Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Checking a Hijackthis log - after "msupdate.exe" incident


Post by Odilon » June 17th, 2010, 12:21 am

I'm trying to figure out if my computer is clear of a recent msupdate.exe infection.

(I'm using Windows 7)
Symptoms were: when starting up the computer this morning, a window appeared saying msupdate.exe needs to access the hard drive. I said no, the screen went blank... and nothing. This happened a couple of times, then I went in via Task Manager, found the offending file, deleted it, and then scanned with HijackThis.

Can anyone help?

Log is below:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:17 AM, on 6/17/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\explorer.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\CTC_Setup\CMUpdater\TelRun.exe
C:\Program Files\RotateImage\RCIMGDIR.exe
C:\Users\Odilon\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hsbc.com.hk/1/2/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
O4 - HKLM\..\Run: [FingerPrintSoftwareSplashScreen] "C:\Program Files\Lenovo Fingerprint Software\SplashScreen.exe" \s
O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Aide] C:\Program Files\Chinatelecom C+W\Aide.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [TelRun] C:\Program Files\CTC_Setup\CMUpdater\TelRun.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
O4 - HKCU\..\Run: [Google Update] "C:\Users\Odilon\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: RCIMGDIR.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4391E21-5430-414E-B191-7A4CAA865E14}: NameServer = 149.254.230.7 149.254.201.126
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\Windows\system32\ADMonitor.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Windows\system32\AtService.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\Windows\system32\DTS.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

--
End of file - 7383 bytes
Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am
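For readers who want to see what a helper actually does with a log like the one above, here is a small parser written for this page as an added example. It is not a MalwareRemoval.com tool and not part of HijackThis; the sample input is a handful of lines copied from the log posted in this thread, and the triage rules only repeat what the log itself reports (a service with no recorded publisher, a startup shortcut HijackThis could not resolve, the configured DNS servers) and mark those entries for verification rather than calling anything malicious.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines in the shape HijackThis v2.0.x writes,
# copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:17 AM, on 6/17/2010
Platform: Unknown Windows (WinNT 6.01.3504)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hsbc.com.hk/1/2/home
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - Global Startup: RCIMGDIR.exe.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4391E21-5430-414E-B191-7A4CAA865E14}: NameServer = 149.254.230.7 149.254.201.126
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\Windows\system32\ADMonitor.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe

--
End of file - 7383 bytes
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# Sub-field patterns for the sections this example understands.
O23_RE = re.compile(r"^Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<value>[^\]]*)\] (?P<command>.*)$")
O4_STARTUP_RE = re.compile(r"^Global Startup: (?P<link>.+?) = (?P<target>.*)$")
O17_RE = re.compile(r"^.*NameServer = (?P<servers>.+)$")


@dataclass
class Entry:
    section: str                                 # e.g. "O23"
    body: str                                    # text after "O23 - "
    fields: dict = field(default_factory=dict)   # parsed sub-fields where the shape is known


def parse_hjt(text):
    """Turn the entry lines of a HijackThis log into Entry records, in log order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                              # header, process list, footer
        section, body = m.group(1), m.group(2)
        fields = {}
        if section == "O23":
            sm = O23_RE.match(body)               # services without a "(short)" name stay unparsed
            fields = sm.groupdict() if sm else {}
        elif section == "O4":
            sm = O4_STARTUP_RE.match(body) or O4_RUN_RE.match(body)
            fields = sm.groupdict() if sm else {}
        elif section == "O17":
            sm = O17_RE.match(body)
            fields = {"servers": sm.group("servers").split()} if sm else {}
        entries.append(Entry(section, body, fields))
    return entries


def running_processes(text):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not line:
                break
            procs.append(line)
    return procs


def triage(entries):
    """Flag entries a helper would ask the poster to verify; nothing here is a verdict."""
    findings = []
    for e in entries:
        if e.section == "O23" and e.fields.get("owner") == "Unknown owner":
            findings.append(f"O23 {e.fields['short']}: no publisher recorded for "
                            f"{e.fields['path']}; check the file's signature and hash")
        elif e.section == "O4" and e.fields.get("target") == "?":
            findings.append(f"O4 startup shortcut {e.fields['link']}: HijackThis could not "
                            f"resolve its target; inspect the .lnk")
        elif e.section == "O17" and e.fields.get("servers"):
            findings.append(f"O17 DNS servers {', '.join(e.fields['servers'])}: confirm "
                            f"they belong to your ISP or network")
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(f"{len(running_processes(SAMPLE_LOG))} processes, {len(parsed)} entries")
    for finding in triage(parsed):
        print("REVIEW:", finding)
```

Run on the sample it reports three items to review: the ADMonitor service with no publisher, the RCIMGDIR.exe.lnk shortcut whose target HijackThis printed as "?", and the two NameServer addresses. The Lenovo-owned service is not flagged, which is the point of the owner check: a known publisher string is a reason to look elsewhere first, not proof of anything on its own.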

Re: Checking a Hijackthis log - after "msupdate.exe" incident

Post by MWR 3 day Mod » June 20th, 2010, 2:54 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Checking a Hijackthis log - after "msupdate.exe" incident

Post by turtledove » June 20th, 2010, 10:37 pm

Hello Odilon and welcome to the forums :)

I am turtledove, and will be assisting you with your log.
If you still need assistance, please do the following:

*Print all instructions or Copy to Notepad for reference.
*Please note, unless I'm notified ahead of time, this topic will close if there is not a response in 3 Days.
*Place a link to this thread in your Favorites/Bookmarks for easily returning here.
*Please respond until I give the all clear, as absence of symptoms does NOT always mean Clean.
*Please do not run any other tools/scans unless requested* Do not install/uninstall anything unless requested
**Please be sure you have read Malware Removal Forum Guidelines and Rules especially P2P Policy
*If you can do the above all should go well.
*If you do not understand a step, please STOP and ASK before proceeding*

**All fixes are for this computer and the current issues on it. Please Do Not use these instructions on another issue or computer.**


Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.



Since it has been some time since your above post, please post the following logs. I will go over the new logs and return as soon as possible.

Next Step: Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.



Thank you
turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Checking a Hijackthis log - after "msupdate.exe" incident

Post by Odilon » June 21st, 2010, 9:02 pm

Dear Turtledove,

Thanks for your reply. I downloaded and tried to run RSIT.exe, but it stopped in the middle and gave me the following error message:

AutoIT Error
Line 2563 (File "C:\Users\Odilon\Downloads\RSIT.exe"):
Error: Variable used without being declared

Also, yesterday I did a full scan of my machine using Windows Security Essentials, and it found the following:


Trojanclicker:Win32/Yabector.B
Category: Trojan Notifier

Description: This program connects to the Internet in the background.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
containerfile:C:\Users\Odilon\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001db4
containerfile:C:\Users\Odilon\Downloads\unlocker1.8.9.exe
file:C:\Users\Odilon\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001db4->(nsis-6-$(PLUGINSDIR)\eBay_shortcuts_1016_new.exe)
file:C:\Users\Odilon\Downloads\unlocker1.8.9.exe->(nsis-6-$(PLUGINSDIR)\eBay_shortcuts_1016_new.exe)

--------------------

Exploit:Win32/CVE-2009-3129

---------------------

I'm baffled, really not sure what to do next.

Odilon
Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am

Re: Checking a Hijackthis log - after "msupdate.exe" incident

Post by turtledove » June 21st, 2010, 9:51 pm

Hello Odilon,
Thank you for the information. Please try the following; we'll go from there.


Please delete the copy of RSIT from your C:\Users\Odilon\Downloads\RSIT.exe folder. Delete any RSIT Folders as well if any.

Please download RSIT again, but it must be saved to your desktop.

Next Step: Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.

Let me know if there is a problem again.
Please copy the above instructions for ease of use or print them out.
Please DO NOT run any other scans unless I request them.
Thank you
turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Checking a Hijackthis log - after "msupdate.exe" incident

Post by Odilon » June 21st, 2010, 10:59 pm

Dear Turtledove,

Thanks, and sorry for doing random scans. I will only follow your instructions from here on.

I downloaded and installed it again, but the same thing happened. This time I noticed a log file appear in the RSIT folder, but nothing appeared maximized.

Below is the log file:

Logfile of random's system information tool 1.07 (written by random/random)
Run by Odilon at 2010-06-22 10:48:58
Microsoft Windows 7 Home Premium
System drive C: has 4 GB (11%) free of 41 GB
Total RAM: 3032 MB (54% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:49:12 AM, on 6/22/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\explorer.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\CTC_Setup\CMUpdater\TelRun.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Odilon\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\RotateImage\RCIMGDIR.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\Desktop\RSIT.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\trend micro\Odilon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hsbc.com.hk/1/2/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
O4 - HKLM\..\Run: [FingerPrintSoftwareSplashScreen] "C:\Program Files\Lenovo Fingerprint Software\SplashScreen.exe" \s
O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Aide] C:\Program Files\Chinatelecom C+W\Aide.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [TelRun] C:\Program Files\CTC_Setup\CMUpdater\TelRun.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
O4 - HKCU\..\Run: [Google Update] "C:\Users\Odilon\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: RCIMGDIR.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4391E21-5430-414E-B191-7A4CAA865E14}: NameServer = 149.254.230.7 149.254.201.126
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\Windows\system32\ADMonitor.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Windows\system32\AtService.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\Windows\system32\DTS.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

--
End of file - 7629 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1368385870-323229818-1778835536-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1368385870-323229818-1778835536-1000UA.job
C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
C:\Windows\tasks\SystemToolsDailyTest.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-04 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-12 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"=C:\Program Files\Lenovo\TrackPoint\tp4serv.exe [2009-06-26 92960]
""= []
"TpShocks"=C:\Windows\system32\TpShocks.exe [2009-07-08 337184]
"FingerPrintSoftware"=C:\Program Files\Lenovo Fingerprint Software\fpapp.exe [2009-10-20 1582328]
"FingerPrintSoftwareSplashScreen"=C:\Program Files\Lenovo Fingerprint Software\SplashScreen.exe [2009-10-20 102400]
"picon"=C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe [2009-08-04 358424]
"PWMTRV"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor []
"TPHOTKEY"=C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [2009-03-13 68976]
"LENOVO.TPFNF6R"=C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe [2009-08-20 62752]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2009-08-13 135168]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2009-08-13 167424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2009-08-13 144384]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"Aide"=C:\Program Files\Chinatelecom C+W\Aide.exe []
"MSSE"=C:\Program Files\Microsoft Security Essentials\msseces.exe [2010-02-21 1093208]
"TelRun"=C:\Program Files\CTC_Setup\CMUpdater\TelRun.exe [2009-09-29 110416]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-04-04 36272]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-03-25 952768]
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"=C:\Program Files\CONEXANT\SAII\SAIICpl.exe [2009-07-16 307768]
"Google Update"=C:\Users\Odilon\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-11 135664]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2010-05-13 26192168]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
RCIMGDIR.exe.lnk - C:\Program Files\RotateImage\RCIMGDIR.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2009-08-13 217088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AppInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AppMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Base]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BFE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Boot Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Boot file system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\bowser]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Browser]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\CryptSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\DcomLaunch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\dfsc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Dhcp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\DnsCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Dot3Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Eaphost]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\EFS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\EventLog]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\File system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\HelpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\IKEEXT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ipnat.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\KeyIso]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\LanmanServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\LanmanWorkstation]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\LmHosts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Messenger]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MPSDrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MPSSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mrxsmb]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mrxsmb10]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mrxsmb20]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NativeWifiP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NDIS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NDIS Wrapper]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ndiscap]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Ndisuio]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetBIOS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetBIOSGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetBT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetDDEGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Netlogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetMan]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\netprofm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetworkProvider]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NlaSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Nsi]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nsiproxy.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NTDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PCI Configuration]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PlugPlay]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PNP Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PNP_TDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PolicyAgent]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Power]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Primary disk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ProfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rdbss]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rdpencdd.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rdsessmgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\RpcEptMapper]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\RpcSs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sacsvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SCardSvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SCSI Class]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sermouse.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SharedAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Streams Drivers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SWPRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\System Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TabletInputService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TBS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Tcpip]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TrustedInstaller]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\VaultSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\VDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vgasave.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vmms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\volmgr.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\volmgrx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wlansvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{36FC9E60-C465-11CF-8056-444553540000}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E965-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E967-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E969-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E972-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E973-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E974-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E975-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E977-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E980-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{50DD5230-BA8A-11D1-BF5D-0000F805F530}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableCAD"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"DisallowCpl"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{945a3b9b-1944-11df-8b53-001f1622fd18}]
shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ada9261-001c-11df-ac24-001f1622fd18}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc036b81-503d-11df-b675-001f1622fd18}]
shell\AutoRun\command - E:\Install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c62d89bd-1567-11df-b5fc-001f1622fd18}]
shell\AutoRun\command - F:\windows\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c62d89c3-1567-11df-b5fc-001f1622fd18}]
shell\AutoRun\command - F:\windows\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3f5f662-001b-11df-9ab1-001f1622fd18}]
shell\AutoRun\command - E:\AutoRun.exe


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-06-22 10:48:58 ----D---- C:\rsit
2010-06-18 20:38:36 ----D---- C:\Users\Odilon\AppData\Roaming\Malwarebytes
2010-06-18 20:38:19 ----D---- C:\ProgramData\Malwarebytes
2010-06-18 20:38:18 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-06-17 11:18:52 ----D---- C:\Program Files\Trend Micro
2010-06-17 08:33:24 ----A---- C:\Windows\ntbtlog.txt
2010-06-16 09:31:34 ----D---- C:\Program Files\Smith Micro
2010-06-14 00:21:00 ----HD---- C:\ProgramData\CanonBJ
2010-06-11 16:46:05 ----A---- C:\Windows\system32\asycfilt.dll
2010-06-11 16:46:03 ----A---- C:\Windows\system32\mshtml.dll
2010-06-11 16:46:00 ----A---- C:\Windows\system32\ieframe.dll
2010-06-11 16:45:59 ----A---- C:\Windows\system32\urlmon.dll
2010-06-11 16:45:59 ----A---- C:\Windows\system32\mstime.dll
2010-06-11 16:45:58 ----A---- C:\Windows\system32\wininet.dll
2010-06-11 16:45:58 ----A---- C:\Windows\system32\msfeedsbs.dll
2010-06-11 16:45:58 ----A---- C:\Windows\system32\iedkcs32.dll
2010-06-11 16:45:57 ----A---- C:\Windows\system32\jsproxy.dll
2010-06-11 16:45:53 ----A---- C:\Windows\system32\atmlib.dll
2010-06-11 16:45:53 ----A---- C:\Windows\system32\atmfd.dll
2010-05-28 09:06:29 ----D---- C:\ProgramData\PC-Doctor for Windows
2010-05-28 09:04:32 ----D---- C:\Users\Odilon\AppData\Roaming\Update
2010-05-26 07:39:37 ----A---- C:\Windows\system32\tzres.dll

======List of files/folders modified in the last 1 months======

2010-06-22 10:48:33 ----D---- C:\Users\Odilon\AppData\Roaming\Skype
2010-06-22 09:31:15 ----D---- C:\Windows\Temp
2010-06-22 09:01:23 ----D---- C:\Windows\system32\config
2010-06-22 08:50:34 ----D---- C:\Windows\Prefetch
2010-06-22 08:50:21 ----SHD---- C:\System Volume Information
2010-06-22 08:46:55 ----SHD---- C:\Windows\Installer
2010-06-22 08:46:54 ----D---- C:\Windows\system32\Tasks
2010-06-22 08:39:54 ----A---- C:\Windows\system32\log.txt
2010-06-22 08:07:00 ----D---- C:\Users\Odilon\AppData\Roaming\skypePM
2010-06-22 05:00:22 ----D---- C:\Windows\System32
2010-06-22 05:00:22 ----D---- C:\Windows\inf
2010-06-22 05:00:22 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-06-20 15:38:33 ----D---- C:\Windows\system32\drivers
2010-06-18 20:38:19 ----HD---- C:\ProgramData
2010-06-18 20:38:18 ----RD---- C:\Program Files
2010-06-17 08:33:24 ----D---- C:\Windows
2010-06-15 07:27:39 ----D---- C:\Windows\system32\catroot2
2010-06-12 07:46:37 ----D---- C:\Windows\Microsoft.NET
2010-06-12 07:46:33 ----RSD---- C:\Windows\assembly
2010-06-12 07:37:30 ----D---- C:\Windows\winsxs
2010-06-12 07:36:50 ----D---- C:\Program Files\Internet Explorer
2010-06-12 07:36:49 ----D---- C:\Windows\system32\migration
2010-06-12 00:24:11 ----D---- C:\ProgramData\Microsoft Help
2010-06-12 00:23:36 ----D---- C:\Windows\system32\catroot
2010-06-04 09:30:31 ----D---- C:\Windows\Tasks
2010-05-29 03:37:34 ----A---- C:\Windows\system32\MRT.exe
2010-05-28 09:06:55 ----D---- C:\ProgramData\PCDr
2010-05-28 09:06:32 ----D---- C:\Program Files\PC-Doctor
2010-05-26 13:04:22 ----D---- C:\Windows\rescache
2010-05-26 08:24:13 ----D---- C:\Windows\system32\en-US




turtledove wrote: Hello Odilon,
Thank you for the information. Please try the following; we'll go from there.


Please delete the copy of RSIT from your C:\Users\Odilon\Downloads\RSIT.exe folder. Delete any RSIT Folders as well if any.

Please download RSIT again, but it must be saved to your desktop.

Next Step: Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.

Let me know if there is a problem again.
Please copy the above instructions for ease of use or print them out.
Please DO NOT run any other scans unless I request them.
Thank you
turtledove
Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am

Re: Checking a Hijackthis log - after "msupdate.exe" incident

Unread post by turtledove » June 21st, 2010, 11:42 pm

Hello odilon,

Thank you. Please try the following; be sure to save it to your desktop.

Step 1
***IMPORTANT: You need to move some files off your drive C, as it only has 11% free available. You should have a minimum of 15% free space. This will be necessary for most of the tools we may need to run. Please put some files on another drive partition or on CD/DVD. You may need to do this first if DDS does not produce its logs. If DDS works, please make room on drive C while I research the two logs.

Step 2

DDS
Please download DDS ... by sUBs.
Save it to your desktop. Alternate download link: here.
  1. Double click the tool to run it.
  2. A black Screen will open... read the contents but do nothing.
  3. When DDS finishes... Notepad will open with 2 reports... DDS.txt and Attach.txt
    Ignore the comments about zipping/attaching any of the report files. The 2 report files are not saved anywhere;
    if you close Notepad before copying/pasting them, you will need to run DDS again.
  4. Copy/paste both DDS.txt and Attach.txt reports in your next reply.

Let me know if there are any problems with the above.

Thank you

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Checking a Hijackthis log - after "msupdate.exe" incident

Unread post by Odilon » June 22nd, 2010, 5:58 am

Dear Turtledove,

I have run DDS, and it seems to have worked properly (i.e., two Notepad files opened). The results are pasted below.

I can easily make some more room on the C drive, no worries.

Thanks for your help!

Odilon


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/11/2009 1:31:34 AM
System Uptime: 6/22/2010 12:53:08 PM (5 hours ago)

Motherboard: LENOVO | | 7458PF5
Processor: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz | None | 785/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 40 GiB total, 4.329 GiB free.
D: is FIXED (NTFS) - 256 GiB total, 243.267 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP161: 6/22/2010 8:50:02 AM - Windows Update

==== Installed Programs ======================

Adobe Acrobat 4.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Audacity 1.3.12 (Unicode)
Avidemux 2.5
Canon CanoScan Toolbox 5.0
CanoScan 4400F
Chinese Traditional Fonts Support For Adobe Reader 9
Conexant 20561 SmartAudio HD
CutePDF Writer 2.8
Google Chrome
HijackThis 2.0.2
Integrated Camera Driver Installer Package Ver.1.27.500.0
Integrated Camera TWAIN
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
Intel(R) Network Connections Drivers
Intel(R) PROSet/Wireless WiFi Software
Intel(R) TV Wizard
Intel® Active Management Technology
Java Auto Updater
Java(TM) 6 Update 20
KeePass Password Safe 1.17
LAME v3.98.2 for Audacity
Lenovo Fingerprint Software
Lenovo System Interface Driver
Lenovo ThinkVantage Toolbox
Malwarebytes' Anti-Malware
Microsoft Antimalware
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
OGA Notifier 2.0.0048.0
On Screen Display
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Skype™ 4.2
StuffIt Expander 2010
System Update
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad TrackPoint Driver
ThinkVantage Active Protection System
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb983486)
Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (07/07/2009 8.1.2.56)
Windows Media Player Firefox Plugin

==== Event Viewer Messages From Past Week ========

6/22/2010 4:55:59 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
6/21/2010 9:39:50 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer SKLHKGS-IMAC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7AE5E3AE-D922-4540-BCFB-A3179. The master browser is stopping or an election is being forced.
6/21/2010 9:35:53 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer STRATCAS that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7AE5E3AE-D922-4540-BCFB-A3179DA64. The master browser is stopping or an election is being forced.
6/21/2010 11:07:05 PM, Error: Service Control Manager [7016] - The Data Transfer Service service has reported an invalid current state 0.
6/20/2010 1:35:54 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
6/18/2010 7:15:06 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
6/18/2010 11:07:51 PM, Error: Microsoft-Windows-Application-Experience [205] - The Program Compatibility Assistant service failed to perform the phase two initialization.
6/17/2010 9:01:51 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD cdrom DfsC discache lenovo.smi MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx TPPWRIF vwififlt Wanarpv6 WfpLwf
6/17/2010 9:01:51 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/17/2010 9:01:51 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
6/17/2010 9:01:51 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
6/17/2010 9:01:51 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
6/17/2010 9:01:51 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
6/17/2010 9:01:51 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
6/17/2010 9:01:51 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/17/2010 9:01:51 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
6/17/2010 9:01:51 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/17/2010 9:01:51 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
6/17/2010 8:27:56 AM, Error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
6/16/2010 4:53:42 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
6/15/2010 7:12:32 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
6/15/2010 1:26:17 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.83.1788.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5802.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

==== End Of File ===========================



DDS (Ver_10-03-17.01) - NTFSx86
Run by Odilon at 17:52:57.54 on Tue 06/22/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3032.1606 [GMT 8:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\DTS.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\AtService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\explorer.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\CTC_Setup\CMUpdater\TelRun.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Odilon\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\RotateImage\RCIMGDIR.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Odilon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Odilon\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hsbc.com.hk/1/2/home
uWinlogon: Shell=Explorer.exe "c:\users\odilon\appdata\local\msupdater.exe"
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
uRun: [Google Update] "c:\users\odilon\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [FingerPrintSoftwareSplashScreen] "c:\program files\lenovo fingerprint software\splashscreen.exe" \s
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Aide] c:\program files\chinatelecom c+w\Aide.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [TelRun] c:\program files\ctc_setup\cmupdater\TelRun.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\rcimgd~1.lnk - c:\program files\rotateimage\RCIMGDIR.exe
uPolicies-explorer: DisallowCpl = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
TCP: {A4391E21-5430-414E-B191-7A4CAA865E14} = 149.254.230.7 149.254.201.126
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-6-29 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-12 13480]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 149040]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2009-10-20 1701112]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2009-10-20 98304]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2009-12-11 62320]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-12-11 2058776]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [2009-12-11 72320]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-10-20 485376]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-8-22 225408]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-18 38224]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42368]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2009-6-26 23080]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2009-12-11 45424]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2009-10-20 106496]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-2-9 9728]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
S3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-5-8 21360]
S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-12-11 75040]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-6 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-4-16 11520]
S3 zgdccat;ZTE CDMA AT Interface;c:\windows\system32\drivers\zgdccat.sys [2010-2-9 106112]
S3 zgdccdiag;ZTE CDMA Diagnostics Interface;c:\windows\system32\drivers\zgdccdiag.sys [2010-2-9 106112]
S3 zgdccmdm;ZTE CDMA Proprietary USB Modem;c:\windows\system32\drivers\zgdccmdm.sys [2010-2-9 106112]
S3 zgdccvousb;ZTE CDMA Sound Interface;c:\windows\system32\drivers\zgdccvousb.sys [2010-2-9 106112]

=============== Created Last 30 ================

2010-06-20 07:38:33 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-06-18 12:38:36 0 d-----w- c:\users\odilon\appdata\roaming\Malwarebytes
2010-06-18 12:38:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-18 12:38:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-18 12:38:19 0 d-----w- c:\programdata\Malwarebytes
2010-06-18 12:38:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 03:18:52 0 d-----w- c:\program files\Trend Micro
2010-06-16 01:31:34 0 d-----w- c:\program files\Smith Micro
2010-06-13 16:21:00 0 d--h--w- c:\programdata\CanonBJ
2010-06-11 08:46:05 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-11 08:46:05 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-11 08:45:58 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-11 08:45:53 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-11 08:45:53 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-28 01:06:29 0 d-----w- c:\programdata\PC-Doctor for Windows
2010-05-28 01:04:32 0 d-----w- c:\users\odilon\appdata\roaming\Update
2010-05-25 23:39:37 2048 ----a-w- c:\windows\system32\tzres.dll

==================== Find3M ====================

2010-05-21 06:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-12 09:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-22 19:19:33 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 17:53:28.96 ===============

turtledove wrote:Hello odilon,

Thank you. Please try the following, be sure to save to desktop.

Step 1
***IMPORTANT: You need to move some files from your Drive C, as it only has 11% free space available. You should have a minimum of 15% free space. This will be necessary for most of the tools we may need to run. Please put some files on another drive partition or on CD/DVD. You may need to do this first if DDS does not produce its logs. If DDS works, please make room on drive C while I research the two logs.

Step 1

DDS
Please download DDS ... by sUBs.
Save it to your desktop. Alternate download link: here.
  1. Double click the tool to run it.
  2. A black Screen will open... read the contents but do nothing.
  3. When DDS finishes... Notepad will open with 2 reports... DDS.txt and Attach.txt
    Ignore the comments about zipping / attaching any of the report files. The 2 report files are not saved anywhere,
    if you close Notepad, before copying /pasting them... you will need to run DDS again.
  4. Copy/paste both DDS.txt and Attach.txt reports in your next reply.

Let me know if there are any problems with the above.

Thank you

turtledove
Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby turtledove » June 22nd, 2010, 6:16 am

Hello odilon,

Good job :) You're most welcome.
Thanks for the reports.
Please do move what you can to your larger drive in the meantime. I'll go over the two logs and return as soon as possible. Please be patient as this could take some time to research. I would advise being off the internet and not surfing as much as possible, except for here and the tools I may need you to download.

Thank you

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby Odilon » June 22nd, 2010, 6:33 am

Dear Turtledove,

If it's any help, I think I just discovered which attachment corrupted my machine. It appears to have been an excel file, as I remember downloading it and not being able to open it (and it got messy, with the wrong file type, etc etc - in retrospect very suspicious, but it came from a colleague and so I didn't think at the time).

I could fwd you the file if you think it would help.

Thanks,
Odilon

Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby Odilon » June 22nd, 2010, 6:42 am

Hello Turtledove,

One more detail that might help your diagnosis. When the computer starts up, and I log in, I need to go to task manager and manually start a "new task" (I type "explorer") to get the machine started...otherwise I wouldn't be able to use it at all.

Thanks!
Odilon

Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby turtledove » June 22nd, 2010, 1:01 pm

Good Day odilon,

Thank you for the additional information. Will return with further instructions as soon as possible.

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby turtledove » June 22nd, 2010, 2:43 pm

Hello odilon,

Please copy or print out instructions for easy reference.

Step 1

Security Check

  • Download Security Check by screen317 from:
  • Save it to your Desktop.
  • Right click SecurityCheck.exe and select "Run as administrator", then follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt
  • Please post the contents of that document.


Step 2

Please Download SysProt Antirootkit from one of the links below.


  • Extract (unzip) its contents to your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
    See images below.

    Image

  • And check Hidden objects only at the bottom.
    Image

  • At the bottom of the window, click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Question on 3 items:
Did you set this item? O17 of the HijackThis log: O17 - HKLM\System\CCS\Services\Tcpip\..\{A4391E21-5430-414E-B191-7A4CAA865E14}: NameServer = 149.254.230.7 149.254.201.126 (appears to belong to T-Mobile).
And the O4 line: Chinatelecom C+W\Aide.exe. Are you familiar with this item?
**It appears there is no Firewall being used, are you using one?


Items to Post
checkup.txt
Sysprot log
Answers to questions


Thank you

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California
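A small triage script for the DDS "Pseudo HJT Report" format, added here as an example (it is not code from the thread, from DDS or from HijackThis). It automates the two checks the thread turns on: a Winlogon Shell value that launches anything besides explorer.exe, which is how msupdater.exe persisted in the log above and why explorer had to be started by hand, and NameServer (O17) entries that fall outside a trusted-network list the analyst supplies. The sample lines and the trusted networks are constructed.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example, not code from the MalwareRemoval.com thread, DDS or HijackThis.
"""
import ipaddress
import ntpath
import re
import shlex

# Constructed sample: a few lines in the shape of the report posted above.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.hsbc.com.hk/1/2/home
uWinlogon: Shell=Explorer.exe "c:\users\odilon\appdata\local\msupdater.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Aide] c:\program files\chinatelecom c+w\Aide.exe
TCP: {A4391E21-5430-414E-B191-7A4CAA865E14} = 149.254.230.7 149.254.201.126
mPolicies-system: DisableCAD = 1 (0x1)
"""

# DDS prefixes: u = HKCU, m = HKLM. The TCP line is the O17 NameServer item.
SHELL_RE = re.compile(r"^[um]Winlogon:\s*Shell=(.*)$", re.IGNORECASE)
DNS_RE = re.compile(r"^TCP:\s*\{[0-9A-Fa-f-]+\}\s*=\s*(.+)$")


def shell_extras(value):
    """Return every program in a Winlogon Shell value other than explorer.exe.

    Entries may be quoted, space-separated or comma-separated: quoted tokens
    are kept whole, unquoted tokens are split on commas.
    """
    lex = shlex.shlex(value, posix=False)  # posix=False keeps backslashes intact
    lex.whitespace_split = True
    lex.commenters = ""  # '#' is legal in a Windows path
    extras = []
    for tok in lex:
        parts = [tok] if tok.startswith('"') else tok.split(",")
        for part in parts:
            part = part.strip().strip('"')
            if part and ntpath.basename(part).lower() != "explorer.exe":
                extras.append(part)
    return extras


def foreign_nameservers(value, trusted_nets):
    """Return NameServer entries that are not inside any trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    foreign = []
    for tok in re.split(r"[\s,]+", value.strip()):
        if not tok:
            continue
        try:
            addr = ipaddress.ip_address(tok)
        except ValueError:
            foreign.append(tok)  # not an IP address at all: worth a look
            continue
        if not any(addr in net for net in nets):
            foreign.append(tok)
    return foreign


def triage(report, trusted_nets):
    """Scan a Pseudo HJT Report; return (kind, value) findings in log order."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        m = SHELL_RE.match(line)
        if m:
            findings.extend(("winlogon-shell", p) for p in shell_extras(m.group(1)))
            continue
        m = DNS_RE.match(line)
        if m:
            hits = foreign_nameservers(m.group(1), trusted_nets)
            findings.extend(("nameserver", ip) for ip in hits)
    return findings


if __name__ == "__main__":
    # Trust only RFC 1918 space, so the carrier resolvers are listed for review.
    rfc1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    for kind, value in triage(SAMPLE_REPORT, rfc1918):
        print(f"{kind:15} {value}")
```

Adding the mobile-broadband resolvers to the trusted list, once the user has confirmed them as here, leaves only the Shell finding.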

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby Odilon » June 22nd, 2010, 3:38 pm

Hi Turtledove,

Thanks. I have completed the two scans according to your instructions, and copy the log files below.

About your three questions, the T-mobile and Chinatelecom should be mobile broadband services that I installed, so I suspect these are not the cause of the problem. About the firewall, I need to check that...I guess I should have one.

Thanks again!

Odilon

Logs:

Results of screen317's Security Check version 0.99.4
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
Microsoft Security Essentialy successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 20
Adobe Flash Player 10.1.53.64
Adobe Reader 9.3.2
Chinese Traditional Fonts Support For Adobe Reader 9
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


------------------------------------------------------------------------

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
No Hidden Kernel Modules found

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: ODILON-X200.OSINYWIR:62013
Remote Address: 208.19.38.34:HTTP
Type: TCP
Process: 2684 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:62012
Remote Address: 208.19.38.34:HTTP
Type: TCP
Process: 2684 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:62003
Remote Address: 208.19.38.34:HTTP
Type: TCP
Process: 0 (PID)
State: TIME_WAIT

Local Address: ODILON-X200.OSINYWIR:62002
Remote Address: IAD04S01-IN-F164.1E100.NET:HTTP
Type: TCP
Process: 0 (PID)
State: TIME_WAIT

Local Address: ODILON-X200.OSINYWIR:62001
Remote Address: IAD04S01-IN-F164.1E100.NET:HTTP
Type: TCP
Process: 0 (PID)
State: TIME_WAIT

Local Address: ODILON-X200.OSINYWIR:62000
Remote Address: IAD04S01-IN-F164.1E100.NET:HTTP
Type: TCP
Process: 0 (PID)
State: TIME_WAIT

Local Address: ODILON-X200.OSINYWIR:61999
Remote Address: IAD04S01-IN-F164.1E100.NET:HTTP
Type: TCP
Process: 0 (PID)
State: TIME_WAIT

Local Address: ODILON-X200.OSINYWIR:61998
Remote Address: IAD04S01-IN-F157.1E100.NET:HTTP
Type: TCP
Process: 2684 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61997
Remote Address: IAD04S01-IN-F157.1E100.NET:HTTP
Type: TCP
Process: 2684 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61996
Remote Address: IAD04S01-IN-F157.1E100.NET:HTTP
Type: TCP
Process: 2684 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61995
Remote Address: IAD04S01-IN-F157.1E100.NET:HTTP
Type: TCP
Process: 2684 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61994
Remote Address: IAD04S01-IN-F157.1E100.NET:HTTP
Type: TCP
Process: 2684 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61993
Remote Address: WWW-12-01-SNC2.FACEBOOK.COM:HTTP
Type: TCP
Process: 2684 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61988
Remote Address: QW-IN-F139.1E100.NET:HTTP
Type: TCP
Process: 0 (PID)
State: TIME_WAIT

Local Address: ODILON-X200.OSINYWIR:61987
Remote Address: QW-IN-F139.1E100.NET:HTTP
Type: TCP
Process: 2684 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61966
Remote Address: USER-0CCEMT8.CABLE.MINDSPRING.COM:17570
Type: TCP
Process: 2056 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61965
Remote Address: OOL-18BBA314.DYN.OPTONLINE.NET:16934
Type: TCP
Process: 2056 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61950
Remote Address: 53552BD1.CABLE.CASEMA.NL:30023
Type: TCP
Process: 2056 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61949
Remote Address: 53542E90.CABLE.CASEMA.NL:60293
Type: TCP
Process: 2056 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61897
Remote Address: 24.143.199.8:HTTP
Type: TCP
Process: 0 (PID)
State: TIME_WAIT

Local Address: ODILON-X200.OSINYWIR:61881
Remote Address: IAD04S01-IN-F19.1E100.NET:HTTPS
Type: TCP
Process: 2684 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61878
Remote Address: IAD04S01-IN-F19.1E100.NET:HTTPS
Type: TCP
Process: 2684 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61877
Remote Address: 24-119-11-58.CPE.CABLEONE.NET:52480
Type: TCP
Process: 2056 (PID)
State: ESTABLISHED

Local Address: ODILON-X200.OSINYWIR:61624
Remote Address: IAD04S01-IN-F18.1E100.NET:HTTPS
Type: TCP
Process: 2956 (PID)
State: CLOSE_WAIT

Local Address: ODILON-X200.OSINYWIR:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: ODILON-X200:61875
Remote Address: LOCALHOST:61874
Type: TCP
Process: 1988 (PID)
State: ESTABLISHED

Local Address: ODILON-X200:61874
Remote Address: LOCALHOST:61875
Type: TCP
Process: 1988 (PID)
State: ESTABLISHED

Local Address: ODILON-X200:49179
Remote Address: 0.0.0.0:0
Type: TCP
Process: 456 (PID)
State: LISTENING

Local Address: ODILON-X200:5550
Remote Address: 0.0.0.0:0
Type: TCP
Process: 812 (PID)
State: LISTENING

Local Address: ODILON-X200:49175
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1588 (PID)
State: LISTENING

Local Address: ODILON-X200:49172
Remote Address: 0.0.0.0:0
Type: TCP
Process: 552 (PID)
State: LISTENING

Local Address: ODILON-X200:49165
Remote Address: 0.0.0.0:0
Type: TCP
Process: 456 (PID)
State: LISTENING

Local Address: ODILON-X200:49159
Remote Address: 0.0.0.0:0
Type: TCP
Process: 576 (PID)
State: LISTENING

Local Address: ODILON-X200:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1032 (PID)
State: LISTENING

Local Address: ODILON-X200:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: 952 (PID)
State: LISTENING

Local Address: ODILON-X200:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: 504 (PID)
State: LISTENING

Local Address: ODILON-X200:16993
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1988 (PID)
State: LISTENING

Local Address: ODILON-X200:10243
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: ODILON-X200:6159
Remote Address: 0.0.0.0:0
Type: TCP
Process: 2056 (PID)
State: LISTENING

Local Address: ODILON-X200:ICSLAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: ODILON-X200:664
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1988 (PID)
State: LISTENING

Local Address: ODILON-X200:RTSP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1236 (PID)
State: LISTENING

Local Address: ODILON-X200:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: ODILON-X200:HTTPS
Remote Address: 0.0.0.0:0
Type: TCP
Process: 2056 (PID)
State: LISTENING

Local Address: ODILON-X200:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 844 (PID)
State: LISTENING

Local Address: ODILON-X200:HTTP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 2056 (PID)
State: LISTENING

Local Address: ODILON-X200.OSINYWIR:SSDP
Remote Address: NA
Type: UDP
Process: 2316 (PID)
State: NA

Local Address: ODILON-X200.OSINYWIR:138
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: ODILON-X200.OSINYWIR:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: ODILON-X200:56340
Remote Address: NA
Type: UDP
Process: 2316 (PID)
State: NA

Local Address: ODILON-X200:49154
Remote Address: NA
Type: UDP
Process: 2056 (PID)
State: NA

Local Address: ODILON-X200:SSDP
Remote Address: NA
Type: UDP
Process: 2316 (PID)
State: NA

Local Address: ODILON-X200:6159
Remote Address: NA
Type: UDP
Process: 2056 (PID)
State: NA

Local Address: ODILON-X200:LLMNR
Remote Address: NA
Type: UDP
Process: 1388 (PID)
State: NA

Local Address: ODILON-X200:5005
Remote Address: NA
Type: UDP
Process: 1236 (PID)
State: NA

Local Address: ODILON-X200:5004
Remote Address: NA
Type: UDP
Process: 1236 (PID)
State: NA

Local Address: ODILON-X200:HTTPS
Remote Address: NA
Type: UDP
Process: 2056 (PID)
State: NA

Local Address: ODILON-X200:68
Remote Address: NA
Type: UDP
Process: 952 (PID)
State: NA

******************************************************************************************
******************************************************************************************
No hidden files/folders found

Odilon
Active Member
 
Posts: 14
Joined: June 17th, 2010, 12:13 am

Re: Checking a Hijackthis log - after "msupdate.exe" inciden

Unread postby turtledove » June 22nd, 2010, 4:05 pm

Hello odilon,

Thank you for the logs. :)
I will be back later after I have finished reviewing your posts.
**You do have Windows Firewall running. That is good.

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California