Google Redirects + Window Freezes! Already deleted "Internet

This topic is locked

#1 vannilafudge (Member, 20 posts)

Hello,

I'll try to be as clear as I can while typing as little as possible:

-Last week, "Internet Security 2010" downloaded itself onto my computer.
-I downloaded "Malwarebytes" and it got rid of it.
-Then, whenever I tried to go to My Music or even delete music, it would say "Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."
-And I started getting Google redirects (I'm trusting you know what it means so I don't have to describe it :) ).
-And when I'm on Mozilla Firefox, a random site pops up as a tab sometimes.
-And if I start my computer regularly/normally, it will freeze within 5-10 minutes of use and I'll have to manually shut it down (hence the reason why I'm in Safe Mode with Networking at the moment).

What I've tried:
-I've run Malwarebytes a million times, and ever since it removed "Internet Security 2010" the first time, it never found anything else.
-I've followed the "How to fix Google Redirects" guide on this website, so I've run TFC and ERUNT and TDSSKiller. (By the way, TFC worked when I ran it in Safe Mode, but when I ran TFC on a regular startup, it would go straight to something like "Access violation at address blhablahba".)

Do I have something more malicious than malware? Or is it just one of those hijack things? I would appreciate any suggestions and help! Because this is my friend's computer, and I'm supposed to return it to him after he comes back from vacation! :)

Following this will be the OTL.Txt, and then the Extras.Txt from running OTL, respectively (copied and pasted manually, following the list from the "Malware and Spyware Cleaning Guide" on this website).

OTL.Txt:


OTL logfile created on: 2/13/2010 12:48:41 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 830.00 Mb Available Physical Memory | 81.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 44.13 Gb Free Space | 59.22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAVID
Current User Name: User
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/13 12:46:47 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2003/03/31 04:00:00 | 001,004,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/02/13 12:46:47 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
MOD - [2006/08/25 07:53:52 | 000,925,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1891_x-ww_7d3bbc01\comctl32.dll
MOD - [2004/07/09 03:27:28 | 000,292,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ddraw.dll
MOD - [2003/03/31 04:00:00 | 000,686,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\opengl32.dll
MOD - [2003/03/31 04:00:00 | 000,143,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MSIMTF.dll
MOD - [2003/03/31 04:00:00 | 000,116,736 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\glu32.dll
MOD - [2003/03/31 04:00:00 | 000,007,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dciman32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/03/31 09:39:36 | 000,233,472 | ---- | M] (Teruten) [Auto | Stopped] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2007/12/05 01:41:00 | 000,155,716 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2007/01/04 13:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Stopped] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/04/03 23:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 11:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://rd.yahoo.com/.../search/ie.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: {dd3d7613-0246-469d-bc65-2a3cc1668adc}:0.7.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.07074039
FF - prefs.js..extensions.enabledItems: [email protected]:1.4
FF - prefs.js..extensions.enabledItems: {800F0FB1-CAA4-4803-B43D-4ECA7DAF12F5}:1.9.1
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.2.20080910

FF - HKLM\software\mozilla\Firefox\Extensions\\{800F0FB1-CAA4-4803-B43D-4ECA7DAF12F5}: C:\Documents and Settings\User\Local Settings\Application Data\{800F0FB1-CAA4-4803-B43D-4ECA7DAF12F5} [2010/02/08 18:39:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/14 17:47:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/06 19:51:03 | 000,000,000 | ---D | M]

[2008/09/17 19:31:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010/02/13 12:37:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\fb877ugp.default\extensions
[2008/09/26 15:33:30 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\fb877ugp.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/02/12 09:05:21 | 000,000,000 | ---D | M] (BlockSite) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\fb877ugp.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2007/12/22 16:08:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\fb877ugp.default\extensions\[email protected]
[2010/02/13 12:37:47 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/11/03 20:57:27 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected](2).org
[2007/12/18 23:55:27 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected](3).org
[2008/06/17 23:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2006/01/18 11:50:00 | 000,319,488 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
[2007/04/16 09:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2003/03/31 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Veoh Web Player Video Finder) - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll (Veoh Networks Inc)
O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx ()
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Qvuxege] C:\WINDOWS\axuvanuz.DLL (DoubleFusion)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [Aim6] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\KuGoo {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - Reg Error: Key error. File not found
O18 - Protocol\Handler\KuGoo3 {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - Reg Error: Key error. File not found
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\system32\msdxm.ocx ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/03 19:18:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/07/03 19:17:59 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: The function was called in safe mode.
Restore point Set: OTL Restore Point (17454841580224512)

========== Files/Folders - Created Within 14 Days ==========

[2010/02/13 12:46:40 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/02/13 12:11:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\SysRestorePoint_v13
[2010/02/13 12:00:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\erunt
[2010/02/13 11:37:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Downloads
[2010/02/13 11:37:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\UAB
[2010/02/13 11:37:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2010/02/13 11:36:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\PC_Drivers_Headquarters
[2010/02/12 10:08:06 | 000,000,000 | ---D | C] -- C:\Program Files\PC Drivers HeadQuarters
[2010/02/12 09:54:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/02/12 09:42:14 | 000,000,000 | ---D | C] -- C:\Program Files\Driver Fetch
[2010/02/12 09:16:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\AVG8
[2010/02/12 09:05:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\User\Recent
[2010/02/08 23:10:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\Meewwwsique
[2010/02/08 23:05:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\My Meewsique
[2010/02/08 22:35:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\My Music
[2010/02/08 21:14:12 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/02/08 21:10:22 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/08 21:10:20 | 000,018,520 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/08 21:10:20 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/08 18:51:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2010/02/08 18:51:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/08 18:43:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/02/08 18:43:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/02/08 18:39:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\{800F0FB1-CAA4-4803-B43D-4ECA7DAF12F5}
[2007/11/17 19:34:35 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/11/17 19:34:35 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/11/17 19:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/10/04 17:48:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\NVIDIA Corporation
[4 C:\Documents and Settings\User\My Documents\*.tmp files -> C:\Documents and Settings\User\My Documents\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/02/13 12:46:47 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/02/13 12:27:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/13 12:18:56 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/13 12:17:52 | 005,505,024 | ---- | M] () -- C:\Documents and Settings\User\ntuser.dat
[2010/02/13 12:17:52 | 000,000,180 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010/02/13 12:06:11 | 005,505,024 | ---- | M] () -- C:\Documents and Settings\User\ntuser.bak
[2010/02/13 12:06:07 | 003,229,960 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2010/02/13 10:55:07 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ynigomi.dat
[2010/02/13 10:55:00 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Hzuvi.bin
[2010/02/12 10:11:49 | 000,000,354 | ---- | M] () -- C:\WINDOWS\tasks\Driver Fetch.job
[2010/02/12 10:08:38 | 000,002,198 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Driver Detective.lnk
[2010/02/12 10:06:59 | 000,468,820 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/02/12 10:06:59 | 000,401,064 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/02/12 10:06:59 | 000,062,344 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/02/12 08:41:49 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Microsoft Office Word 2003.lnk
[2010/02/11 16:58:57 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\User\Desktop\UCLA scholarship essay.doc
[2010/02/11 15:15:56 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\User\Desktop\UCLA scholarship essay Q2.doc
[2010/02/11 13:08:43 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/11 10:56:59 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\User\Desktop\UCLA scholarship essay notes.doc
[2010/02/11 10:35:55 | 000,110,286 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Swimming0910.pdf
[2010/02/11 09:49:05 | 000,000,398 | ---- | M] () -- C:\WINDOWS\NJCOM.INI
[2010/02/03 21:53:19 | 000,049,562 | ---- | M] () -- C:\Documents and Settings\User\My Documents\SavaPool.pdf
[2010/02/02 21:21:27 | 000,111,334 | ---- | M] () -- C:\Documents and Settings\User\Desktop\SusannaCheng.pdf
[2010/02/02 15:23:19 | 001,099,322 | ---- | M] () -- C:\Documents and Settings\User\Desktop\mom tax form part 2.pdf
[2010/02/02 15:23:16 | 000,000,191 | ---- | M] () -- C:\Documents and Settings\User\My Documents\DPE.DUS
[2010/02/02 15:23:06 | 000,000,626 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/02 14:47:33 | 000,591,218 | ---- | M] () -- C:\Documents and Settings\User\Desktop\mom tax form part 1.pdf
[2010/02/01 23:59:26 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\User\My Documents\davis scholarship essay.doc
[4 C:\Documents and Settings\User\My Documents\*.tmp files -> C:\Documents and Settings\User\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/12 10:08:38 | 000,002,198 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Driver Detective.lnk
[2010/02/12 09:42:17 | 000,000,354 | ---- | C] () -- C:\WINDOWS\tasks\Driver Fetch.job
[2010/02/11 10:56:59 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\User\Desktop\UCLA scholarship essay notes.doc
[2010/02/11 10:35:55 | 000,110,286 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Swimming0910.pdf
[2010/02/10 19:18:13 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/09 21:26:25 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\User\Desktop\UCLA scholarship essay Q2.doc
[2010/02/09 20:43:01 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\User\Desktop\UCLA scholarship essay.doc
[2010/02/08 18:39:42 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ynigomi.dat
[2010/02/08 18:39:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Hzuvi.bin
[2010/02/02 21:21:27 | 000,111,334 | ---- | C] () -- C:\Documents and Settings\User\Desktop\SusannaCheng.pdf
[2010/02/02 15:23:06 | 001,099,322 | ---- | C] () -- C:\Documents and Settings\User\Desktop\mom tax form part 2.pdf
[2010/02/02 14:47:20 | 000,591,218 | ---- | C] () -- C:\Documents and Settings\User\Desktop\mom tax form part 1.pdf
[2010/02/01 20:21:41 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\User\My Documents\davis scholarship essay.doc
[2009/11/19 22:04:56 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll
[2009/11/19 22:04:56 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys
[2009/11/19 22:04:48 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\User\Application Data\$_hpcst$.hpc
[2008/10/24 22:10:27 | 000,000,398 | ---- | C] () -- C:\WINDOWS\NJCOM.INI
[2008/03/28 19:27:12 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\fusioncache.dat
[2008/03/03 20:27:34 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2008/02/28 22:12:43 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2008/02/28 21:40:43 | 000,011,158 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/01/06 18:14:43 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2007/12/05 01:41:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/05 01:41:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/12/05 01:41:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/12/05 01:41:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/12/05 01:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/10/25 17:26:10 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2007/10/19 20:02:06 | 001,019,904 | R--- | C] () -- C:\WINDOWS\System32\nvwimg(2).dll
[2007/10/19 20:02:05 | 001,662,976 | R--- | C] () -- C:\WINDOWS\System32\nvwdmcpl(2).dll
[2007/10/19 20:02:05 | 001,470,464 | R--- | C] () -- C:\WINDOWS\System32\nview(2).dll
[2007/10/19 20:02:05 | 000,466,944 | R--- | C] () -- C:\WINDOWS\System32\nvshell(2).dll
[2007/10/01 22:34:50 | 000,002,563 | ---- | C] () -- C:\WINDOWS\Cmudau.ini
[2007/09/09 12:45:58 | 000,000,016 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/09/09 12:40:19 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\cmdrvrmu.dll
[2007/08/31 20:43:57 | 000,000,453 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/08/29 23:21:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\sms.INI
[2007/08/29 22:40:09 | 000,892,928 | ---- | C] () -- C:\WINDOWS\System32\YeppPlugIn.dll
[2007/08/29 22:40:09 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\smax10.dll
[2007/08/29 22:40:09 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\secumax.dll
[2007/08/29 22:40:08 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylistSamsung.dll
[2007/08/29 22:40:08 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\yeppCddb.dll
[2007/08/11 20:40:34 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2007/08/10 00:39:47 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/07/04 20:48:08 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS75.DLL
[2007/07/03 21:04:47 | 000,073,216 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/03 19:23:32 | 000,008,192 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/07/03 19:22:44 | 000,156,672 | R--- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/06/14 03:29:32 | 000,060,928 | ---- | C] () -- C:\WINDOWS\System32\drivers\viamraid.sys
[2004/02/25 22:18:04 | 000,565,248 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/03/31 04:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1996/04/03 11:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2009/10/06 19:36:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2007/11/17 19:34:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7
[2007/07/04 00:45:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2009/04/24 20:02:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kingsoft
[2010/02/13 11:37:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2009/11/19 22:16:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2007/09/24 17:57:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2007/11/13 22:30:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/13 11:37:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UAB
[2009/10/06 19:36:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/12/13 13:28:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\ACAMPREF
[2009/10/06 19:37:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\acccore
[2008/04/17 19:02:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Aim
[2010/02/12 09:01:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Azureus
[2007/07/09 19:10:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\GetRightToGo
[2010/01/23 23:18:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\gtk-2.0
[2007/09/15 14:43:15 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\User\Application Data\ijjigame
[2009/04/24 20:02:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Kingsoft
[2008/04/23 17:46:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\LimeWire
[2009/12/13 01:08:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\MusE
[2008/10/24 22:14:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\NJStar
[2009/11/19 22:16:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\PC Suite
[2009/05/23 09:53:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\PPStream
[2009/11/20 00:09:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Samsung
[2008/04/24 15:26:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Snapfish
[2009/02/02 13:28:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\SystemRequirementsLab
[2010/02/12 10:11:49 | 000,000,354 | ---- | M] () -- C:\WINDOWS\Tasks\Driver Fetch.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 00:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2003/03/31 04:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/08/04 00:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\i386\sp2.cab:atapi.sys
[2003/03/31 04:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\dllcache\atapi.sys
[2003/03/31 04:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2003/03/31 04:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2003/03/31 04:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2003/03/31 04:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2003/03/31 04:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2003/03/31 04:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2003/03/31 04:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: VIAMRAID.SYS >
[2005/04/26 03:22:28 | 000,060,928 | ---- | M] (VIA Technologies inc,.ltd) MD5=0363E216E4EB5052969C96608934DBDE -- C:\WINDOWS\OemDir\viamraid.sys
[2005/04/26 03:22:28 | 000,060,928 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\viamraid.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2005/04/26 03:22:28 | 000,060,928 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\viamraid.sys

< %systemroot%\System32\config\*.sav >
[2007/07/03 12:01:12 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/07/03 12:01:12 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/07/03 12:01:12 | 000,434,176 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 480 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
< End of report >


Extras.Txt:



OTL Extras logfile created on: 2/13/2010 12:48:41 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 830.00 Mb Available Physical Memory | 81.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 44.13 Gb Free Space | 59.22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAVID
Current User Name: User
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- C:\PROGRA~1\INTERN~1\iexplore.exe -nohome (Microsoft Corporation)
https [open] -- C:\PROGRA~1\INTERN~1\iexplore.exe -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\PPStream\PPStream.exe" = C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPS -- File not found
"C:\Program Files\PPStream\PPSAP.exe" = C:\Program Files\PPStream\PPSAP.exe:*:Enabled:PPS -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18E0918E-1060-48f3-925C-56C82E88551B}" = HP PSC & OfficeJet 3.5
"{1F7473D9-6C0B-4F5A-8FA4-AB8AD78CBE54}" = DocProc
"{22988B2A-374A-4A7B-B795-A1AFF2046BE9}" = PhotoGallery
"{257EC58E-03FD-472B-A9B6-93F23A3C4CB0}" = Scan
"{29B50D30-EAFC-4cea-9F76-3A0E3729E9B0}" = SkinsHP1
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{34957B51-9676-41CE-9E52-44AE91B73F1C}" = HP Software Update
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{415B8A4E-0EA2-4C69-975C-EEE07B837FD7}" = Unload
"{4640FDE1-B83A-4376-84ED-86F86BEE2D41}" = Driver Detective
"{47C25360-AEBC-4B21-B233-87CE653B3369}" = AIOMinimal
"{48242276-DB89-42e8-9678-BD4280D7B99A}" = Copy
"{55DCBED7-5710-4939-A928-4CBD9AB09EBB}" = 1310_Help
"{5786D2C8-A4C4-4DDB-B671-8ED2A53310EC}" = 1310Tour
"{57C7C46A-D35D-492d-A328-4F8C9B5B4B52}" = PrintScreen
"{6864A62D-3EF3-415F-9922-240EED34B4C0}" = Fax
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{723C033E-63EA-4227-BAB2-0AA8693C16EB}" = Director
"{745A92AF-53B4-41A7-91C3-9B026B1D5897}" = InstantShare
"{7E84FAC8-C518-40F9-9807-7455301D6D25}" = SamsungConnectivityCableDriver
"{81DD5688-695A-4c1d-AE7D-368BF857725A}" = TrayApp
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{99D48FBB-2DEF-49A9-BCC9-C5AF63DD2643}" = AiOSoftware
"{9B03C535-3AEA-4ef2-B326-0A01A2207034}" = CreativeProjects
"{A8B94669-8654-4126-BD28-D0D2412CDED6}" = TI Connect 1.6
"{AC599724-5755-48C1-ABE7-ABB857652930}" = PC Connectivity Solution
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{AC76BA86-7AD7-5670-0000-800000000003}" = Korean Fonts Support For Adobe Reader 8
"{AF7E85DC-317C-47F5-810E-B82EE093A612}" = Samsung New PC Studio USB Driver Installer
"{BC339BFD-F550-471a-8D26-4D08126C62F7}" = SkinsHP2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CBE3E0AF-73BB-4c21-8B96-B09E003EDE7F}" = QuickProjects
"{D186329B-1B4D-408D-ABEC-EA5CE1F182C9}" = Overland
"{E443F067-3345-482C-BD7A-12675A53D292}" = Readme
"{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"{F730A60D-F6DA-4653-9C6E-548F7A3A5EE0}" = 1310Trb
"{F9B0968A-810E-484C-B81D-7F19DC2CBBF5}" = 1310
"{FBBF532A-47AC-457d-AC06-0D3163D8911E}" = WebReg
"3A5DEFA413DDE699DBA6EBE0A63534ACA524D30F" = Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
"6194C28A8F62DD817EA1B918E6E46E806A21B452" = Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
"65B6FE5418CE28F4D72543FB2D964C3CEC83F161" = Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_6" = AIM 6
"AOL Instant Messenger" = AOL Instant Messenger
"CCleaner" = CCleaner
"getPlus®_dll" = getPlus®_dll
"Guitar Pro 5_is1" = Guitar Pro 5.2
"HP Photo & Imaging" = HP Image Zone 3.5
"HPOCR" = OCR Software by I.R.I.S 7.0
"InstallShield_{AF7E85DC-317C-47F5-810E-B82EE093A612}" = Samsung New PC Studio USB Driver Installer
"InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Melody Assistant" = Melody Assistant
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"middle_man" = middle_man
"Mozilla Firefox (3.0.17)" = Mozilla Firefox (3.0.17)
"MuseScore 0.9" = MuseScore 0.9 MuseScore score typesetter
"NJStar Communicator" = NJStar Communicator
"NVIDIA Drivers" = NVIDIA Drivers
"SAMSUNG Mobile Composite Device" = SAMSUNG Mobile Composite Device Software
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"Samsung Mobile Modem Device" = Samsung Mobile Modem Device Software
"Samsung Mobile phone USB driver" = Samsung Mobile phone USB driver Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"SAMSUNG USB Mobile Device" = SAMSUNG USB Mobile Device Software
"Shockwave" = Shockwave
"SystemRequirementsLab" = System Requirements Lab
"Veoh Web Player Beta" = Veoh Web Player Beta
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinGimp-2.0_is1" = GIMP 2.6.7
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/13/2010 4:17:39 PM | Computer Name = DAVID | Source = Application Error | ID = 1000
Description = Faulting application tfc.exe, version 3.1.4.0, faulting module unknown,
version 0.0.0.0, fault address 0x7712174b.

Error - 2/13/2010 4:27:30 PM | Computer Name = DAVID | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 2/13/2010 4:27:30 PM | Computer Name = DAVID | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 2/13/2010 4:33:15 PM | Computer Name = DAVID | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 2/13/2010 4:33:15 PM | Computer Name = DAVID | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 2/13/2010 4:38:19 PM | Computer Name = DAVID | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 2/13/2010 4:38:19 PM | Computer Name = DAVID | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 2/13/2010 4:43:21 PM | Computer Name = DAVID | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 2/13/2010 4:43:21 PM | Computer Name = DAVID | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 2/13/2010 4:49:24 PM | Computer Name = DAVID | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

[ System Events ]
Error - 2/13/2010 4:20:26 PM | Computer Name = DAVID | Source = Service Control Manager | ID = 7000
Description = The Powertweak NT helper service failed to start due to the following
error: %%3

Error - 2/13/2010 4:27:30 PM | Computer Name = DAVID | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/13/2010 4:27:34 PM | Computer Name = DAVID | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 2/13/2010 4:27:34 PM | Computer Name = DAVID | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 2/13/2010 4:27:42 PM | Computer Name = DAVID | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/13/2010 4:28:59 PM | Computer Name = DAVID | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips Processor

Error - 2/13/2010 4:33:15 PM | Computer Name = DAVID | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/13/2010 4:38:19 PM | Computer Name = DAVID | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/13/2010 4:43:21 PM | Computer Name = DAVID | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/13/2010 4:49:24 PM | Computer Name = DAVID | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >
  • 0



#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2008/06/17 23:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
    O4 - HKLM..\Run: [Qvuxege] C:\WINDOWS\axuvanuz.DLL (DoubleFusion)
    O18 - Protocol\Handler\KuGoo {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - Reg Error: Key error. File not found
    O18 - Protocol\Handler\KuGoo3 {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - Reg Error: Key error. File not found
    [2010/02/13 10:55:07 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ynigomi.dat
    [2010/02/13 10:55:00 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Hzuvi.bin
    
    :Files
    C:\WINDOWS\system32\drivers\viamraid.sys|C:\WINDOWS\OemDir\viamraid.sys /replace
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done



Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



Download ComboFix here:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix\ComboFix.txt log in your next reply.
  • 0

#3
vannilafudge

vannilafudge

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hello, thank you SO SO MUCH for replying so quickly. I was out of town the past 2 days, so I apologize for such a late response on my part. Anyways, I have copied and pasted the GooredFix log as well as the ComboFix log, respectively:


GooredFix Log:


GooredFix by jpshortstuff (08.01.10.1)
Log created at 11:51 on 15/02/2010 (User)
Firefox version 3.0.17 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{800F0FB1-CAA4-4803-B43D-4ECA7DAF12F5} -> Success!
Deleting C:\Documents and Settings\User\Local Settings\Application Data\{800F0FB1-CAA4-4803-B43D-4ECA7DAF12F5} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
[email protected](2).org [08:37 03/11/2007]
[email protected](3).org [00:58 19/12/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [05:32 13/01/2008]
{972ce4c6-7e08-4474-a285-3208198ce6fd}(2) [08:37 03/11/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd}(3) [00:28 19/12/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd}(4) [00:48 19/12/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [04:37 06/01/2008]

C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\fb877ugp.default\extensions\
[email protected] [00:08 23/12/2007]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [23:33 26/09/2008]
{dd3d7613-0246-469d-bc65-2a3cc1668adc} [05:23 09/02/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-


ComboFix Log:



ComboFix 10-02-12.01 - User 02/15/2010 12:40:53.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1022.833 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.
PEV Error: AppFile

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Fonts\UPCFI.TTF
c:\windows\system32\launcher.exe

c:\windows\system32\qmgr.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-02-15 19:45 . 2010-02-15 19:45 -------- dc----w- C:\_OTL
2010-02-13 22:13 . 2010-02-13 22:13 -------- dc----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2010-02-13 22:12 . 2010-02-13 22:12 -------- dc----w- c:\documents and settings\User\Application Data\AVG8
2010-02-12 17:42 . 2010-02-12 17:42 -------- dc----w- c:\program files\Driver Fetch
2010-02-11 03:18 . 2010-02-11 21:08 664 -c--a-w- c:\windows\system32\d3d9caps.dat
2010-02-09 05:14 . 2010-02-09 05:14 -------- dc----w- c:\program files\Trend Micro
2010-02-09 05:10 . 2010-01-08 00:07 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-09 05:10 . 2010-02-13 22:12 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-09 05:10 . 2010-01-08 00:07 18520 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-02-09 03:41 . 2010-02-09 03:41 -------- dcs---w- c:\documents and settings\NetworkService\UserData
2010-02-09 02:51 . 2010-02-09 02:51 -------- dc----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-02-09 02:51 . 2010-02-09 02:51 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 22:12 . 2008-01-09 05:28 -------- dc----w- c:\program files\CCleaner
2010-02-12 17:11 . 2007-07-04 04:32 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-12 17:01 . 2007-07-04 08:45 -------- dc----w- c:\documents and settings\User\Application Data\Azureus
2010-01-24 07:18 . 2009-08-19 06:34 -------- dc----w- c:\documents and settings\User\Application Data\gtk-2.0
2009-12-23 10:04 . 2009-12-23 10:04 -------- dc----w- c:\program files\Guitar Pro 5
2009-12-22 18:04 . 2007-07-05 05:04 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-12-19 01:36 . 2009-12-13 08:01 -------- dc----w- c:\program files\MuseScore 0.9
2009-12-13 21:29 . 2007-08-11 05:36 40688 -c--a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-12 21:16 . 2009-12-12 21:16 1409 -c--a-w- c:\windows\Fonts\SToccata.fot
2009-11-20 08:10 . 2009-11-20 08:10 69632 -c--a-w- c:\documents and settings\User\Application Data\Samsung\New PC Studio\DriverChecker.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-05 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-12-05 81920]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2002-08-28 208953]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-22 44032]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 FsUsbExService;FsUsbExService;c:\windows\System32\FsUsbExService.Exe [2009-03-31 233472]
R2 Powert;Powertweak NT helper;c:\progra~1\POWERT~1\powert2k.sys [x]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 CM1083264;C-Media CM108 Like Sound UDAX Interface;c:\windows\system32\drivers\CM108.sys [x]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\System32\FsUsbExDisk.SYS [2009-03-31 36608]
R3 PortlUSB;PortlUSB;c:\windows\system32\DRIVERS\YH-820.sys [2004-09-10 7552]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
R3 XDva134;XDva134;c:\windows\System32\XDva134.sys [x]
R3 XDva158;XDva158;c:\windows\System32\XDva158.sys [x]
R3 XDva164;XDva164;c:\windows\System32\XDva164.sys [x]
R3 XDva165;XDva165;c:\windows\System32\XDva165.sys [x]
R3 XDva167;XDva167;c:\windows\System32\XDva167.sys [x]
R3 XDva186;XDva186;c:\windows\System32\XDva186.sys [x]
R3 XDva189;XDva189;c:\windows\System32\XDva189.sys [x]
R3 XDva190;XDva190;c:\windows\System32\XDva190.sys [x]
R3 XDva195;XDva195;c:\windows\System32\XDva195.sys [x]
R3 XDva201;XDva201;c:\windows\System32\XDva201.sys [x]
R3 XDva212;XDva212;c:\windows\System32\XDva212.sys [x]
R3 XDva215;XDva215;c:\windows\System32\XDva215.sys [x]
R3 XDva219;XDva219;c:\windows\System32\XDva219.sys [x]

.
Contents of the 'Scheduled Tasks' folder

2010-02-12 c:\windows\Tasks\Driver Fetch.job
- c:\program files\Driver Fetch\2.0.0.0\DriverFetch.exe [2010-02-12 01:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\fb877ugp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\fb877ugp.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-NPSStartup - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-15 13:34
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86EA88D4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76c7aac
\Driver\ACPI -> ACPI.sys @ 0xf761c740
\Driver\atapi -> atapi.sys @ 0xf75c303c
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8058e444
ParseProcedure -> ntoskrnl.exe @ 0x8055a85b
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8058e444
ParseProcedure -> ntoskrnl.exe @ 0x8055a85b
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\ODBC32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(672)
c:\windows\System32\dssenh.dll
.
Completion time: 2010-02-15 13:39:43
ComboFix-quarantined-files.txt 2010-02-15 21:39

Pre-Run: 46,960,136,192 bytes free
Post-Run: 46,946,955,264 bytes free

- - End Of File - - 199D157CFDCE7D56386AD28EC42C4610
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Open OTL, click the None button, and paste this in the custom scan box:


/md5start
qmgr.dll
/md5stop


Click Run Scan and post that log.



Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed, it will create a log in your C:\ drive.
  • Please post the contents of that log.

  • 0

#5
vannilafudge

vannilafudge

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
OTL:



OTL logfile created on: 2/15/2010 5:31:09 PM - Run 3
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 734.00 Mb Available Physical Memory | 72.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 43.51 Gb Free Space | 58.39% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAVID
Current User Name: User
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========



< MD5 for: QMGR.DLL >
[2003/03/31 04:00:00 | 000,221,696 | ---- | M] (Microsoft Corporation) MD5=6A1CF14D0E7D0B2241F552223769C8A7 -- C:\WINDOWS\system32\qmgr.dll
< End of report >


TDSSKiller:



12:05:08:453 1216 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
12:05:08:453 1216 ================================================================================
12:05:08:453 1216 SystemInfo:

12:05:08:453 1216 OS Version: 5.1.2600 ServicePack: 1.0
12:05:08:453 1216 Product type: Workstation
12:05:08:453 1216 ComputerName: DAVID
12:05:08:453 1216 UserName: User
12:05:08:453 1216 Windows directory: C:\WINDOWS
12:05:08:453 1216 Processor architecture: Intel x86
12:05:08:453 1216 Number of processors: 1
12:05:08:453 1216 Page size: 0x1000
12:05:08:453 1216 Boot type: Normal boot
12:05:08:453 1216 ================================================================================
12:05:08:468 1216 UnloadDriverW: NtUnloadDriver error 2
12:05:08:468 1216 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:05:08:515 1216 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
12:05:08:562 1216 UtilityInit: KLMD drop and load success
12:05:08:562 1216 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
12:05:08:562 1216 UtilityInit: KLMD open success
12:05:08:562 1216 UtilityInit: Initialize success
12:05:08:562 1216
12:05:08:562 1216 Scanning Services ...
12:05:08:562 1216 CreateRegParser: Registry parser init started
12:05:08:562 1216 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
12:05:08:562 1216 CreateRegParser: DisableWow64Redirection error
12:05:08:562 1216 wfopen_ex: Trying to open file C:\WINDOWS\System32\config\system
12:05:08:562 1216 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\System32\config\system) returned status C0000043
12:05:08:562 1216 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:05:08:562 1216 wfopen_ex: Trying to KLMD file open
12:05:08:562 1216 KLMD_CreateFileW: Trying to open file C:\WINDOWS\System32\config\system
12:05:08:562 1216 wfopen_ex: File opened ok (Flags 2)
12:05:08:562 1216 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\System32\config\system) init success: 264B98
12:05:08:562 1216 wfopen_ex: Trying to open file C:\WINDOWS\System32\config\software
12:05:08:562 1216 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\System32\config\software) returned status C0000043
12:05:08:562 1216 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:05:08:562 1216 wfopen_ex: Trying to KLMD file open
12:05:08:562 1216 KLMD_CreateFileW: Trying to open file C:\WINDOWS\System32\config\software
12:05:08:562 1216 wfopen_ex: File opened ok (Flags 2)
12:05:08:562 1216 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\System32\config\software) init success: 264C40
12:05:08:562 1216 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
12:05:08:562 1216 CreateRegParser: EnableWow64Redirection error
12:05:08:562 1216 CreateRegParser: RegParser init completed
12:05:09:093 1216 GetAdvancedServicesInfo: Raw services enum returned 317 services
12:05:09:093 1216 fclose_ex: Trying to close file C:\WINDOWS\System32\config\system
12:05:09:093 1216 fclose_ex: Trying to close file C:\WINDOWS\System32\config\software
12:05:09:093 1216
12:05:09:093 1216 Scanning Kernel memory ...
12:05:09:093 1216 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
12:05:09:093 1216 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86F83940
12:05:09:093 1216 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
12:05:09:093 1216
12:05:09:093 1216 DetectCureTDL3: DEVICE_OBJECT: 86F36CF8
12:05:09:093 1216 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F36CF8
12:05:09:093 1216 KLMD_ReadMem: Trying to ReadMemory 0x86F36CF8[0x38]
12:05:09:093 1216 DetectCureTDL3: DRIVER_OBJECT: 86F83940
12:05:09:093 1216 KLMD_ReadMem: Trying to ReadMemory 0x86F83940[0xA8]
12:05:09:093 1216 KLMD_ReadMem: Trying to ReadMemory 0xE164AF50[0x18]
12:05:09:093 1216 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:05:09:093 1216 DetectCureTDL3: IrpHandler (0) addr: F76C92CD
12:05:09:093 1216 DetectCureTDL3: IrpHandler (1) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (2) addr: F76C92CD
12:05:09:093 1216 DetectCureTDL3: IrpHandler (3) addr: F76C3AAE
12:05:09:093 1216 DetectCureTDL3: IrpHandler (4) addr: F76C3AAE
12:05:09:093 1216 DetectCureTDL3: IrpHandler (5) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (6) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (7) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (8) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (9) addr: F76C434C
12:05:09:093 1216 DetectCureTDL3: IrpHandler (10) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (11) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (12) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (13) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (14) addr: F76C43D4
12:05:09:093 1216 DetectCureTDL3: IrpHandler (15) addr: F76C7AAC
12:05:09:093 1216 DetectCureTDL3: IrpHandler (16) addr: F76C434C
12:05:09:093 1216 DetectCureTDL3: IrpHandler (17) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (18) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (19) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (20) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (21) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (22) addr: F76C508F
12:05:09:093 1216 DetectCureTDL3: IrpHandler (23) addr: F76C9E61
12:05:09:093 1216 DetectCureTDL3: IrpHandler (24) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (25) addr: 804F20A6
12:05:09:093 1216 DetectCureTDL3: IrpHandler (26) addr: 804F20A6
12:05:09:093 1216 TDL3_FileDetect: Processing driver: Disk
12:05:09:093 1216 TDL3_FileDetect: Processing driver file: C:\WINDOWS\System32\DRIVERS\disk.sys
12:05:09:093 1216 KLMD_CreateFileW: Trying to open file C:\WINDOWS\System32\DRIVERS\disk.sys
12:05:09:125 1216 TDL3_FileDetect: C:\WINDOWS\System32\DRIVERS\disk.sys - Verdict: Clean
12:05:09:125 1216
12:05:09:125 1216 DetectCureTDL3: DEVICE_OBJECT: 86F82B48
12:05:09:125 1216 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F82B48
12:05:09:125 1216 DetectCureTDL3: DEVICE_OBJECT: 86F83A38
12:05:09:125 1216 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F83A38
12:05:09:125 1216 KLMD_ReadMem: Trying to ReadMemory 0x86F83A38[0x38]
12:05:09:125 1216 DetectCureTDL3: DRIVER_OBJECT: 86F85030
12:05:09:125 1216 KLMD_ReadMem: Trying to ReadMemory 0x86F85030[0xA8]
12:05:09:125 1216 KLMD_ReadMem: Trying to ReadMemory 0x86F85A30[0x38]
12:05:09:125 1216 KLMD_ReadMem: Trying to ReadMemory 0x86F7E910[0xA8]
12:05:09:125 1216 KLMD_ReadMem: Trying to ReadMemory 0xE1659680[0x20]
12:05:09:125 1216 DetectCureTDL3: DRIVER_OBJECT name: \Driver\viamraid, Driver Name: viamraid
12:05:09:125 1216 DetectCureTDL3: IrpHandler (0) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (1) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (2) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (3) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (4) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (5) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (6) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (7) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (8) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (9) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (10) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (11) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (12) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (13) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (14) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (15) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (16) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (17) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (18) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (19) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (20) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (21) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (22) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (23) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (24) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (25) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: IrpHandler (26) addr: 86E968D4
12:05:09:125 1216 DetectCureTDL3: All IRP handlers pointed to one addr: 86E968D4
12:05:09:125 1216 KLMD_ReadMem: Trying to ReadMemory 0x86E968D4[0x400]
12:05:09:125 1216 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
12:05:09:125 1216 Driver "viamraid" Irp handler infected by TDSS rootkit ... 12:05:09:125 1216 KLMD_WriteMem: Trying to WriteMemory 0x86E9694D[0xD]
12:05:09:125 1216 cured
12:05:09:125 1216 KLMD_ReadMem: Trying to ReadMemory 0x86E9677F[0x400]
12:05:09:125 1216 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
12:05:09:125 1216 Driver "viamraid" StartIo handler infected by TDSS rootkit ... 12:05:09:125 1216 TDL3_StartIoHookCure: Number of patches 1
12:05:09:125 1216 KLMD_WriteMem: Trying to WriteMemory 0x86E96888[0x6]
12:05:09:125 1216 cured
12:05:09:125 1216 TDL3_FileDetect: Processing driver: viamraid
12:05:09:125 1216 TDL3_FileDetect: Processing driver file: C:\WINDOWS\System32\drivers\viamraid.sys
12:05:09:125 1216 KLMD_CreateFileW: Trying to open file C:\WINDOWS\System32\drivers\viamraid.sys
12:05:09:125 1216 TDL3_FileDetect: C:\WINDOWS\System32\drivers\viamraid.sys - Verdict: Clean
12:05:09:125 1216
12:05:09:125 1216 Completed
12:05:09:125 1216
12:05:09:125 1216 Results:
12:05:09:125 1216 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
12:05:09:125 1216 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:05:09:125 1216 File objects infected / cured / cured on reboot: 0 / 0 / 0
12:05:09:125 1216
12:05:09:125 1216 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
12:05:09:125 1216 UtilityDeinit: KLMD(ARK) unloaded successfully
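The TDSSKiller run above shows the detection logic in its raw form: for each device stack under \Driver\Disk it dumps the owning driver object's MajorFunction table, and viamraid is flagged because all 27 handlers point at one address (86E968D4) that the tool then patches in memory, while the on-disk viamraid.sys hashes clean and MBAM, a file scanner, had found nothing. As an added example (not TDSSKiller's code and not part of the original post), the script below parses lines in that log format and applies two checks a practitioner would run over such a dump: a dispatch table that collapses to one address, and handler addresses that fall inside no loaded module. The sample log is constructed from the addresses in the post; the MODULES map is an assumption, since the log prints no image ranges.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the TDSSKiller 2.2.3 log above: one line naming each
# driver object, then one "IrpHandler (n) addr:" line per major function code. The
# addresses are the ones the log reports for Disk (several routines) and viamraid
# (every entry pointing at 86E968D4).
DISK_HANDLERS = (
    ["F76C92CD", "804F20A6", "F76C92CD", "F76C3AAE", "F76C3AAE"]
    + ["804F20A6"] * 4 + ["F76C434C"] + ["804F20A6"] * 4
    + ["F76C43D4", "F76C7AAC", "F76C434C"] + ["804F20A6"] * 5
    + ["F76C508F", "F76C9E61"] + ["804F20A6"] * 3
)
VIAMRAID_HANDLERS = ["86E968D4"] * 27


def _driver_section(name, addrs):
    head = f"12:05:09:125 1216 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\{name}, Driver Name: {name}"
    body = [f"12:05:09:125 1216 DetectCureTDL3: IrpHandler ({i}) addr: {a}" for i, a in enumerate(addrs)]
    return [head, *body]


SAMPLE_LOG = "\n".join(_driver_section("Disk", DISK_HANDLERS) + _driver_section("viamraid", VIAMRAID_HANDLERS))

# Assumed module map: the log prints no image ranges, so these bases/sizes are
# illustrative XP-style values chosen so the addresses above land where they would on
# such a system (ntoskrnl near 0x804D7000, boot-start drivers in the 0xF7xxxxxx region).
MODULES = {
    "ntoskrnl.exe": (0x804D7000, 0x22C000),
    "disk.sys": (0xF76C0000, 0xC000),
    "viamraid.sys": (0xF7600000, 0x20000),
}

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \\Driver\\\S+?, Driver Name: (\S+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]{8})")


def parse_irp_tables(log_text):
    """Map driver name -> list of MajorFunction handler addresses, in index order."""
    tables = defaultdict(dict)
    current = None
    for line in log_text.splitlines():
        if m := DRIVER_RE.search(line):
            current = m.group(1)
        elif (m := IRP_RE.search(line)) and current:
            tables[current][int(m.group(1))] = m.group(2).upper()
    return {name: [t[i] for i in sorted(t)] for name, t in tables.items()}


def uniform_dispatch_tables(tables):
    """Heuristic 1, the one TDSSKiller logged for viamraid: every major function
    resolves to a single address. A clean driver routes IRPs to several routines and
    leaves unimplemented ones on the kernel's default handler (the repeating 804F20A6
    in the Disk table), so one distinct address for the whole table is a lead, not proof."""
    return {name: addrs[0] for name, addrs in tables.items()
            if len(addrs) >= 2 and len(set(addrs)) == 1}


def handlers_outside_modules(tables, modules):
    """Heuristic 2: handler addresses that fall inside no loaded image. A hook living
    in allocated pool memory (86E968D4 here) has no module to claim it, which is also
    why a file-based scan of viamraid.sys came back clean."""
    def owner(addr):
        return next((n for n, (base, size) in modules.items() if base <= addr < base + size), None)

    flagged = {}
    for name, addrs in tables.items():
        orphans = sorted({a for a in addrs if owner(int(a, 16)) is None})
        if orphans:
            flagged[name] = orphans
    return flagged


if __name__ == "__main__":
    tables = parse_irp_tables(SAMPLE_LOG)
    print("uniform dispatch table:", uniform_dispatch_tables(tables))
    print("handlers outside any module:", handlers_outside_modules(tables, MODULES))
```

The uniform-table check on its own would also fire on a legitimate filter driver that funnels every IRP through one pass-through routine, which is why TDSSKiller follows its hit with the TDL3_IrpHookDetect pattern check before it writes memory; treat either heuristic as a reason to dump and compare the bytes at that address, not as a verdict.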

#6 Rorschach112 (Retired Staff)
hi


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::
SRPeek::
c:\windows\system32\qmgr.dll
Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#7 vannilafudge (Topic Starter)
Hello, thank you again for all the help!

Just to add to the symptoms of my computer:
-recently, whatever I type using Firefox will be backwards. For example, if I intend to type "I have a virus." in Firefox, it will become ".suriv a evah I" But it'll be better after I restart Firefox.

On a side note, I had used MBAM before consulting help from you, and the first time I ran it, it got rid of two things. Anyways, I have included the ComboFix log, MBAM log, and Kaspersky online scan log, respectively:

ComboFix Log:

ComboFix 10-02-12.01 - User 02/16/2010 8:59:44.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1022.836 [GMT -8:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\qmgr.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-01-16 to 2010-02-16 )))))))))))))))))))))))))))))))
.

2010-02-16 16:53:56 . 2010-02-16 16:53:56 -------- dc----w- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft
2010-02-15 19:45:53 . 2010-02-15 19:45:53 -------- dc----w- C:\_OTL
2010-02-13 22:13:47 . 2010-02-13 22:13:47 -------- dc----w- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2010-02-13 22:12:53 . 2010-02-13 22:12:53 -------- dc----w- C:\Documents and Settings\User\Application Data\AVG8
2010-02-12 17:42:14 . 2010-02-12 17:42:14 -------- dc----w- C:\Program Files\Driver Fetch
2010-02-11 03:18:13 . 2010-02-11 21:08:43 664 -c--a-w- C:\WINDOWS\system32\d3d9caps.dat
2010-02-09 05:14:12 . 2010-02-09 05:14:12 -------- dc----w- C:\Program Files\Trend Micro
2010-02-09 05:10:22 . 2010-01-08 00:07:14 38224 -c--a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-02-09 05:10:20 . 2010-02-13 22:12:50 -------- dc----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-09 05:10:20 . 2010-01-08 00:07:04 18520 -c--a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-02-09 03:41:52 . 2010-02-09 03:41:52 -------- dcs---w- C:\Documents and Settings\NetworkService\UserData
2010-02-09 02:51:27 . 2010-02-09 02:51:27 -------- dc----w- C:\Documents and Settings\User\Application Data\Malwarebytes
2010-02-09 02:51:22 . 2010-02-09 02:51:22 -------- dc----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 22:12:37 . 2008-01-09 05:28:09 -------- dc----w- C:\Program Files\CCleaner
2010-02-12 17:11:55 . 2007-07-04 04:32:52 -------- dc----w- C:\Program Files\Common Files\Wise Installation Wizard
2010-02-12 17:01:06 . 2007-07-04 08:45:04 -------- dc----w- C:\Documents and Settings\User\Application Data\Azureus
2010-01-24 07:18:07 . 2009-08-19 06:34:12 -------- dc----w- C:\Documents and Settings\User\Application Data\gtk-2.0
2009-12-23 10:04:06 . 2009-12-23 10:04:03 -------- dc----w- C:\Program Files\Guitar Pro 5
2009-12-22 18:04:42 . 2007-07-05 05:04:28 -------- dc-h--w- C:\Program Files\InstallShield Installation Information
2009-12-19 01:36:05 . 2009-12-13 08:01:54 -------- dc----w- C:\Program Files\MuseScore 0.9
2009-12-13 21:29:53 . 2007-08-11 05:36:43 40688 -c--a-w- C:\Documents and Settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-12 21:16:00 . 2009-12-12 21:16:00 1409 -c--a-w- C:\WINDOWS\Fonts\SToccata.fot
2009-11-20 08:10:33 . 2009-11-20 08:10:45 69632 -c--a-w- C:\Documents and Settings\User\Application Data\Samsung\New PC Studio\DriverChecker.exe
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\System32\DLLCache\qmgr.dll [x]
[7] 6A1CF14D0E7D0B2241F552223769C8A7 221696 \RP795\A0222326.dll

C:\WINDOWS\LastGood.Tmp\System32\bits\qmgr.dll [x]
[-] 696AC82FB290A03F205901442E0E9589 361984 \RP795\A0222341.dll

C:\WINDOWS\LastGood.Tmp\System32\DLLCache\qmgr.dll [x]
[7] 6A1CF14D0E7D0B2241F552223769C8A7 221696 \RP795\A0222326.dll

C:\WINDOWS\LastGood.Tmp\System32\qmgr.dll [x]
[7] 6A1CF14D0E7D0B2241F552223769C8A7 221696 \RP796\A0223643.dll

C:\WINDOWS\system32\dllcache\qmgr.dll [x]
[7] 6A1CF14D0E7D0B2241F552223769C8A7 221696 \RP799\A0230550.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 13:42:20 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 09:11:35 132496]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-05 01:28:18 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 16:38:42 241664]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 09:04:34 39792]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-12-05 09:41:00 8523776]
"nwiz"="nwiz.exe" [2007-12-05 09:41:00 1626112]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-12-05 09:41:00 81920]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2002-08-28 13:38:42 208953]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-22 13:00:00 44032]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 13:39:06 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 13:39:50 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 13:39:50 455168]
"NPSStartup"="" [BU]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [11/19/2009 10:04:56 PM 233472]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [10/6/2009 7:36:26 PM 24652]
R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [11/19/2009 10:04:56 PM 36608]
S2 Powert;Powertweak NT helper;\??\C:\PROGRA~1\POWERT~1\powert2k.sys --> C:\PROGRA~1\POWERT~1\powert2k.sys [?]
S3 CM1083264;C-Media CM108 Like Sound UDAX Interface;C:\WINDOWS\System32\drivers\CM108.sys --> C:\WINDOWS\System32\drivers\CM108.sys [?]
S3 PortlUSB;PortlUSB;C:\WINDOWS\system32\drivers\YH-820.sys [10/3/2007 9:59:04 PM 7552]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);C:\WINDOWS\system32\drivers\ss_bbus.sys [11/19/2009 10:05:02 PM 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);C:\WINDOWS\system32\drivers\ss_bmdfl.sys [11/19/2009 10:05:02 PM 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;C:\WINDOWS\system32\drivers\ss_bmdm.sys [11/19/2009 10:05:02 PM 121856]
S3 XDva134;XDva134;\??\C:\WINDOWS\System32\XDva134.sys --> C:\WINDOWS\System32\XDva134.sys [?]
S3 XDva158;XDva158;\??\C:\WINDOWS\System32\XDva158.sys --> C:\WINDOWS\System32\XDva158.sys [?]
S3 XDva164;XDva164;\??\C:\WINDOWS\System32\XDva164.sys --> C:\WINDOWS\System32\XDva164.sys [?]
S3 XDva165;XDva165;\??\C:\WINDOWS\System32\XDva165.sys --> C:\WINDOWS\System32\XDva165.sys [?]
S3 XDva167;XDva167;\??\C:\WINDOWS\System32\XDva167.sys --> C:\WINDOWS\System32\XDva167.sys [?]
S3 XDva186;XDva186;\??\C:\WINDOWS\System32\XDva186.sys --> C:\WINDOWS\System32\XDva186.sys [?]
S3 XDva189;XDva189;\??\C:\WINDOWS\System32\XDva189.sys --> C:\WINDOWS\System32\XDva189.sys [?]
S3 XDva190;XDva190;\??\C:\WINDOWS\System32\XDva190.sys --> C:\WINDOWS\System32\XDva190.sys [?]
S3 XDva195;XDva195;\??\C:\WINDOWS\System32\XDva195.sys --> C:\WINDOWS\System32\XDva195.sys [?]
S3 XDva201;XDva201;\??\C:\WINDOWS\System32\XDva201.sys --> C:\WINDOWS\System32\XDva201.sys [?]
S3 XDva212;XDva212;\??\C:\WINDOWS\System32\XDva212.sys --> C:\WINDOWS\System32\XDva212.sys [?]
S3 XDva215;XDva215;\??\C:\WINDOWS\System32\XDva215.sys --> C:\WINDOWS\System32\XDva215.sys [?]
S3 XDva219;XDva219;\??\C:\WINDOWS\System32\XDva219.sys --> C:\WINDOWS\System32\XDva219.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FSUSBEXDISK
*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2010-02-12 C:\WINDOWS\Tasks\Driver Fetch.job
- C:\Program Files\Driver Fetch\2.0.0.0\DriverFetch.exe [2010-02-12 17:42:14 . 2010-01-14 01:15:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\fb877ugp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\fb877ugp.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: C:\Program Files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: C:\Program Files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

Mbam log:

Malwarebytes' Anti-Malware 1.44
Database version: 3711
Windows 5.1.2600 Service Pack 1 (Safe Mode)
Internet Explorer 6.0.2800.1106

2/16/2010 9:19:52 PM
mbam-log-2010-02-16 (21-19-52).txt

Scan type: Quick Scan
Objects scanned: 120655
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Kaspersky Online Scan log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, February 16, 2010
Operating system: Microsoft Windows XP Professional Service Pack 1 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, February 17, 2010 01:40:47
Records in database: 3542910
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 60434
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 01:25:45


File name / Threat / Threats count
C:\Program Files\Mozilla Firefox\CabalRider_USA\CabalRider.exe Infected: Trojan.Win32.Vapsup.vjv 1
C:\WINDOWS\system32\drivers\jmgvrdor.sys Infected: Rootkit.Win32.Agent.alht 1

Selected area has been scanned.
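Three scanners in this post report findings in three formats: MBAM's "path (family) -> action" lines, Kaspersky's "path Infected: name count" lines, and ComboFix's bare path list under "Other Deletions". Read together with the ComboFix run posted later in the thread, they show that no single tool saw everything: MBAM caught str.sys, Kaspersky caught jmgvrdor.sys and CabalRider.exe, and only ComboFix removed sdra64.exe and the lowsec files. The script below is an added example, not code from any of those tools or from the thread: it parses each format, merges the findings case-insensitively (the tools disagree on System32 versus system32, and NTFS does not care) and reports what each scanner missed. The log excerpts are constructed from lines in this thread.

```python
import re
from collections import defaultdict

# Constructed excerpts copied from the scanner logs in this thread. The ComboFix
# "Other Deletions" block is the one from the 02/17 run posted further down.
MBAM_LOG = r"""
Files Infected: 1

Files Infected:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

KASPERSKY_LOG = r"""
File name / Threat / Threats count
C:\Program Files\Mozilla Firefox\CabalRider_USA\CabalRider.exe Infected: Trojan.Win32.Vapsup.vjv 1
C:\WINDOWS\system32\drivers\jmgvrdor.sys Infected: Rootkit.Win32.Agent.alht 1

Selected area has been scanned.
"""

COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Mozilla Firefox\CabalRider_USA\CabalRider.exe
C:\U.exe
C:\WINDOWS\System32\drivers\jmgvrdor.sys
C:\WINDOWS\system32\drivers\str.sys
C:\WINDOWS\system32\lowsec
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\sdra64.exe

-- Previous Run --

C:\WINDOWS\system32\qmgr.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
"""

MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
KAV_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<name>\S+) (?P<count>\d+)$")
CF_INFECTED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \. \. \. is infected!!$")
CF_PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+)$")


def parse_mbam(text):
    """Entries under the 'Files Infected:' heading (not the 'Files Infected: N' summary line)."""
    found, in_files = {}, False
    for line in text.splitlines():
        if line.strip() == "Files Infected:":
            in_files = True
        elif not line.strip():
            in_files = False
        elif in_files and (m := MBAM_RE.match(line)):
            found[m["path"]] = f"{m['name']} ({m['action']})"
    return found


def parse_kaspersky(text):
    return {m["path"]: m["name"] for m in map(KAV_RE.match, text.splitlines()) if m}


def parse_combofix(text):
    """Paths in the 'Other Deletions' block, up to the next section banner."""
    found, in_deletions = {}, False
    for line in text.splitlines():
        if "Other Deletions" in line:
            in_deletions = True
            continue
        if not in_deletions:
            continue
        if line.startswith("(((("):
            break
        if m := CF_INFECTED_RE.match(line):
            found[m["path"]] = "infected (repaired)"
        elif m := CF_PATH_RE.match(line):
            found[m["path"]] = "deleted"
    return found


def consolidate(reports):
    """{tool: {path: verdict}} -> {normalized path: {tool: verdict}}. Paths are folded
    to one case because NTFS is case-insensitive and the tools print them differently."""
    merged = defaultdict(dict)
    for tool, findings in reports.items():
        for path, verdict in findings.items():
            merged[path.casefold()][tool] = verdict
    return dict(merged)


def only_seen_by(merged, tool):
    return sorted(path for path, tools in merged.items() if set(tools) == {tool})


def consolidate_thread_logs():
    return consolidate({
        "mbam": parse_mbam(MBAM_LOG),
        "kaspersky": parse_kaspersky(KASPERSKY_LOG),
        "combofix": parse_combofix(COMBOFIX_LOG),
    })


if __name__ == "__main__":
    merged = consolidate_thread_logs()
    for path in sorted(merged):
        print(path, merged[path])
    for tool in ("mbam", "kaspersky", "combofix"):
        print(f"seen only by {tool}:", only_seen_by(merged, tool))
```

Running it prints the union keyed by normalized path with one verdict per tool. The practical point is the one the poster ran into: a clean MBAM log after a rootkit hit is not a clean machine, so work from the union of the tools and treat TDSSKiller's "cured in memory" result as a reason to rescan the file system afterwards. The sdra64.exe plus lowsec\local.ds and user.ds set that ComboFix deleted is the on-disk footprint of the Zeus (Zbot) banking trojan, a fact the thread does not spell out; any passwords typed on this machine should be changed from a clean one.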

#8 Rorschach112 (Retired Staff)
hi

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Program Files\Mozilla Firefox\CabalRider_USA\CabalRider.exe
C:\WINDOWS\system32\drivers\jmgvrdor.sys

Driver::
jmgvrdor
SCopy::
RP795\A0222326.dll | C:\WINDOWS\system32\qmgr.dll
KillAll::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#9 vannilafudge (Topic Starter)
I have another problem now! I just used MBAM to scan my computer, and it said something like "the first few items cannot be deleted" or something like that, and it found nearly 16 infected files!! I have copied and pasted the log for MBAM below too, after the ComboFix log.

One more thing! Now, whenever I try to browse websites, it would direct me to:

Restricted Site! This web site is restricted based on your security preferences. Your system is infected. Please activate your antivirus software.

So I can't go on a bunch of websites, including youtube! Please help :)

ComboFix Log:

ComboFix 10-02-12.01 - User 02/17/2010 15:37:43.3.1 - x86 NETWORK
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

FILE ::
"C:\Program Files\Mozilla Firefox\CabalRider_USA\CabalRider.exe"
"C:\WINDOWS\system32\drivers\jmgvrdor.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Mozilla Firefox\CabalRider_USA\CabalRider.exe
C:\U.exe
C:\WINDOWS\System32\drivers\jmgvrdor.sys
C:\WINDOWS\system32\drivers\str.sys
C:\WINDOWS\system32\lowsec
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\sdra64.exe

-- Previous Run --

C:\WINDOWS\system32\qmgr.dll . . . is infected!!

--------

Infected copy of C:\WINDOWS\system32\qmgr.dll was found and disinfected
Restored copy from - C:\WINDOWS\ERDNT\cache\qmgr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YRQSVKT
-------\Service_yrqsvkt


((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
.

2010-02-17 17:14:37 . 2010-02-17 17:14:37 -------- dc----w- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-02-16 16:53:56 . 2010-02-16 16:53:56 -------- dc----w- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft
2010-02-15 19:45:53 . 2010-02-15 19:45:53 -------- dc----w- C:\_OTL
2010-02-13 22:13:47 . 2010-02-13 22:13:47 -------- dc----w- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2010-02-13 22:12:53 . 2010-02-13 22:12:53 -------- dc----w- C:\Documents and Settings\User\Application Data\AVG8
2010-02-12 17:42:14 . 2010-02-12 17:42:14 -------- dc----w- C:\Program Files\Driver Fetch
2010-02-11 03:18:13 . 2010-02-11 21:08:43 664 -c--a-w- C:\WINDOWS\system32\d3d9caps.dat
2010-02-09 05:10:22 . 2010-01-08 00:07:14 38224 -c--a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-02-09 05:10:20 . 2010-02-13 22:12:50 -------- dc----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-09 05:10:20 . 2010-01-08 00:07:04 18520 -c--a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-02-09 03:41:52 . 2010-02-09 03:41:52 -------- dcs---w- C:\Documents and Settings\NetworkService\UserData
2010-02-09 02:51:27 . 2010-02-09 02:51:27 -------- dc----w- C:\Documents and Settings\User\Application Data\Malwarebytes
2010-02-09 02:51:22 . 2010-02-09 02:51:22 -------- dc----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 07:26:27 . 2008-08-24 08:25:56 -------- dc----w- C:\Program Files\Susanna
2010-02-13 22:12:37 . 2008-01-09 05:28:09 -------- dc----w- C:\Program Files\CCleaner
2010-02-12 17:11:55 . 2007-07-04 04:32:52 -------- dc----w- C:\Program Files\Common Files\Wise Installation Wizard
2010-02-12 17:01:06 . 2007-07-04 08:45:04 -------- dc----w- C:\Documents and Settings\User\Application Data\Azureus
2010-01-24 07:18:07 . 2009-08-19 06:34:12 -------- dc----w- C:\Documents and Settings\User\Application Data\gtk-2.0
2009-12-23 10:04:06 . 2009-12-23 10:04:03 -------- dc----w- C:\Program Files\Guitar Pro 5
2009-12-22 18:04:42 . 2007-07-05 05:04:28 -------- dc-h--w- C:\Program Files\InstallShield Installation Information
2009-12-13 21:29:53 . 2007-08-11 05:36:43 40688 -c--a-w- C:\Documents and Settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-12 21:16:00 . 2009-12-12 21:16:00 1409 -c--a-w- C:\WINDOWS\Fonts\SToccata.fot
2009-11-20 08:10:33 . 2009-11-20 08:10:45 69632 -c--a-w- C:\Documents and Settings\User\Application Data\Samsung\New PC Studio\DriverChecker.exe
.

((((((((((((((((((((((((((((( [email protected]_17.06.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-17 04:43:37 . 2010-02-17 04:43:37 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012010021620100217\index.dat
+ 2007-07-04 03:19:47 . 2010-02-17 23:36:42 49152 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-07-04 03:19:47 . 2010-02-17 23:36:42 32768 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-07-04 03:19:47 . 2010-02-16 16:58:23 32768 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2010-02-17 17:14:37 . 2010-02-17 17:14:37 25676 C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\UserCache.bin
+ 2010-02-17 01:39:35 . 2010-02-17 23:36:42 442368 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-16 22:25:17 . 2010-02-16 22:25:17 237568 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\8ee637958b29bf4ba13924d5e5fd44dc\System.Web.RegularExpressions.ni.dll
+ 2010-02-16 22:25:19 . 2010-02-16 22:25:19 233472 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\f9d62c88e60de84c96cad2e909cf831a\System.ServiceProcess.ni.dll
+ 2010-02-16 22:25:17 . 2010-02-16 22:25:17 1179648 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\12ce3bc0287269449c736f3ec6a6fb2c\System.Data.OracleClient.ni.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 13:42:20 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 09:11:35 132496]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-05 01:28:18 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 16:38:42 241664]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 09:04:34 39792]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-12-05 09:41:00 8523776]
"nwiz"="nwiz.exe" [2007-12-05 09:41:00 1626112]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-12-05 09:41:00 81920]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2002-08-28 13:38:42 208953]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-22 13:00:00 44032]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 13:39:06 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 13:39:50 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 13:39:50 455168]
"NPSStartup"="" [BU]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [11/19/2009 10:04:56 PM 233472]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [10/6/2009 7:36:26 PM 24652]
R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [11/19/2009 10:04:56 PM 36608]
S2 Powert;Powertweak NT helper;\??\C:\PROGRA~1\POWERT~1\powert2k.sys --> C:\PROGRA~1\POWERT~1\powert2k.sys [?]
S3 CM1083264;C-Media CM108 Like Sound UDAX Interface;C:\WINDOWS\System32\drivers\CM108.sys --> C:\WINDOWS\System32\drivers\CM108.sys [?]
S3 PortlUSB;PortlUSB;C:\WINDOWS\system32\drivers\YH-820.sys [10/3/2007 9:59:04 PM 7552]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);C:\WINDOWS\system32\drivers\ss_bbus.sys [11/19/2009 10:05:02 PM 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);C:\WINDOWS\system32\drivers\ss_bmdfl.sys [11/19/2009 10:05:02 PM 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;C:\WINDOWS\system32\drivers\ss_bmdm.sys [11/19/2009 10:05:02 PM 121856]
S3 XDva134;XDva134;\??\C:\WINDOWS\System32\XDva134.sys --> C:\WINDOWS\System32\XDva134.sys [?]
S3 XDva158;XDva158;\??\C:\WINDOWS\System32\XDva158.sys --> C:\WINDOWS\System32\XDva158.sys [?]
S3 XDva164;XDva164;\??\C:\WINDOWS\System32\XDva164.sys --> C:\WINDOWS\System32\XDva164.sys [?]
S3 XDva165;XDva165;\??\C:\WINDOWS\System32\XDva165.sys --> C:\WINDOWS\System32\XDva165.sys [?]
S3 XDva167;XDva167;\??\C:\WINDOWS\System32\XDva167.sys --> C:\WINDOWS\System32\XDva167.sys [?]
S3 XDva186;XDva186;\??\C:\WINDOWS\System32\XDva186.sys --> C:\WINDOWS\System32\XDva186.sys [?]
S3 XDva189;XDva189;\??\C:\WINDOWS\System32\XDva189.sys --> C:\WINDOWS\System32\XDva189.sys [?]
S3 XDva190;XDva190;\??\C:\WINDOWS\System32\XDva190.sys --> C:\WINDOWS\System32\XDva190.sys [?]
S3 XDva195;XDva195;\??\C:\WINDOWS\System32\XDva195.sys --> C:\WINDOWS\System32\XDva195.sys [?]
S3 XDva201;XDva201;\??\C:\WINDOWS\System32\XDva201.sys --> C:\WINDOWS\System32\XDva201.sys [?]
S3 XDva212;XDva212;\??\C:\WINDOWS\System32\XDva212.sys --> C:\WINDOWS\System32\XDva212.sys [?]
S3 XDva215;XDva215;\??\C:\WINDOWS\System32\XDva215.sys --> C:\WINDOWS\System32\XDva215.sys [?]
S3 XDva219;XDva219;\??\C:\WINDOWS\System32\XDva219.sys --> C:\WINDOWS\System32\XDva219.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FSUSBEXDISK
*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2010-02-12 C:\WINDOWS\Tasks\Driver Fetch.job
- C:\Program Files\Driver Fetch\2.0.0.0\DriverFetch.exe [2010-02-12 17:42:14 . 2010-01-14 01:15:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\fb877ugp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\fb877ugp.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: C:\Program Files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: C:\Program Files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

MBAM Log:

Malwarebytes' Anti-Malware 1.44
Database version: 3711
Windows 5.1.2600 Service Pack 1 (Safe Mode)
Internet Explorer 6.0.2800.1106

2/17/2010 7:26:55 PM
mbam-log-2010-02-17 (19-26-55).txt

Scan type: Quick Scan
Objects scanned: 118197
Time elapsed: 20 minute(s), 39 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: msl32hax.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\System32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\msl32hax.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Edited by vannilafudge, 17 February 2010 - 11:53 PM.

  • 0

#10
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#11
vannilafudge

    Member

  • Topic Starter
  • Member
  • 20 posts
AHHHHHHHHHHHH! My computer doesn't even let me start up! It just turns on and then gives me the option of "start normally, safe mode, safe mode with blahblah, etc." and none of them work. When I choose either one, it will just go to a black screen and the computer will simply restart itself. What should I do? I don't mind reformatting it, but I don't have the disc. Is there anything else I can do to save it? :)
  • 0

#12
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Have you tried Last Known Good Configuration?

Sure you don't have your Windows CD?
  • 0

#13
vannilafudge

    Member

  • Topic Starter
  • Member
  • 20 posts
Yeah I've tried last known configuration as well. It just restarts itself again. And I'm sure I don't have the CD :\ Anyways, thanks for all your help!
  • 0

#14
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

Hello

We will have to create a small 'fix CD' to solve this problem.
Please download RC.ISO and save it somewhere you can find it.
Also download MagicISO and install it.

Start MagicISO. You should see a window informing you about the full version of MagicISO.
In the bottom right select Try It! and the program will open.
Click on File and then on Open and navigate to the RC.ISO file you downloaded. Select it, and click Open.

First, we'll need to add a clean version of userinit.exe to the current RC.ISO.
  • In the upper right pane, double click on the i386 folder.
  • Right click in the upper right pane and select Add Files...
  • Navigate to C:\Windows\System32 and select userinit.exe
  • Then click Open to add userinit.exe to the CD image.
  • Click File and select Save As...
  • Name the file RCplus and save it somewhere you can find it.
Next, we'll need to burn the newly created image to a disk that we can use to fix the problem.
  • Put a blank CD-R disk in your CD burner and close the tray. If an AutoPlay window opens, close it.
  • Click on Tools and select Burn CD/DVD with ISO.... A window will appear.
  • Click on the little folder to the right of CD/DVD Image File then navigate to the newly created RCplus.iso Image file and click Open.
  • In the CD/DVD Writing Speed drop-down menu choose the 8X setting.
  • Under Format make sure that Mode 1 is selected.
  • And finally, click on the Burn it! button to burn RCplus.iso to disk.
Once the disk is burned, put it in the machine you want to fix and restart it.
Boot to the CD just as you would with a Windows XP disk.
At the Welcome to Setup screen, press R to enter the Recovery Console.
Choose the installation to be repaired by number (usually 1) and press Enter.
When you are asked for the Administrator password, enter the password or leave it blank (default) and press Enter.

At the C:\Windows> prompt, type the following commands, pressing Enter after each one. Note: Watch the spaces.

D:
cd i386
copy userinit.exe c:\windows\system32
exit

After putting in the third command, you should receive the message "1 file copied", which will indicate that the operation succeeded.
Now take out the CD and reboot your computer to normal mode. Try to log in and it should let you back in.
  • 0
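The repair above restores the Winlogon Userinit value that the MBAM log reported as hijacked (Bad: C:\WINDOWS\System32\winlogon32.exe, Good: userinit.exe). As an added example for this thread, not code from the forum, ComboFix, MBAM or MagicISO, here is a small Python checker a helper could run over a REGEDIT4-style export of the Winlogon key, before and after the fix, to confirm that Userinit and Shell point only at the expected executables. The sample export is constructed for the example (it mirrors the hijack pattern from the log rather than copying the machine's export), and the expected system directory is an assumption supplied as a parameter.

```python
"""Audit the Winlogon logon values (Userinit, Shell) from a .reg export.

Added example for this thread; not code from Geeks to Go, ComboFix, MBAM or
MagicISO. The sample export below is constructed, modelled on the hijack
pattern the MBAM log reported, and the expected system directory is an
assumption supplied as a parameter.
"""
import re
from typing import Dict, List, Tuple

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Executables Windows XP itself launches from these values; anything else
# appended to the list is a persistence point worth checking.
EXPECTED_BASENAMES = {
    "Userinit": {"userinit.exe"},
    "Shell": {"explorer.exe"},
}

# Constructed sample (not a real export from the thread's machine): a clean
# userinit.exe followed by an appended winlogon32.exe, as in the MBAM finding.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\winlogon32.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" with .reg escaping (\\ for a backslash, \" for a quote).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text: str) -> str:
    """Undo .reg string escaping."""
    return text.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_value}} for REG_SZ values only."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT") or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][_unescape(value_match.group(1))] = _unescape(value_match.group(2))
    return keys


def split_logon_list(value: str) -> List[str]:
    """Userinit is a comma-separated list; the trailing comma is normal."""
    return [part.strip() for part in value.split(",") if part.strip()]


def audit_winlogon(keys: Dict[str, Dict[str, str]],
                   system_dir: str = r"C:\WINDOWS\system32") -> List[Tuple[str, str, str]]:
    """Return (value_name, entry, reason) for each suspicious logon entry."""
    findings: List[Tuple[str, str, str]] = []
    values = keys.get(WINLOGON_KEY, {})
    for name, allowed in EXPECTED_BASENAMES.items():
        if name not in values:
            continue
        for entry in split_logon_list(values[name]):
            basename = entry.rsplit("\\", 1)[-1].lower()
            if basename not in allowed:
                findings.append((name, entry, "unexpected executable in logon value"))
            elif "\\" in entry and not entry.lower().startswith(system_dir.lower() + "\\"):
                findings.append((name, entry, "expected name but outside the system directory"))
    return findings


def run_demo() -> List[Tuple[str, str, str]]:
    """Parse the constructed sample and return its findings."""
    return audit_winlogon(parse_reg_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for name, entry, reason in run_demo():
        print(f"{name}: {entry} -> {reason}")
```

On the constructed sample the checker reports the appended winlogon32.exe entry and nothing else; a clean XP machine yields no findings, because Userinit holds only system32\userinit.exe (trailing comma included) and Shell holds Explorer.exe. A second rule also flags a correctly named userinit.exe that lives outside the system directory, since replacing the file in a different path is another way the value can be diverted without changing the name.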

#15
vannilafudge

    Member

  • Topic Starter
  • Member
  • 20 posts
Thank you for not giving up on this computer haha. I will follow your instructions as soon as I have a chance to get a blank CD! :)
  • 0
