
Thread: Please Help - Firefox is being redirected and Safe Mode is not working

  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Please Help - Firefox is being redirected and Safe Mode is not working

    Hello all,

    I've unfortunately encountered a redirect/hijack program that I can't seem to get rid of. In the past I've been able to take care of any problems with the use of Spybot and MBAM. However, when I try to boot into safe mode, it stops at the mup.sys driver and I get a BSOD with only a dash and a question mark before the computer restarts (it looks like a sideways "L" followed immediately by a question mark).

    I'll try to give as much useful information as possible:

    Initially a bogus antivirus program downloaded itself and changed my desktop background to an alert (green background with a black box in the middle saying I was infected). The program also placed an icon in the taskbar (red circle with an "X") and would send constant popup warnings. I've encountered similar programs before and have had success removing them, so I didn't pay it much attention. I scanned my system and removed infections, but the problems continued. I was able to change my Desktop background image back, but I noticed that the "Folder Options" folder was missing from the Control Panel (just an empty space between the two adjacent folders) and that system restore was disabled. Also, the System Restore Tab was completely removed from System Properties. I was able to get the System Restore enabled after another scan, but all my restore points have seemingly been lost.

    Now, any web searches I do are slow (as well as jerky cursor movement) and any link I click on redirects me to some random site, usually asking me to take a survey. Most of the time, the icon in the tab on my browser (Firefox 3) looks like a number 2. I ran MBAM and Spybot and they found several infections which they removed, and a subsequent search found a few more. The last time MBAM found any infections, when it tried to restart and complete the removal on reboot, is from and I got an error window saying that it had to close unexpectedly. My last few scans have revealed no infections but my web browsing is still being redirected.

    Also, not sure if it's useful, but some of the icons on my desktop look a little funny, and have a black outline that looks slightly jagged, like you traced the outline in a Paint or a similar drawing application. Hmmm.

    I'd also like to point out that I already have a few anti-virus and malware removal programs on my computer, but have noticed people suggesting to download and rename programs (I guess to avoid detection). If this is the case, and I should install fresh versions, please let me know.

    I appreciate any help that would be available. Thanks.


    Hijack This Log:



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:49:28, on 1/4/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\Lenovo\Rescue and Recovery\launcheg.exe
    C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
    C:\Program Files\Common Files\Lenovo\InvAgent\ia.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\UnHackMe\hackmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\SteepAndCheap\Desktop Alert\SAC-Desktop-Alert.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\UnHackMe\UnHackMe.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
    O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
    O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: SAC-Desktop-Alert.lnk = C:\Program Files\SteepAndCheap\Desktop Alert\SAC-Desktop-Alert.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
    O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

    --
    End of file - 13876 bytes


    -Corey
    Lenovo T61
    Windows XP Pro
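A way to mechanise the first pass an analyst makes over a log like the one above, as an added example (it is not HijackThis, ComboFix or anything posted in this thread). The review rules and the list of core XP processes are my assumptions; the sample lines are copied from the log in the post.

```python
"""Triage pass over a HijackThis 2.x log (added example; not HijackThis, ComboFix
or anything posted in this thread).  It parses the "Running processes:" list and
the coded entry lines (R0/R1/O2/O4/O20/O23 ...) and applies checks an analyst
makes by eye: load points whose file is missing, services with no identifiable
owner, Winlogon Notify DLLs, autostarts given as a bare file name, and running
executables that no visible autostart accounts for.  CORE_PROCESSES is an
assumption about a stock Windows XP install, not something the log states."""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# Full path such as C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL (8.3 names included)
DRIVE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]+?\.(?:exe|dll|sys|bat))', re.I)
# Bare file name with no directory, e.g. "TpShocks.exe" or "ACNotify.dll"
BARE_FILE_RE = re.compile(r"\b([\w~.-]+\.(?:exe|dll|sys))\b", re.I)
# Processes a stock XP box runs with no Run-key entry behind them (assumed list).
CORE_PROCESSES = {"system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe"}

@dataclass
class Entry:
    code: str   # section code such as "O4" or "O23"
    body: str   # text after the "O4 - " prefix
    path: str   # executable/DLL the entry points at, "" if none was found

def basename(path):
    """Case-folded file name, so C:\\PROGRA~1\\X.EXE and x.exe compare equal."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_log(text):
    """Return (running_processes, entries) from raw HijackThis log text."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # the process list ends at the first blank line
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            hit = DRIVE_PATH_RE.search(m.group(2)) or BARE_FILE_RE.search(m.group(2))
            entries.append(Entry(m.group(1), m.group(2), hit.group(1) if hit else ""))
    return processes, entries

def review_entry(e):
    """Reasons an analyst would look twice at this entry (empty list = nothing)."""
    reasons, low = [], e.body.lower()
    if "(file missing)" in low:
        reasons.append("file missing: dangling load point, or a file hidden from the scanner")
    if e.code == "O23" and "unknown owner" in low:
        reasons.append("service with no identifiable vendor")
    if e.code == "O20":
        reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at logon")
    if e.code == "O4" and e.path and not DRIVE_PATH_RE.match(e.path):
        reasons.append("autostart by bare file name: resolved through the search path")
    return reasons

def unexplained_processes(processes, entries):
    """Running images that no autostart/service entry names.  rundll32.exe counts
    as explained when some entry launches a DLL through it."""
    explained = {basename(e.path) for e in entries if e.path}
    if any(re.search(r"\brundll32\b", e.body, re.I) for e in entries):
        explained.add("rundll32.exe")
    return [p for p in processes
            if basename(p) not in explained and basename(p) not in CORE_PROCESSES]

def triage(text):
    """Parse a log and return the flagged entries plus unexplained processes."""
    processes, entries = parse_log(text)
    flagged = []
    for e in entries:
        reasons = review_entry(e)
        if reasons:
            flagged.append((e.code, e.body, reasons))
    return {"flagged": flagged, "unexplained": unexplained_processes(processes, entries)}

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\SteepAndCheap\Desktop Alert\SAC-Desktop-Alert.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - Global Startup: SAC-Desktop-Alert.lnk = C:\Program Files\SteepAndCheap\Desktop Alert\SAC-Desktop-Alert.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The flags are a reading order for the analyst, not a verdict: a vendor-less service or a missing Notify DLL still has to be checked against what the vendor actually installs before anything is removed.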

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi,

    Your log is a few days old, if you still need help simply reply to my post.
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Posts
    6


    Yes, I would certainly appreciate any assistance. Here's where I am at: I ran through a gamut of malware removal tools and nothing helped. Research I did online led me to believe that I was a victim of a TDSS infection (browser hijack, system restore and safe mode disabled). I ran TDSSKiller and it found 3 infections, one of which it couldn't remove and would recreate the other two on restart.

    I was getting desperate and so I ran ComboFix (despite warnings to only use it under supervision). I just let it run as defaulted, and it found and removed an infection at atapi.sys if I remember correctly. Afterward, TDSSKiller came back clean and my browsing seems fine and safe mode works again. I did have to do some Lenovo updates as I think ComboFix removed some functions but everything is appearing normal.

    It would be helpful to have someone to look at the logs and offer any post cleanup advice. I don't necessarily trust my computer yet and there are those who would say reformat is the best option. I'm trying to learn more about this stuff so I don't have to overwhelm forums every time I have a problem, but I would certainly appreciate some help from somebody with more experience.

    Thank you,

    -Corey

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    I was going to suggest running ComboFix. You had a rootkit. A pretty new variation of the TDSS rootkit. ComboFix seems to have taken care of it.
    A reformat/reinstall is good advice.
    Here are two older MS articles that still apply:

    http://technet.microsoft.com/en-us/l.../cc512587.aspx
    http://technet.microsoft.com/en-us/l.../cc512642.aspx

    You can post the Combofix log located at C:/combofix
    How Can I Reduce My Risk?

  5. #5
    Junior Member
    Join Date
    Jan 2010
    Posts
    6


    I've attached the Combofix log. Interesting articles you suggested. So basically, even though the original symptoms that were being caused by the Rootkit are gone, there could potentially be other vulnerabilities that it left without any indication of them being there.

    I don't necessarily mind a reformat (it would be a hassle, but I think my computer would probably benefit from it ultimately) though I am unsure how to proceed. The ThinkPad I have didn't come with XP disks but has an area of the hard drive partitioned for that purpose. The options allow me to either replace the OS without affecting any of the personal documents that are on the computer, or to restore the computer to its factory state. I assume with the latter I would need to back everything up on data discs and carefully screen files as I reintroduce them onto the reformatted computer.

    Sorry if this doesn't make sense, I just woke up. Any suggestions?

    Thanks again for the help,

    -Corey

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    pasted in log:

    ComboFix 10-01-04.01 - User 01/06/2010 14:52:27.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2030.1554 [GMT -8:00]
    Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\User\Application Data\SystemProc
    c:\recycler\S-1-5-21-0415444029-9557523060-575793227-1842
    c:\recycler\S-1-5-21-2103967480-3013173219-068918687-9932
    c:\recycler\S-1-5-21-2921848518-3340446600-879474960-500
    c:\recycler\S-1-5-21-4848716352-6695824852-352608772-2732
    c:\recycler\S-1-5-21-5522347633-2890938995-802165362-5511
    c:\recycler\S-1-5-21-5559065472-4181881334-907679494-3691
    c:\recycler\S-1-5-21-6214390846-4508696248-817465003-8409
    c:\recycler\S-1-5-21-6353197008-8191531982-869909309-9236
    c:\recycler\S-1-5-21-6598836512-2908719922-515404246-0091
    c:\windows\nvDrv.sy
    c:\windows\system32\dumphive.exe
    c:\windows\system32\Process.exe
    c:\windows\system32\psqlpwd.dll
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\Thumbs.db
    c:\windows\system32\tmp.reg
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\WS2Fix.exe

    Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SSHNAS


    ((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
    .

    2010-01-06 08:48 . 2010-01-06 08:48 -------- d-----w- C:\e0879e7a0d8c9bc9e6
    2010-01-06 08:48 . 2010-01-06 08:48 -------- d-----w- C:\94889b3037a72032ca03ac0b99
    2010-01-06 05:53 . 2010-01-06 05:52 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-06 05:09 . 2010-01-06 05:09 -------- d-----w- c:\documents and settings\User\DoctorWeb
    2010-01-05 09:47 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
    2010-01-05 06:39 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-01-05 06:39 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-01-05 06:39 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-01-05 06:39 . 2010-01-05 06:39 -------- d-----w- c:\program files\Avira
    2010-01-05 05:57 . 2010-01-05 05:57 -------- d-----w- c:\program files\FileASSASSIN
    2010-01-05 05:40 . 2010-01-05 06:27 -------- d-----w- c:\program files\RegCleaner
    2010-01-05 03:49 . 2010-01-05 03:49 -------- d-----w- c:\program files\CCleaner
    2010-01-05 03:30 . 2010-01-05 03:30 -------- d-----w- c:\program files\Add Remove Pro
    2010-01-05 03:11 . 2010-01-05 03:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-01-05 02:58 . 2010-01-05 02:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-01-05 02:55 . 2003-06-26 00:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
    2010-01-05 01:54 . 2010-01-05 01:54 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
    2010-01-05 01:54 . 2010-01-05 01:54 32480 ----a-w- c:\windows\system32\Partizan.exe
    2010-01-04 08:48 . 2010-01-04 08:48 -------- d-----w- c:\program files\Trend Micro
    2010-01-03 17:55 . 2010-01-03 17:55 -------- d-----w- c:\program files\Sophos
    2010-01-03 17:42 . 2010-01-03 17:42 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
    2010-01-03 07:11 . 2010-01-03 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-01-03 07:11 . 2010-01-03 07:11 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-03 04:49 . 2010-01-03 04:49 -------- d-----w- c:\windows\RestoreSafeDeleted
    2010-01-03 00:44 . 2010-01-03 00:44 -------- d-sh--w- c:\documents and settings\User\.COMMgr
    2010-01-02 20:12 . 2010-01-02 20:16 -------- d-----w- c:\documents and settings\User\Application Data\FMZilla
    2010-01-02 19:55 . 2010-01-02 20:16 -------- d-----w- c:\program files\Free Music Zilla
    2009-12-26 23:46 . 2009-12-26 23:46 -------- d-----w- c:\documents and settings\User\Application Data\Moyea
    2009-12-26 23:45 . 2009-12-26 23:45 -------- d-----w- c:\program files\Moyea
    2009-12-26 21:38 . 2009-12-26 21:38 -------- d-----w- c:\program files\Common Files\Solveig Multimedia
    2009-12-26 20:35 . 2009-12-26 20:35 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-12-26 20:34 . 2010-01-05 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2009-12-26 19:39 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-12-26 19:38 . 2009-12-26 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira(2)
    2009-12-26 19:13 . 2009-12-26 19:13 -------- d-----w- c:\program files\Solveig Multimedia
    2009-12-22 19:27 . 2009-08-11 00:53 53248 ----a-w- c:\windows\system32\CSVer.dll
    2009-12-22 19:26 . 2009-12-22 19:26 -------- d-----w- C:\Intel
    2009-12-22 19:20 . 2009-09-15 20:34 5977216 ----a-w- c:\windows\system32\drivers\NETw5x32.sys
    2009-12-22 19:20 . 2009-09-15 20:19 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
    2009-12-22 19:20 . 2009-09-15 20:18 675840 ----a-w- c:\windows\system32\NETw5c32.dll
    2009-12-22 19:20 . 2009-12-22 19:27 -------- d-----w- c:\program files\Intel
    2009-12-22 19:20 . 2009-12-22 19:20 -------- d-----w- c:\program files\Common Files\Intel
    2009-12-18 06:03 . 2009-12-18 06:03 -------- d-----w- c:\program files\RAR Password Recovery Magic
    2009-12-14 18:58 . 2009-12-14 18:58 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Jaksta_LLC
    2009-12-14 18:57 . 2009-12-14 18:57 -------- d-----w- c:\program files\Jaksta
    2009-12-14 18:53 . 2009-12-14 18:53 -------- d-----w- c:\program files\Replay Video Capture
    2009-12-14 18:53 . 2009-12-14 18:53 -------- d-----w- c:\windows\Replay Video Capture
    2009-12-11 06:00 . 2010-01-02 19:51 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2009-12-11 06:00 . 2010-01-02 19:51 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2009-12-11 05:44 . 2010-01-02 19:51 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-06 05:52 . 2008-09-29 15:10 -------- d-----w- c:\program files\Java
    2010-01-04 21:35 . 2006-04-30 06:45 277784 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2010-01-03 09:45 . 2008-11-11 03:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-03 07:11 . 2008-11-11 05:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-03 05:23 . 2009-10-06 16:50 -------- d-----w- c:\program files\UnHackMe
    2010-01-03 03:35 . 2008-11-16 17:29 -------- d-----w- c:\program files\Azureus
    2010-01-03 03:34 . 2008-11-16 17:29 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
    2010-01-03 01:08 . 2008-11-12 06:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-02 20:10 . 2008-12-13 08:32 -------- d-----w- c:\program files\Replay Media Catcher
    2009-12-30 22:55 . 2008-11-12 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-30 22:54 . 2008-11-12 18:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-28 06:08 . 2009-08-22 23:41 -------- d-----w- c:\program files\Avidemux 2.5
    2009-12-22 19:21 . 2009-12-02 18:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
    2009-12-22 19:21 . 2009-12-02 18:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
    2009-12-22 19:21 . 2008-12-22 19:15 -------- d-----w- c:\documents and settings\User\Application Data\Intel
    2009-12-22 19:21 . 2008-12-22 19:15 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
    2009-12-22 19:20 . 2008-12-22 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
    2009-12-21 23:41 . 2008-12-24 10:47 -------- d-----w- c:\program files\McAfee
    2009-12-18 18:39 . 2009-10-28 16:51 52480 ----a-w- c:\windows\system32\nvModes.dat
    2009-12-16 03:10 . 2009-07-04 21:03 -------- d-----w- c:\program files\Replay Converter
    2009-12-07 18:37 . 2009-12-07 18:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2009-12-04 08:14 . 2008-11-10 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-11-30 03:01 . 2008-12-24 18:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2009-11-15 00:41 . 2009-11-15 00:41 -------- d-----w- c:\program files\Bulk Rename Utility
    2009-11-01 10:23 . 2008-10-04 01:03 29720 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-29 05:04 . 2006-04-30 06:56 668672 ----a-w- c:\windows\system32\wininet.dll
    2009-10-21 06:00 . 2006-04-30 06:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 06:00 . 2006-04-30 06:55 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 14:58 . 2004-08-03 23:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-13 10:53 . 2006-04-30 06:55 266752 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:54 . 2006-04-30 06:55 69632 ----a-w- c:\windows\system32\raschap.dll
    2009-10-12 13:54 . 2006-04-30 06:55 112128 ----a-w- c:\windows\system32\rastls.dll
    2009-10-06 16:51 . 2009-10-06 16:51 2 --shatr- c:\windows\winstart.bat
    2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-17 2002160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-06 122880]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 524288]
    "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-17 200704]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-17 208896]
    "TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
    "TpShocks"="TpShocks.exe" [2007-03-30 181808]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13549568]
    "nwiz"="nwiz.exe" [2009-01-15 1630208]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
    "LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
    "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
    "cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-01-31 2618944]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-25 1036288]
    "Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-06 149280]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-22 50688]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0Partizan\0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    backup=c:\windows\pss\Bluetooth.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SAC-Desktop-Alert.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SAC-Desktop-Alert.lnk
    backup=c:\windows\pss\SAC-Desktop-Alert.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
    path=c:\documents and settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
    backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
    2009-03-07 01:29 458752 ----a-w- c:\program files\ThinkVantage\AMSG\Amsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
    2006-05-18 23:24 196696 ------w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-06-05 20:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2009-01-15 00:37 86016 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    2008-11-02 08:38 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 04:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Azureus\\Azureus.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\hp_CLJ2600_Full_Solution\\SETUP.EXE"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 4:47 PM 19760]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/4/2010 10:39 PM 108289]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/24/2008 2:48 AM 93320]
    R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/14/2007 9:10 PM 11152]
    R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 12:11 PM 569344]
    R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [7/7/2009 1:27 AM 40576]
    R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [7/3/2009 8:08 PM 17408]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
    R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [9/13/2006 11:42 AM 35264]
    S0 mndttgzj;mndttgzj; [x]
    S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [1/4/2010 5:54 PM 34760]
    S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [7/6/2009 3:15 PM 12672]
    S3 JakNDisMP;JakNDisMP;c:\windows\system32\DRIVERS\JakNDis.sys --> c:\windows\system32\DRIVERS\JakNDis.sys [?]
    S3 NDISKIO;NDISKIO;\??\c:\docume~1\User\LOCALS~1\Temp\000009b9.nmc\nse\bin\ndiskio.sys --> c:\docume~1\User\LOCALS~1\Temp\000009b9.nmc\nse\bin\ndiskio.sys [?]
    S3 nsak;nsak;\??\c:\docume~1\User\LOCALS~1\Temp\000001bd.nmc\nse\bin\nsak.sys --> c:\docume~1\User\LOCALS~1\Temp\000001bd.nmc\nse\bin\nsak.sys [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - UnHackMeDrv
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

    2010-01-06 c:\windows\Tasks\PMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-09-29 16:16]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://lenovo.live.com
    uInternet Settings,ProxyOverride = *.local
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\13kdrefo.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-ACNotify - ACNotify.dll
    Notify-psfus - c:\windows\system32\psqlpwd.dll
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-06 15:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1796)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
    c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
    c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
    c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

    - - - - - - - > 'explorer.exe'(3112)
    c:\windows\system32\nview.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    c:\program files\Intel\WiFi\bin\S24EvMon.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\windows\system32\IPSSVC.EXE
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    c:\windows\System32\TPHDEXLG.exe
    c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
    c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
    c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    c:\program files\Common Files\Lenovo\Logger\logmon.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\lenovo\system update\suservice.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\TpShocks.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-06 15:12:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-06 23:12

    Pre-Run: 27,695,886,336 bytes free
    Post-Run: 27,690,876,928 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - FB693DBD997D36133A055C4A7320CD75
    How Can I Reduce My Risk?

  7. #7
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    there could potentially be other vulnerabilities that it left without any indication of them being there.
    Yes, it's possible. Removal tools lag behind the malware.

    See if you can locate this file:
    c:\windows\winstart.bat
    Rename it to .txt, then open it in Notepad and post its content.
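The helper picked winstart.bat out of the ComboFix log above because of its attribute field (`--shatr-`: system and hidden set on a 2-byte file in c:\windows). As an added example that is not part of this thread or of ComboFix, here is a small Python parser for the "Files Created Or Modified" lines of that log which flags entries with that combination, tiny files, and hidden DLLs; the meaning of the attribute letters is assumed (s=system, h=hidden, a=archive, t=temporary, r=read-only, w=writable), and the sample lines are copied from the log above.

```python
import re

# A ComboFix "Files Created Or Modified" entry: <modified> . <created> <size> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

def parse_entry(line):
    """Parse one log line into a dict, or return None if it is not a file entry.
    Attribute letters are assumed to mean: s=system, h=hidden, a=archive,
    t=temporary, r=read-only, w=writable; '-' marks an unset flag."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"mtime": m["mtime"], "ctime": m["ctime"], "size": int(m["size"]),
            "flags": set(m["attrs"]) - {"-"}, "path": m["path"]}

def triage(lines, tiny=16):
    """Return [(path, [reasons])] for entries worth a closer look:
    system+hidden set together (what the helper noticed on winstart.bat),
    files of at most `tiny` bytes, and hidden DLLs."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if {"s", "h"} <= e["flags"]:
            reasons.append("system+hidden")
        if e["size"] <= tiny:
            reasons.append(f"tiny ({e['size']} bytes)")
        if "h" in e["flags"] and e["path"].lower().endswith(".dll"):
            reasons.append("hidden dll")
        if reasons:
            findings.append((e["path"], reasons))
    return findings

# Sample input: three lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
2009-10-29 05:04 . 2006-04-30 06:56 668672 ----a-w- c:\windows\system32\wininet.dll
2009-10-06 16:51 . 2009-10-06 16:51 2 --shatr- c:\windows\winstart.bat
2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
"""

if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG.splitlines()):
        print(f"{path}: {', '.join(why)}")
```

Paste the whole "Files Created Or Modified" section into the script's input and only the flagged paths come back, which is the same short list a helper reads off the log by eye.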

  8. #8
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Default

    Did as you asked, but when I opened it with Notepad it was absolutely empty. (?)

    Should I rename back to a .bat file?

  9. #9
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    Should I rename back to a .bat file?
    You can delete it. Do an online scan for good measure:

    ESET online scanner:

    http://www.eset.com/onlinescan/

    Uses Internet Explorer only.

    Check "YES" to accept the terms.

    Click the start button.

    Allow the ActiveX component to install.

    Click the start button. The scanner will update.

    Check both "Remove found threats" and "Scan unwanted applications".

    Click scan.

    When done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt

    Please copy/paste that log in your next reply.

  10. #10
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Default

    Here is the Eset Log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    esets_scanner_update returned -1 esets_gle=0
    # version=7
    # iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=76b5112863ae3943b18431875da5e68a
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-01-08 11:15:32
    # local_time=2010-01-08 03:15:32 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775125 100 94 0 35531847 0 0
    # compatibility_mode=3073 16777213 80 89 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 0 13 0 0 0 0
    # scanned=0
    # found=0
    # cleaned=0
    # scan_time=0
