GeekPolice
Safe mode not working thanks to Thinkpoint
All the instructions I have read tell me to use safe mode to fight the Thinkpoint virus. However, the virus has disabled all safe mode options, any safe mode option I pick loops me back to the safe mode list of options. I AM STUCK. Any advice here?

Safe mode, ThinkPoint cont'd
Let me make it clear...when I boot, the machine goes to the safe mode list of options and loops back there no matter which option I choose...I do not have access to a command line, internet, Task Manager, etc.

Re: Safe mode not working thanks to Thinkpoint
Hello.

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

Re: Safe mode not working thanks to Thinkpoint
I know you like to post a boilerplate answer to all ThinkPoint inquiries. BUT, as my posts made clear things like downloading an exe to my desktop doesn't work when I am stuck on the safe mode options screen!!!!! Please read my posts again.

Re: Safe mode not working thanks to Thinkpoint
If you are using Safe Mode, you'll need to use Safe Mode With Networking for internet access.

Please try this while in Safe Mode too.

We need to use the RKill Tool by Grinler

Rkill.com <--- Download site

  • Please Download Rkill.com. Save it to your Desktop.
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.

  • NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.

  • Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Rogue programs.
  • Please be patient while the program looks for various malware programs and ends them.
  • When it has finished, the black window will automatically close and you can continue with the next step.
NOTE: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the rogue program when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue program. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the steps.

If you continue having problems running rkill.com, you can download:
iExplore.exe or eXplorer.exe
which are renamed copies of rkill.com, and try them instead.

Try downloading OTL now.

Re: Safe mode not working thanks to Thinkpoint
I used OTLPE Standard REATOGO to scan and here is an excerpt from the OTL.Txt (the full file is too big for this append). I would appreciate any help.

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.80 Gb Total Space | 46.43 Gb Free Space | 64.66% Space Free | Partition Type: NTFS
Drive X: | 282.52 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/01/04 22:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | System] -- C:\WINDOWS\System32\drivers\ustedpqz.sys -- (ustedpqz)
DRV - File not found [Kernel | System] -- C:\WINDOWS\System32\drivers\peulbcyg.sys -- (peulbcyg)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- C:\WINDOWS\System32\drivers\ovyenrnk.sys -- (ovyenrnk)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | System] -- C:\WINDOWS\System32\drivers\cgkqhjcp.sys -- (cgkqhjcp)
DRV - [2010/11/04 18:32:00 | 000,052,224 | ---- | M] () [Kernel | System] -- C:\WINDOWS\PRAGMAtvpqsbpxpb\PRAGMAd.sys -- (PRAGMAtvpqsbpxpb)
DRV - [2009/06/18 00:59:58 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel(R)
DRV - [2009/03/04 06:27:32 | 000,031,744 | ---- | M] () [Kernel | On_Demand] -- C:\Documents and Settings\Marcus\Local Settings\Temp\bDMusicb.sys -- (bDMusicb)
DRV - [2008/08/21 07:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/01/13 13:33:18 | 005,672,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2006/01/24 17:28:02 | 000,176,128 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2005/10/27 17:36:52 | 000,393,088 | ---- | M] (Sensaura) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2005/10/10 00:35:30 | 000,017,792 | ---- | M] (Winbond Electronics Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tpm.sys -- (TPM)
DRV - [2004/10/09 04:51:08 | 000,503,507 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\V0080Dev.sys -- (V0080Dev)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\antithinkpoint_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\Mandela_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\Mandela_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\Mandela_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\Mandela_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Mandela_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\Marcus_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\Marcus_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Marcus_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\Other_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\Other_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKU\Other_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\Other_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\software\mozilla\Firefox\Extensions\\{8FA3D377-EADF-4147-995F-3C5752AAA3DE}: C:\Documents and Settings\Marcus\Local Settings\Application Data\{8FA3D377-EADF-4147-995F-3C5752AAA3DE} [2010/10/22 18:41:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{341C3846-05CC-4624-9A56-31F98E1DF826}: C:\Documents and Settings\Other\Local Settings\Application Data\{341C3846-05CC-4624-9A56-31F98E1DF826} [2010/10/23 10:40:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{5271F506-02F6-488C-9C9C-EE7A11FBD895}: C:\Documents and Settings\Mandela\Local Settings\Application Data\{5271F506-02F6-488C-9C9C-EE7A11FBD895} [2010/10/20 20:11:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{C50F3662-0462-40FD-9E17-8D495BB951C3}: C:\Documents and Settings\antithinkpoint\Local Settings\Application Data\{C50F3662-0462-40FD-9E17-8D495BB951C3} [2010/10/24 11:54:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A64541B8-1C2D-48DE-9F65-5DF87872EC56}: C:\Documents and Settings\NetworkService\Local Settings\Application Data\{A64541B8-1C2D-48DE-9F65-5DF87872EC56}\ [2010/11/04 19:06:52 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2008/08/21 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\Mandela_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\Marcus_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\Other_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE ()
O4 - HKLM..\Run: [Fpakepa] C:\WINDOWS\efasazasazasa.DLL (Ask.com)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe ()
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask .exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe ()
O4 - HKU\.DEFAULT..\Run: [dfrgsnapnt.exe] C:\WINDOWS\Temp\dfrgsnapnt.exe ()
O4 - HKU\.DEFAULT..\Run: [Iqepo] C:\WINDOWS\rfat50.DLL (ArcSoft Inc.)
O4 - HKU\Mandela_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe ()
O4 - HKU\Marcus_ON_C..\Run: [cleansweep.exe] C:\cleansweep.exe\cleansweep.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXl/yA\Marcus\LOCALS~1\Temp\757160358.exe] C:\DOCUME~1\Marcus\LOCALS~1\Temp\757160358.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlkc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\cmd.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlmc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\mdm.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlne] C:\DOCUME~1\Marcus\LOCALS~1\Temp\lsass.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlo_] C:\DOCUME~1\Marcus\LOCALS~1\Temp\tih74.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlora] C:\DOCUME~1\Marcus\LOCALS~1\Temp\iexplarer.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlotc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\hexdump.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlpe] C:\DOCUME~1\Marcus\LOCALS~1\Temp\csrss.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlppf] C:\DOCUME~1\Marcus\LOCALS~1\Temp\services.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlprc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\install.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlq+] C:\DOCUME~1\Marcus\LOCALS~1\Temp\win32.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlqb] C:\DOCUME~1\Marcus\LOCALS~1\Temp\winamp.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlqc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\win.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlqf] C:\DOCUME~1\Marcus\LOCALS~1\Temp\user.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlqse] C:\DOCUME~1\Marcus\LOCALS~1\Temp\winlogon.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlqvc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\svchost.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlqW] C:\DOCUME~1\Marcus\LOCALS~1\Temp\drweb.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlrf] C:\DOCUME~1\Marcus\LOCALS~1\Temp\smss.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlsPc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\nvsvc32.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlud] C:\DOCUME~1\Marcus\LOCALS~1\Temp\system.exe File not found
O4 - HKU\Marcus_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe ()
O4 - HKU\Other_ON_C..\Run: [SODCPreLoad] C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20081031-1700\preload.exe ()
O4 - HKU\Other_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe ()
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
O4 - HKU\Mandela_ON_C..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\antithinkpoint_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Mandela_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Marcus_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Marcus_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\Marcus_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Other_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Other_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab ()
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Documents and Settings\NetworkService\Application Data\hotfix.exe) - C:\Documents and Settings\NetworkService\Application Data\hotfix.exe ()
O20 - HKU\Mandela_ON_C Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\Marcus_ON_C Winlogon: Shell - (C:\Documents and Settings\Marcus\Application Data\hotfix.exe) - C:\Documents and Settings\Marcus\Application Data\hotfix.exe File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O22 - SharedTaskScheduler: {B6BA40C1-A501-59BD-F413-03B03A2C8952} - dfskea98e4iagjiufhg87df87u - Reg Error: Key error. File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\DESKTOPGB.gif
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/09 10:56:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/09 09:18:35 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\LocalService\IECompatCache
[2010/11/09 08:25:40 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Mandela\IECompatCache
[2010/11/04 19:07:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Creative
[2010/11/04 19:06:59 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\NetworkService\SendTo
[2010/11/04 19:06:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\{A64541B8-1C2D-48DE-9F65-5DF87872EC56}
[2010/11/04 19:06:40 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\My Documents\My Pictures
[2010/11/04 19:06:40 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\My Documents\My Music
[2010/11/04 19:06:40 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\My Documents
[2010/11/04 19:06:39 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\NetworkService\Recent
[2010/11/04 19:06:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Start Menu
[2010/11/04 19:06:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Desktop
[2010/11/04 18:32:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\PRAGMAtvpqsbpxpb
[2010/11/04 18:30:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/11/01 19:36:25 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\IECompatCache
[2010/11/01 19:36:22 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\PrivacIE
[3 C:\Documents and Settings\Mandela\My Documents\*.tmp files -> C:\Documents and Settings\Mandela\My Documents\*.tmp -> ]
[16 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

Re: Safe mode not working thanks to Thinkpoint
Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O4 - HKLM..\Run: [Fpakepa] C:\WINDOWS\efasazasazasa.DLL (Ask.com)
    O4 - HKU\.DEFAULT..\Run: [dfrgsnapnt.exe] C:\WINDOWS\Temp\dfrgsnapnt.exe ()
    O4 - HKU\.DEFAULT..\Run: [Iqepo] C:\WINDOWS\rfat50.DLL (ArcSoft Inc.)
    O4 - HKU\Marcus_ON_C..\Run: [cleansweep.exe] C:\cleansweep.exe\cleansweep.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXl/yA\Marcus\LOCALS~1\Temp\757160358.exe] C:\DOCUME~1\Marcus\LOCALS~1\Temp\757160358.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlkc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\cmd.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlmc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\mdm.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlne] C:\DOCUME~1\Marcus\LOCALS~1\Temp\lsass.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlo_] C:\DOCUME~1\Marcus\LOCALS~1\Temp\tih74.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlora] C:\DOCUME~1\Marcus\LOCALS~1\Temp\iexplarer.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlotc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\hexdump.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlpe] C:\DOCUME~1\Marcus\LOCALS~1\Temp\csrss.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlppf] C:\DOCUME~1\Marcus\LOCALS~1\Temp\services.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlprc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\install.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlq+] C:\DOCUME~1\Marcus\LOCALS~1\Temp\win32.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlqb] C:\DOCUME~1\Marcus\LOCALS~1\Temp\winamp.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlqc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\win.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlqf] C:\DOCUME~1\Marcus\LOCALS~1\Temp\user.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlqse] C:\DOCUME~1\Marcus\LOCALS~1\Temp\winlogon.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlqvc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\svchost.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlqW] C:\DOCUME~1\Marcus\LOCALS~1\Temp\drweb.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlrf] C:\DOCUME~1\Marcus\LOCALS~1\Temp\smss.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlsPc] C:\DOCUME~1\Marcus\LOCALS~1\Temp\nvsvc32.exe File not found
    O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlud] C:\DOCUME~1\Marcus\LOCALS~1\Temp\system.exe File not found
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKU\Marcus_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
    O7 - HKU\Marcus_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
    O7 - HKU\Other_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
    O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Documents and Settings\NetworkService\Application Data\hotfix.exe) - C:\Documents and Settings\NetworkService\Application Data\hotfix.exe ()
    O20 - HKU\Marcus_ON_C Winlogon: Shell - (C:\Documents and Settings\Marcus\Application Data\hotfix.exe) - C:\Documents and Settings\Marcus\Application Data\hotfix.exe File not found
    O22 - SharedTaskScheduler: {B6BA40C1-A501-59BD-F413-03B03A2C8952} - dfskea98e4iagjiufhg87df87u - Reg Error: Key error. File not found
    [2010/11/04 18:32:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\PRAGMAtvpqsbpxpb

    :commands
    [emptytemp]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
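As an added illustration of what the fix script above targets (this is not code from the thread, from OTL, or from OldTimer), here is a small Python audit that reads OTL-style O4/O6/O7/O20/O22 lines and flags the indicators visible in the log posted earlier: autostarts that run from a Temp folder, are orphaned, or borrow a system process name; a Winlogon Shell that is not explorer.exe; policies that disable Task Manager, the registry editor or Folder Options; and a SharedTaskScheduler entry whose key or file is gone. The sample lines are drawn from that log with two benign entries as controls; the heuristics are my own assumptions about what merits review, not OTL's logic.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Sample lines drawn from the OTL excerpt posted earlier in this thread
# (the ISUSPM and swg entries are benign controls).
SAMPLE_LOG = [
    r"O4 - HKLM..\Run: [Fpakepa] C:\WINDOWS\efasazasazasa.DLL (Ask.com)",
    r"O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)",
    r"O4 - HKU\.DEFAULT..\Run: [dfrgsnapnt.exe] C:\WINDOWS\Temp\dfrgsnapnt.exe ()",
    r"O4 - HKU\Marcus_ON_C..\Run: [HNUgkHXlne] C:\DOCUME~1\Marcus\LOCALS~1\Temp\lsass.exe File not found",
    r"O4 - HKU\Marcus_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe ()",
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1",
    r"O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145",
    r"O7 - HKU\Marcus_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1",
    r"O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)",
    r"O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Documents and Settings\NetworkService\Application Data\hotfix.exe) - C:\Documents and Settings\NetworkService\Application Data\hotfix.exe ()",
    r"O22 - SharedTaskScheduler: {B6BA40C1-A501-59BD-F413-03B03A2C8952} - dfskea98e4iagjiufhg87df87u - Reg Error: Key error. File not found",
]

# Line shapes as OTL prints them (assumed from the log format seen in the thread).
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
COMPANY_RE = re.compile(r"^(?P<path>.*?) \((?P<company>[^)]*)\)$")
POLICY_RE = re.compile(r"^O[67] - (?P<key>\S+): (?P<value>\w+) = (?P<data>\d+)$")
SHELL_RE = re.compile(r"^O20 - (?P<hive>.+?) Winlogon: Shell - \((?P<shell>[^)]*)\) - (?P<rest>.+)$")
STS_RE = re.compile(r"^O22 - SharedTaskScheduler: (?P<clsid>\{[^}]+\}) - (?P<name>\S+) - (?P<rest>.+)$")

MISSING = " File not found"
SYSTEM32 = "c:\\windows\\system32\\"
# Names that belong to core Windows processes; seeing them in a Temp folder is a red flag.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "lsass.exe", "smss.exe", "services.exe",
                        "svchost.exe", "winlogon.exe", "explorer.exe"}
# Policy values rogue software sets to keep the user away from diagnostic tools.
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}


@dataclass
class Finding:
    code: str                                  # OTL section code, e.g. "O4"
    line: str                                  # the raw log line
    reasons: List[str] = field(default_factory=list)


def check_run(line: str) -> List[str]:
    """Heuristics for O4 autostart entries."""
    m = RUN_RE.match(line)
    if not m:
        return []
    rest = m["rest"]
    missing = rest.endswith(MISSING)
    if missing:
        path = rest[: -len(MISSING)]
    else:
        cm = COMPANY_RE.match(rest)
        path = cm["path"] if cm else rest
    lower = path.lower()
    base = lower.rsplit("\\", 1)[-1]
    reasons = []
    if missing:
        reasons.append("autostart points to a file that no longer exists (orphaned persistence)")
    if "\\temp\\" in lower:
        reasons.append("autostart runs from a Temp directory")
    if base in SYSTEM_PROCESS_NAMES and not lower.startswith(SYSTEM32):
        reasons.append(f"system process name {base} located outside System32")
    if base.endswith(".dll"):
        reasons.append("Run entry resolves to a DLL rather than an executable")
    return reasons


def check_policy(line: str) -> List[str]:
    """O6/O7 policy values that lock the user out of Task Manager, regedit or Folder Options."""
    m = POLICY_RE.match(line)
    if m and m["value"] in LOCKDOWN_POLICIES and m["data"] == "1":
        return [f"policy {m['value']}=1 blocks the user's own diagnostic tools"]
    return []


def check_shell(line: str) -> List[str]:
    """O20 Winlogon Shell should be explorer.exe; anything else replaces the desktop."""
    m = SHELL_RE.match(line)
    if m and m["shell"].lower() != "explorer.exe":
        return [f"Winlogon Shell replaced with {m['shell']}"]
    return []


def check_shared_task(line: str) -> List[str]:
    """O22 SharedTaskScheduler entries whose CLSID key or file is missing."""
    m = STS_RE.match(line)
    if m and ("Reg Error" in m["rest"] or "File not found" in m["rest"]):
        return ["SharedTaskScheduler entry with missing key or file (likely remnant)"]
    return []


def audit_otl(lines: Iterable[str]) -> List[Finding]:
    """Run every check over each line; return one Finding per flagged line."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        code = line.split(" ", 1)[0]
        reasons = check_run(line) + check_policy(line) + check_shell(line) + check_shared_task(line)
        if reasons:
            findings.append(Finding(code, line, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_otl(SAMPLE_LOG):
        print(f"[{f.code}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

Every line this flags on the sample corresponds to an entry the fix script above removes; the two control entries and the NoDriveTypeAutoRun policy pass untouched.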

Fix log is where?
Thanks. I ran the fix in OTLPE. However, NotePad with the fix log did not appear. Where could I find it?

Re: Safe mode not working thanks to Thinkpoint
Is it on your Desktop, or in the C:\ drive?

Re: Safe mode not working thanks to Thinkpoint
I get to OTLPE via a desktop on CD.

Re: Safe mode not working thanks to Thinkpoint
Ah well, either way.
Can you boot your system normally now?

Re: Safe mode not working thanks to Thinkpoint
No, I cannot boot normally. Nothing has changed. I was encouraged when I could get to a desktop via REATOGO-X-PE on CD. However, the log file you were looking for did not popup after running the fix and I do not know the name of the file or where to find it. Suggestions?

Re: Safe mode not working thanks to Thinkpoint
Aha! When I run the fix a msg pops up that says to reboot to complete the fix. If I do NOT reboot, the log pops up. Here are the contents:

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Fpakepa not found.
File C:\WINDOWS\efasazasazasa.DLL not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\dfrgsnapnt.exe not found.
File C:\WINDOWS\Temp\dfrgsnapnt.exe not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Iqepo not found.
File C:\WINDOWS\rfat50.DLL not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\Marcus_ON_C\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Registry key HKEY_USERS\Marcus_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer not found.
Registry key HKEY_USERS\Marcus_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System not found.
Registry key HKEY_USERS\Other_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Documents and Settings\NetworkService\Application Data\hotfix.exe deleted successfully.
File C:\Documents and Settings\NetworkService\Application Data\hotfix.exe not found.
Registry value HKEY_USERS\Marcus_ON_C\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Documents and Settings\Marcus\Application Data\hotfix.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{B6BA40C1-A501-59BD-F413-03B03A2C8952} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B6BA40C1-A501-59BD-F413-03B03A2C8952}\ not found.
Folder C:\WINDOWS\PRAGMAtvpqsbpxpb\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
-> No Temporary Internet Files cache folder defined!

User: All Users
-> No Temporary Internet Files cache folder defined!

User: antithinkpoint
-> No Temporary Internet Files cache folder defined!

User: Default User
-> No Temporary Internet Files cache folder defined!

User: LocalService
-> No Temporary Internet Files cache folder defined!

User: Mandela
-> No Temporary Internet Files cache folder defined!

User: Marcus
-> No Temporary Internet Files cache folder defined!

User: NetworkService
-> No Temporary Internet Files cache folder defined!

User: Other
-> No Temporary Internet Files cache folder defined!

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

Total Files Cleaned = 0.00 mb


OTLPE by OldTimer - Version 3.1.43.0 log created on 12022010_102406
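
The fix log above shows what actually kept the desktop from loading: the per-user Winlogon "Shell" value had been pointed at ...\Application Data\hotfix.exe, so Windows ran the rogue program instead of explorer.exe. The following PowerShell check is an added example, not from this thread or from OTL, that lists every Shell value in HKLM and in each loaded user hive and flags anything other than plain explorer.exe; it assumes an elevated prompt on a live system.

```powershell
# Added example: hunt for a hijacked Winlogon Shell value like the one OTL removed above.
# Assumes an elevated PowerShell session; HKEY_USERS only exposes hives that are currently loaded.
function Get-WinlogonShellEntries {
    $winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # HKLM plus every loaded user hive (.DEFAULT, S-1-5-18, S-1-5-21-... and so on).
    $hives = @('Registry::HKEY_LOCAL_MACHINE')
    $hives += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
              ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }

    foreach ($hive in $hives) {
        $key   = "$hive\$winlogon"
        $value = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue
        if ($null -eq $value) { continue }   # no Shell value here, which is normal for user hives

        # A clean machine carries "explorer.exe" in HKLM and normally no per-user Shell value at all.
        # Anything else (a full path into a profile, an extra comma-separated entry) is worth a look.
        $shell = ([string]$value.Shell).Trim()
        [pscustomobject]@{
            Hive       = $hive
            Shell      = $shell
            Suspicious = ($shell.ToLower() -ne 'explorer.exe')
        }
    }
}

# Show only the entries that deviate from the expected shell.
Get-WinlogonShellEntries | Where-Object Suspicious | Format-List
```

On the machine in this thread the per-user entries for Marcus and .DEFAULT would have been reported with Shell set to the hotfix.exe path; an empty result means every loaded hive is clean.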

Re: Safe mode not working thanks to Thinkpoint

Not able to help me?

Re: Safe mode not working thanks to Thinkpoint

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Cf410]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

    [screenshot: Cf510]

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Re: Safe mode not working thanks to Thinkpoint

As the Thinkpoint virus left me without access to the internet I have to download to a memory stick on a healthy computer and try to run Combo-Fix.exe from the stick. Both downloads result in a "corrupt file" message when I try to run them off the stick on the infected machine.

Re: Safe mode not working thanks to Thinkpoint

Hello.

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS).

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups
