
Author Topic: Think Point Virus  (Read 19976 times)


SuperDave

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Think Point Virus
« Reply #30 on: November 06, 2010, 01:14:53 PM »
I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Windows 8 and Windows 10 dual boot with two SSD's

darts44

    Topic Starter


    Beginner

    Thanked: 1
    Re: Think Point Virus
    « Reply #31 on: November 06, 2010, 10:47:04 PM »
    Hi Dave,
    After a few attempts, I finally succeeded in downloading ESET.
    I unchecked the box "remove found threats", because I was not sure you wanted it that way. You didn't mention if I needed to keep it on or not.
    Here are the results of the scan:
    C:\Program Files\YouTube Downloader Toolbar\SearchSettings.dll   Win32/Adware.Toolbar.Dealio application
    C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe   Win32/Adware.Toolbar.Dealio application
    C:\Program Files\YouTube Downloader Toolbar\WidgiHelper.exe   Win32/Adware.Toolbar.Dealio application
    C:\Program Files\YouTube Downloader Toolbar\IE\1.0\youtubedownloaderToolbarIE.dll   Win32/Adware.Toolbar.Dealio application
    C:\Windows\Installer\6bcc6a.msi   Win32/Adware.Toolbar.Dealio application
    Operating memory   Win32/Adware.Toolbar.Dealio application
    Awaiting your instructions eagerly.
    Regards,
    Yves
    darts44
    The ignorant person does not know enough to know that he does not know.
    He that knows not and knows not that he knows not, he is a fool, shun him.
    He that knows not and knows that he knows not, he is teachable, teach him.
    He that knows and knows that he knows, he is wise, follow him.

    SuperDave

    Re: Think Point Virus
    « Reply #32 on: November 07, 2010, 10:47:04 AM »
    Please run it again and check "remove found threats".

    darts44

      Re: Think Point Virus
      « Reply #33 on: November 07, 2010, 10:53:15 PM »
      Hi Dave,
      Here are the results:
      C:\Program Files\YouTube Downloader Toolbar\SearchSettings.dll   Win32/Adware.Toolbar.Dealio application   cleaned by deleting (after the next restart) - quarantined
      C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe   Win32/Adware.Toolbar.Dealio application   cleaned by deleting - quarantined
      C:\Program Files\YouTube Downloader Toolbar\WidgiHelper.exe   Win32/Adware.Toolbar.Dealio application   cleaned by deleting - quarantined
      C:\Program Files\YouTube Downloader Toolbar\IE\1.0\youtubedownloaderToolbarIE.dll   Win32/Adware.Toolbar.Dealio application   cleaned by deleting - quarantined
      C:\Users\Yves\AppData\Local\Temp\NOD349B.tmp   Win32/Adware.Toolbar.Dealio application   cleaned by deleting (after the next restart) - quarantined
      C:\Windows\Installer\6bcc6a.msi   Win32/Adware.Toolbar.Dealio application   deleted - quarantined

      Regards, Yves
      darts44

      SuperDave

      Re: Think Point Virus
      « Reply #34 on: November 08, 2010, 12:06:58 PM »
      How's your computer running now? Any issues?

      darts44

        Re: Think Point Virus
        « Reply #35 on: November 09, 2010, 01:49:53 AM »
        Hi Dave,
        My PC seems to be OK, but how can I make sure there is nothing left from that "Think Point" on it?
        There are still some names of files in the "Windows Task Manager"; how can I get rid of them? See additional: atiedxx.exe, csrss.exe, winlogon.exe
        Regards, Yves
        darts44

        darts44

          Re: Think Point Virus
          « Reply #36 on: November 09, 2010, 01:52:01 AM »
          Here is the additional.

          [recovering disk space - old attachment deleted by admin]
          darts44

          SuperDave

          Re: Think Point Virus
          « Reply #37 on: November 09, 2010, 11:25:01 AM »
          Quote: atiedxx.exe
          This is a file for your video card.

          Quote: csrss.exe
          The Microsoft Client Server Runtime Server subsystem utilizes the process csrss.exe for managing the majority of the graphical instruction sets under the Microsoft Windows operating system.

          Quote: winlogon.exe
          winlogon.exe is a process belonging to the Windows login manager. It handles the login and logout procedures on your system. This program is important for the stable and secure running of your computer and should not be terminated.

          You can google all those files to find out what their functions are.
          Let's see if you can run ComboFix again as outlined in Reply #9



          darts44

            Re: Think Point Virus
            « Reply #38 on: November 09, 2010, 02:44:43 PM »
            Hi Dave,
            OK, I ran ComboFix and here are the results:
            ComboFix 10-11-09.01 - Yves 10/11/2010   5:47.1.2 - x86
            Microsoft Windows 7 Home Premium   6.1.7600.0.1252.61.1033.18.3070.2010 [GMT 10:00]
            Running from: c:\users\Yves\Desktop\commy.exe
            Command switches used :: /stepdel
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\windows\system32\arp.exe
            G:\Autorun.inf

            c:\windows\system32\userinit.exe . . . is infected!!

            .
            (((((((((((((((((((((((((   Files Created from 2010-10-09 to 2010-11-09  )))))))))))))))))))))))))))))))
            .

            2010-11-09 20:47 . 2010-11-09 20:47   --------   d-----w-   c:\users\Default\AppData\Local\temp
            2010-11-09 08:06 . 2010-10-07 23:21   6146896   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{44CDFD57-B753-47D5-9915-893F16DBC98A}\mpengine.dll
            2010-11-09 04:26 . 2010-11-09 04:26   --------   d-----w-   c:\program files\Vodafone
            2010-11-03 04:36 . 2010-11-03 04:36   --------   d-----w-   c:\program files\Common Files\Java
            2010-11-03 04:35 . 2010-11-03 04:35   --------   d-----w-   c:\program files\Sun
            2010-11-03 04:32 . 2010-11-03 04:34   --------   d-----w-   c:\program files\Java
            2010-11-03 02:59 . 2010-11-03 02:59   --------   d-----w-   c:\users\Yves\AppData\Roaming\Malwarebytes
            2010-11-03 02:59 . 2010-11-08 23:32   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2010-11-03 02:59 . 2010-11-03 02:59   --------   d-----w-   c:\programdata\Malwarebytes
            2010-11-02 23:16 . 2010-11-02 23:16   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
            2010-10-26 20:45 . 2010-08-04 06:18   641536   ----a-w-   c:\windows\system32\CPFilters.dll
            2010-10-26 20:45 . 2010-08-04 06:17   417792   ----a-w-   c:\windows\system32\msdri.dll
            2010-10-26 20:45 . 2010-08-04 06:15   204288   ----a-w-   c:\windows\system32\MSNP.ax
            2010-10-26 20:45 . 2010-08-04 06:15   199680   ----a-w-   c:\windows\system32\mpg2splt.ax
            2010-10-26 20:39 . 2010-07-13 05:22   26504   ----a-w-   c:\windows\system32\drivers\Diskdump.sys
            2010-10-23 11:36 . 2010-10-23 11:36   --------   d-----w-   c:\programdata\5D
            2010-10-23 10:25 . 2010-10-23 11:28   --------   d-----w-   c:\users\Yves\AppData\Local\BearShare
            2010-10-23 10:18 . 2010-10-23 20:49   --------   dc-h--w-   c:\programdata\~0
            2010-10-23 10:18 . 2010-10-23 10:18   --------   d-----w-   c:\users\Yves\AppData\Local\PackageAware
            2010-10-20 14:18 . 2010-10-20 14:18   --------   d-----w-   c:\windows\en
            2010-10-20 14:18 . 2010-10-20 14:18   --------   dc----w-   c:\windows\system32\DRVSTORE
            2010-10-20 14:18 . 2010-09-22 14:21   39272   ----a-w-   c:\windows\system32\drivers\fssfltr.sys
            2010-10-20 14:13 . 2010-10-20 14:13   --------   d-----w-   c:\program files\MSN Toolbar
            2010-10-20 14:13 . 2010-10-20 14:14   --------   d-----w-   c:\program files\Bing Bar Installer
            2010-10-20 14:13 . 2009-09-04 07:44   69464   ----a-w-   c:\windows\system32\XAPOFX1_3.dll
            2010-10-20 14:13 . 2009-09-04 07:44   515416   ----a-w-   c:\windows\system32\XAudio2_5.dll
            2010-10-20 14:13 . 2009-09-04 07:29   453456   ----a-w-   c:\windows\system32\d3dx10_42.dll
            2010-10-20 14:12 . 2010-10-20 14:12   469256   ----a-w-   c:\program files\Common Files\Windows Live\.cache\c76b1f1e1cb70602b\InstallManager_WLE_WLE.exe
            2010-10-20 14:11 . 2010-10-20 14:11   15712   ----a-w-   c:\program files\Common Files\Windows Live\.cache\b5d373971cb706020\MeshBetaRemover.exe
            2010-10-20 14:11 . 2010-10-20 14:11   94040   ----a-w-   c:\program files\Common Files\Windows Live\.cache\a5a337da1cb706018\DSETUP.dll
            2010-10-20 14:11 . 2010-10-20 14:11   525656   ----a-w-   c:\program files\Common Files\Windows Live\.cache\a5a337da1cb706018\DXSETUP.exe
            2010-10-20 14:11 . 2010-10-20 14:11   1691480   ----a-w-   c:\program files\Common Files\Windows Live\.cache\a5a337da1cb706018\dsetup32.dll
            2010-10-20 14:11 . 2010-10-20 14:11   525656   ----a-w-   c:\program files\Common Files\Windows Live\.cache\a40e8dec1cb706017\DXSETUP.exe
            2010-10-20 14:11 . 2010-10-20 14:11   1691480   ----a-w-   c:\program files\Common Files\Windows Live\.cache\a40e8dec1cb706017\dsetup32.dll
            2010-10-20 14:11 . 2010-10-20 14:11   94040   ----a-w-   c:\program files\Common Files\Windows Live\.cache\a40e8dec1cb706017\DSETUP.dll
            2010-10-20 14:09 . 2010-11-06 03:26   --------   d-----w-   c:\users\Yves\AppData\Local\Windows Live
            2010-10-20 14:09 . 2010-05-23 10:15   1619456   ----a-w-   c:\windows\system32\WMVDECOD.DLL
            2010-10-20 14:09 . 2010-05-23 10:11   196608   ----a-w-   c:\windows\system32\mfreadwrite.dll
            2010-10-20 14:09 . 2010-05-23 10:11   3181568   ----a-w-   c:\windows\system32\mf.dll
            2010-10-15 21:34 . 2010-05-05 06:46   363520   ----a-w-   c:\windows\system32\StructuredQuery.dll
            2010-10-15 21:03 . 2010-08-21 05:36   738816   ----a-w-   c:\windows\system32\wmpmde.dll
            2010-10-15 21:01 . 2010-09-01 04:26   164864   ----a-w-   c:\program files\Windows Media Player\wmplayer.exe
            2010-10-15 21:01 . 2010-09-01 04:23   12625408   ----a-w-   c:\windows\system32\wmploc.DLL
            2010-10-15 21:01 . 2010-09-01 02:34   2327552   ----a-w-   c:\windows\system32\win32k.sys
            2010-10-15 21:01 . 2010-08-27 05:46   168448   ----a-w-   c:\windows\system32\srvsvc.dll
            2010-10-15 21:01 . 2010-08-27 03:31   310784   ----a-w-   c:\windows\system32\drivers\srv.sys
            2010-10-15 21:01 . 2010-08-27 03:30   308736   ----a-w-   c:\windows\system32\drivers\srv2.sys
            2010-10-15 21:01 . 2010-08-27 03:30   113664   ----a-w-   c:\windows\system32\drivers\srvnet.sys

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2010-11-03 04:35 . 2010-07-27 22:47   472808   ----a-w-   c:\windows\system32\deployJava1.dll
            2010-10-19 01:41 . 2010-07-26 23:48   222080   ------w-   c:\windows\system32\MpSigStub.exe
            2010-09-22 14:47 . 2010-09-22 14:47   49016   ----a-w-   c:\windows\system32\sirenacm.dll
            2010-09-22 14:32 . 2010-09-22 14:32   301936   ----a-w-   c:\windows\WLXPGSS.SCR
            2010-09-21 04:03 . 2010-09-21 04:03   208768   ----a-w-   c:\windows\system32\LIVESSP.DLL
            2010-08-25 20:48 . 2010-08-25 20:48   53248   ----a-r-   c:\users\Yves\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
            2010-08-21 05:32 . 2010-09-15 06:16   316928   ----a-w-   c:\windows\system32\spoolsv.exe
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2010-09-29 2942856]
            "AnyTime Organizer"="c:\program files\AnyTime Organizer Premier\AtDem.exe" [2007-11-21 29696]
            "E09AXLRD_2727443"="c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE" [2008-06-03 351000]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-07-20 1038848]
            "MobileBroadband"="c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe" [2010-06-25 253952]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
            "ConsentPromptBehaviorAdmin"= 5 (0x5)
            "ConsentPromptBehaviorUser"= 3 (0x3)
            "EnableUIADesktopToggle"= 0 (0x0)

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
            "aux2"=wdmaud.drv

            [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
            Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp

            [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
            path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
            backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
            backupExtension=.CommonStartup

            [HKLM\~\startupfolder\C:^Users^Yves^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^AnyTime.lnk]
            path=c:\users\Yves\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AnyTime.lnk
            backup=c:\windows\pss\AnyTime.lnk.Startup
            backupExtension=.Startup

            [HKLM\~\startupfolder\C:^Users^Yves^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^FastStone Capture.lnk]
            path=c:\users\Yves\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FastStone Capture.lnk
            backup=c:\windows\pss\FastStone Capture.lnk.Startup
            backupExtension=.Startup

            [HKLM\~\startupfolder\C:^Users^Yves^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
            path=c:\users\Yves\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
            backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
            backupExtension=.Startup

            [HKLM\~\startupfolder\C:^Users^Yves^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
            path=c:\users\Yves\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
            backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
            backupExtension=.Startup

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
            2010-03-27 06:07   362232   ----a-w-   c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adm_tray.exe]
            2010-06-04 08:49   530768   ----a-w-   c:\program files\Acronis\DriveMonitor\adm_tray.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
            2010-09-20 13:07   932288   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
            2010-09-22 18:47   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
            2010-03-05 17:44   500208   ------w-   c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
            2010-07-22 12:10   402432   ----a-w-   c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyTime Organizer]
            2007-11-21 03:45   29696   ----a-w-   c:\progra~1\ANYTIM~1\AtDem.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DU Meter]
            2010-09-29 05:30   2942856   ----a-w-   c:\program files\DU Meter\DUMeter.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_15580131]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_2163780]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_2494237]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_2519946]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_25437101]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_31464294]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_5542044]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_5633040]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_582850]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_6173833]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_6696436]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_738477]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_8550430]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_9218411]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_969171]
            2008-06-03 10:05   351000   ----a-w-   c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
            2009-11-18 06:13   54576   ----a-w-   c:\program files\HP\HP Software Update\hpwuschd2.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
            2010-10-22 20:47   353736   ----a-w-   c:\program files\IncrediMail\Bin\IncMail.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
            2010-07-21 06:52   1797008   ----a-w-   c:\program files\Microsoft IntelliPoint\ipoint.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
            2010-07-21 07:07   1778064   ----a-w-   c:\program files\Microsoft IntelliType Pro\itype.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
            2010-05-11 06:43   6061400   ----a-w-   c:\program files\Logitech\Vid\Vid.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid HD]
            2010-05-11 06:43   6061400   ----a-w-   c:\program files\Logitech\Vid\Vid.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
            2010-05-07 08:35   165208   ----a-w-   c:\program files\Logitech\LWS\Webcam Software\LWS.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
            2010-06-01 00:17   5252408   ----a-w-   c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileBroadband]
            2010-06-25 02:57   253952   ----a-w-   c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RESTART_STICKY_NOTES]
            2009-07-14 01:14   354304   ----a-w-   c:\windows\System32\StikyNot.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
            2010-05-14 01:44   248552   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
            2010-02-19 03:37   517096   ----a-w-   c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
            2010-03-27 06:06   5107232   ----a-w-   c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorldTime2006]
            2007-10-21 07:17   1486848   ----a-w-   c:\program files\AnyTime Organizer Premier\WorldTime.exe

            R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
            R3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\DU Meter\DUMETR32.SYS [2010-09-29 18576]
            R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2010-06-15 35568]
            R3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter.sys [2010-06-10 9216]
            R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
            R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
            R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
            R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
            R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-27 1343400]
            R3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\DRIVERS\zgwhsdiag.sys [2009-10-28 105216]
            R3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\DRIVERS\zgwhsmdm.sys [2009-10-28 105216]
            R3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\DRIVERS\zgwhsnmea.sys [2009-10-28 105216]
            R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
            S0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\DRIVERS\tdrpm258.sys [2010-07-27 911680]
            S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
            S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [2010-07-27 2480048]
            S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-03 176128]
            S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2010-02-19 380928]
            S2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [2010-09-29 1412488]
            S2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2010-06-15 26352]
            S2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2010-06-15 493032]
            S2 VmbService;Vodafone Mobile Broadband Service;c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2010-06-25 9216]
            S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2010-07-27 160704]
            S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-08-03 6096384]
            S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-08-03 214016]
            S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 44432]
            S3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;c:\windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys [2010-03-01 61952]
            S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [2010-04-30 105856]
            S3 ZTEusbwwan;ZTE MBN Miniport;c:\windows\system32\DRIVERS\ZTEusbwwan.sys [2010-06-10 194048]


            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
            HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
            hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
            nosGetPlusHelper   REG_MULTI_SZ      nosGetPlusHelper
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = about:blank
            TCP: {E481D8DE-43C8-4878-B42D-DD2FAEC18884} = 202.124.65.22 202.124.65.18
            .
            - - - - ORPHANS REMOVED - - - -

            BHO-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
            Toolbar-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
            HKLM-Run-atr.exe - (no file)
            MSConfigStartUp-DATAMNGR - c:\progra~1\BEARSH~1\MediaBar\Datamngr\DATAMN~1.EXE
            MSConfigStartUp-SearchSettings - c:\program files\YouTube Downloader Toolbar\SearchSettings.exe
            AddRemove-Hoadley Options Strategy Evaluation Tool_is1 - c:\program files\HoadleyOptions\unins000.exe



            [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DUMeterSvc]
            "ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------

            [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
            @Denied: (A) (Users)
            @Denied: (A) (Everyone)
            @Allowed: (B 1 2 3 4 5) (S-1-5-20)
            "BlindDial"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
            @Denied: (A) (Users)
            @Denied: (A) (Everyone)
            @Allowed: (B 1 2 3 4 5) (S-1-5-20)
            "BlindDial"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
            @Denied: (Full) (Everyone)
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'Explorer.exe'(3860)
            c:\program files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
            c:\program files\Common Files\Microsoft Shared\Encarta Search Bar\A\ESBRes.DLL
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\windows\system32\atieclxx.exe
            c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
            c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
            c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
            c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
            c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
            c:\windows\system32\taskhost.exe
            c:\windows\system32\conhost.exe
            c:\program files\Windows Media Player\wmpnetwk.exe
            c:\program files\Acronis\DriveMonitor\adm.exe
            .
            **************************************************************************
            .
            Completion time: 2010-11-10  07:20:44 - machine was rebooted
            ComboFix-quarantined-files.txt  2010-11-09 21:20

            Pre-Run: 313,216,090,112 bytes free
            Post-Run: 313,234,837,504 bytes free

            - - End Of File - - 15DBDB942C9E623E8AA909342BBEF4BF
            Looks a pretty long one and very impressive. Please explain the results to me!
            Should I delete "ComboFix" from my PC?
            Best regards, Yves
            darts44
            The ignorant person does not know enough to know that he does not know.
            He that knows not and knows not that he knows not, he is a fool, shun him.
            He that knows not and knows that he knows not, he is teachable, teach him.
            He that knows and knows that he knows, he is wise, follow him.

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: Think Point Virus
            « Reply #39 on: November 10, 2010, 01:13:35 PM »
            Please download SystemLook from one of the links below and save it to your desktop.

            Link # 1
            Link # 2

            Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

            Double-click SystemLook.exe to run it.

            Copy the contents of the following codebox into the main textfield.
            Code:
            :filefind
            userinit.exe

            Click the Look button to start the scan.

            Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

            When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt

            ******************************
            SysProt Antirootkit

            Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

            http://sites.google.com/site/sysprotantirootkit/

            Unzip it into a folder on your desktop.
            • Double click Sysprot.exe to start the program.
            • Click on the Log tab.
            • In the Write to log box select the following items.
              • Process << Selected
              • Kernel Modules << Selected
              • SSDT << Selected
              • Kernel Hooks << Selected
              • IRP Hooks << NOT Selected
              • Ports << NOT Selected
              • Hidden Files << Selected
            • At the bottom of the page
              • Hidden Objects Only << Selected
            • Click on the Create Log button on the bottom right.
            • After a few seconds a new window should appear.
            • Select Scan Root Drive. Click on the Start button.
            • When it is complete a new window will appear to indicate that the scan is finished.
            • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
            Windows 8 and Windows 10 dual boot with two SSD's

            darts44

              Topic Starter


              Beginner

              Thanked: 1
              Re: Think Point Virus
              « Reply #40 on: November 10, 2010, 04:30:38 PM »
              Hi! Dave,
              Here are the results of the scan with " SystemLook".
              Regards,
              Yves
              SystemLook 04.09.10 by jpshortstuff
              Log created at 09:23 on 11/11/2010 by Yves
              Administrator - Elevation successful

              ========== filefind ==========

              Searching for "userinit.exe "
              C:\Windows\ERDNT\cache\userinit.exe   --a---- 26112 bytes   [21:08 09/11/2010]   [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
              C:\Windows\System32\userinit.exe   --a---- 26112 bytes   [23:34 13/07/2009]   [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
              C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe   --a---- 26112 bytes   [23:34 13/07/2009]   [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175

              -= EOF =-
              darts44
              The ignorant person does not know enough to know that he does not know.
              He that knows not and knows not that he knows not, he is a fool, shun him.
              He that knows not and knows that he knows not, he is teachable, teach him.
              He that knows and knows that he knows, he is wise, follow him.
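The SystemLook output above can be checked mechanically rather than by eye. The following is an added example (not code from the thread, from SystemLook, or from its author): it parses the filefind hits and compares every copy of userinit.exe with the WinSxS component-store copy by size and MD5, run once on the log posted above and once on a constructed log in which the System32 copy differs (its size and hash are placeholders).

```python
import re
from typing import Dict, List

# One SystemLook ":filefind" hit: path, attribute flags, size, [mtime], [ctime], MD5.
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Sample 1: the three hits from the SystemLook log posted in this thread.
CLEAN_LOG = r"""
Searching for "userinit.exe "
C:\Windows\ERDNT\cache\userinit.exe   --a---- 26112 bytes   [21:08 09/11/2010]   [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
C:\Windows\System32\userinit.exe   --a---- 26112 bytes   [23:34 13/07/2009]   [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe   --a---- 26112 bytes   [23:34 13/07/2009]   [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
"""

# Sample 2 (constructed): the System32 copy has been replaced; its size and hash are placeholders.
TAMPERED_LOG = r"""
C:\Windows\System32\userinit.exe   --a---- 30208 bytes   [02:11 05/11/2010]   [02:11 05/11/2010] 00000000000000000000000000000000
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe   --a---- 26112 bytes   [23:34 13/07/2009]   [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
"""

def parse_filefind(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per file hit; header, blank and EOF lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits

def check_against_winsxs(hits: List[Dict[str, str]]) -> Dict[str, object]:
    """Use the WinSxS component-store copy as the reference and flag any other
    copy whose MD5 or size differs. A missing reference is reported, not guessed."""
    ref = next((h for h in hits if "\\winsxs\\" in h["path"].lower()), None)
    result: Dict[str, object] = {"reference": None, "matched": [], "mismatched": []}
    if ref is None:
        return result
    result["reference"] = ref["md5"].upper()
    for h in hits:
        if h is ref:
            continue
        same = h["md5"].upper() == ref["md5"].upper() and h["size"] == ref["size"]
        (result["matched"] if same else result["mismatched"]).append(h["path"])
    return result

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("tampered", TAMPERED_LOG)):
        print(name, check_against_winsxs(parse_filefind(log)))
```

A clean result (every copy matches the WinSxS copy) is what the log above shows; a non-empty `mismatched` list is the case where restoring a copy, as the next reply does with ComboFix's FCopy, would be needed.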

              darts44

                Topic Starter


                Beginner

                Thanked: 1
                Re: Think Point Virus
                « Reply #41 on: November 10, 2010, 04:46:38 PM »
                Hi! Dave,
                Here are the results of the scan with SysProt Antirootkit.
                SysProt AntiRootkit v1.0.1.0
                by swatkat

                ******************************************************************************************
                ******************************************************************************************

                No Hidden Processes found

                ******************************************************************************************
                ******************************************************************************************
                No Hidden Kernel Modules found

                ******************************************************************************************
                ******************************************************************************************
                No SSDT Hooks found

                ******************************************************************************************
                ******************************************************************************************
                No Kernel Hooks found

                ******************************************************************************************
                ******************************************************************************************
                No hidden files/folders found
                I am happy with the results. ;D
                Regards,
                Yves
                darts44
                The ignorant person does not know enough to know that he does not know.
                He that knows not and knows not that he knows not, he is a fool, shun him.
                He that knows not and knows that he knows not, he is teachable, teach him.
                He that knows and knows that he knows, he is wise, follow him.

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Think Point Virus
                « Reply #42 on: November 10, 2010, 04:57:03 PM »
                Ok. Let's see if we can fix that corrupted/infected file.

                Re-running ComboFix to remove infections:

                • Close any open browsers.
                • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
                • Open notepad and copy/paste the text in the quotebox below into it:
                  Quote
                  KillAll::

                  FCopy::
                  C:\Windows\ERDNT\cache\userinit.exe | c:\windows\system32\userinit.exe

                • Save this as CFScript.txt, in the same location as ComboFix.exe



                • Referring to the picture above, drag CFScript into ComboFix.exe
                • When finished, it shall produce a log for you at C:\ComboFix.txt
                • Please post the contents of the log in your next reply.
                Windows 8 and Windows 10 dual boot with two SSD's

                darts44

                  Topic Starter


                  Beginner

                  Thanked: 1
                  Re: Think Point Virus
                  « Reply #43 on: November 10, 2010, 05:21:11 PM »
                  Hi! Dave,
                  Here I am not sure....
                  I have "commy.exe"; is that the one I have to use and drag "CFScript.txt" into?
                  Or should I re-download the original ComboFix?
                  Regards, Yves
                  darts44
                  The ignorant person does not know enough to know that he does not know.
                  He that knows not and knows not that he knows not, he is a fool, shun him.
                  He that knows not and knows that he knows not, he is teachable, teach him.
                  He that knows and knows that he knows, he is wise, follow him.

                  SuperDave

                  • Malware Removal Specialist
                  • Moderator


                  • Genius
                  • Thanked: 1020
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 10
                  Re: Think Point Virus
                  « Reply #44 on: November 10, 2010, 05:26:25 PM »
                  Yes, use the one you have on your desktop.
                  Windows 8 and Windows 10 dual boot with two SSD's