.2 2010.05.25 Gen:Variant.Hiloti.1
CAT-QuickHeal 10.00 2010.05.24 -
ClamAV 0.96.0.3-git 2010.05.25 -
Comodo 4936 2010.05.25 -
DrWeb 5.0.2.03300 2010.05.25 -
eSafe 7.0.17.0 2010.05.24 -
eTrust-Vet 35.2.7507 2010.05.24 Win32/Hiloti.C!generic
F-Prot 4.6.0.103 2010.05.24 W32/Hiloti.I.gen!Eldorado
F-Secure 9.0.15370.0 2010.05.25 Gen:Variant.Hiloti.1
Fortinet 4.1.133.0 2010.05.23 -
GData 21 2010.05.25 Gen:Variant.Hiloti.1
Ikarus T3.1.1.84.0 2010.05.25 Trojan.Win32.Hiloti
Jiangmin 13.0.900 2010.05.24 -
Kaspersky 7.0.0.125 2010.05.25 -
McAfee 5.400.0.1158 2010.05.25 -
McAfee-GW-Edition 2010.1 2010.05.24 Heuristic.LooksLike.Trojan.Dldr.Mufanom.I
Microsoft 1.5802 2010.05.24 Trojan:Win32/Hiloti.gen!D
NOD32 5142 2010.05.24 a variant of Win32/Cimag.CL
Norman 6.04.12 2010.05.24 -
nProtect 2010-05-24.01 2010.05.24 Gen:Variant.Hiloti.1
Panda 10.0.2.7 2010.05.24 -
PCTools 7.0.3.5 2010.05.25 -
Rising 22.49.01.01 2010.05.25 -
Sophos 4.53.0 2010.05.25 Mal/Hiloti-D
Sunbelt 6351 2010.05.25 Trojan.Win32.Hiloti.gen.e (v)
Symantec 20101.1.0.89 2010.05.25 -
TheHacker 6.5.2.0.286 2010.05.24 -
TrendMicro 9.120.0.1004 2010.05.24 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.25 -
VBA32 3.12.12.5 2010.05.22 BScope.Trojan.TDSL.0423
ViRobot 2010.5.20.2326 2010.05.24 -
VirusBuster 5.0.27.0 2010.05.24 -
Additional information
File size: 57856 bytes
MD5...: 4d65c73caaad63be9dbf4114a1c0e7d4
SHA1..: 21b38264d11438021db6fe8d33a924f1121f93af
SHA256: 48b3fb2ac213dee8445a677ed92a64f47a976a76180be108ca7261f473372e14
ssdeep: 1536:KD3K3LIjkebmeqxUkhsZFACyPvBTu2v441ntDr62vqo8v6:KOakq2xZCy3k2RHLay

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7c1c
timedatestamp.....: 0x4a82222e (Wed Aug 12 02:00:14 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb000 0xac00 6.93 5ff9edc75e1e71a67d08c701d12bba2e
.data 0xc000 0x3000 0x2c00 5.41 607d46d9f91b357a4a2832df0643c279
.rsrc 0xf000 0x1000 0x400 3.00 88ef5d152a50cb20413bbae4c16859e9
.reloc 0x10000 0x1000 0x200 5.96 4e6db74b7949ac65c2eb61bab81309f0

( 4 imports )
> KERNEL32.dll: CloseHandle, ExitProcess, ExitThread, FlushFileBuffers, GetACP, GetCommandLineA, GetCommandLineW, GetConsoleOutputCP, GetCurrentDirectoryA, GetCurrentThreadId, GetModuleHandleA, GetOEMCP, GetStartupInfoA, GetVersion, GlobalMemoryStatus, GlobalUnlock, HeapAlloc, HeapCreate, HeapReAlloc, IsDebuggerPresent, IsValidCodePage, LCMapStringA, LeaveCriticalSection, MultiByteToWideChar, PulseEvent, RtlUnwind, SetEndOfFile, SetLastError, SetUnhandledExceptionFilter, TlsSetValue, lstrcmpA, lstrcpynA, lstrlenA
> user32.dll: IntersectRect, OffsetRect, ExitWindowsEx, SendMessageTimeoutA, CheckMenuRadioItem, EnumWindows, EnableMenuItem, DeferWindowPos, PostMessageA
> ole32.dll: CoCreateGuid, CoTaskMemAlloc, CoFileTimeNow, CoCreateInstance
> winmm.dll: joyGetPosEx, joyGetThreshold, sndPlaySoundA, timeGetTime, joyGetNumDevs

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
sigcheck:
publisher....: CyberLink Corp.
copyright....: (c) 2006 CyberLink Corp. All rights reserved.
product......: CyberLink GoldenEye
description..: CyberLink Tzan Library
original name: libTzan.dll
internal name: CLTzan
file version.: 3.5.2704
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

File emoit.exe received on 2010.05.25 03:50:30 (UTC)


Result: 2/40 (5%)


Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 -
AhnLab-V3 2010.05.25.00 2010.05.25 -
AntiVir 8.2.1.242 2010.05.24 -
Antiy-AVL 2.0.3.7 2010.05.24 -
Authentium 5.2.0.5 2010.05.25 -
Avast 4.8.1351.0 2010.05.24 -
Avast5 5.0.332.0 2010.05.24 -
AVG 9.0.0.787 2010.05.24 Downloader.Delf.DXW
BitDefender 7.2 2010.05.25 -
CAT-QuickHeal 10.00 2010.05.24 -
ClamAV 0.96.0.3-git 2010.05.25 -
Comodo 4936 2010.05.25 -
DrWeb 5.0.2.03300 2010.05.25 -
eSafe 7.0.17.0 2010.05.24 -
eTrust-Vet 35.2.7507 2010.05.24 -
F-Prot 4.6.0.103 2010.05.24 -
F-Secure 9.0.15370.0 2010.05.25 -
Fortinet 4.1.133.0 2010.05.23 -
GData 21 2010.05.25 -
Ikarus T3.1.1.84.0 2010.05.25 -
Jiangmin 13.0.900 2010.05.24 -
Kaspersky 7.0.0.125 2010.05.25 -
McAfee 5.400.0.1158 2010.05.25 -
McAfee-GW-Edition 2010.1 2010.05.24 -
Microsoft 1.5802 2010.05.24 -
NOD32 5142 2010.05.24 -
Norman 6.04.12 2010.05.24 -
nProtect 2010-05-24.01 2010.05.24 -
Panda 10.0.2.7 2010.05.24 Suspicious file
PCTools 7.0.3.5 2010.05.25 -
Rising 22.49.01.01 2010.05.25 -
Sophos 4.53.0 2010.05.25 -
Sunbelt 6351 2010.05.25 -
Symantec 20101.1.0.89 2010.05.25 -
TheHacker 6.5.2.0.286 2010.05.24 -
TrendMicro 9.120.0.1004 2010.05.24 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.25 -
VBA32 3.12.12.5 2010.05.22 -
ViRobot 2010.5.20.2326 2010.05.24 -
VirusBuster 5.0.27.0 2010.05.24 -
Additional information
File size: 374272 bytes
MD5...: de86e1680f3e4b935deebd45b0530939
SHA1..: 1da84e7bdcaedafdabcb5f4557d18e54041743f3
SHA256: 346ea374a15d98350ff00401200579d9e341e1695a4135da415976a5a77e548e
ssdeep: 6144:hh4D/UFgkrT/AgWi4e0MedWuBtlOT92A01qVW+9bAAYbzLHA5C:W/UFgc/jWi3cngT9L01q9cAYbzLHAC

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x92b8
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x9e88 0xa000 6.26 28dc6b53d09a81fe3b301d8492c5ec61
DATA 0xb000 0x174 0x200 3.48 b02de232a1f1c2cb5813ce3b6df5c3e9
BSS 0xc000 0x3241 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x10000 0x5a8 0x600 4.47 4c2f3bef0f3f5d0b28581954e29f3c5a
.tls 0x11000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x12000 0x18 0x200 0.21 b3f2f4dc9ac2ac13a4f9f380b99bcf3a
.reloc 0x13000 0xbe0 0xc00 6.71 56da47f4ac4575d84c20e6a59a5c7009
.rsrc 0x14000 0x10 0x200 2.88 89ed230ccbb9e8bed2cf0692654d8633
INFO 0x15000 0x3000 0x2a00 0.03 3566030c910161beadab58892b65d552

( 8 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, MultiByteToWideChar, GetThreadLocale, GetStartupInfoA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
> user32.dll: GetKeyboardType, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> kernel32.dll: Sleep, SetFileAttributesA, SetErrorMode, LoadLibraryExA, LoadLibraryA, GetVolumeInformationA, GetLastError, GetCurrentProcessId, DeleteFileA, CreateFileA, CloseHandle
> user32.dll: LoadCursorA, FindWindowA
> shell32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99

C:\32788R22FWJFW.1.tmp was actually a folder...not sure which file you wanted me to scan?
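
A few things in the report above are worth reading off the headers rather than the detection column: the timedatestamp 0x2a425e19 (June 1992) is the fixed value Delphi linkers write, so it says nothing about when the file was built and is why TrID offers "Delphi generic"; the entry point 0x92b8 falls inside CODE (0x1000 to 0xae88), which is normal; and the CODE and .reloc entropies around 6 to 6.7 bits per byte are ordinary compiled code, well below the ~7 that packed or encrypted sections show. The script below is an added example for this thread, not VirusTotal's or any vendor's code: it parses the DOS, COFF and section headers of a PE file, reproduces the per-section entropy and MD5 columns of the report, and prints those three checks. It does not parse the import table. The PE image it runs on is constructed in `build_sample_pe()` so that it works offline; the Delphi stamp constant and the 7.0 entropy threshold are stated assumptions.

```python
"""PE section triage in the style of the PEInfo block above: per-section
entropy and MD5, the linker timestamp, and where the entry point lands.
Added example for this thread; not VirusTotal's or any vendor's code.
Only the DOS/COFF/section headers are parsed; imports are not."""
import hashlib
import math
import struct
from collections import Counter

# Fixed TimeDateStamp written by Delphi linkers (decodes to 1992-06-19), so a
# 1992 build date is a toolchain artifact, not the real age of the file.
DELPHI_TIMESTAMP = 0x2A425E19
PACKED_ENTROPY = 7.0  # bits per byte; at or above this a section is likely packed/encrypted (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for an empty section."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    # AddressOfEntryPoint is 16 bytes into the optional header for both PE32 and PE32+.
    (entry,) = struct.unpack_from("<I", pe, coff + 20 + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        name, virsiz, viradd, rawsiz, rawptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[rawptr:rawptr + rawsiz] if rawsiz else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": viradd, "virsiz": virsiz, "rawsiz": rawsiz,
            "entropy": shannon_entropy(raw),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {"machine": machine, "timestamp": stamp, "entrypoint": entry, "sections": sections}


def triage(info: dict) -> list:
    """Red flags a reviewer would pull out of the parsed headers."""
    flags = []
    if info["timestamp"] == DELPHI_TIMESTAMP:
        flags.append("timestamp 0x%08x is the fixed Delphi linker stamp; build date is meaningless"
                     % info["timestamp"])
    ep = info["entrypoint"]
    home = [s for s in info["sections"]
            if s["viradd"] <= ep < s["viradd"] + max(s["virsiz"], s["rawsiz"])]
    if not home:
        flags.append("entry point 0x%x lies outside every section" % ep)
    elif home[0]["name"] not in ("CODE", ".text"):
        flags.append("entry point 0x%x lies in %s, not a code section" % (ep, home[0]["name"]))
    for s in info["sections"]:
        if s["entropy"] >= PACKED_ENTROPY:
            flags.append("section %s entropy %.2f suggests packing or encryption"
                         % (s["name"], s["entropy"]))
    return flags


def build_sample_pe() -> bytes:
    """Constructed three-section PE32 image so the script runs offline (not a real binary)."""
    code_raw = bytes(range(64))  # 64 distinct byte values -> entropy exactly 6.0
    data_raw = b"\0" * 32        # all zeros -> entropy 0.0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, DELPHI_TIMESTAMP, 0, 0, 24, 0x102)
    # 24-byte optional header stub: magic, linker version, sizes, AddressOfEntryPoint, BaseOfCode
    opt = struct.pack("<HBBIIIII", 0x10B, 2, 25, len(code_raw), len(data_raw), 0, 0x1000, 0x1000)

    def sect(name, virsiz, viradd, rawsiz, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, virsiz, viradd, rawsiz, rawptr, 0, 0, 0, 0, chars)

    code_off = len(dos) + len(coff) + len(opt) + 3 * 40
    data_off = code_off + len(code_raw)
    table = (sect(b"CODE", len(code_raw), 0x1000, len(code_raw), code_off, 0x60000020)
             + sect(b"DATA", len(data_raw), 0x2000, len(data_raw), data_off, 0xC0000040)
             + sect(b"BSS", 0x3241, 0x3000, 0, 0, 0xC0000080))  # uninitialised, no raw bytes
    return dos + coff + opt + table + code_raw + data_raw


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("timestamp 0x%08x  entrypoint 0x%x" % (info["timestamp"], info["entrypoint"]))
    print("%-8s %8s %8s %8s %6s %s" % ("name", "viradd", "virsiz", "rawsiz", "ntrpy", "md5"))
    for s in info["sections"]:
        print("%-8s %8x %8x %8x %6.2f %s"
              % (s["name"], s["viradd"], s["virsiz"], s["rawsiz"], s["entropy"], s["md5"]))
    for flag in triage(info):
        print("!", flag)
```

To run it on a real file replace `build_sample_pe()` with `open(path, "rb").read()`; a section with no raw bytes (BSS, .tls) hashes to the empty-input MD5 d41d8cd98f00b204e9800998ecf8427e, exactly as in the report above.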

ken545
2010-05-25, 11:20
Hi,

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:dir
xxxxxxxxxxx

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

sisik
2010-05-25, 14:57
I hope it's good news. Thanks so much!

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:56 on 25/05/2010 by sisi (Administrator - Elevation successful)

========== dir ==========

Edit: Content removed.

ken545
2010-05-25, 15:19
Hi,

I need to have someone else take a peek at that file, it looks ok but really not sure.

These have to go


Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop.
Double click the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/OTMdesktopicon.png icon on your desktop.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area.
Do not include the word "Code".


:Processes
explorer.exe

:Files
c:\windows\iwcdc8684.exe
c:\windows\system32\emoit.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[reboot]

Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/results.png line here in your next reply.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

ken545
2010-05-26, 03:31
Still looking into that file

ken545
2010-05-26, 11:07
That file should be removed

C:\32788R22FWJFW.1.tmp <--Just right click on it and delete it

sisik
2010-05-26, 15:51
Hi brilliant boy. I am so grateful for all your help! Here is the log you asked for:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
c:\windows\iwcdc8684.exe moved successfully.
c:\windows\system32\emoit.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: sisi
->Temp folder emptied: 797250 bytes
->Temporary Internet Files folder emptied: 660569988 bytes
->Java cache emptied: 100604849 bytes
->FireFox cache emptied: 77004970 bytes
->Apple Safari cache emptied: 103525 bytes
->Flash cache emptied: 701758 bytes

%systemdrive% .tmp files removed: 4433780 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 111293 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 9162293 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 12876370 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 826.00 mb


OTM by OldTimer - Version 3.1.12.0 log created on 05262010_222844

Files moved on Reboot...
File C:\Users\sisi\AppData\Local\Temp\~DF7547.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF754C.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF7592.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF7597.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF75BD.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF75C2.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF75E7.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF75EC.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF7611.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF7616.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF763B.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF7641.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF7666.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF766B.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF7690.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF7695.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF76B9.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF76BE.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF76E3.tmp not found!
File C:\Users\sisi\AppData\Local\Temp\~DF76E8.tmp not found!
C:\Users\sisi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ALWKDRMS\showthread[1].htm moved successfully.
C:\Users\sisi\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File move failed. C:\Windows\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...

sisik
2010-05-26, 15:53
P.S. That "C:\32788R22FWJFW.1.tmp" folder isn't there anymore, though there is a "C:\32788R22FWJFW" folder...do I need to delete that?

ken545
2010-05-26, 15:58
Yes, long story, you can just delete it:
C:\32788R22FWJFW

How are things running now ?

sisik
2010-05-27, 02:27
So much better thanks! I don't remember when my laptop used to run as fast as it does now! And no more crazy pop-up ads! Love your work :)

ken545
2010-05-27, 03:14
Great :bigthumb:




ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.





Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.






How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

sisik
2010-05-27, 12:50
You are awesome, thanks!

I actually just ran a Spybot Search & Destroy scan and it came up with this:

Fraud.Sysguard: [SBI $1D5B98D0] User settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes

Fraud.Sysguard: [SBI $1D5B98D0] User settings (Registry value, fixing failed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes

Fraud.Sysguard: [SBI $F3B45CE7] Settings (Registry key, fixed)
HKEY_USERS\.DEFAULT\Software\avsoft

Fraud.Sysguard: [SBI $F3B45CE7] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-18\Software\avsoft

Fraud.Sysguard: [SBI $F4F42B59] Settings (Registry key, fixed)
HKEY_USERS\.DEFAULT\Software\avsuite

Fraud.Sysguard: [SBI $F4F42B59] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-18\Software\avsuite

MediaPlex: Tracking cookie (Internet Explorer: sisi) (Cookie, fixed)


DoubleClick: Tracking cookie (Internet Explorer: sisi) (Cookie, fixed)


MediaPlex: Tracking cookie (Internet Explorer: sisi) (Cookie, fixed)


Right Media: Tracking cookie (Internet Explorer: sisi) (Cookie, fixed)


Statcounter: Tracking cookie (Internet Explorer: sisi) (Cookie, fixed)


WebTrends live: Tracking cookie (Firefox: sisi (default)) (Cookie, fixed)


Tradedoubler: Tracking cookie (Firefox: sisi (default)) (Cookie, fixed)


Tradedoubler: Tracking cookie (Firefox: sisi (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: sisi (default)) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: sisi (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: sisi (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: sisi (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: sisi (default)) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-05-27 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-02-17 Includes\Adware.sbi (*)
2010-05-25 Includes\AdwareC.sbi (*)
2010-01-26 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-05-25 Includes\DialerC.sbi (*)
2010-01-26 Includes\HeavyDuty.sbi (*)
2009-05-27 Includes\Hijackers.sbi (*)
2010-05-25 Includes\HijackersC.sbi (*)
2010-01-20 Includes\Keyloggers.sbi (*)
2010-05-25 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-05-25 Includes\Malware.sbi (*)
2010-05-25 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-05-18 Includes\PUPSC.sbi (*)
2010-01-26 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-05-25 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-03-02 Includes\Spyware.sbi (*)
2010-05-25 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-05-26 Includes\Trojans.sbi (*)
2010-05-25 Includes\TrojansC-02.sbi (*)
2010-05-25 Includes\TrojansC-03.sbi (*)
2010-05-25 Includes\TrojansC-04.sbi (*)
2010-05-25 Includes\TrojansC-05.sbi (*)
2010-05-25 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

One of the registry values couldn't be fixed or something?
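
The pair of LowRiskFileTypes results above, one "fixed" and one "fixing failed", is the pattern a scanner produces when it walks HKEY_USERS and meets the same hive twice: HKEY_USERS\.DEFAULT is the LocalSystem (S-1-5-18) profile hive, so once the value has been deleted through the first path the second attempt finds nothing left to remove. The value itself is the interesting part: LowRiskFileTypes under Policies\Associations is the Attachment Manager's "low risk" inclusion list, and a rogue antivirus that plants it there switches off the open-file security warning for every extension it lists. The parser below is an added example, not part of this thread and not Spybot's own code: it reads Spybot result lines, canonicalises the hive alias, merges the two outcomes per key and lists what is still unfixed. The sample text is copied from the post above; the alias table and the merge rule (one "fixed" for a canonical key means it is gone) are stated assumptions.

```python
"""Parse Spybot S&D result lines, collapse HKEY_USERS\\.DEFAULT onto the
HKEY_USERS\\S-1-5-18 hive it aliases, and report per canonical key whether
the fix succeeded. Added example; not part of the thread or of Spybot."""
import re

# Assumption: HKU\.DEFAULT is the LocalSystem (S-1-5-18) profile hive, so a
# scanner walking HKEY_USERS sees the same key under both names.
HIVE_ALIASES = {"HKEY_USERS\\.DEFAULT": "HKEY_USERS\\S-1-5-18"}

REG_LINE = re.compile(
    r"^(?P<family>[^:]+): \[SBI \$(?P<sbi>[0-9A-F]{8})\] (?P<what>.+?) "
    r"\((?P<kind>Registry (?:key|value)), (?P<status>[^)]+)\)$")
COOKIE_LINE = re.compile(
    r"^(?P<family>[^:]+): Tracking cookie \((?P<browser>.+)\) \(Cookie, (?P<status>[^)]+)\)$")

# Constructed sample: a subset of the result lines posted above.
SAMPLE = r"""Fraud.Sysguard: [SBI $1D5B98D0] User settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes

Fraud.Sysguard: [SBI $1D5B98D0] User settings (Registry value, fixing failed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes

Fraud.Sysguard: [SBI $F3B45CE7] Settings (Registry key, fixed)
HKEY_USERS\.DEFAULT\Software\avsoft

Fraud.Sysguard: [SBI $F3B45CE7] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-18\Software\avsoft

MediaPlex: Tracking cookie (Internet Explorer: sisi) (Cookie, fixed)

WebTrends live: Tracking cookie (Firefox: sisi (default)) (Cookie, fixed)
"""


def canonical_path(path: str) -> str:
    """Rewrite an aliased hive prefix to the hive it really is."""
    for alias, real in HIVE_ALIASES.items():
        if path.upper().startswith(alias.upper()):
            return real + path[len(alias):]
    return path


def parse_spybot(text: str) -> list:
    """Return one dict per finding; registry findings carry the path from the next line."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings, i = [], 0
    while i < len(lines):
        m = REG_LINE.match(lines[i])
        if m:
            j = i + 1
            while j < len(lines) and not lines[j]:   # path is on the next non-empty line
                j += 1
            path = lines[j] if j < len(lines) else ""
            findings.append({"family": m["family"], "sbi": m["sbi"], "kind": m["kind"],
                             "status": m["status"], "path": path,
                             "canonical": canonical_path(path)})
            i = j + 1
            continue
        m = COOKIE_LINE.match(lines[i])
        if m:
            findings.append({"family": m["family"], "sbi": None, "kind": "Cookie",
                             "status": m["status"], "path": m["browser"],
                             "canonical": m["browser"]})
        i += 1
    return findings


def registry_outcome(findings: list) -> dict:
    """Merge alias duplicates: a single 'fixed' result for a canonical key means it is gone."""
    outcome = {}
    for f in findings:
        if f["kind"] == "Cookie":
            continue
        key = f["canonical"]
        if f["status"] == "fixed" or key not in outcome:
            outcome[key] = f["status"]
    return outcome


def still_present(findings: list) -> list:
    """Canonical registry entries with no successful fix; these need a rescan after reboot."""
    return sorted(k for k, v in registry_outcome(findings).items() if v != "fixed")


if __name__ == "__main__":
    found = parse_spybot(SAMPLE)
    for key, status in registry_outcome(found).items():
        print("%-14s %s" % (status, key))
    print("cookies:", sum(1 for f in found if f["kind"] == "Cookie"))
    print("still present:", still_present(found))
```

Feed the full Spybot report to `parse_spybot()` and `still_present()` gives the list worth checking by hand after the reboot; an empty list means every "fixing failed" line was a second view of a key already removed.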

ken545
2010-05-27, 14:25
Reboot and run it again. Looks like just some leftover registry entries plus some tracking cookies.

sisik
2010-05-31, 23:13
Just did another scan and all is fine :) thanks so much for all your help Ken, you have been amazing! All the best in your endeavours :D:thanks:

ken545
2010-06-01, 00:04
You're very welcome,

ken :)