Virus deletes everything but the OS

#1
keen246

Hi all,
Hope that any of you experts can shed some light on this serious issue I have on my laptop.
Basically, some kind of virus deletes all the files and restoration points and just leaves the operating system running (with no accessories, just the bare OP). This happens under Windows 7 and XP.
Now comes the really weird part: After performing several fresh installations, I noticed that the problem happens AFTER the computer is connected to the Internet. As long as the laptop is isolated from the Internet, it runs perfectly. I did a full format of the hard disk but to no avail. Then I used a new hard disk, but before that, I did a BIOS upgrade and disconnected the battery to clear the BIOS CMOS memory (to rule out a BIOS-resident virus), but the problem happens again after connecting it to the Internet. This behavior has been noticed several times.

Since I've used a new HD and cleared the BIOS, I'm baffled as to where in the world the virus lingers. I should also mention, I tried 3 different antiviruses and none detects anything. The virus deactivates the antivirus before starting to delete the files.
I even wiped the HD with one of those programs that write 0s or 1s to the hard disk several times, which are supposedly used to ensure that hard disks are fully cleaned. I tested the memory modules and they are OK. I ran Wireshark to see if I could see any unusual web site the computer would try to connect to, but nothing abnormal was observed. I'm not 100% sure, but I think the problem happens when the computer starts to update Windows after the fresh installation.
I took the laptop to a seasoned technician but he also gave up. The issue is so strange that some people I have discussed the matter with think it might be a hardware issue, but I insist it's not, as the problem only happens if the computer is connected to the Internet; otherwise it runs as good as new.
The laptop in question is a Lenovo Thinkpad X301 with 128GB SSD and 4G of RAM. I love that laptop and want to keep using it as my main laptop. Please help!

Here is the OTL log for your info. I don't think you'll see something abnormal as the computer is isolated from the Internet, but if I connect it, I lose everything including OTL.
OTL logfile created on: 2/6/2012 9:43:55 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\elkin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 2.50 Gb Available Physical Memory | 84.57% Memory free
4.80 Gb Paging File | 4.43 Gb Available in Paging File | 92.19% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 100.58 Gb Total Space | 85.71 Gb Free Space | 85.22% Space Free | Partition Type: NTFS

Computer Name: ELKIN-X301 | User Name: elkin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/06 21:41:34 | 000,017,920 | ---- | M] () -- C:\WINDOWS\system32\rpcnetp.exe
PRC - [2012/02/06 18:39:32 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\elkin\Desktop\OTL.exe
PRC - [2008/07/13 08:41:00 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
PRC - [2008/07/10 10:42:56 | 000,167,936 | ---- | M] (Lenovo) -- C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
PRC - [2008/06/13 17:29:44 | 000,746,808 | ---- | M] (Lenovo Group Limited) -- c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2008/06/08 11:00:00 | 000,060,192 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
PRC - [2008/06/08 10:00:00 | 000,124,248 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
PRC - [2008/05/29 00:12:52 | 000,367,128 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
PRC - [2008/05/29 00:10:56 | 002,058,776 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
PRC - [2008/05/29 00:10:48 | 000,174,616 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2008/05/28 03:18:44 | 000,075,256 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe
PRC - [2008/05/24 15:52:50 | 000,032,768 | ---- | M] (Lenovo Group Limited) -- c:\Program Files\Lenovo\System Update\SUService.exe
PRC - [2008/05/14 16:25:12 | 000,520,192 | ---- | M] () -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
PRC - [2008/05/10 07:24:04 | 000,102,400 | ---- | M] (AuthenTec,Inc) -- C:\WINDOWS\system32\FpLogonServ.exe
PRC - [2008/05/10 07:11:06 | 001,160,440 | ---- | M] (AuthenTec, Inc.) -- C:\WINDOWS\system32\AtService.exe
PRC - [2008/05/09 05:50:46 | 000,253,952 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
PRC - [2008/05/05 20:35:22 | 000,815,104 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2008/05/05 20:17:12 | 000,901,120 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2008/05/05 20:06:30 | 000,466,944 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2008/04/24 23:38:34 | 000,128,368 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/28 05:56:02 | 001,448,576 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\ThinkPad\Bluetooth Software\BTStackServer.exe
PRC - [2008/03/28 05:56:02 | 000,596,584 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
PRC - [2008/03/28 05:56:02 | 000,342,624 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
PRC - [2008/03/23 21:41:22 | 000,067,432 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2008/03/23 17:15:04 | 000,068,464 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/06 21:41:49 | 000,017,920 | ---- | M] () -- C:\WINDOWS\system32\rpcnetp.dll
MOD - [2012/02/06 21:41:34 | 000,017,920 | ---- | M] () -- C:\WINDOWS\system32\rpcnetp.exe
MOD - [2011/01/20 16:24:21 | 000,368,640 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2011/01/20 16:24:20 | 000,114,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
MOD - [2011/01/20 16:18:57 | 000,962,560 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\751caebca8556646825cd9b5e2ba6232\System.Configuration.ni.dll
MOD - [2011/01/20 16:15:37 | 005,640,192 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\5e77859e868d774a8f8c1e3dd98f70b6\System.Xml.ni.dll
MOD - [2011/01/20 16:15:30 | 013,107,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c9f37ccd980a324fb306e47fecca4516\System.Windows.Forms.ni.dll
MOD - [2011/01/20 16:15:14 | 001,626,112 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\284f4ea026dd284c85733e262bed1c47\System.Drawing.ni.dll
MOD - [2011/01/20 16:15:11 | 008,093,696 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\45aa3d720a4dc9469d75bd3bcec48eed\System.ni.dll
MOD - [2011/01/20 16:14:57 | 011,415,552 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\4bc4ea82d070e44db1f505599b56e4da\mscorlib.ni.dll
MOD - [2008/07/13 08:41:00 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWRMGRIF.DLL
MOD - [2008/07/13 08:41:00 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
MOD - [2008/07/13 08:41:00 | 000,045,056 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL
MOD - [2008/07/10 10:42:50 | 000,024,576 | ---- | M] () -- C:\Program Files\Lenovo\Camera Center\bin\LocalizationWrapper.dll
MOD - [2008/07/10 10:42:50 | 000,007,680 | ---- | M] () -- C:\Program Files\Lenovo\Camera Center\bin\en-US\LocalizationWrapper.resources.dll
MOD - [2008/07/10 10:42:48 | 000,028,672 | ---- | M] () -- C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchPadLibrary.dll
MOD - [2008/07/10 10:42:48 | 000,020,480 | ---- | M] () -- C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchPadDataObjects.dll
MOD - [2008/05/14 16:25:12 | 000,520,192 | ---- | M] () -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
MOD - [2008/05/14 16:08:56 | 000,139,264 | ---- | M] () -- C:\Program Files\Lenovo\Rescue and Recovery\CDRecord.dll
MOD - [2008/05/14 16:08:56 | 000,139,264 | ---- | M] () -- c:\Program Files\Common Files\Lenovo\CDRecord.dll
MOD - [2008/05/10 07:23:52 | 000,634,880 | ---- | M] () -- C:\Program Files\Lenovo Fingerprint Software\SharedResources.dll
MOD - [2008/05/05 20:09:26 | 000,200,704 | ---- | M] () -- C:\Program Files\Intel\WiFi\bin\iWMSProv.dll
MOD - [2008/03/28 05:51:36 | 002,854,912 | ---- | M] () -- C:\WINDOWS\system32\btwicons.dll
MOD - [2008/03/28 05:49:42 | 000,040,960 | ---- | M] () -- C:\Program Files\ThinkPad\Bluetooth Software\BTKeyInd.dll
MOD - [2007/06/18 16:28:44 | 000,056,056 | ---- | M] () -- C:\WINDOWS\system32\DLAAPI_W.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SessionLauncher)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2012/02/06 21:41:49 | 000,017,920 | ---- | M] () [Unknown | Running] -- C:\WINDOWS\System32\rpcnetp.dll -- (rpcnetp)
SRV - [2010/06/25 09:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2008/07/13 08:41:00 | 000,094,208 | ---- | M] () [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service)
SRV - [2008/06/13 17:29:44 | 000,746,808 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2008/05/29 00:10:56 | 002,058,776 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS) Intel®
SRV - [2008/05/29 00:10:48 | 000,174,616 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®
SRV - [2008/05/24 15:52:50 | 000,032,768 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- c:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2008/05/14 16:25:12 | 000,520,192 | ---- | M] () [Auto | Running] -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe -- (TVT Backup Protection Service)
SRV - [2008/05/10 07:24:04 | 000,102,400 | ---- | M] (AuthenTec,Inc) [Auto | Running] -- C:\WINDOWS\system32\FpLogonServ.exe -- (FingerprintServer)
SRV - [2008/05/10 07:11:06 | 001,160,440 | ---- | M] (AuthenTec, Inc.) [Auto | Running] -- C:\WINDOWS\system32\AtService.exe -- (ATService)
SRV - [2008/05/09 05:50:46 | 000,253,952 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe -- (TVT_UpdateMonitor)
SRV - [2008/05/05 20:35:22 | 000,815,104 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2008/05/05 20:17:12 | 000,901,120 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2008/05/05 20:06:30 | 000,466,944 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2008/04/25 08:15:24 | 001,120,752 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2008/03/28 05:56:02 | 000,342,624 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2005/10/06 18:12:30 | 000,855,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)


========== Driver Services (SafeList) ==========

DRV - [2011/01/20 16:39:45 | 000,030,144 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2010/06/25 09:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2008/07/13 08:41:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2008/06/08 11:00:00 | 000,004,608 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2008/05/21 21:01:50 | 000,754,176 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)
DRV - [2008/05/14 16:21:16 | 000,114,728 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\Apsx86.sys -- (Shockprf)
DRV - [2008/05/14 16:21:16 | 000,019,496 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ApsHM86.sys -- (TPDIGIMN)
DRV - [2008/05/10 07:28:10 | 000,475,136 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF)
DRV - [2008/05/09 05:50:48 | 000,046,144 | ---- | M] (Lenovo) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tvtumon.sys -- (tvtumon)
DRV - [2008/05/01 08:21:28 | 003,627,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2008/04/22 11:13:16 | 000,072,448 | ---- | M] (Ricoh co.,Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\5U875.sys -- (5U875UVC)
DRV - [2008/03/27 00:18:18 | 000,990,632 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/03/27 00:18:12 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/03/26 18:42:00 | 000,244,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2008/03/25 21:21:06 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2008/03/25 21:12:56 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2008/03/20 12:32:24 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2008/03/10 01:18:44 | 000,534,312 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2008/03/10 01:18:42 | 000,057,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2008/03/07 02:08:08 | 000,154,672 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/02/22 15:54:40 | 000,037,312 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tvti2c.sys -- (TVTI2C)
DRV - [2008/02/04 00:57:44 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2007/09/19 18:59:14 | 000,156,392 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2007/06/18 16:29:56 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2007/06/18 16:29:10 | 000,035,064 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/06/18 16:29:08 | 000,093,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/06/18 16:29:06 | 000,098,136 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/06/18 16:29:04 | 000,026,744 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/06/18 16:28:58 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/06/18 16:28:54 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/06/18 16:28:52 | 000,105,048 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/02/08 20:05:30 | 000,028,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/02/08 20:05:30 | 000,012,856 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkpad [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




O1 HOSTS File: ([2004/08/04 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (IePasswordManagerHelper Class) - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchPadLauncher.exe ()
O4 - HKLM..\Run: [FingerPrintSoftware] C:\Program Files\Lenovo Fingerprint Software\fpapp.exe (Authentec,Inc)
O4 - HKLM..\Run: [LPMailChecker] C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\NPJPI150_16.dll (Sun Microsystems, Inc.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_16)
O16 - DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{51697E93-13CF-4B52-897D-11E3CAB151AC}: NameServer = 200.106.160.4
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ATFUS: DllName - (C:\WINDOWS\system32\FpWinLogonNp.dll) - C:\WINDOWS\system32\FpWinlogonNp.dll (AuthenTec,Inc)
O20 - Winlogon\Notify\tpfnf2: DllName - (C:\Program Files\Lenovo\HOTKEY\notifyf2.dll) - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - (C:\Program Files\Lenovo\HOTKEY\tphklock.dll) - C:\Program Files\Lenovo\HOTKEY\tphklock.dll (Lenovo Group Limited)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/04/29 23:13:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/06 18:39:13 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\elkin\Desktop\OTL.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/06 21:41:49 | 000,017,920 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.dll
[2012/02/06 21:41:49 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2012/02/06 21:41:42 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/06 21:41:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/06 21:41:38 | 3177,205,760 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/06 21:41:34 | 000,017,920 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2012/02/06 18:39:32 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\elkin\Desktop\OTL.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/20 16:44:52 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2011/01/20 16:37:41 | 000,114,688 | ---- | C] () -- C:\WINDOWS\desktopset.exe
[2011/01/20 16:37:07 | 000,016,384 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE
[2011/01/20 16:37:06 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2011/01/20 16:35:02 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2011/01/20 16:35:01 | 000,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/01/20 16:30:57 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2011/01/20 16:30:57 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2011/01/20 16:30:57 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2011/01/20 16:30:57 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2011/01/20 16:30:57 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2011/01/20 16:30:57 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2011/01/20 16:19:48 | 001,991,464 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin
[2011/01/20 16:19:46 | 000,432,400 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
[2011/01/20 16:19:46 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4957.dll
[2011/01/20 16:05:00 | 000,000,138 | ---- | C] () -- C:\WINDOWS\System32\Softkbd.exe.config
[2011/01/20 15:59:41 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.dll
[2011/01/20 15:59:29 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.exe
[2010/06/25 09:03:12 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2008/03/28 05:51:36 | 002,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2006/04/29 23:31:51 | 000,004,670 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/04/29 23:22:10 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/04/29 23:19:56 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/04/29 23:10:07 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/04/29 22:55:59 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/04/29 22:55:55 | 000,401,632 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/04/29 22:55:55 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/04/29 22:55:55 | 000,062,746 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/04/29 22:55:55 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/04/29 22:55:54 | 000,004,547 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/04/29 22:55:52 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/04/29 22:55:50 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/04/29 22:55:44 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/04/29 22:55:44 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/04/29 22:55:37 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/04/29 22:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/04/29 22:55:25 | 000,588,800 | ---- | C] () -- C:\WINDOWS\System32\autochk.exe
[2006/04/29 16:04:28 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/04/29 16:03:29 | 000,139,648 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2011/01/20 16:40:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo
[2011/01/20 16:39:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2011/01/20 16:34:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2011/01/20 16:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elkin\Application Data\CachedFiles
[2011/01/20 16:40:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elkin\Application Data\Lenovo
[2011/01/21 19:33:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elkin\Application Data\Wireshark
[2011/01/25 10:52:00 | 000,000,254 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
[2012/02/06 21:41:49 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

========== Purity Check ==========



< End of report >

Mod Edit: moved from Intro forum to Malware forum.-ST

Edited by SweetTech, 07 February 2012 - 03:20 AM.

  • 0

#2
admin
It's not a virus. Your notebook is protected by a theft prevention security app (Lojack, Computrace). One of the features of the software is remote delete:

Go to the Delete tab to remotely erase files on your computer. You can opt to delete all of your files, or just certain file types. The next time your laptop contacts the Monitoring Center, it receives the Delete command and erases the files you selected.

This cannot be removed by reformatting; it's often installed by the computer manufacturer. I would start by contacting Lenovo, with proof of ownership. Since we cannot verify identity in this online environment, we will not be able to offer further assistance.
  • 0
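
Added example, not part of the thread and not code from OTL or from the vendor: a Python script that parses OTL entries and correlates every sighting of the anti-theft agent's files across the log's sections, run here on lines copied from the log in post #1. The `rpcnetp.*` names come from that log; treating them, together with `rpcnet.exe` and `rpcnet.dll`, as Computrace agent files is an assumption taken from public analyses of the agent, not something the thread states.

```python
import re
from datetime import datetime
from ntpath import basename  # parses Windows paths on any OS

# Assumption (not stated in the thread): file names that public analyses
# attribute to the Computrace/LoJack agent. Only rpcnetp.* is in the log.
AGENT_NAMES = {"rpcnetp.exe", "rpcnetp.dll", "rpcnet.exe", "rpcnet.dll"}

# One OTL entry: optional section tag, [timestamp | size | attrs | M/C],
# (company), optional [start type | state], path, optional (service name).
OTL_LINE = re.compile(
    r"^(?:(?P<kind>PRC|MOD|SRV|DRV) - )?"
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| [\d,]+ \| [-A-Z]{4} \| (?P<flag>[MC])\] "
    r"\((?P<company>.*?)\) "
    r"(?:\[(?P<state>[^\]]*)\] )?"
    r"-- (?P<path>.+?)"
    r"(?: -- \((?P<service>[^)]*)\).*)?$"
)

# Lines copied from the OTL log in post #1 (agent entries plus benign ones).
SAMPLE_LOG = r"""
PRC - [2012/02/06 21:41:34 | 000,017,920 | ---- | M] () -- C:\WINDOWS\system32\rpcnetp.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
MOD - [2012/02/06 21:41:49 | 000,017,920 | ---- | M] () -- C:\WINDOWS\system32\rpcnetp.dll
SRV - [2012/02/06 21:41:49 | 000,017,920 | ---- | M] () [Unknown | Running] -- C:\WINDOWS\System32\rpcnetp.dll -- (rpcnetp)
SRV - [2010/06/25 09:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
DRV - [2011/01/20 16:39:45 | 000,030,144 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
[2011/01/20 15:59:41 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.dll
[2011/01/20 15:59:29 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\rpcnetp.exe
"""


def parse_otl(text):
    """Yield one dict per line that matches the OTL entry format."""
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
            yield rec


def find_agent(text):
    """Group every sighting of an agent file name, keyed by lower-case name."""
    hits = {}
    for rec in parse_otl(text):
        name = basename(rec["path"]).lower()
        if name not in AGENT_NAMES:
            continue
        h = hits.setdefault(name, {"sections": set(), "no_vendor": True,
                                   "service": None, "created": None,
                                   "modified": None})
        # Untagged entries come from the file listings at the end of the log.
        h["sections"].add(rec["kind"] or "FILE")
        # OTL prints "()" when the binary carries no company name.
        h["no_vendor"] = h["no_vendor"] and rec["company"] == ""
        if rec["kind"] == "SRV":
            h["service"] = (rec["service"], rec["state"])
        if rec["flag"] == "C":
            if h["created"] is None or rec["ts"] < h["created"]:
                h["created"] = rec["ts"]
        elif h["modified"] is None or rec["ts"] > h["modified"]:
            h["modified"] = rec["ts"]
    for h in hits.values():
        # A file that predates the last write was rewritten after install.
        h["rewritten"] = bool(h["created"] and h["modified"]
                              and h["modified"] > h["created"])
    return hits


if __name__ == "__main__":
    for name, h in sorted(find_agent(SAMPLE_LOG).items()):
        print(name, sorted(h["sections"]), "service:", h["service"],
              "no vendor:", h["no_vendor"], "created:", h["created"],
              "modified:", h["modified"], "rewritten:", h["rewritten"])
```

On the lines from post #1 both files carry no vendor string, were created during the 2011 install and were last written about two minutes before the log was taken, and the DLL is registered as a running service.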

#3
keen246
Thanks a lot! You hit the nail on the head. I had seen the Computrace warning in the BIOS setup but never paid attention to it and didn't know it could erase your whole hard disk.
What was surprising to me was that it is active and I never activated it. I bought the computer brand new (2,5 years ago), so there must be an error in the Computrace database. I called them but as usual the phone help is useless. They treated me like a thief and an idiot, but soon they'll see the joke is on them.
I can't believe they want to control my own computer when I am the legitimate owner. So I'm figuring out the workaround to defeat that spyware. From what I've read, it's fairly easy to bypass that "security". So people who buy such a "service" are not really aware of the danger it can inflict on your security and how easy it is to bypass it.

Thanks again for your help. You can close this thread (I don't know how).
  • 0