
Author Topic: THINKPOINT boot virus  (Read 36909 times)


Iwishiknew (Topic Starter)
Re: THINKPOINT boot virus
« Reply #30 on: November 09, 2010, 08:28:57 PM »
    Quote
    Were you able to update AVG?

    Yes

    Quote
    What happens when you try to kill the processes?
     

This message:

[screenshot not reproduced]

When I try to run blackpudding I get this:

[screenshot not reproduced]

    Quote
    Delete An Uninstall Entry

    •Start HijackThis

    •Click on the Open the Misc Tools section

    •Click on the Open Uninstall Manager button.

    •Highlight the entry you want to remove.
    (AskBarDis or anything related to Ask,
    Search Settings and
    Application Updater)
    •Click Delete these entries
    Exit HJT

I don't see either of those entries.

SuperDave (Malware Removal Specialist)
Re: THINKPOINT boot virus
« Reply #31 on: November 10, 2010, 04:52:19 PM »
    Ok. Could you please try running ComboFix again?
    Windows 8 and Windows 10 dual boot with two SSD's

Iwishiknew (Topic Starter)
Re: THINKPOINT boot virus
« Reply #32 on: November 10, 2010, 05:58:28 PM »
OK, I tried to run ComboFix; a little green bar appears as if it's scanning, then this Comodo alert appears:

[screenshot not reproduced]

Then this warning appears:

[screenshot not reproduced]

The computer has been randomly shutting down after a scary blue screen with the message "hard error"!

      fun and games....

Iwishiknew (Topic Starter)
Re: THINKPOINT boot virus
« Reply #33 on: November 11, 2010, 06:16:51 AM »
Things are getting worse... the computer is shutting down within minutes of boot-up. Is it safe to back up files to another HD, or do I risk infecting the other HD?

SuperDave (Malware Removal Specialist)
Re: THINKPOINT boot virus
« Reply #34 on: November 11, 2010, 07:07:06 AM »
        Quote
        is it safe to back up files to another HD or do i risk infecting the other HD ?
Only if the other HD is empty, so that you can wipe it clean afterwards. You would probably be better off saving to some DVD+/-RWs. They can hold quite a bit of data and can be erased afterward.

Iwishiknew (Topic Starter)
Re: THINKPOINT boot virus
« Reply #35 on: November 11, 2010, 11:57:45 AM »
OK, thanks.

Should I format the disk and reinstall Windows? Will that help, or will the boot virus (which the motherboard anti-virus program is warning about on boot-up) still be there?
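The question above (whether a boot-sector infection survives a format) and the ComboFix result later in this thread, which reports "\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected", both come down to what is in sector 0 of the disk. Formatting a partition rewrites that partition's own boot sector, not the MBR in sector 0, so the way to know is to read the MBR and check it. The following Python script is an added example, not code from the thread or from any of the tools it mentions: it parses a 512-byte MBR, hashes the bootstrap code against a known-good copy (assumed to come from a clean install of the same Windows version) and checks the partition table for entries that overlap or run past the end of the disk. The two sample sectors, the disk size and the partition layout are constructed for the example.

```python
"""Inspect a 512-byte Master Boot Record for bootkit-style tampering.

Added example, not from the thread. It assumes you already have sector 0 of
the disk as bytes (read from the raw disk with an imaging tool) and a
known-good copy of the bootstrap code to compare against. The two sectors
built below are constructed so the script runs offline.
"""
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446          # bootstrap code occupies bytes 0..445
PART_ENTRY = 16               # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"        # bytes 510..511 of a valid MBR


def parse_mbr(sector):
    """Split an MBR into bootstrap-code hash, partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY])
        if ptype == 0 and count == 0:
            continue                      # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }


def mbr_findings(sector, known_good_bootstrap_sha256, disk_sectors):
    """Return a list of anomalies; an empty list means nothing looked odd."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != known_good_bootstrap_sha256:
        findings.append("bootstrap code differs from the known-good copy")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d bootable partitions, expected 1" % len(bootable))
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] < a["lba_start"] + a["sectors"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    for p in info["partitions"]:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append("partition %d extends past the end of the disk" % p["index"])
    return findings


def build_sample_mbr(bootstrap, entries):
    """Assemble a constructed MBR from bootstrap bytes and (status, type, lba, count) tuples."""
    code = bootstrap.ljust(PART_TABLE_OFF, b"\x00")[:PART_TABLE_OFF]
    table = b"".join(struct.pack("<B3sB3sII", s, b"\xff\xff\xff", t, b"\xff\xff\xff", lba, n)
                     for s, t, lba, n in entries)
    return code + table.ljust(4 * PART_ENTRY, b"\x00") + BOOT_SIG


# Constructed disk of ~1 GiB with one bootable NTFS (type 0x07) partition at LBA 63.
DISK_SECTORS = 2100000
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c clean loader (constructed)",
                             [(0x80, 0x07, 63, 2000000)])
KNOWN_GOOD = hashlib.sha256(CLEAN_MBR[:PART_TABLE_OFF]).hexdigest()

# Same disk after a constructed tampering: different bootstrap code, plus a second
# non-bootable entry whose extent runs past the end of the disk.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe hooked loader (constructed)",
                                [(0x80, 0x07, 63, 2000000),
                                 (0x00, 0x27, 2080000, 40000)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, mbr_findings(mbr, KNOWN_GOOD, DISK_SECTORS) or ["no findings"])
```

The bootstrap-hash comparison is the decisive check: the partition table of an infected disk can look entirely normal, so a clean-looking table is not evidence that sector 0 is clean.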


Iwishiknew (Topic Starter)
Re: THINKPOINT boot virus
« Reply #36 on: November 11, 2010, 04:40:51 PM »
After cleaning all the dust out of the fans and replacing the broken one in the power supply, the computer has stopped shutting down  :)  coincidence... maybe  :-\  I will continue to try to rid the computer of malware before reformatting, which I hate to do because I always lose stuff.

I tried running commy.exe again but same problem.

Scanned with Ad-Aware, Malwarebytes and AVG and removed all malware found.

Scanning again and again...

What else can I try?

Doctor, help, I'm dying here  :-[

SuperDave (Malware Removal Specialist)
Re: THINKPOINT boot virus
« Reply #37 on: November 12, 2010, 01:18:12 PM »
            Ok. Please try this tool to continue with the cleaning.

            Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.

            •Double click on RSIT.exe to run.

            •Click Continue at the disclaimer screen.

            •Once it has finished, two logs will open.
            log.txt <will be maximized and info.txt <will be minimized

            •Please post the contents of both logs in the next reply.

Iwishiknew (Topic Starter)
Re: THINKPOINT boot virus
« Reply #38 on: November 12, 2010, 06:35:41 PM »
Thanks SuperDave, here are the RSIT logs:

              info.txt logfile of random's system information tool 1.08 2010-11-13 02:32:39

              ======Uninstall list======

              -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
              µTorrent-->"C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
              Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe" REMOVE=TRUE MODIFY=FALSE
              Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
              Adobe Audition 1.0-->MsiExec.exe /I{81E76DE9-BBCB-449C-91BB-6E4E5436D496}
              Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe -maintain activex
              Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
              Adobe MPEG Encoder-->MsiExec.exe /I{9811A185-3D3D-11D6-9E14-00036D172B00}
              Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
              Adobe Premiere 6.5-->C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Premiere 6.5\DeIsL1.isu" -c"C:\Program Files\Adobe\Premiere 6.5\Uninst.dll"
              Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
              AllWebMenus PRO v4-->C:\PROGRA~1\ALLWEB~1\UNWISE.EXE C:\PROGRA~1\ALLWEB~1\INSTALL.LOG
              Antares Autotune VST RTAS TDM v5.08-->"C:\Program Files\Antares Audio Technologies\unins000.exe"
              Any Video Converter 3.0.7-->"C:\Program Files\Any Video Converter\unins000.exe"
              Apple Application Support-->MsiExec.exe /I{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}
              Apple Mobile Device Support-->MsiExec.exe /I{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}
              Apple Software Update-->MsiExec.exe /I{C41300B9-185D-475E-BFEC-39EF732F19B1}
              ArcSoft MediaImpression for Kodak-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D6D9C5C7-88DF-486C-9BFC-DF8C4D5D1FAF}\Setup.exe" -l0x9
              AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
              Busker v4.1 demo-->C:\WINDOWS\ST5UNST.EXE -n "c:\JmSoftware\Busker v4.1 demo\ST5UNST.LOG" 
              CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
              C-Media WDM Audio Driver-->C:\WINDOWS\system32\cmirmdrv.exe
              COMODO Internet Security-->MsiExec.exe /I{FD8E178D-8B4E-42DA-B434-EFF270329B1C}
              CuteFTP 8 Lite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ED5761A3-C109-4E0E-8241-19DB67E66BED}\Setup.exe" -l0x9
              D-i-v-X AVI Codec Pack Pro 2.4.0-->C:\WINDOWS\system32\C2MP\Uninst.exe
              DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
              Empress Tremolo Plugin 1.00-->"C:\Program Files\Steinberg\EmpressPlugins\unins000.exe"
              eMule-->"C:\Program Files\eMule\Uninstall.exe"
              ePlayer-->MsiExec.exe /I{950B394C-82D0-4559-96A0-0C3AA0D458FB}
              ffdshow [rev 3207] [2010-01-18]-->"C:\Program Files\K-Lite Codec Pack\ffdshow\unins000.exe"
              FileZilla Client 3.3.4.1-->C:\Program Files\FileZilla FTP Client\uninstall.exe
              HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7}
              Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
              HP Customer Participation Program 7.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
              HP Imaging Device Functions 7.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
              HP Photosmart Essential-->MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
              HP Photosmart, Officejet and Deskjet 7.0.A-->C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
              HP Software Update-->MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
              HP Solution Center 7.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
              iTunes-->MsiExec.exe /I{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}
              K-Lite Codec Pack 5.6.1 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
              Lexicon Pantheon Reverb DX-->C:\WINDOWS\unvise32.exe C:\Program Files\Lexicon Pantheon Reverb DX\uninstal.log
              LG MC USB Modem driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6059C682-4C5F-4106-8487-943E98225D3B}\setup.exe" -l0x9  -removeonly
              LG PC Suite II-->C:\Program Files\InstallShield Installation Information\{14DCD95A-EBA3-4BF0-B7EF-533852E99BE6}\setup.exe -runfromtemp -l0x0009 -removeonly
              LG USB Modem driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\setup.exe" -l0x9 LG -removeonly
              Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
              Melodyne Runtime 4.0 (x86)-->MsiExec.exe /I{4679DEDD-9D82-4425-BF9E-F37B41224AC2}
              Melodyne singletrack-->"C:\Program Files\InstallShield Installation Information\{16DF894D-FC3F-4B87-908D-671E201CD7A8}\setup.exe" -runfromtemp -l0x0409  -removeonly
              Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
              Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
              Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
              Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
              Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
              Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
              Mozilla Firefox (3.5.8)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
              MP3 to SWF Converter 2.9 build 927-->C:\Program Files\HooTech\MP32SWF\uninst.exe
              Native Instruments B4 II-->C:\PROGRA~1\NATIVE~1\B4II~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\B4II~1\INSTALL.LOG
              Orange Plug-in messagerie vocale 888-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16E79B1D-D1C2-4CA6-8B23-F4D890E0DCB9}\Setup.exe" -l0x40c --AddRemove
              QuickTime-->MsiExec.exe /I{E7004147-2CCA-431C-AA05-2AB166B9785D}
              RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
              Samsung USB Driver-->"C:\Program Files\InstallShield Installation Information\{86D6A20D-3910-4441-A3E5-EB6977251C86}\setup.exe" -runfromtemp -l0x0009 anything -removeonly
              Scientific Atlanta WebSTAR 2000 series Cable Modem-->UNDPX2K.EXE
              Search Settings v1.2.3-->MsiExec.exe /X{5F05C28D-DEA9-4AD6-A73A-064175988EAB}
              Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
              Sibelius Scorch (ActiveX Only)-->MsiExec.exe /I{9F31A1CD-57BC-47AD-B403-C6BD29FF1E2D}
              Skype web features-->MsiExec.exe /I{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}
              Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
              Spell Checker For OE 2.1-->C:\Program Files\Common Files\Microsoft Shared\proof\Uninstal.exe
              SPIF225 USB to SATA Bridge 98 Driver Installer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB3F9E62-1C4A-45DA-96E4-BFEB26C73F18}\setup.exe" -l0x9  -removeonly
              Steinberg Cubase SX 3-->"C:\Program Files\Steinberg\Cubase SX 3\Uninstall.exe" "C:\Program Files\Steinberg\Cubase SX 3\install.log"
              Steinberg Cubase SX-->C:\PROGRA~1\STEINB~1\CUBASE~2\UNINST~1.EXE C:\PROGRA~1\STEINB~1\CUBASE~2\Install.log
              SUPERAntiSpyware-->"C:\Program Files\SUPERAntiSpyware\Uninstall.exe"
              Syncrosoft's License Control-->C:\PROGRA~1\SYNCRO~1\UNWISE.EXE C:\PROGRA~1\SYNCRO~1\INSTALL.LOG
              TotalAudioConverter-->"C:\Program Files\TotalAudioConverter\unins000.exe"
              Update for Windows Internet Explorer 8 (KB973874)-->"C:\WINDOWS\ie8updates\KB973874-IE8\spuninst\spuninst.exe"
              Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
              USB Flash Port Driver-->MsiExec.exe /I{065D5505-3821-4C2E-BB6C-FE66A7E7CB4F}
              USB2.0 PC Camera (SN9C201&202)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{75438C0E-9925-412E-AD85-D0E71C6CE2ED}\Setup.exe" -l0x9
              VB:FFX-4 Rack-->C:\Program Files\VB\FFX4\uninst.exe C:\Program Files\VB\FFX4
              VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
              Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
              Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
              VstPlayer-->MsiExec.exe /I{C6FF65DB-B18E-4F0E-948F-E058E67BAF48}
              Waves IR 1-->C:\PROGRA~1\Waves\IR1UNI~1\UNWISE.EXE C:\PROGRA~1\Waves\IR1UNI~1\INSTALL.LOG
              Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
              Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
              Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
              Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
              Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
              Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
              Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
              WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

              ======Security center information======

              AV: AVG Anti-Virus Free
              FW: COMODO Firewall

              =====Application event log=====

              Computer Name: CROMWELL
              Event Code: 35
              Message: WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

              Record Number: 476
              Source Name: WinMgmt
              Time Written: 20091102132650.000000+060
              Event Type: warning
              User:

              Computer Name: CROMWELL
              Event Code: 40
              Message: WMI ADAP was unable to create the object Win32_PerfRawData_ASPNET_ASPNETApplications for Performance Library ASP.NET because error 0x80041001 was returned

              Record Number: 475
              Source Name: WinMgmt
              Time Written: 20091102132649.000000+060
              Event Type: warning
              User:

              Computer Name: CROMWELL
              Event Code: 35
              Message: WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0

              Record Number: 474
              Source Name: WinMgmt
              Time Written: 20091102132649.000000+060
              Event Type: warning
              User:

              Computer Name: CROMWELL
              Event Code: 1020
              Message: Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

              Record Number: 457
              Source Name: ASP.NET 2.0.50727.0
              Time Written: 20091102132454.000000+060
              Event Type: warning
              User:

              Computer Name: CROMWELL
              Event Code: 1002
              Message: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

              Record Number: 447
              Source Name: Application Hang
              Time Written: 20091101140720.000000+060
              Event Type: error
              User:

              ======Environment variables======

              "ComSpec"=%SystemRoot%\system32\cmd.exe
              "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
              "windir"=%SystemRoot%
              "FP_NO_HOST_CHECK"=NO
              "OS"=Windows_NT
              "PROCESSOR_ARCHITECTURE"=x86
              "PROCESSOR_LEVEL"=15
              "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 4, GenuineIntel
              "PROCESSOR_REVISION"=0204
              "NUMBER_OF_PROCESSORS"=1
              "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
              "TEMP"=%SystemRoot%\TEMP
              "TMP"=%SystemRoot%\TEMP
              "asl.log"=Destination=file
              "CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
              "QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

              -----------------EOF-----------------

Iwishiknew (Topic Starter)
Re: THINKPOINT boot virus
« Reply #39 on: November 12, 2010, 06:41:29 PM »
I can't post the log  >:(  aaarrrgggg!!!

Does the info.txt help at all?

SuperDave (Malware Removal Specialist)
Re: THINKPOINT boot virus
« Reply #40 on: November 12, 2010, 07:42:28 PM »
                Rob, have you updated your AVG? The log still shows AVG9

                P2P - I see you have P2P software installed on your machine, eMule and uTorrent. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

                Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

                I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
                *****************************************
                Please go to Jotti's malware scan
(If more than one file needs to be scanned, they must be done separately and a link posted for each one)

                * Copy the file path in the below Code box:

Code:
C:\WINDOWS\system32\234.js
C:\WINDOWS\system32\drivers\ndhchq.sys

                * At the upload site, click once inside the window next to Browse.
                * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
                * Next click Submit file
                * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
                * This will perform a scan across multiple different virus scanning engines.
                * Important: Wait for all of the scanning engines to complete.
                * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
                *********************************
                Copy and paste the text in the code box below into Notepad.
Code:
@echo off
rem Remove the At1.job ... At26.job scheduled-task files. Each At<N>.job is a
rem Task Scheduler job created with the AT command; the numbers are the ones
rem seen on this machine.
del C:\WINDOWS\tasks\At1.job
del C:\WINDOWS\tasks\At2.job
del C:\WINDOWS\tasks\At3.job
del C:\WINDOWS\tasks\At4.job
del C:\WINDOWS\tasks\At5.job
del C:\WINDOWS\tasks\At6.job
del C:\WINDOWS\tasks\At7.job
del C:\WINDOWS\tasks\At8.job
del C:\WINDOWS\tasks\At9.job
del C:\WINDOWS\tasks\At10.job
del C:\WINDOWS\tasks\At11.job
del C:\WINDOWS\tasks\At12.job
del C:\WINDOWS\tasks\At13.job
del C:\WINDOWS\tasks\At14.job
del C:\WINDOWS\tasks\At15.job
del C:\WINDOWS\tasks\At16.job
del C:\WINDOWS\tasks\At17.job
del C:\WINDOWS\tasks\At18.job
del C:\WINDOWS\tasks\At19.job
del C:\WINDOWS\tasks\At20.job
del C:\WINDOWS\tasks\At21.job
del C:\WINDOWS\tasks\At22.job
del C:\WINDOWS\tasks\At23.job
del C:\WINDOWS\tasks\At24.job
del C:\WINDOWS\tasks\At25.job
del C:\WINDOWS\tasks\At26.job
rem found.001 (a chkdsk recovery folder) and srchasst are directories, so del
rem empties each of them after an "Are you sure (Y/N)?" prompt; answer Y.
del C:\found.001
del C:\WINDOWS\srchasst
rem Self-delete: double-clicking the file runs it with the Desktop as the
rem current directory, so the bare name resolves to this script.
del blackpudding.bat
exit

                Then click File > Save as
                Save to the Desktop as blackpudding.bat
                And Save as type: All Files.

                Double-click on blackpudding.bat to run it.
                ***************************************
                Please try to run ComboFix again but this time, just doubleclick on the ComboFix icon on your desktop.
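The cleanup steps above combine two things: hashing a suspicious file so it can be looked up in a multi-engine scanner such as Jotti, and removing the At1.job ... At26.job scheduled-task files. The Python script below is an added example, not code from the thread or from any tool named in it. It matches job files by the At<N>.job naming pattern instead of listing each path, records a SHA-256 for every file before deleting it (so the hash can still be checked after the file is gone), and runs as a dry run unless delete=True is passed. The tasks directory and its files are constructed by build_sample_tasks_dir() so the script runs offline; on the machine in the thread the directory would be C:\WINDOWS\Tasks.

```python
"""Triage helper for the cleanup step above: find At<N>.job files, hash them
for a multi-engine scan lookup, and delete them after a dry run.

Added example, not code from the thread. It assumes all the job files live in
one directory (C:\\WINDOWS\\Tasks on the machine in the thread); the sample
directory built by build_sample_tasks_dir() is constructed for the example.
"""
import hashlib
import os
import re
import tempfile

# Scheduled-task files created with the AT command are named At<N>.job.
AT_JOB = re.compile(r"^At\d+\.job$", re.IGNORECASE)


def sha256_file(path):
    """Hash a file in chunks; the hex digest is what a scanner is queried with."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_at_jobs(tasks_dir):
    """Return paths of At<N>.job files in numeric order; other files are left alone."""
    names = [n for n in os.listdir(tasks_dir) if AT_JOB.match(n)]
    names.sort(key=lambda n: int(re.search(r"\d+", n).group()))  # At2 before At10
    return [os.path.join(tasks_dir, n) for n in names]


def remaining_names(tasks_dir):
    """Sorted file names left in the directory, for a before/after comparison."""
    return sorted(os.listdir(tasks_dir))


def triage(tasks_dir, delete=False):
    """Find, hash and (optionally) delete At<N>.job files.

    Returns the matched paths, their SHA-256 hashes and the list of paths
    actually removed (empty on a dry run).
    """
    jobs = find_at_jobs(tasks_dir)
    hashes = {p: sha256_file(p) for p in jobs}   # hash before deleting
    removed = []
    if delete:
        for p in jobs:
            os.remove(p)
            removed.append(p)
    return {"jobs": jobs, "hashes": hashes, "removed": removed}


def build_sample_tasks_dir():
    """Constructed stand-in for the Tasks folder: 26 At jobs plus two benign files."""
    d = tempfile.mkdtemp(prefix="tasks_")
    for i in range(1, 27):
        with open(os.path.join(d, "At%d.job" % i), "wb") as f:
            f.write(b"\x00" * 16 + b"constructed At job %d" % i)
    for name in ("GoogleUpdateTaskMachine.job", "SA.DAT"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"constructed benign file, must survive")
    return d


if __name__ == "__main__":
    sample = build_sample_tasks_dir()
    dry = triage(sample)                      # dry run: nothing removed yet
    for p, digest in dry["hashes"].items():
        print(os.path.basename(p), digest)
    done = triage(sample, delete=True)
    print("removed", len(done["removed"]), "left:", remaining_names(sample))
```

Pattern matching also picks up any At<N>.job that a log omitted, while leaving other .job files and SA.DAT untouched; the hash report is what you would paste into the scanner's hash search if the upload link fails, as it did for the user later in this thread.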

Iwishiknew (Topic Starter)
Re: THINKPOINT boot virus
« Reply #41 on: November 13, 2010, 07:09:20 AM »
I uninstalled eMule and uTorrent (I don't use P2P often, but I think I did get the virus on a P2P website).

Can't install the newest version of AVG. Can't uninstall AVG9. Since disabling Resident Shield I can't re-enable it.

Jotti: virus found on file \WINDOWS\system32\234.js but the link doesn't work, so here is a screenshot:

[screenshot not reproduced]

http://virusscan.jotti.org/en/scanresult/5d9802bba9ce0857c732f121dd26f50a4c98a

WINDOWS\system32\drivers\ndhchq.sys
http://virusscan.jotti.org/en (empty)

blackpudding:
When I tried to run it I got 2 messages "are you sure y/n"; I hit yes twice and the program disappeared.

                  Combofix:
                  Can't run while AVG is installed - can't uninstall AVG.


                   ???



SuperDave (Malware Removal Specialist)
Re: THINKPOINT boot virus
« Reply #42 on: November 13, 2010, 12:20:49 PM »
                  Quote
                  when i tried to run it i got 2 messages "are you sure y/n" i hit yes twice and the program disappeared.
                  That's good. It is self-deleting.
You need to get rid of AVG. But first, download one of these free AVs and install it. I prefer Microsoft Security Essentials. Then run the AVG removal tool below.

                  Remember to only install one antivirus!
                   
                  1) Avast! Home Edition
                  2) AVG Free Edition
                  3) Avira AntiVir Personal
                  4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
                  4-a) Microsoft Security Essentials for Windows XP
                  5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
                  6) PC Tools AntiVirus Free Edition

                  It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
                  ***********************************************

                  AVG Antivirus - AVG Antivirus Remover utility

                  *************************************************
                  Now please try to run ComboFix.

Iwishiknew (Topic Starter)
Re: THINKPOINT boot virus
« Reply #43 on: November 13, 2010, 06:50:34 PM »
SuperDave!  :)

I installed Avast! (Is it OK to run Avast! alongside an anti-malware program like SUPERAntiSpyware?)

The AVG removal tool worked, AVG is gone.

ComboFix was able to run and produced this log:

                    ComboFix 10-11-12.06 - Rob 11/14/2010   2:12.1.1 - x86
                    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1024.429 [GMT 1:00]
                    Running from: c:\documents and settings\Rob\Desktop\war on spyware\commy.exe
                    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
                    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                    FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    c:\documents and settings\Rob\Application Data\install
                    c:\program files\Search Settings
                    c:\program files\Search Settings\FF\chrome.manifest
                    c:\program files\Search Settings\FF\chrome\content\plugin.js
                    c:\program files\Search Settings\FF\chrome\content\plugin.xul
                    c:\program files\Search Settings\FF\chrome\content\protection.js
                    c:\program files\Search Settings\FF\chrome\content\utils.js
                    c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.dtd
                    c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.properties
                    c:\program files\Search Settings\FF\components\IFBHOSearch.xpt
                    c:\program files\Search Settings\FF\components\IFBHOSearchHelperEngine.xpt
                    c:\program files\Search Settings\FF\components\IFHelperPreferences.xpt
                    c:\program files\Search Settings\FF\components\SearchSettingsFF.dll
                    c:\program files\Search Settings\FF\install.rdf
                    c:\program files\Search Settings\SearchSettings.exe
                    c:\program files\Search Settings\SearchSettings_AVG_RESTORED.exe
                    c:\program files\Search Settings\SearchSettingsRes409.dll
                    c:\windows\system\Pncrt.dll
                    c:\windows\system32\driVERs\ndhchq.sys

                    .
                    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
                    .
                    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    -------\Legacy_ndhchq
                    -------\Service_ndhchq


                    (((((((((((((((((((((((((   Files Created from 2010-10-14 to 2010-11-14  )))))))))))))))))))))))))))))))
                    .

                    2010-11-13 14:40 . 2010-11-13 14:40   --------   d-----w-   c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Google
                    2010-11-13 14:18 . 2010-09-07 15:52   165584   ----a-w-   c:\windows\system32\drivers\aswSP.sys
                    2010-11-13 14:18 . 2010-09-07 15:47   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
                    2010-11-13 14:18 . 2010-09-07 15:47   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
                    2010-11-13 14:18 . 2010-09-07 15:52   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
                    2010-11-13 14:18 . 2010-09-07 15:47   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
                    2010-11-13 14:18 . 2010-09-07 15:47   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
                    2010-11-13 14:18 . 2010-09-07 15:46   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
                    2010-11-13 14:17 . 2010-09-07 16:12   38848   ----a-w-   c:\windows\avastSS.scr
                    2010-11-13 14:17 . 2010-09-07 16:11   167592   ----a-w-   c:\windows\system32\aswBoot.exe
                    2010-11-13 14:17 . 2010-11-13 14:17   --------   d-----w-   c:\program files\Alwil Software
                    2010-11-13 14:17 . 2010-11-13 14:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
                    2010-11-13 13:17 . 2010-11-13 13:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
                    2010-11-10 22:43 . 2010-11-10 23:50   --------   d-----w-   c:\documents and settings\Rob\Application Data\Celemony Software GmbH
                    2010-11-10 22:42 . 2010-11-10 22:42   --------   d-----w-   c:\program files\Common Files\VST3
                    2010-11-10 22:41 . 2010-11-10 22:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\Celemony Software GmbH
                    2010-11-10 22:41 . 2010-11-10 22:41   --------   d-----w-   c:\program files\Common Files\Celemony
                    2010-11-08 04:09 . 2010-11-08 04:09   388096   ----a-r-   c:\documents and settings\Rob\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                    2010-11-08 04:09 . 2010-11-13 01:32   --------   d-----w-   c:\program files\Trend Micro
                    2010-11-03 19:23 . 2010-11-03 19:23   --------   d-----w-   C:\VritualRoot
                    2010-11-03 11:39 . 2010-11-03 11:39   --------   d-----w-   c:\documents and settings\Rob\Application Data\Malwarebytes
                    2010-11-03 11:39 . 2010-04-29 14:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                    2010-11-03 11:39 . 2010-11-03 11:39   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                    2010-11-03 11:39 . 2010-11-03 11:39   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                    2010-11-03 11:39 . 2010-04-29 14:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                    2010-11-03 11:29 . 2010-11-03 11:29   --------   d-----w-   c:\documents and settings\Administrator
                    2010-11-03 02:22 . 2010-11-03 02:22   --------   d-----w-   c:\documents and settings\Rob\Application Data\SUPERAntiSpyware.com
                    2010-11-03 02:22 . 2010-11-03 02:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                    2010-11-03 02:22 . 2010-11-08 15:13   --------   d-----w-   c:\program files\SUPERAntiSpyware
                    2010-11-03 01:59 . 2010-11-03 01:59   --------   d-----w-   c:\program files\CCleaner
                    2010-11-03 01:45 . 2010-11-03 01:45   --------   d-----w-   c:\program files\COMODO
                    2010-11-03 01:42 . 2010-11-03 11:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Comodo
                    2010-11-02 19:41 . 2010-11-02 19:41   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
                    2010-11-02 18:02 . 2010-11-02 18:02   --------   d-sh--w-   c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
                    2010-11-02 08:52 . 2006-03-30 16:39   368640   ----a-w-   c:\windows\system32\ReWire.dll
                    2010-11-02 08:07 . 2003-11-18 05:27   2402025   ----a-w-   c:\windows\system32\dongle.dll
                    2010-10-31 00:26 . 2010-10-31 00:26   --------   d-----w-   c:\windows\system32\wbem\Repository
                    2010-10-30 23:44 . 2010-10-30 23:44   --------   d-----w-   c:\documents and settings\Rob\Application Data\DriverCure
                    2010-10-28 23:34 . 2010-10-28 23:34   --------   d-----w-   c:\program files\u-he
                    2010-10-28 23:34 . 2010-11-10 22:41   --------   d-----w-   c:\program files\Celemony
                    2010-10-27 21:40 . 2010-10-27 21:40   --------   d-----w-   c:\documents and settings\Rob\Application Data\Antares
                    2010-10-27 21:18 . 2010-11-02 10:28   --------   d-----w-   c:\program files\Antares Audio Technologies
                    2010-10-27 12:15 . 2010-11-13 13:45   --------   d-----w-   C:\found.001
                    2010-10-26 17:12 . 2010-11-13 13:10   --------   d-----w-   c:\documents and settings\Rob\Application Data\uTorrent
                    2010-10-26 12:49 . 2010-11-02 07:57   --------   d-----w-   c:\program files\Syncrosoft
                    2010-10-26 12:49 . 2002-11-25 05:36   45056   ----a-w-   c:\windows\system32\Synsopos.exe
                    2010-10-26 12:47 . 2000-06-27 21:40   487936   ----a-w-   c:\windows\system32\Rmbe3260.dll
                    2010-10-26 12:47 . 1999-02-26 16:08   87040   ----a-w-   c:\windows\system32\Ra32sipr.dll
                    2010-10-26 12:47 . 1999-02-26 16:08   72704   ----a-w-   c:\windows\system32\Ra3228_8.dll
                    2010-10-26 12:47 . 1999-02-26 16:08   21504   ----a-w-   c:\windows\system32\Ra32dnet.dll
                    2010-10-26 12:47 . 2000-06-27 21:40   352768   ----a-w-   c:\windows\system32\pngu3263.dll
                    2010-10-26 12:47 . 1999-02-26 16:08   81920   ----a-w-   c:\windows\system32\Ra3214_4.dll
                    2010-10-26 12:47 . 1999-02-26 16:08   131072   ----a-w-   c:\windows\system32\Pneng50.dll
                    2010-10-26 12:47 . 1999-02-26 16:08   85504   ----a-w-   c:\windows\system32\Encdnet.dll
                    2010-10-26 12:47 . 1999-02-26 16:08   61952   ----a-w-   c:\windows\system32\Decdnet.dll
                    2010-10-26 12:47 . 1999-02-26 16:08   130560   ----a-w-   c:\windows\system32\Pnc3250.dll
                    2010-10-25 22:24 . 2010-10-25 22:36   --------   d-----w-   c:\documents and settings\Rob\Application Data\Easy Duplicate Finder
                    2010-10-23 22:32 . 2007-11-06 11:22   36224   ----a-w-   c:\windows\system32\drivers\ArcCD.sys
                    2010-10-23 22:32 . 2007-04-25 06:55   134912   ----a-w-   c:\windows\system32\drivers\ArcUdfs.sys
                    2010-10-23 22:32 . 2007-04-24 09:33   7680   ----a-w-   c:\windows\system32\drivers\ArcRec.sys
                    2010-10-21 13:47 . 2010-10-23 22:32   --------   d-----w-   c:\program files\Kodak
                    2010-10-20 20:16 . 2010-10-20 20:16   --------   d-----w-   c:\documents and settings\Rob\Application Data\AnvSoft
                    2010-10-20 20:16 . 2010-10-20 20:17   --------   d-----w-   c:\program files\Any Video Converter
                    2010-10-20 19:29 . 2010-10-20 19:32   --------   d-----w-   c:\documents and settings\Rob\Local Settings\Application Data\Video Converter
                    2010-10-20 19:28 . 2010-10-26 12:28   --------   d-----w-   c:\program files\Free Video Converter
                    2010-10-20 19:27 . 2010-10-20 19:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\VideoConverter
                    2010-10-19 15:46 . 2010-10-19 15:46   --------   d-----w-   c:\documents and settings\Rob\Local Settings\Application Data\ArcSoft
                    2010-10-19 15:42 . 2010-10-21 13:51   --------   d--h--w-   c:\documents and settings\All Users\Application Data\ArcSoft
                    2010-10-19 15:40 . 2006-11-10 13:05   18688   ----a-w-   c:\windows\system32\drivers\afc.sys
                    2010-10-19 15:40 . 2010-10-23 22:34   --------   d-----w-   c:\program files\Common Files\ArcSoft
                    2010-10-19 15:39 . 2010-10-19 16:15   --------   d-----w-   c:\documents and settings\Rob\Application Data\ArcSoft
                    2010-10-19 11:12 . 2010-10-19 11:12   --------   d-----w-   c:\documents and settings\Guest\Application Data\Apple Computer
                    2010-10-19 11:12 . 2010-10-19 11:12   --------   d-----w-   c:\documents and settings\Guest\Local Settings\Application Data\Apple Computer

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2010-10-03 15:14 . 2010-10-03 15:14   76   ----a-w-   c:\documents and settings\Rob\Local Settings\Application Data\GLF458.tmp
                    2010-09-19 20:32 . 2010-09-18 17:44   184976   ----a-w-   C:\CEPxReverb3.tmp
                    2010-09-19 19:25 . 2009-12-25 18:38   2762080   ----a-w-   C:\CEPxReverb2.tmp
                    2010-09-19 17:13 . 2009-10-24 18:32   5058192   ----a-w-   C:\CEPxReverb1.tmp
                    2010-09-19 17:05 . 2009-10-23 23:22   3890576   ----a-w-   C:\CEPxReverb0.tmp
                    2010-09-19 16:59 . 2009-10-23 20:08   2882976   ----a-w-   C:\CEPxReverb9.tmp
                    2010-09-19 16:58 . 2009-10-23 19:56   2561744   ----a-w-   C:\CEPxReverb8.tmp
                    2010-09-19 15:53 . 2009-10-23 19:55   2440800   ----a-w-   C:\CEPxReverb7.tmp
                    2010-09-19 14:11 . 2009-10-13 23:12   698256   ----a-w-   C:\CEPxReverb6.tmp
                    2010-09-19 14:11 . 2009-10-13 23:11   3366624   ----a-w-   C:\CEPxReverb5.tmp
                    2010-09-18 17:45 . 2010-09-18 17:45   2142080   ----a-w-   C:\CEPxReverb4.tmp
                    2010-09-10 22:41 . 2010-09-10 22:41   285480   ----a-w-   c:\windows\system32\guard32.dll
                    2010-09-10 22:40 . 2010-09-10 22:40   91560   ----a-w-   c:\windows\system32\drivers\inspect.sys
                    2010-09-10 22:40 . 2010-09-10 22:40   25240   ----a-w-   c:\windows\system32\drivers\cmdhlp.sys
                    2010-09-10 22:40 . 2010-09-10 22:40   239240   ----a-w-   c:\windows\system32\drivers\cmdGuard.sys
                    2010-09-10 22:40 . 2010-09-10 22:40   15592   ----a-w-   c:\windows\system32\drivers\cmderd.sys
                    2010-09-08 09:17 . 2010-09-08 09:17   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
                    2010-09-08 09:17 . 2010-09-08 09:17   69632   ----a-w-   c:\windows\system32\QuickTime.qts
                    .

                    ------- Sigcheck -------

                    [-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll
                    [7] 2004-08-03 . 98EC447E00229AFD88D5161A25D065DA . 343040 . . [7.0.2600.2180] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
                    [7] 2004-08-03 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\system32\dllcache\msvcrt.dll
                    [7] 2002-08-29 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
                    .
                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
                    "DeltTray"="DeltTray.exe" [2003-12-10 56320]
                    "B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2010-03-16 300992]
                    "tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-14 110592]
                    "snp2std"="c:\windows\vsnp2std.exe" [2005-11-16 344064]
                    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
                    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-10 2500552]
                    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
                    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
                    "ArcSoft MediaImpression Monitor"="c:\program files\Kodak\MediaImpression\ArcMonitor.exe" [2010-07-20 80384]
                    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
                    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

                    c:\documents and settings\All Users\Start Menu\Programs\Startup\
                    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-8 113664]
                    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                    2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
                    @="Service"

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                    "EnableFirewall"= 0 (0x0)

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\system32\\sessmgr.exe"=
                    "c:\\Program Files\\Messenger\\msmsgs.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
                    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
                    "c:\\Program Files\\iTunes\\iTunes.exe"=
                    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                    "1035:TCP"= 1035:TCP:Akamai NetSession Interface
                    "5000:UDP"= 5000:UDP:Akamai NetSession Interface

                    R0 inic1620;inic1620;c:\windows\system32\drivers\inic1620.sys [9/3/2009 4:41 PM 20224]
                    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/24/2009 1:43 PM 64288]
                    R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\Si3112r.sys [9/4/2009 5:10 PM 84529]
                    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/13/2010 3:18 PM 165584]
                    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [9/10/2010 11:40 PM 239240]
                    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/10/2010 11:40 PM 25240]
                    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 7:25 PM 12872]
                    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 7:41 PM 67656]
                    R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [12/16/2009 5:38 PM 375296]
                    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/13/2010 3:18 PM 17744]
                    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 12:17 PM 1181328]
                    R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [10/23/2010 11:32 PM 36224]
                    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/13/2010 3:18 PM 136176]
                    S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [10/23/2010 11:32 PM 134912]

                    --- Other Services/Drivers In Memory ---

                    *Deregistered* - ArcRec
                    .
                    Contents of the 'Scheduled Tasks' folder

                    2010-11-14 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
                    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:44]

                    2010-11-14 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
                    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:44]

                    2010-11-14 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
                    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:44]

                    2010-11-14 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
                    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:44]

                    2010-11-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
                    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:44]

                    2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-13 14:18]

                    2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-13 14:18]
                    .
                    .
                    ------- Supplementary Scan -------
                    .
                    uStart Page = hxxp://www.google.com/
                    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
                    TCP: {F40B8187-044C-4BFC-8FC8-B9C24ED5BE98} = 156.154.70.22,156.154.71.22
                    FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\33uo4by5.default\
                    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
                    FF - prefs.js: browser.search.selectedEngine - Web Search
                    FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/403
                    FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=403&q=
                    FF - component: c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\33uo4by5.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
                    FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
                    FF - plugin: c:\program files\Mozilla Firefox\plugins\npornap.dll
                    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
                    FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
                    .
                    - - - - ORPHANS REMOVED - - - -

                    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
                    HKLM-Run-RevHDD - c:\windows\SYSTEM\RevHDD.exe
                    HKLM-Run-Cmaudio - cmicnfg.cpl
                    Notify-avgrsstarter - avgrsstx.dll
                    AddRemove-VB:FFX-4 Rack - c:\program files\VB\FFX4\uninst.exe



                    **************************************************************************

                    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2010-11-14 02:33
                    Windows 5.1.2600 Service Pack 2 NTFS

                    detected NTDLL code modification:
                    ZwClose, ZwOpenFile

                    scanning hidden processes ... 

                    scanning hidden autostart entries ...

                    scanning hidden files ... 

                    scan completed successfully
                    hidden files: 0

                    **************************************************************************
                    .
                    --------------------- LOCKED REGISTRY KEYS ---------------------

                    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
                    @Denied: (2) (LocalSystem)
                    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
                       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,9f,f0,f1,a6,9c,30,46,b7,40,12,\
                    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
                       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,9f,f0,f1,a6,9c,30,46,b7,40,12,\

                    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
                    @Denied: (A 2) (Everyone)
                    @="FlashBroker"
                    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

                    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
                    "Enabled"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
                    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

                    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
                    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

                    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
                    @Denied: (A 2) (Everyone)
                    @="IFlashBroker4"

                    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
                    @="{00020424-0000-0000-C000-000000000046}"

                    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
                    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                    "Version"="1.0"
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------

                    - - - - - - - > 'winlogon.exe'(736)
                    c:\windows\system32\WININET.dll
                    c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                    - - - - - - - > 'lsass.exe'(796)
                    c:\windows\system32\guard32.dll
                    c:\windows\system32\WININET.dll

                    - - - - - - - > 'explorer.exe'(2324)
                    c:\windows\system32\WININET.dll
                    c:\windows\system32\guard32.dll
                    c:\windows\system32\msi.dll
                    c:\windows\system32\ieframe.dll
                    c:\windows\system32\webcheck.dll
                    c:\windows\system32\WPDShServiceObj.dll
                    c:\windows\system32\PortableDeviceTypes.dll
                    c:\windows\system32\PortableDeviceApi.dll
                    .
                    ------------------------ Other Running Processes ------------------------
                    .
                    c:\program files\Alwil Software\Avast5\AvastSvc.exe
                    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
                    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
                    c:\windows\system32\wbem\unsecapp.exe
                    c:\windows\system32\wscntfy.exe
                    c:\windows\system32\DeltTray.exe
                    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
                    c:\program files\iPod\bin\iPodService.exe
                    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
                    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
                    .
                    **************************************************************************
                    .
                    Completion time: 2010-11-14  02:40:05 - machine was rebooted
                    ComboFix-quarantined-files.txt  2010-11-14 01:39

                    Pre-Run: 14,949,916,672 bytes free
                    Post-Run: 16,544,411,648 bytes free

                    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
                    [boot loader]
                    timeout=2
                    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                    [operating systems]
                    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                    UnsupportedDebug="do not select this" /debug
                    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

                    - - End Of File - - 5EFB47407E3E9A14136BF9EC820B082A
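As an added example (not from the thread, and not ComboFix's own code), a small Python triage script that walks a ComboFix log like the one above section by section and flags the items a malware-removal helper looks for first: the Windows Firewall policy set to disabled, browser homepage/search prefs pointing at an unexpected host, the NTDLL code modification that catchme reports, and the orphaned autostart entries. The sample excerpt is constructed from lines in the posted log, and the allowlist of expected search hosts is an assumed operator policy, not a ComboFix rule.

```python
# Added example: triage a ComboFix log for the findings a malware-removal helper acts on.
# Not part of the forum thread and not ComboFix's own code.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    category: str  # firewall | browser-hijack | rootkit | orphan
    detail: str

# Search/homepage hosts the operator treats as legitimate (assumed policy, not a ComboFix rule).
EXPECTED_SEARCH_HOSTS = {"www.google.com"}
# Firefox prefs that search hijackers commonly rewrite.
WATCHED_PREFS = {"browser.startup.homepage", "keyword.URL", "browser.search.defaulturl"}
_FIREWALL_KEY = re.compile(r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\(\w+)\]$", re.I)
_ENABLE_FW = re.compile(r'^"EnableFirewall"=\s*(\d+)')
_START_PAGE = re.compile(r"^[um]Start Page = (.+)$")
_FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$")
_NTDLL = re.compile(r"^detected NTDLL code modification:")
_ORPHAN_HDR = re.compile(r"^- - - - ORPHANS REMOVED - - - -")
_SECTION_BREAK = re.compile(r"^[-(*]")  # ComboFix section banners start with ---, (((( or ****
_URL_HOST = re.compile(r"h(?:xx|tt)ps?://([^/\s?]+)")  # ComboFix defangs http as hxxp

def _check_search_url(label: str, value: str, findings: list) -> None:
    # Flag a homepage/search setting whose host is outside the expected set.
    m = _URL_HOST.search(value)
    host = m.group(1).lower() if m else None
    if host not in EXPECTED_SEARCH_HOSTS:
        findings.append(Finding("browser-hijack", f"{label} points at {host or value!r}"))

def triage(log_text: str) -> list:
    findings: list = []
    fw_profile = None   # firewall profile whose registry key we are inside, if any
    in_orphans = False  # inside the "ORPHANS REMOVED" list
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line == ".":
            # A blank line after at least one orphan entry closes the orphan list.
            if in_orphans and findings and findings[-1].category == "orphan":
                in_orphans = False
            continue
        if _ORPHAN_HDR.match(line):
            in_orphans = True
            continue
        if _SECTION_BREAK.match(line):
            in_orphans, fw_profile = False, None
            continue
        if line.startswith("["):  # registry key header; track only firewall policy keys
            m = _FIREWALL_KEY.match(line)
            fw_profile = m.group(1) if m else None
            continue
        m = _ENABLE_FW.match(line)
        if m and fw_profile and m.group(1) == "0":
            findings.append(Finding("firewall", f"Windows Firewall disabled for the {fw_profile} profile"))
            continue
        m = _START_PAGE.match(line)
        if m:
            _check_search_url("IE start page", m.group(1), findings)
            continue
        m = _FF_PREF.match(line)
        if m and m.group(1) in WATCHED_PREFS:
            _check_search_url(f"Firefox {m.group(1)}", m.group(2), findings)
            continue
        if _NTDLL.match(line):
            # catchme lists the modified exports on the next line. A security product's own
            # hooks can appear here too, so treat this as a lead for a human, not a verdict.
            funcs = lines[i].strip() if i < len(lines) else "(unspecified)"
            i += 1
            findings.append(Finding("rootkit", f"NTDLL code modification reported on {funcs}"))
            continue
        if in_orphans:
            findings.append(Finding("orphan", line))
    return findings

# Constructed excerpt modelled on the log posted in the thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/403
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=403&q=
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query=
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-RevHDD - c:\windows\SYSTEM\RevHDD.exe

detected NTDLL code modification:
ZwClose, ZwOpenFile
"""
```

Running `triage(SAMPLE_LOG)` yields one firewall finding, three browser-hijack findings, two orphans and one rootkit lead; an `"EnableFirewall"= 0` line outside a firewall policy key is ignored.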



                    SuperDave

                    • Malware Removal Specialist


                    Re: THINKPOINT boot virus
                    « Reply #44 on: November 14, 2010, 01:16:18 PM »
                    Quote
                    Is it ok to run Avast! alongside an anti-malware program like SuperAntiSpyware?
                    Yes. It's ok.
                    We're finally making some progress. Let's do this next.


                    Re-running ComboFix to remove infections:

                    • Close any open browsers.
                    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
                    • Open notepad and copy/paste the text in the quotebox below into it:
                      Quote
                      KillAll::

                      File::
                      C:\found.001

                    • Save this as CFScript.txt, in the same location as ComboFix.exe



                    • Referring to the picture above, drag CFScript into ComboFix.exe
                    • When finished, it shall produce a log for you at C:\ComboFix.txt
                    • I don't need to see the log from this action.
                    ************************************

                    Download OTL to your Desktop
                    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
                    • Under the Custom Scan box paste this in
                    netsvcs
                    msconfig
                    safebootminimal
                    safebootnetwork
                    activex
                    drivers32
                    %SYSTEMDRIVE%\*.exe
                    %systemroot%\*. /mp /s
                    c:\$recycle.bin\*.* /s
                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
                    /md5start
                    eventlog.dll
                    scecli.dll
                    netlogon.dll
                    cngaudit.dll
                    sceclt.dll
                    ntelogon.dll
                    logevent.dll
                    iaStor.sys
                    nvstor.sys
                    nvstor32.sys
                    atapi.sys
                    IdeChnDr.sys
                    viasraid.sys
                    AGP440.sys
                    vaxscsi.sys
                    nvatabus.sys
                    viamraid.sys
                    nvata.sys
                    nvgts.sys
                    iastorv.sys
                    ViPrt.sys
                    eNetHook.dll
                    explorer.exe
                    svchost.exe
                    userinit.exe
                    qmgr.dll
                    ws2_32.dll
                    proquota.exe
                    imm32.dll
                    kernel32.dll
                    ndis.sys
                    autochk.exe
                    spoolsv.exe
                    xmlprov.dll
                    ntmssvc.dll
                    mswsock.dll
                    Beep.SYS
                    ntfs.sys
                    termsrv.dll
                    sfcfiles.dll
                    st3shark.sys
                    ahcix86.sys
                    srsvc.dll
                    nvrd32.sys
                    /md5stop
                    %systemroot%\system32\*.dll /lockedfiles
                    %systemroot%\Tasks\*.job /lockedfiles

                    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
                    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
                    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time