Thinkpoint virus

I downloaded all the updates you asked for until a message appeared that said exception processing message c0000013 parameters and a bunch of other numbers. Not sure what to do now.

Re: Thinkpoint virus

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see this topic.

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.





Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from BleepingComputer.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here.
  • Click Start > Run, then copy/paste the following command into the Run box and click OK: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

[screenshot: ComboFix prompt asking to install the Recovery Console]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: Recovery Console installed successfully]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Thinkpoint virus

ComboFix 10-10-18.03 - Smith 10/19/2010 6:47.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.615 [GMT -4:00]
Running from: c:\documents and settings\Smith\My Documents\My Pictures\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
The following files were disabled during the run:
c:\program files\Spyware Doctor\Tools\swpg.dat


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Smith\Application Data\hotfix.exe
c:\documents and settings\Smith\g2mdlhlpx.exe
c:\documents and settings\Smith\System
c:\documents and settings\Smith\System\win_qs8.jqx
c:\windows\Downloaded Program Files\RdXIe.dll
c:\windows\ipexozuv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Service_6to4
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
.

2010-10-19 01:26 . 2010-10-19 01:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-10-19 00:53 . 2010-10-19 00:53 -------- d-----w- C:\FOUND.009
2010-10-19 00:17 . 2010-10-19 00:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 14:33 . 2010-10-17 14:33 -------- d-----w- C:\FOUND.008
2010-10-17 12:54 . 2010-10-18 18:53 0 ----a-w- c:\windows\Xcidahigafe.bin
2010-10-17 12:54 . 2010-10-17 12:54 -------- d-----w- c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}
2010-10-17 12:52 . 2010-10-17 12:52 194 ----a-w- c:\documents and settings\Smith\Application Data\26662.bat
2010-10-17 12:52 . 2010-10-17 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-14 17:57 . 2010-10-14 17:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-14 04:49 . 2010-10-14 04:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-14 04:27 . 2010-10-14 04:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-14 01:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 01:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 01:22 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2005-05-26 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-07-06 455344]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-06-01 20480]
"Lexmark 5000 Series Fax Server"="c:\program files\Lexmark 5000 Series\fm3032.exe" [2007-07-06 307888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-03-03 2033432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-6-30 131584]
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-03 12:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmamon.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMMON.EXE"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMFax.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmjswx.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDMwbgw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/25/2008 8:19 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/25/2008 8:19 AM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/3/2010 8:09 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/3/2010 8:09 AM 285392]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [9/17/2003 3:57 PM 8440]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2003 2:55 AM 11237]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [10/7/2008 12:50 PM 70144]

--- Other Services/Drivers In Memory ---

*Deregistered* - hqgnf
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pacersdigest.com/forumdisplay.php?f=3
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to AD Black List - c:\program files\Avant Browser\AddToADBlackList.htm
IE: Block All Images from the Same Server - c:\program files\Avant Browser\AddAllToADBlackList.htm
IE: Highlight - c:\program files\Avant Browser\Highlight.htm
IE: Open All Links in This Page... - c:\program files\Avant Browser\OpenAllLinks.htm
IE: Open In New Avant Browser - c:\program files\Avant Browser\OpenInNewBrowser.htm
IE: Search - c:\program files\Avant Browser\Search.htm
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} - hxxp://www.schaeffersresearch.com/Download/Cfx4Financial.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Mxinadomipu - c:\windows\dkbmpdet.dll
HKLM-Run-Syikudusiboqu - c:\windows\ipexozuv.dll



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866FA44C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf754af28
\Driver\ACPI -> ACPI.sys @ 0xf74bdcb8
\Driver\atapi -> atapi.sys @ 0xf73a2852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7319b0a
PacketIndicateHandler -> NDIS.sys @ 0xf7324a21
SendHandler -> NDIS.sys @ 0xf7319949
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\Smith\LOCALS~1\Temp\mc21.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\swpg.dat

- - - - - - - > 'lsass.exe'(608)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\swpg.dat

- - - - - - - > 'explorer.exe'(1004)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\swpg.dat
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(524)
c:\program files\Spyware Doctor\Tools\swpg.dat
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\lxdmserv.exe
c:\windows\system32\lxdmcoms.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-10-19 07:25:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-19 11:25

Pre-Run: 3,208,052,736 bytes free
Post-Run: 5,206,360,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6366578AB3E60BD78D58960F4E950C99

Re: Thinkpoint virus

The computer seems a lot faster now. Should I reactivate AVG antivirus now?

Thank you

Re: Thinkpoint virus

Your computer is not clean, yet.

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    killall::

    File::
    c:\windows\Xcidahigafe.bin
    c:\documents and settings\Smith\Application Data\26662.bat

    Folder::
    c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}
    c:\documents and settings\All Users\Application Data\Update

    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]

    Driver::
    mchInjDrv
    hqgnf

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [screenshot: dragging CFScript.txt onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.





Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.
    Link 1
    Link 2
    Link 3

  • Double-click on MBRCheck.exe to run it.
  • It will open a black window...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
  • Please copy and paste the contents of that log in your next reply.
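
The ComboFix log posted earlier and the CFScript in this post can be tied together in code. What follows is an added example, not ComboFix's own code and not anything the helper posted: it reads the text log ComboFix writes, flags the indicators the helper acted on (services that are in memory but deregistered, a service ImagePath that points into a user Temp folder, orphaned Run values that launched a DLL sitting directly in c:\windows, and the Security Center AntiVirusOverride flag), and then drafts a CFScript in the same directive format (killall::, Registry:: with the [-KEY] deletion syntax, Driver::, Reboot::). ComboFix is a closed tool, so the parsing rules, the finding names and the two path heuristics are this example's own assumptions; the sample lines are excerpted from the first log in the thread, and File:: and Folder:: entries are deliberately left to a human decision.

```python
"""Triage a ComboFix log and draft a CFScript from the findings.

Added example for this thread, not ComboFix's own code. The excerpt in
SAMPLE_LOG is copied from the first ComboFix log posted above (only the
sections this script reads are reproduced); the indicator names and the
path heuristics below are this example's own assumptions.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-03-03 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

--- Other Services/Drivers In Memory ---

*Deregistered* - hqgnf
*Deregistered* - mchInjDrv

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Mxinadomipu - c:\windows\dkbmpdet.dll
HKLM-Run-Syikudusiboqu - c:\windows\ipexozuv.dll

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\Smith\LOCALS~1\Temp\mc21.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]
"""

REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)
DEREGISTERED_RE = re.compile(r"^\*Deregistered\* - (\S+)$")
ORPHAN_RUN_RE = re.compile(r"^(HKCU|HKLM)-Run-(\S+) - (.+)$")
TEMP_PATH_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# A Run value whose target is a DLL directly in c:\windows (not system32) is
# the pattern seen in the log; legitimate Run entries point at EXEs elsewhere.
WINDOWS_ROOT_DLL_RE = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.IGNORECASE)


def triage(log_text):
    """Return {'findings': [...], 'service_keys': {name: key}} for a ComboFix log."""
    findings, service_keys, current_key = [], {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY_RE.match(line)
        if m:  # remember which registry key the following values belong to
            current_key = m.group(1)
            s = SERVICE_KEY_RE.search(current_key)
            if s:
                service_keys[s.group(1)] = current_key
            continue
        m = DEREGISTERED_RE.match(line)
        if m:  # running driver/service with no service registration left
            findings.append({"kind": "deregistered_driver", "name": m.group(1), "detail": line})
            continue
        m = ORPHAN_RUN_RE.match(line)
        if m:  # Run values ComboFix already removed; record the suspicious targets
            hive, value_name, target = m.groups()
            if WINDOWS_ROOT_DLL_RE.match(target):
                findings.append({"kind": "run_dll_in_windows_root", "name": value_name,
                                 "detail": "%s Run value -> %s" % (hive, target)})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current_key:
            value_name, data = m.groups()
            if value_name == "ImagePath" and TEMP_PATH_RE.search(data):
                findings.append({"kind": "service_from_temp",
                                 "name": current_key.rsplit("\\", 1)[-1], "detail": data})
            elif value_name == "AntiVirusOverride" and data.strip().lower() == "dword:00000001":
                findings.append({"kind": "security_center_override",
                                 "name": value_name, "detail": current_key})
    return {"findings": findings, "service_keys": service_keys}


def draft_cfscript(report):
    """Draft a CFScript in the directive format used in the thread.

    Driver:: names services to stop and delete; Registry:: deletes a key when
    it is written as [-KEY]. Only deregistered or Temp-loaded services are
    included, and the result is a draft to review, not something to run blind.
    """
    drivers = sorted({f["name"] for f in report["findings"]
                      if f["kind"] in ("deregistered_driver", "service_from_temp")})
    keys = [report["service_keys"][d] for d in drivers if d in report["service_keys"]]
    lines = ["killall::", ""]
    if keys:
        lines += ["Registry::"] + ["[-%s]" % k for k in keys] + [""]
    if drivers:
        lines += ["Driver::"] + drivers + [""]
    lines.append("Reboot::")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for f in report["findings"]:
        print("%-26s %-18s %s" % (f["kind"], f["name"], f["detail"]))
    print(draft_cfscript(report))
```

Run against the excerpt, the draft reproduces the Registry:: and Driver:: sections the helper wrote by hand for mchInjDrv and hqgnf. The AVG and SoundMan Run entries produce no finding, which is the point of keying the rules on where a target lives rather than on the value name alone.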

Re: Thinkpoint virus

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 122):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0x866F2000 \WINDOWS\system32\KDCOM.DLL
0xF791A000 \WINDOWS\system32\BOOTVID.dll
0xF74B7000 ACPI.sys
0xF7A06000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74A6000 pci.sys
0xF7506000 isapnp.sys
0xF73D3000 hqgnf.sys
0xF7ACE000 pciide.sys
0xF7786000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7516000 MountMgr.sys
0xF73B4000 ftdisk.sys
0xF778E000 PartMgr.sys
0xF7526000 VolSnap.sys
0xF739C000 atapi.sys
0xF7536000 disk.sys
0xF7546000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF737C000 fltmgr.sys
0xF736A000 sr.sys
0xF7346000 Fastfat.sys
0xF732F000 KSecDD.sys
0xF7302000 NDIS.sys
0xF7556000 uagp35.sys
0xF72E8000 Mup.sys
0xEF093000 \SystemRoot\system32\DRIVERS\processr.sys
0xB9E8A000 \SystemRoot\system32\DRIVERS\sisgrp.sys
0xB9E76000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xEF083000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xEF073000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9E53000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9DC0000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xB9D9C000 \SystemRoot\system32\drivers\portcls.sys
0xEF063000 \SystemRoot\system32\drivers\drmk.sys
0xB9D3C000 \SystemRoot\system32\drivers\ALCXSENS.SYS
0xEF1B3000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB9D18000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xEF1AB000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xEF1A3000 \SystemRoot\system32\DRIVERS\sisnic.sys
0xB9C85000 \SystemRoot\system32\DRIVERS\Intels51.sys
0xEF19B000 \SystemRoot\System32\Drivers\Modem.SYS
0xEF193000 \SystemRoot\system32\DRIVERS\fdc.sys
0xEF053000 \SystemRoot\system32\DRIVERS\serial.sys
0xEF0DF000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB9C71000 \SystemRoot\system32\DRIVERS\parport.sys
0xEF043000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xEF18B000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xEE1CA000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xEE2C4000 \SystemRoot\system32\DRIVERS\audstub.sys
0xEF033000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xEF0DB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9C5A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xEF023000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xEE847000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xEE1C2000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9BF9000 \SystemRoot\system32\DRIVERS\psched.sys
0xEE837000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xEE1BA000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xEE1B2000 \SystemRoot\system32\DRIVERS\raspti.sys
0xEE827000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB7D31000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB5016000 \SystemRoot\system32\DRIVERS\update.sys
0xEF57D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB602A000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB600A000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB7D2F000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF79F2000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xB57E5000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB7D2D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB5410000 \SystemRoot\System32\Drivers\Null.SYS
0xB7D2B000 \SystemRoot\System32\Drivers\Beep.SYS
0xB57D5000 \SystemRoot\System32\drivers\vga.sys
0xB7D29000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB7D27000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB57CD000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB57C5000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEF569000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB1AF1000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB1A98000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB1A41000 \SystemRoot\System32\Drivers\avgtdix.sys
0xB1A19000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB19F7000 \SystemRoot\System32\drivers\afd.sys
0xB5FEA000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF72A4000 \SystemRoot\system32\DRIVERS\srvkp.sys
0xB19CC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB1934000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB5FCA000 \SystemRoot\System32\Drivers\Fips.SYS
0xB190E000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB5FBA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB57BD000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB18BE000 \SystemRoot\System32\Drivers\avgldx86.sys
0xB4FEC000 \SystemRoot\system32\drivers\ftdibus.sys
0xB50E8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB18A8000 \SystemRoot\system32\drivers\ftser2k.sys
0xF79E6000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xBA5DE000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA5D6000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF79DA000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB55E8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA5C6000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA6D0000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB1890000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB655F000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEE4B1000 \SystemRoot\System32\drivers\Dxapi.sys
0xB9C3A000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C03000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\SiSGRV.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEF5AD000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB171B000 \SystemRoot\system32\drivers\wdmaud.sys
0xB5658000 \SystemRoot\system32\drivers\sysaudio.sys
0xB15BF000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A20000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB14B6000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA606000 \??\C:\DOCUME~1\Smith\LOCALS~1\Temp\mbr.sys
0xB0F4D000 \SystemRoot\System32\Drivers\HTTP.sys
0xB5E38000 \??\C:\DOCUME~1\Smith\LOCALS~1\Temp\mc21.tmp
0xF7A38000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xB072D000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\System32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
464 C:\WINDOWS\system32\SMSS.EXE
524 C:\WINDOWS\system32\CSRSS.EXE
548 C:\WINDOWS\system32\WINLOGON.EXE
596 C:\WINDOWS\system32\SERVICES.EXE
608 C:\WINDOWS\system32\LSASS.EXE
760 C:\WINDOWS\system32\SVCHOST.EXE
840 C:\WINDOWS\system32\SVCHOST.EXE
1012 C:\Program Files\AVG\AVG9\AVGCHSVX.EXE
1020 C:\Program Files\AVG\AVG9\AVGRSX.EXE
1228 C:\WINDOWS\system32\SVCHOST.EXE
1292 C:\Program Files\AVG\AVG9\AVGCSRVX.EXE
1372 C:\WINDOWS\system32\SVCHOST.EXE
1628 C:\WINDOWS\system32\SPOOLSV.EXE
180 C:\WINDOWS\system32\SVCHOST.EXE
232 C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
728 C:\Program Files\AVG\AVG9\AVGWDSVC.EXE
992 C:\Program Files\Java\JRE6\BIN\JQS.EXE
1108 C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\LXDMSERV.EXE
1176 C:\WINDOWS\system32\LXDMCOMS.EXE
1316 C:\WINDOWS\system32\SVCHOST.EXE
1760 C:\WINDOWS\system32\SVCHOST.EXE
1788 C:\WINDOWS\system32\SVCHOST.EXE
2352 C:\Program Files\AVG\AVG9\AVGEMC.EXE
2432 C:\Program Files\AVG\AVG9\AVGNSX.EXE
2672 C:\Program Files\AVG\AVG9\AVGCSRVX.EXE
3072 C:\WINDOWS\system32\ALG.EXE
3448 C:\WINDOWS\SOUNDMAN.EXE
3496 C:\Program Files\Lexmark 5000 Series\LXDMMON.EXE
3504 C:\Program Files\Lexmark 5000 Series\LXDMAMON.EXE
3528 C:\Program Files\AVG\AVG9\AVGTRAY.EXE
3596 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3684 C:\Program Files\Spyware Doctor\SWDOCTOR.EXE
3828 C:\Program Files\NETGEAR GA311 Adapter\GA311.EXE
1004 C:\WINDOWS\EXPLORER.EXE
3412 C:\Program Files\Messenger\MSMSGS.EXE
1616 C:\WINDOWS\system32\SVCHOST.EXE
3900 C:\Program Files\Avant Browser\AVANT.EXE
3572 C:\WINDOWS\system32\ctfmon.exe
2776 C:\Program Files\Outlook Express\MSIMN.EXE
860 C:\Documents and Settings\Smith\Local Settings\Temporary Internet Files\Content.IE5\9AS4MTYN\MBRCheck[1].exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST320015A, Rev: 3.03

Size Device Name MBR Status
--------------------------------------------
18 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
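
The MBRCheck log above is worth reading as a load-order list, not only for its MBR verdict: hqgnf.sys appears by bare file name between isapnp.sys and pciide.sys, the group of boot-start drivers that load before the ATAPI and disk stack, and mc21.tmp is a kernel module loaded out of the user's Temp folder. The following is an added example, not part of MBRCheck or of the thread, that parses the "Kernel Drivers" section and applies three checks: a bare-name driver that is not on an allowlist of stock Windows XP boot drivers, any module loaded from a Temp path, and any module without a driver-style extension. The allowlist is this example's own assumption about a stock XP SP3 install; the sample lines are excerpted from the log above. It also flags mbr.sys, which is most likely the driver of the GMER mbr tool that ComboFix ran (the "Stealth MBR rootkit" section in the ComboFix log), while PROCEXP113.SYS (Process Explorer) passes because it loads from system32\Drivers: the rules surface candidates, and a person still separates known tools from malware.

```python
"""Flag out-of-place entries in the 'Kernel Drivers' list of an MBRCheck log.

Added example, not MBRCheck's code. MBRCheck prints kernel modules in load
order; in the posted log the early entries carry a bare file name, which is
how XP records the boot-start drivers ntldr loads before the disk stack is
up, so an unknown name in that group deserves attention. XP_BOOT_DRIVERS is
an assumed allowlist for a stock XP SP3 install; SAMPLE_MBRCHECK is excerpted
from the log posted above.
"""
import re

SAMPLE_MBRCHECK = r"""
Kernel Drivers (total 122):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF74B7000 ACPI.sys
0xF74A6000 pci.sys
0xF7506000 isapnp.sys
0xF73D3000 hqgnf.sys
0xF7ACE000 pciide.sys
0xF7516000 MountMgr.sys
0xF739C000 atapi.sys
0xF7536000 disk.sys
0xF7546000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7302000 NDIS.sys
0xB1A41000 \SystemRoot\System32\Drivers\avgtdix.sys
0xBA606000 \??\C:\DOCUME~1\Smith\LOCALS~1\Temp\mbr.sys
0xB5E38000 \??\C:\DOCUME~1\Smith\LOCALS~1\Temp\mc21.tmp
0xF7A38000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0x7C900000 \WINDOWS\System32\ntdll.dll

Processes (total 42):
0 System Idle Process
"""

# Assumed allowlist: boot-start drivers a stock XP SP3 box lists by bare name.
# Extend it with third-party storage or filter drivers you have verified.
XP_BOOT_DRIVERS = {
    "acpi.sys", "pci.sys", "isapnp.sys", "pciide.sys", "mountmgr.sys",
    "ftdisk.sys", "partmgr.sys", "volsnap.sys", "atapi.sys", "disk.sys",
    "fltmgr.sys", "sr.sys", "fastfat.sys", "ntfs.sys", "ksecdd.sys",
    "ndis.sys", "uagp35.sys", "agp440.sys", "mup.sys",
}
DRIVER_LINE_RE = re.compile(r"^0x([0-9A-Fa-f]{8}) (.+)$")
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)
DRIVER_EXTENSIONS = ("sys", "dll", "exe")


def parse_kernel_drivers(log_text):
    """Return [(base_address, path), ...] in load order from the Kernel Drivers section."""
    drivers, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Kernel Drivers"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line:  # the section ends at the first blank line
            break
        m = DRIVER_LINE_RE.match(line)
        if m:
            drivers.append((int(m.group(1), 16), m.group(2)))
    return drivers


def flag_drivers(drivers):
    """Return [(path, reason), ...] for modules that need a second look."""
    flagged = []
    for _base, path in drivers:
        name = path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if "\\" not in path and name.lower() not in XP_BOOT_DRIVERS:
            flagged.append((path, "boot-start driver not in the XP allowlist"))
        if TEMP_PATH_RE.search(path):
            flagged.append((path, "kernel module loaded from a user Temp folder"))
        if ext not in DRIVER_EXTENSIONS:
            flagged.append((path, "kernel module with a non-driver extension"))
    return flagged


def loaded_before(drivers, first, second):
    """True if module `first` sits earlier in load order than `second`."""
    names = [p.rsplit("\\", 1)[-1].lower() for _b, p in drivers]
    first, second = first.lower(), second.lower()
    return first in names and second in names and names.index(first) < names.index(second)


if __name__ == "__main__":
    drivers = parse_kernel_drivers(SAMPLE_MBRCHECK)
    for path, reason in flag_drivers(drivers):
        print("%-55s %s" % (path, reason))
    print("hqgnf.sys loads before atapi.sys:", loaded_before(drivers, "hqgnf.sys", "atapi.sys"))
```

Load order matters here because a driver that starts before atapi.sys and disk.sys can filter disk I/O below everything that later reads the MBR, which is why the GMER detector in the ComboFix log reports hooks on \Driver\Disk, \Driver\ACPI and \Driver\atapi even though the MBR bytes themselves compare clean.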

Re: Thinkpoint virus

I have lost my Outlook Express e-mail somewhere. My Hotmail works fine.

Re: Thinkpoint virus

Now the log from ComboFix, please.

Re: Thinkpoint virus

ComboFix 10-10-18.03 - Smith 10/19/2010 14:30:21.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.622 [GMT -4:00]
Running from: c:\documents and settings\Smith\My Documents\My Pictures\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
The following files were disabled during the run:
c:\program files\Spyware Doctor\Tools\swpg.dat


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Update\seupd.exe
c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}
c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}\chrome.manifest
c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}\chrome\content\_cfg.js
c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}\chrome\content\overlay.xul
c:\documents and settings\Smith\Local Settings\Application Data\{08D0D98B-F84C-4993-A16C-807FAB0AC17F}\install.rdf
c:\program files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\system32\certstore.dat

.
((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
.

2010-10-19 01:26 . 2010-10-19 01:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-10-19 00:53 . 2010-10-19 00:53 -------- d-----w- C:\FOUND.009
2010-10-19 00:17 . 2010-10-19 00:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 14:33 . 2010-10-17 14:33 -------- d-----w- C:\FOUND.008
2010-10-17 12:54 . 2010-10-18 18:53 0 ----a-w- c:\windows\Xcidahigafe.bin
2010-10-17 12:52 . 2010-10-17 12:52 194 ----a-w- c:\documents and settings\Smith\Application Data\26662.bat
2010-10-17 12:52 . 2010-10-17 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-14 17:57 . 2010-10-14 17:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-14 04:49 . 2010-10-14 04:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-14 04:27 . 2010-10-14 04:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-14 01:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 01:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 01:22 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2005-05-26 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-07-06 455344]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-06-01 20480]
"Lexmark 5000 Series Fax Server"="c:\program files\Lexmark 5000 Series\fm3032.exe" [2007-07-06 307888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-03-03 2033432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-6-30 131584]
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-03 12:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmamon.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMMON.EXE"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMFax.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmjswx.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDMwbgw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/25/2008 8:19 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/25/2008 8:19 AM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/3/2010 8:09 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/3/2010 8:09 AM 285392]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [9/17/2003 3:57 PM 8440]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2003 2:55 AM 11237]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [10/7/2008 12:50 PM 70144]

--- Other Services/Drivers In Memory ---

*Deregistered* - hqgnf
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pacersdigest.com/forumdisplay.php?f=3
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride =
IE: Add to AD Black List - c:\program files\Avant Browser\AddToADBlackList.htm
IE: Block All Images from the Same Server - c:\program files\Avant Browser\AddAllToADBlackList.htm
IE: Highlight - c:\program files\Avant Browser\Highlight.htm
IE: Open All Links in This Page... - c:\program files\Avant Browser\OpenAllLinks.htm
IE: Open In New Avant Browser - c:\program files\Avant Browser\OpenInNewBrowser.htm
IE: Search - c:\program files\Avant Browser\Search.htm
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} - hxxp://www.schaeffersresearch.com/Download/Cfx4Financial.cab
.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8677444C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf751ef28
\Driver\ACPI -> ACPI.sys @ 0xf7491cb8
\Driver\atapi -> atapi.sys @ 0xf7376852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf72edb0a
PacketIndicateHandler -> NDIS.sys @ 0xf72f8a21
SendHandler -> NDIS.sys @ 0xf72ed949
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(616)
c:\windows\system32\WININET.dll
.
Completion time: 2010-10-19 14:53:56
ComboFix-quarantined-files.txt 2010-10-19 18:53
ComboFix2.txt 2010-10-19 11:25

Pre-Run: 5,107,777,536 bytes free
Post-Run: 5,195,726,848 bytes free

- - End Of File - - 413FD869DBC8329D1931DB89B1ED357C

Re: Thinkpoint virus
Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    killall::
    File::
    c:\windows\Xcidahigafe.bin
    c:\documents and settings\Smith\Application Data\26662.bat

    Folder::
    c:\documents and settings\All Users\Application Data\Update

    DirLook::
    C:\FOUND.008
    C:\FOUND.009
    C:\

    MBR::

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [picture: dragging CFScript.txt onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

Re: Thinkpoint virus
ComboFix is not launching for me this last time yet.

Re: Thinkpoint virus
ComboFix 10-10-18.03 - Smith 10/20/2010 10:42:20.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.738 [GMT -4:00]
Running from: c:\documents and settings\Smith\My Documents\My Pictures\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-09-20 to 2010-10-20 )))))))))))))))))))))))))))))))
.

2010-10-19 01:26 . 2010-10-19 01:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-10-19 00:53 . 2010-10-19 00:53 -------- d-----w- C:\FOUND.009
2010-10-19 00:17 . 2010-10-19 00:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 14:33 . 2010-10-17 14:33 -------- d-----w- C:\FOUND.008
2010-10-17 12:54 . 2010-10-18 18:53 0 ----a-w- c:\windows\Xcidahigafe.bin
2010-10-17 12:52 . 2010-10-17 12:52 194 ----a-w- c:\documents and settings\Smith\Application Data\26662.bat
2010-10-17 12:52 . 2010-10-17 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-14 17:57 . 2010-10-14 17:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-14 04:49 . 2010-10-14 04:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-14 04:27 . 2010-10-14 04:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-14 01:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 01:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 01:22 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2005-05-26 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-07-06 455344]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-06-01 20480]
"Lexmark 5000 Series Fax Server"="c:\program files\Lexmark 5000 Series\fm3032.exe" [2007-07-06 307888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-03-03 2033432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-6-30 131584]
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-03 12:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmamon.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMMON.EXE"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMFax.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmjswx.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDMwbgw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/25/2008 8:19 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/3/2010 8:09 AM 285392]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [9/17/2003 3:57 PM 8440]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2003 2:55 AM 11237]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/25/2008 8:19 AM 333192]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/3/2010 8:09 AM 906520]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [10/7/2008 12:50 PM 70144]

--- Other Services/Drivers In Memory ---

*Deregistered* - hqgnf
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pacersdigest.com/forumdisplay.php?f=3
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride =
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} - hxxp://www.schaeffersresearch.com/Download/Cfx4Financial.cab
.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866F944C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf751ef28
\Driver\ACPI -> ACPI.sys @ 0xf7491cb8
\Driver\atapi -> atapi.sys @ 0xf7376852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf72edb0a
PacketIndicateHandler -> NDIS.sys @ 0xf72f8a21
SendHandler -> NDIS.sys @ 0xf72ed949
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\Smith\LOCALS~1\Temp\mc21.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\swpg.dat

- - - - - - - > 'lsass.exe'(616)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\swpg.dat

- - - - - - - > 'explorer.exe'(868)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\Tools\swpg.dat
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(532)
c:\program files\Spyware Doctor\Tools\swpg.dat
.
Completion time: 2010-10-20 11:09:03
ComboFix-quarantined-files.txt 2010-10-20 15:09
ComboFix2.txt 2010-10-19 18:54
ComboFix3.txt 2010-10-19 11:25

Pre-Run: 5,092,311,040 bytes free
Post-Run: 5,146,345,472 bytes free

- - End Of File - - E8325C6991DF88A9261484B38CF1B590

Re: Thinkpoint virus
That did not work right.

Make sure ComboFix and CFScript.txt are on your Desktop, then do this...

Go to Start > Run, and type this in and hit OK:

ComboFix "C:\Documents and Settings\Smith\Desktop\CFscript.txt"

Re: Thinkpoint virus
ComboFix 10-10-18.03 - Smith 10/20/2010 22:47:23.4.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.735 [GMT -4:00]
Running from: c:\documents and settings\Smith\My Documents\My Pictures\Combo-Fix.exe
Command switches used :: c:\documents and settings\Smith\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
The following files were disabled during the run:
c:\program files\Spyware Doctor\Tools\swpg.dat


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Smith\Application Data\Bitrix Security
c:\documents and settings\Smith\Application Data\Bitrix Security\kezpay
c:\documents and settings\Smith\Application Data\Bitrix Security\qnf.txt
c:\documents and settings\Smith\Application Data\Bitrix Security\tuduewai.dll
c:\documents and settings\Smith\Application Data\Bitrix Security\tuduewai_shrd

.
((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
.

2010-10-19 01:26 . 2010-10-19 01:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-10-19 00:53 . 2010-10-19 00:53 -------- d-----w- C:\FOUND.009
2010-10-19 00:17 . 2010-10-19 00:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 14:33 . 2010-10-17 14:33 -------- d-----w- C:\FOUND.008
2010-10-17 12:54 . 2010-10-18 18:53 0 ----a-w- c:\windows\Xcidahigafe.bin
2010-10-17 12:52 . 2010-10-17 12:52 194 ----a-w- c:\documents and settings\Smith\Application Data\26662.bat
2010-10-17 12:52 . 2010-10-17 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-14 17:57 . 2010-10-14 17:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-14 04:49 . 2010-10-14 04:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-14 04:27 . 2010-10-14 04:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-14 01:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 01:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 01:22 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"lxdmmon.exe"="c:\program files\Lexmark 5000 Series\lxdmmon.exe" [2007-07-06 455344]
"lxdmamon"="c:\program files\Lexmark 5000 Series\lxdmamon.exe" [2007-06-01 20480]
"Lexmark 5000 Series Fax Server"="c:\program files\Lexmark 5000 Series\fm3032.exe" [2007-07-06 307888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-03-03 2033432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-6-30 131584]
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-6 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-03 12:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmamon.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMMON.EXE"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\LXDMFax.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\lxdmjswx.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDMwbgw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/25/2008 8:19 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/3/2010 8:09 AM 285392]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [9/17/2003 3:57 PM 8440]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/25/2008 8:19 AM 333192]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/3/2010 8:09 AM 906520]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2003 2:55 AM 11237]
S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [10/7/2008 12:50 PM 70144]

--- Other Services/Drivers In Memory ---

*Deregistered* - hqgnf
.
Contents of the 'Scheduled Tasks' folder

2010-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pacersdigest.com/forumdisplay.php?f=3
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride =
IE: Add to AD Black List - c:\program files\Avant Browser\AddToADBlackList.htm
IE: Block All Images from the Same Server - c:\program files\Avant Browser\AddAllToADBlackList.htm
IE: Highlight - c:\program files\Avant Browser\Highlight.htm
IE: Open All Links in This Page... - c:\program files\Avant Browser\OpenAllLinks.htm
IE: Open In New Avant Browser - c:\program files\Avant Browser\OpenInNewBrowser.htm
IE: Search - c:\program files\Avant Browser\Search.htm
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} - hxxp://www.schaeffersresearch.com/Download/Cfx4Financial.cab
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{BCA4BCBE-EB6E-406B-B990-3BEBF3024B3B} - c:\documents and settings\Smith\Application Data\Bitrix Security\tuduewai.dll



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8677444C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf751ef28
\Driver\ACPI -> ACPI.sys @ 0xf7491cb8
\Driver\atapi -> atapi.sys @ 0xf7376852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf72edb0a
PacketIndicateHandler -> NDIS.sys @ 0xf72f8a21
SendHandler -> NDIS.sys @ 0xf72ed949
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hqgnf]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(620)
c:\windows\system32\WININET.dll
.
Completion time: 2010-10-20 23:11:03
ComboFix-quarantined-files.txt 2010-10-21 03:11
ComboFix2.txt 2010-10-20 15:09
ComboFix3.txt 2010-10-19 18:54
ComboFix4.txt 2010-10-19 11:25

Pre-Run: 5,089,214,464 bytes free
Post-Run: 5,135,024,128 bytes free

- - End Of File - - 8BC06235976AAEB226DCC8392BD6CF8D

Re: Thinkpoint virus
Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    killall::
    File::
    c:\windows\Xcidahigafe.bin
    c:\documents and settings\Smith\Application Data\26662.bat

    Folder::
    c:\documents and settings\All Users\Application Data\Update

    DirLook::
    C:\FOUND.008
    C:\FOUND.009
    C:\

    MBR::

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [picture: dragging CFScript.txt onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
