Hi Turtledove,
I ran those programs (ERUNT and Combofix), and it appears to have fixed the start-up problem (i.e., I no longer have to use Task Manager to start up explorer). As far as I can tell, the system is running normally. The only problem is that (oddly) my speakers do not appear to be playing sound... very odd.
Do you think it worked? Do we know what the problem was, and can I be sure that it is now solved?
Thanks!!
Odilon
I copy the Combofix log below:
ComboFix 10-06-22.03 - Odilon 06/23/2010 20:24:28.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3032.2130 [GMT 8:00]
Running from: c:\users\Odilon\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.
2010-06-23 12:32 . 2010-06-23 12:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-23 12:22 . 2010-06-23 12:22 -------- d-----w- C:\32788R22FWJFW
2010-06-23 12:16 . 2010-06-23 12:17 -------- d-----w- c:\program files\ERUNT
2010-06-18 12:38 . 2010-06-18 12:38 -------- d-----w- c:\users\Odilon\AppData\Roaming\Malwarebytes
2010-06-18 12:38 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-18 12:38 . 2010-06-18 12:38 -------- d-----w- c:\programdata\Malwarebytes
2010-06-18 12:38 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-18 12:38 . 2010-06-18 12:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 03:18 . 2010-06-22 02:49 -------- d-----w- c:\program files\Trend Micro
2010-06-16 01:31 . 2010-06-16 01:31 -------- d-----w- c:\program files\Smith Micro
2010-06-13 16:21 . 2010-06-13 16:21 -------- d--h--w- c:\programdata\CanonBJ
2010-06-13 16:20 . 2009-07-14 01:15 71168 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNBPP4.DLL
2010-06-11 08:46 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-11 08:46 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-11 08:45 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-11 08:45 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-11 08:45 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-28 01:06 . 2010-05-28 01:06 -------- d-----w- c:\programdata\PC-Doctor for Windows
2010-05-28 01:04 . 2010-06-18 09:03 -------- d-----w- c:\users\Odilon\AppData\Roaming\Update
2010-05-25 23:39 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 12:15 . 2009-12-11 15:24 -------- d-----w- c:\users\Odilon\AppData\Roaming\Skype
2010-06-23 11:35 . 2009-12-11 15:31 -------- d-----w- c:\users\Odilon\AppData\Roaming\skypePM
2010-06-20 07:38 . 2010-06-20 07:38 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-06-11 16:24 . 2009-12-19 14:03 -------- d-----w- c:\programdata\Microsoft Help
2010-05-28 01:06 . 2009-12-11 08:35 -------- d-----w- c:\programdata\PCDr
2010-05-28 01:06 . 2009-12-11 08:34 -------- d-----w- c:\program files\PC-Doctor
2010-05-21 06:14 . 2009-12-11 07:17 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 15:30 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-07 19:46 . 2010-05-07 19:46 655872 ----a-w- c:\programdata\PC-Doctor for Windows\startmenu\msvcr90.dll
2010-05-07 19:46 . 2010-05-07 19:46 572928 ----a-w- c:\programdata\PC-Doctor for Windows\startmenu\msvcp90.dll
2010-05-07 19:46 . 2010-05-07 19:46 27136 ----a-w- c:\programdata\PC-Doctor for Windows\startmenu\startmenu-localizer.exe
2010-05-07 19:46 . 2010-05-07 19:46 24064 ----a-w- c:\programdata\PC-Doctor for Windows\startmenu\CommandLine.dll
2010-05-07 19:46 . 2010-05-07 19:46 225280 ----a-w- c:\programdata\PC-Doctor for Windows\startmenu\msvcm90.dll
2010-05-07 19:46 . 2010-05-07 19:46 1768960 ----a-w- c:\programdata\PC-Doctor for Windows\startmenu\Common.dll
2010-04-25 11:56 . 2010-01-13 08:19 -------- d-----w- c:\program files\Chinatelecom C+W
2010-04-25 11:55 . 2009-12-17 03:42 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-12 09:29 . 2010-04-23 00:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"Google Update"="c:\users\Odilon\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-12-11 135664]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"FingerPrintSoftwareSplashScreen"="c:\program files\Lenovo Fingerprint Software\SplashScreen.exe \s" [X]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2009-06-26 92960]
"TpShocks"="TpShocks.exe" [2009-07-08 337184]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-08-04 358424]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-08 714016]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-13 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-13 167424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-13 144384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-20 1093208]
"TelRun"="c:\program files\CTC_Setup\CMUpdater\TelRun.exe" [2009-09-29 110416]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
RCIMGDIR.exe.lnk - c:\program files\RotateImage\RCIMGDIR.exe [2009-12-11 31744]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2009-10-20 106496]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-04-20 9728]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-05-07 21360]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-09-08 75040]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-06 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-04-16 11520]
R3 zgdccat;ZTE CDMA AT Interface;c:\windows\system32\DRIVERS\zgdccat.sys [2009-09-02 106112]
R3 zgdccdiag;ZTE CDMA Diagnostics Interface;c:\windows\system32\DRIVERS\zgdccdiag.sys [2009-09-02 106112]
R3 zgdccmdm;ZTE CDMA Proprietary USB Modem;c:\windows\system32\DRIVERS\zgdccmdm.sys [2009-09-02 106112]
R3 zgdccvousb;ZTE CDMA Sound Interface;c:\windows\system32\DRIVERS\zgdccvousb.sys [2009-09-02 106112]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2009-10-20 1701112]
S2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2009-10-20 98304]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-08-04 2058776]
S3 5U875UVC;Integrated Camera;c:\windows\system32\DRIVERS\5U875.sys [2009-07-08 72320]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-10-20 485376]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-08-22 225408]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2009-06-26 23080]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
Contents of the 'Scheduled Tasks' folder
2010-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1368385870-323229818-1778835536-1000Core.job
- c:\users\Odilon\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-11 15:12]
2010-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1368385870-323229818-1778835536-1000UA.job
- c:\users\Odilon\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-11 15:12]
2010-06-04 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-05-07 19:46]
2010-06-22 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-05-08 00:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hsbc.com.hk/1/2/home
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {A4391E21-5430-414E-B191-7A4CAA865E14} = 149.254.230.7 149.254.201.126
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Aide - c:\program files\Chinatelecom C+W\Aide.exe
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\PCDSRVC{3037D694-FD904ACA-06020000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(1912)
c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
.
Completion time: 2010-06-23 20:37:41
ComboFix-quarantined-files.txt 2010-06-23 12:37
Pre-Run: 19,640,823,808 bytes free
Post-Run: 19,366,457,344 bytes free
- - End Of File - - 740D920CFD6C9CB639C170DCBA20EEF0
turtledove wrote:
Hello odilon,
Let's get a better look.
**Please copy to notepad or print these out as you will be off the internet for this scan**
Back Up registry with ERUNT - Please use the following link and download ERUNT to your desktop. HERE
- Click on the erunt-setup.exe
- Follow the prompts to install ERUNT
- Choose language
- A set up window will pop up. It will ask: Create ERUNT entry in to the Start up folder, answer NO
- Backup your registry to the default location
Note: To restore your registry (if needed), go to the folder and start ERDNT.exe
Next: Download and Run ComboFix
- Please download ComboFix from one of the following links.
Link 1.
Link 2.
**IMPORTANT !!! Save ComboFix.exe to your Desktop**
- Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
- Double click on ComboFix.exe & follow the prompts
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.**
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
- Click on Yes, to continue scanning for malware.
- When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.
Post:
- Any problems?
- How your system is running
- C:\Combofix.txt
Thank you
turtledove
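The "Reg Loading Points" section of the ComboFix log above is short enough to read by eye, but the same triage can be scripted so that the items a helper looks for first stand out. The Python below is an added example and is not part of this thread, of ComboFix, or of the helper's instructions; it parses a constructed sample in the log's format (lines copied from the log above), separates autorun entries from policy values, and flags entries ComboFix marks [X] (the referenced file is missing) as well as policy values on an assumed watch-list (DisallowCpl=1, DisableCAD=1, EnableLUA=0, DisableTaskMgr=1, DisableRegistryTools=1) that restrict or weaken user-facing security controls and therefore deserve a second look. The regular expressions and the watch-list are my assumptions about the log format and about what is worth reviewing, not a ComboFix specification.

```python
import re

# Constructed sample in the ComboFix "Reg Loading Points" format; the lines are
# copied from the log posted in this thread.
SAMPLE = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-20 1093208]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"DisableCAD"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
"""

# Assumed line shapes (my reading of the log above, not a ComboFix specification).
KEY_RE = re.compile(r'^\[(.+)\]$')                                   # [HKEY_...\Run]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[(.+)\]$')             # "Name"="path" [date size] or [X]
POLICY_RE = re.compile(r'^"([^"]+)"=\s*(-?\d+)\s+\(0x[0-9A-Fa-f]+\)$')  # "Name"= 1 (0x1)

# Assumed watch-list: policy name -> value that restricts or weakens security UI.
POLICY_WATCH = {
    "DisallowCpl": 1,           # Control Panel hidden from the user
    "DisableCAD": 1,            # Ctrl+Alt+Del not required at logon
    "EnableLUA": 0,             # UAC switched off
    "DisableTaskMgr": 1,        # Task Manager blocked
    "DisableRegistryTools": 1,  # regedit blocked
}


def parse_loading_points(text):
    """Return a list of dicts describing Run entries and policy values."""
    current_key = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None:
            continue
        m = RUN_RE.match(line)
        if m and current_key.lower().endswith("\\run"):
            name, path, stamp = m.groups()
            entries.append({"kind": "run", "key": current_key, "name": name,
                            "path": path, "present": stamp != "X"})
            continue
        m = POLICY_RE.match(line)
        if m and "\\policies\\" in current_key.lower():
            entries.append({"kind": "policy", "key": current_key,
                            "name": m.group(1), "value": int(m.group(2))})
    return entries


def review(entries):
    """Flag orphaned Run entries and watch-listed policy values."""
    findings = []
    for e in entries:
        if e["kind"] == "run" and not e["present"]:
            findings.append(f'orphaned Run entry: {e["name"]} -> {e["path"]} (file not found, [X])')
        elif e["kind"] == "policy" and POLICY_WATCH.get(e["name"]) == e["value"]:
            findings.append(f'restrictive policy: {e["name"]}={e["value"]} under {e["key"]}')
    return findings


if __name__ == "__main__":
    for finding in review(parse_loading_points(SAMPLE)):
        print(finding)
```

On the sample this reports the orphaned FingerPrintSoftware entry (a leftover pointer, not malware by itself) plus DisableCAD=1 and DisallowCpl=1; a finding is a prompt to ask why the value is set, not a verdict. To run it over a real log, paste the section between REGEDIT4 and the first service line in place of SAMPLE.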