Your system has been infected background


This topic is locked

#1 nijisan (Member, 25 posts)

I am experiencing this whenever I run my PC. I get a black background and "Your system has been infected" is written in red font. I can't even run any anti-virus programs anymore. I can't even run hijackthis.
#2 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hello nijisan and welcome to G2G! :D

My nick is maliprog and I will be your technical support on this issue. Before we start cleaning your PC you must print these instructions or save them to your Desktop (in a .txt file) so you can access them in Safe Mode with no internet connection.

NOTE:

  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
Step 1


Please download rkill.com to your desktop

Once it is downloaded, double-click on rkill.com in order to automatically attempt to stop any processes associated with Security Central and other rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Central when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Central. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of my instructions.

Do not reboot your computer after running rkill as the malware programs will start again.

Step 2

Please download OTH to your desktop
Please download OTL to your Desktop
Please download the attached Scan.txt to your desktop (located at the end of this post)

Double-click the OTH file and select Kill All Processes; your desktop will go blank.

Posted Image

Then select Start OTL
OTL will now run

  • double-click on the Custom Scans box and a message box will popup asking if you want to load a custom scan from a file
    Select Scan.txt that you downloaded
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Copy and paste them to me.

Step 3

Please don't forget to include these items in your reply:

  • OTL log
  • OTL Extras log
It would be helpful if you could post each log in a separate post.

Attached file: Scan.txt (998 bytes)


#3 nijisan (Topic Starter, Member, 25 posts)

After running the rkill, I opened OTH and killed all processes. Then I opened OTL afterwards and clicked quick scan after inputting the scan settings you sent me. After this, the program terminated and could no longer be opened.

And to help you figure out what this is, here's a screenshot of what my desktop looks like.

Posted Image

Edited by nijisan, 29 November 2010 - 02:04 AM.


#4 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi nijisan,

Let's try running it directly.

Download OTL to your Desktop

  • Double-click on the icon to run it (if running Vista or Windows 7, right-click on it and select "Run as an Administrator"). Make sure all other windows are closed and let it run uninterrupted.
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%|bak;true;false;false /fp
%systemroot%system32|bak;true;false;false /fp
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.


#5 nijisan (Topic Starter, Member, 25 posts)

OTL gets terminated during the scan. Then the executable itself becomes unusable after getting terminated automatically.

#6 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi nijisan,

There is another method then.

Step 1

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Step 2


Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 3


Please don't forget to include these items in your reply:

  • exeHelper log
  • Malwarebytes log
It would be helpful if you could post each log in a separate post.

#7 nijisan (Topic Starter, Member, 25 posts)

Here is the log for exehelper

exeHelper by Raktor
Build 20100414
Run at 16:16:15 on 11/29/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



As for MBAM, it terminates while scanning, like OTL. And it leaves the tool itself inaccessible after getting terminated as well.
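The exeHelper log above names the places this kind of rogue tampers with so that its own code keeps running and the user's tools do not: the .exe and .com file associations, the Winlogon Userinit and Shell values, and the policies that disable Task Manager and the registry tools. What follows is an added example, not part of this thread and not exeHelper's code: a Python script that reads those same locations and compares them with what a clean Windows XP install has. The expected defaults are the example's own assumption (the Winlogon values are the ones the FileLister report later in this thread shows; which policy values exeHelper resets is not stated in its log, so DisableTaskMgr and DisableRegistryTools are assumed), the two sample dictionaries are constructed, and the dropper path in the hijacked sample is hypothetical. `read_live()` uses the standard-library `winreg` module and therefore only works when run on the Windows machine itself; `audit()` works on any dictionary of values, so it can be run against values copied out of a log.

```python
import re

EXEFILE = r"HKCR\exefile\shell\open\command"
COMFILE = r"HKCR\comfile\shell\open\command"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Expected contents of each location on a clean Windows XP install, as regular
# expressions that must match the whole value (case-insensitively).  None means
# the value should be absent (or 0, for the policy flags).  Which policy values
# exeHelper resets is not stated in its log; these two are an assumption.
EXPECTED = {
    (EXEFILE, ""): r'"%1" %\*',
    (COMFILE, ""): r'"%1" %\*',
    (WINLOGON, "Userinit"): r"[a-z]:\\(windows|winnt)\\system32\\userinit\.exe,?",
    (WINLOGON, "Shell"): r"explorer\.exe",
    (POLICY, "DisableTaskMgr"): None,
    (POLICY, "DisableRegistryTools"): None,
}


def audit(observed):
    """Compare observed registry values with EXPECTED.

    observed maps (key, value name) -> value, with None for a value that does
    not exist.  Returns (key, value name, observed value) for every location
    that does not look like a clean machine.
    """
    bad = []
    for location, pattern in EXPECTED.items():
        value = observed.get(location)
        if pattern is None:
            ok = value in (None, 0, "0")
        else:
            ok = (isinstance(value, str)
                  and re.fullmatch(pattern, value.strip(), re.IGNORECASE) is not None)
        if not ok:
            bad.append((location[0], location[1], value))
    return bad


def read_live():
    """Read the same locations from the local registry (Windows only)."""
    import winreg  # Windows-only module; imported here so audit() runs anywhere
    hives = {"HKCR": winreg.HKEY_CLASSES_ROOT,
             "HKLM": winreg.HKEY_LOCAL_MACHINE,
             "HKCU": winreg.HKEY_CURRENT_USER}
    observed = {}
    for key, name in EXPECTED:
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey, 0, winreg.KEY_READ) as handle:
                # "" names the (Default) value of the key
                observed[(key, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:  # key or value does not exist
            observed[(key, name)] = None
    return observed


# Constructed sample of a clean machine; the Winlogon values are the ones the
# FileLister report in this thread shows.
CLEAN = {
    (EXEFILE, ""): '"%1" %*',
    (COMFILE, ""): '"%1" %*',
    (WINLOGON, "Userinit"): r"C:\Windows\system32\userinit.exe,",
    (WINLOGON, "Shell"): "Explorer.exe",
    (POLICY, "DisableTaskMgr"): None,
    (POLICY, "DisableRegistryTools"): None,
}

# Constructed sample of the tampering exeHelper undoes: every .exe launch is
# routed through a (hypothetical) dropper and Task Manager is disabled by policy.
HIJACKED = dict(CLEAN)
HIJACKED[(EXEFILE, "")] = (
    r'"C:\Documents and Settings\All Users\Application Data\example.exe" "%1" %*')
HIJACKED[(POLICY, "DisableTaskMgr")] = 1


if __name__ == "__main__":
    for key, name, value in audit(HIJACKED):
        print(f"{key}\\{name or '(Default)'} = {value!r}")
```

On the infected machine itself the call would be `audit(read_live())`; a hit on the exefile or comfile entry is what makes every downloaded tool "terminate" the moment it is started, since the hijacker runs first and decides whether to pass the launch on.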

#8 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi nijisan,

Please remove the OTL you have and download a new one, but don't run it. Rename it to svchost.exe (left click on OTL and choose Rename).

Please restart in safe mode:
  • If the computer is running, shut down Windows, and then turn off the power
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.

Now try to run OTL from safe mode.

#9 nijisan (Topic Starter, Member, 25 posts)

After running OTL(changed to svchost.exe) in safe mode, the same thing happened. It got terminated and left the program unusable.

#10 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Guess your system is badly infected. We will try ComboFix.

Download ComboFix from one of the links below and rename it to svchost.exe:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
#11 nijisan (Topic Starter, Member, 25 posts)

I've done everything you said. After ComboFix (renamed to svchost.exe) loaded (the blue bar), it got terminated.

#12 nijisan (Topic Starter, Member, 25 posts)

This virus is somehow immortal. I've tried several anti-virus programs but they all failed. >__<

#13 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi nijisan,

Don't worry, we will remove it. Just stick with me and arm yourself with patience.

Step 1

I need to see what is going on with your PC. I need at least one log :D

1. Go HERE and download FileLister.
  • Save it to your Desktop
  • Right-click ->> Extract all ->> and extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister folder.
  • Note: Leave the FileLister.vbe file in the folder and run it from there.
Posted Image
  • Right-click FileLister.vbe ->> select Open, then Open to confirm.
  • When the program is finished it will produce a log for you, Files.txt,
  • which will be located in the default location from which FileLister was run (the FileLister folder)
Copy and paste the contents of that log in your reply.

Step 2

Do you have another PC where you can burn a CD? We may need this if Step 1 fails.

Step 3

Can you access Task Manager now, and if you can, can you take a screenshot of the running processes?

#14 nijisan (Topic Starter, Member, 25 posts)

+++++++++++++++++++++++++++
+ File Lister Version 1.1.4 +
+ +
+ By bamajim / SpywareHammer.com +
+++++++++++++++++++++++++++

Report ran on --->>> 11/29/2010 5:53:31 PM

====== Running Processes ======

C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\grasssoft\mouse recorder\MacroService.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
c:\program files\grasssoft\mouse recorder\MacroServiceWnd.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\explorer.exe
C:\Program Files\Angels Online\angel.dat
C:\Program Files\Angels Online\angel.dat
C:\Documents and Settings\WINDOWS XP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\WINDOWS XP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\WINDOWS XP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\WINDOWS XP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\WINDOWS XP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\WINDOWS XP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\System32\WScript.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

====== BHO's ======
BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

BHO: (NO NAME) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Internet Download Manager\IDMIECC.dll

BHO: (NO NAME) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

BHO: SBCONVERT - {3017FB3E-9A77-4396-88C5-0EC9548FB42F} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll

BHO: SBCONVERT - {31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll

BHO: (NO NAME) - {389943B0-C3A2-4E69-82CB-8596A84CB3DC} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL

BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

BHO: (NO NAME) - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\AVG\AVG9\avgssie.dll

BHO: (NO NAME) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

BHO: Search Result Optimizator - {D7BE8ED1-B138-48FD-BB22-9779A39130B1} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

BHO: (NO NAME) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll

====== System Keys (some whitelisted items will not be shown)======

Winlogon\Userinit = C:\Windows\system32\userinit.exe,
Winlogon\Shell = Explorer.exe

====== HKLM\~\Run Keys ======

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[AVG9_TRAY] = C:\PROGRA~1\AVG\AVG9\avgtray.exe
[iTunesHelper] = "C:\Program Files\iTunes\iTunesHelper.exe"
[KernelFaultCheck] = %systemroot%\system32\dumprep 0 -k

====== HKCU\~\Run Keys ======

[ctfmon.exe] = C:\Windows\system32\ctfmon.exe
[IDMan] = C:\Program Files\Internet Download Manager\IDMan.exe /onboot

====== DNS Info (List may be empty) ======


NV Hostname = windows-352ac85
DataBasePath = %SystemRoot%\System32\drivers\etc
ForwardBroadcasts = 0
IPEnableRouter = 0
Hostname = windows-352ac85
UseDomainNameDevolution = 1
EnableICMPRedirect = 1
DeadGWDetectDefault = 1
DontAddDefaultGatewayDefault = 0
EnableSecurityFilters = 0
DefaultReceiveWindow = 937500
KeepAliveTime = 7200000
KeepAliveInterval = 1000
EnableICMPRedirects = 0
DisableTaskOffload = 0
MaxMTU = 1500
DefaultRcvWindow = 63888
PMTUBlackHoleDetect = 0
MaxUserPort = 65535
DefaultSendWindow = 937500
DhcpNameServer = 192.168.1.1

====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======

11/29/2010 5:42:45 PM 8571136 C:\32788R22FWJFW
11/29/2010 5:42:46 PM 0 C:\32788R22FWJFW\EN-US
11/29/2010 5:42:45 PM 419751 C:\32788R22FWJFW\License
11/29/2010 5:43:01 PM 0 C:\32788R22FWJFW\N_
11/29/2010 3:45:57 PM 0 C:\autorun.inf
11/29/2010 3:54:25 PM 85 C:\RECYCLER
11/29/2010 3:54:25 PM 85 C:\RECYCLER\S-1-5-21-1482476501-1004336348-682003330-1004
10/8/2010 4:18:28 PM 1708060 C:\UJ
10/8/2010 4:18:28 PM 1708060 C:\UJ\Myth Angels Online
10/8/2010 4:21:52 PM 221450 C:\UJ\Myth Angels Online\save
10/8/2010 4:41:09 PM 5254 C:\UJ\Myth Angels Online\save\cfg
10/8/2010 4:21:52 PM 641 C:\UJ\Myth Angels Online\save\data
10/8/2010 5:08:28 PM 215555 C:\UJ\Myth Angels Online\save\msg
10/8/2010 5:08:28 PM 215555 C:\UJ\Myth Angels Online\save\msg\201010
10/8/2010 4:31:40 PM 0 C:\UJ\Myth Angels Online\update
10/8/2010 4:34:42 PM 671180 C:\UJ\Myth Angels Online\zdata
10/8/2010 4:34:42 PM 671180 C:\UJ\Myth Angels Online\zdata\STAGE
10/8/2010 4:34:42 PM 190120 C:\UJ\Myth Angels Online\zdata\STAGE\21
10/8/2010 4:34:42 PM 137256 C:\UJ\Myth Angels Online\zdata\STAGE\22
10/8/2010 4:34:42 PM 51984 C:\UJ\Myth Angels Online\zdata\STAGE\23
10/8/2010 4:34:42 PM 258916 C:\UJ\Myth Angels Online\zdata\STAGE\24
10/8/2010 4:38:26 PM 32904 C:\UJ\Myth Angels Online\zdata\STAGE\26
11/29/2010 4:41:46 PM 952 35 C:\boot.ini
11/29/2010 4:41:46 PM 47580 35 C:\NTDETECT.COM
11/29/2010 4:41:46 PM 233632 35 C:\NTLDR
11/29/2010 3:44:51 PM 3219128320 38 C:\pagefile.sys
11/29/2010 1:10:53 PM 449 32 C:\rkill.log
11/29/2010 12:34:48 PM 40694 32 C:\TDSSKiller.2.4.9.0_29.11.2010_12.34.48_log.txt
10/14/2010 8:53:28 PM 451072 C:\WINDOWS\Full Speed
11/29/2010 12:26:04 PM 0 32 C:\WINDOWS\0.log
11/5/2010 5:00:28 PM 199 32 C:\WINDOWS\ghostxgameInfo.xml
11/5/2010 5:00:47 PM 20 32 C:\WINDOWS\GKLauncherInfo.ini
11/13/2010 6:35:27 PM 8592 32 C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #2.txt
11/13/2010 6:43:53 PM 42260 32 C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #3.txt
11/7/2010 5:33:32 PM 11072 32 C:\WINDOWS\ModemLog_ZTE Proprietary USB Modem #2.txt
11/11/2010 3:49:53 PM 10554 32 C:\WINDOWS\ModemLog_ZTE Proprietary USB Modem #3.txt
11/7/2010 5:13:24 PM 8130 32 C:\WINDOWS\ModemLog_ZTE Proprietary USB Modem.txt
11/29/2010 4:34:30 PM 98718 32 C:\WINDOWS\ntbtlog.txt
11/29/2010 12:25:38 PM 12584 32 C:\WINDOWS\SchedLgU.Txt
11/29/2010 12:26:05 PM 173998 32 C:\WINDOWS\setupapi.log
11/29/2010 12:25:53 PM 0 32 C:\WINDOWS\Sti_Trace.log
11/29/2010 12:25:56 PM 159 32 C:\WINDOWS\wiadebug.log
11/29/2010 12:25:53 PM 50 32 C:\WINDOWS\wiaservc.log
11/29/2010 12:24:34 PM 7681 32 C:\WINDOWS\WindowsUpdate.log
11/7/2010 5:10:21 PM 1813271 C:\WINDOWS\system32\SupportAppXL
11/29/2010 10:32:44 AM 82432 32 C:\WINDOWS\system32\404Fix.exe
11/29/2010 10:32:44 AM 78336 32 C:\WINDOWS\system32\Agent.OMZ.Fix.exe
10/3/2010 1:21:00 PM 9728 2080 C:\WINDOWS\system32\BASSMOD.dll
11/29/2010 10:32:44 AM 51200 32 C:\WINDOWS\system32\dumphive.exe
11/29/2010 10:32:44 AM 82944 32 C:\WINDOWS\system32\IEDFix.C.exe
11/29/2010 10:32:44 AM 82944 32 C:\WINDOWS\system32\IEDFix.exe
11/29/2010 10:32:44 AM 80384 32 C:\WINDOWS\system32\o4Patch.exe
11/29/2010 10:32:44 AM 53248 32 C:\WINDOWS\system32\Process.exe
11/29/2010 10:32:44 AM 288417 32 C:\WINDOWS\system32\SrchSTS.exe
11/29/2010 10:32:44 AM 135168 32 C:\WINDOWS\system32\swreg.exe
11/29/2010 10:32:44 AM 40960 32 C:\WINDOWS\system32\swsc.exe
11/29/2010 10:32:44 AM 79360 32 C:\WINDOWS\system32\swxcacls.exe
11/29/2010 10:33:33 AM 2050 32 C:\WINDOWS\system32\tmp.reg
11/29/2010 10:33:33 AM 0 32 C:\WINDOWS\system32\tmp.txt
11/29/2010 10:32:44 AM 87552 32 C:\WINDOWS\system32\VACFix.exe
11/29/2010 10:32:44 AM 289144 32 C:\WINDOWS\system32\VCCLSID.exe
11/29/2010 1:38:58 PM 115 32 C:\WINDOWS\system32\version.ini
11/29/2010 10:32:44 AM 75776 32 C:\WINDOWS\system32\WS2Fix.exe

====== "\Administrator & All Users\Startup" Last 60 Days======



====== "\Program Files" Last 60 Days======

10/14/2010 10:02:57 PM 2191853 C:\Program Files\Appwalk.com Technologies Canada
10/17/2010 1:31:37 PM 8024984 C:\Program Files\AutomationLabs
10/14/2010 8:53:28 PM 75613 C:\Program Files\Full Speed
10/14/2010 9:58:48 PM 10651561 C:\Program Files\Internet Download Manager
10/3/2010 2:25:51 PM 1856115 C:\Program Files\iPod
11/27/2010 8:00:00 PM 3981730 C:\Program Files\Malwarebytes' Anti-Malware
11/7/2010 7:11:46 PM 30045542 C:\Program Files\Mobile Partner
10/3/2010 2:23:50 PM 76335762 C:\Program Files\QuickTime
11/7/2010 5:11:14 PM 13129942 C:\Program Files\SMART BRO
11/29/2010 12:05:12 PM 676203 C:\Program Files\Trend Micro
11/20/2010 9:12:46 PM 1034901 C:\Program Files\uTorrent Ultra Accelerator
11/21/2010 9:05:58 PM 666245063 C:\Program Files\Webzen
10/26/2010 3:36:43 PM 2104481 C:\Program Files\WTFast
10/29/2010 5:44:07 PM 402997248 C:\Program Files\ZhyperMU

======"Drivers" Modified Last 60 Days======

9/30/2010 2:56:49 AM 78328 2080 C:\WINDOWS\system32\drivers\idmtdi.sys
4/14/2008 8:00:00 PM 38400 32 C:\WINDOWS\system32\drivers\vbma3ff2.sys

====== Files Deleted under "%Temp%" ======

12 Files deleted

======"All Users\Application Data" Last 60 Days======

11/27/2010 8:00:00 PM 5768294 C:\Documents and Settings\All Users\Application Data\Malwarebytes
11/27/2010 8:00:00 PM 5768294 C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
11/29/2010 12:10:29 PM 666 C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
11/4/2010 7:58:16 PM 29476 C:\Documents and Settings\All Users\Application Data\RealHideIP
10/16/2010 10:40:03 PM 0 C:\Documents and Settings\All Users\Application Data\Uniblue
11/29/2010 8:57:35 AM 731 32 C:\Documents and Settings\All Users\Application Data\.wtav
11/4/2010 7:57:47 PM 182 32 C:\Documents and Settings\All Users\Application Data\Setting.dat

====== HKLM\~\ShellServiceObjectDelayLoad======

PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll

CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll

WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll

SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll


====== HKLM\~\SharedTaskScheduler======

Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - %SystemRoot%\system32\browseui.dll

Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\system32\browseui.dll

======HKLM\~\msconfig\startupreg======

HKLM\Software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKLM\Software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater
HKLM\Software\microsoft\shared tools\msconfig\startupreg\Alcmtr
HKLM\Software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent
HKLM\Software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd
HKLM\Software\microsoft\shared tools\msconfig\startupreg\ControlCenter3
HKLM\Software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe
HKLM\Software\microsoft\shared tools\msconfig\startupreg\DivXUpdate
HKLM\Software\microsoft\shared tools\msconfig\startupreg\Google Update
HKLM\Software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor
HKLM\Software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKLM\Software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKLM\Software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck
HKLM\Software\microsoft\shared tools\msconfig\startupreg\Macro Manager
HKLM\Software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware
HKLM\Software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)
HKLM\Software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKLM\Software\microsoft\shared tools\msconfig\startupreg\msnmsgr
HKLM\Software\microsoft\shared tools\msconfig\startupreg\mspaint
HKLM\Software\microsoft\shared tools\msconfig\startupreg\nwiz
HKLM\Software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster
HKLM\Software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKLM\Software\microsoft\shared tools\msconfig\startupreg\RemoteControl
HKLM\Software\microsoft\shared tools\msconfig\startupreg\RTHDCPL
HKLM\Software\microsoft\shared tools\msconfig\startupreg\SkyTel
HKLM\Software\microsoft\shared tools\msconfig\startupreg\StartCCC
HKLM\Software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKLM\Software\microsoft\shared tools\msconfig\startupreg\tcp2
HKLM\Software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKLM\Software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant
HKLM\Software\microsoft\shared tools\msconfig\startupreg\VMSnap3
HKLM\Software\microsoft\shared tools\msconfig\startupreg\vmware-tray

====== Services ( Services that are Whitelisted are not shown) ======

33734291 (33734291)- C:\Windows\system32\DRIVERS\33734291.sys - System/Running
33734292 (33734292 Boot Guard Driver)- C:\Windows\system32\DRIVERS\33734292.sys - Boot/Running
AtiHdmiService (ATI Function Driver for High Definition Audio Service)- C:\Windows\system32\drivers\AtiHdmi.sys - Manual/Stopped
BthEnum (Bluetooth Request Block Driver)- C:\Windows\system32\DRIVERS\BthEnum.sys - Manual/Stopped
BthPan (Bluetooth Device (Personal Area Network))- C:\Windows\system32\DRIVERS\bthpan.sys - Manual/Stopped
BTHPORT (Bluetooth Port Driver)- C:\Windows\system32\Drivers\BTHport.sys - Manual/Stopped
BTHUSB (Bluetooth Radio USB Driver)- C:\Windows\system32\Drivers\BTHUSB.sys - Manual/Stopped
EagleNT (EagleNT)- \??\C:\WINDOWS\system32\drivers\EagleNT.sys - Manual/Stopped
GarenaPEngine (GarenaPEngine)- \??\C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\HIAC8.tmp - Manual/Stopped
GGSAFERDriver (GGSAFER Driver)- \??\C:\Program Files\Garena\safedrv.sys - Manual/Stopped
hwdatacard (Huawei DataCard USB Modem and USB Serial)- C:\Windows\system32\DRIVERS\ewusbmdm.sys - Manual/Stopped
IDMTDI (IDMTDI)- C:\Windows\system32\DRIVERS\idmtdi.sys - System/Running
KIKIDRIVER (KIKIDRIVER)- \??\C:\Documents and Settings\WINDOWS XP\Desktop\Downloaded Files\Kiki Engine 1.41 [Unpacked]\Kiki Engine 1.41 [Unpacked]\kiki.sys - Manual/Stopped
LLRING0 (LLRING0)- \??\C:\Program Files\ZhyperMU\ZMU2010SMALL R3\zhypermu small r3\MuGuard\llck1.sys - Manual/Stopped
Mkd2kfNt (Mkd2kfNt)- C:\Windows\system32\drivers\Mkd2kfNt.sys - Manual/Stopped
Mkd2Nadr (Mkd2Nadr)- C:\Windows\system32\drivers\Mkd2Nadr.sys - Manual/Stopped
MP4ConverterAudio (MP4ConverterAudio)- C:\Windows\system32\drivers\MP4ConverterAudio.sys - Manual/Stopped
NdisIP (Microsoft TV/Video Connection)- C:\Windows\system32\DRIVERS\NdisIP.sys - Manual/Stopped
npkcrypt (npkcrypt)- \??\D:\Gravity\RO\npkcrypt.sys - Manual/Stopped
oreans32 (oreans32)- \??\C:\WINDOWS\system32\drivers\oreans32.sys - System/Running
pccsmcfd (PCCS Mode Change Filter Driver)- C:\Windows\system32\DRIVERS\pccsmcfd.sys - Manual/Stopped
qcusbser (Mobile Connector USB Device for Legacy Serial Communication)- C:\Windows\system32\DRIVERS\cmusbser.sys - Manual/Stopped
RFCOMM (Bluetooth Device (RFCOMM Protocol TDI))- C:\Windows\system32\DRIVERS\rfcomm.sys - Manual/Stopped
RTLE8023xp (Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver)- C:\Windows\system32\DRIVERS\Rtenicxp.sys - Manual/Stopped
setup_9.0.0.722_29.11.2010_06-15drv (setup_9.0.0.722_29.11.2010_06-15drv)- C:\Windows\system32\DRIVERS\3373429.sys - System/Running
SLIP (BDA Slip De-Framer)- C:\Windows\system32\DRIVERS\SLIP.sys - Manual/Stopped
spuce1 (spuce1)- \??\C:\Documents and Settings\WINDOWS XP\Desktop\Downloaded Files\Spuc3ngine\Spuc3nginef\spuce.sys - Manual/Stopped
StillCam (Still Serial Digital Camera Driver)- C:\Windows\system32\DRIVERS\serscan.sys - Manual/Running
upperdev (upperdev)- C:\Windows\system32\DRIVERS\usbser_lowerflt.sys - Manual/Stopped
USBAAPL (Apple Mobile USB Driver)- C:\Windows\system32\Drivers\usbaapl.sys - Manual/Stopped
vbma3ff2 (Virtual Bus for Microsoft ACPI-Compliant System)- C:\Windows\system32\drivers\vbma3ff2.sys - Manual/Running
vmfilter303 (vmfilter303)- C:\Windows\system32\drivers\vmfilter303.sys - Manual/Stopped
Wdf01000 (Wdf01000)- C:\Windows\system32\DRIVERS\Wdf01000.sys - Manual/Stopped
WpdUsb (WpdUsb)- C:\Windows\system32\DRIVERS\wpdusb.sys - Manual/Stopped
XDva309 (XDva309)- \??\C:\WINDOWS\system32\XDva309.sys - Manual/Stopped
XDva313 (XDva313)- \??\C:\WINDOWS\system32\XDva313.sys - Manual/Stopped
XDva326 (XDva326)- \??\C:\WINDOWS\system32\XDva326.sys - Manual/Stopped
XDva328 (XDva328)- \??\C:\WINDOWS\system32\XDva328.sys - Manual/Stopped
Yonline (Yonline)- \??\C:\WINDOWS\system32\drivers\Yonline.ahc - Manual/Stopped
ZSMC303 (A4 TECH PC Camera H)- C:\Windows\system32\Drivers\usbVM303.sys - Manual/Stopped
ZTEusbmdm6k (ZTE Proprietary USB Driver)- C:\Windows\system32\DRIVERS\ZTEusbmdm6k.sys - Manual/Stopped
ZTEusbnmea (ZTE NMEA Port)- C:\Windows\system32\DRIVERS\ZTEusbnmea.sys - Manual/Stopped
ZTEusbser6k (ZTE Diagnostic Port)- C:\Windows\system32\DRIVERS\ZTEusbser6k.sys - Manual/Stopped

====== Uninstall List ======

A file named 'UNI.txt' was created and saved to
FileListers default location. Post the results if requested.

======== Other Info ========

TOTAL PHYSICAL RAM: 3355 MB

Boot Info

[Boot Loader]
timeout=1
Default=multi(0)disk(0)rdisk(1)partition(1)\Windows

[Operating Systems]
multi(0)disk(0)rdisk(1)partition(1)\Windows="2ND TRY THIS essayez ceci en deuzieme" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\Windows="1ST TRY THIS seleccione esto primero" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\Windows="3RD TRY THIS wahlen Sie diesen Third" /fastdetect
multi(0)disk(0)rdisk(1)partition(2)\Windows="4TH TRY THIS selezioni questo fourth" /fastdetect
multi(0)disk(0)rdisk(0)partition(3)\Windows="5TH TRY THIS selecione este fifth" /fastdetect
multi(0)disk(0)rdisk(1)partition(3)\Windows="6TH TRY THIS seleccione este sexto" /fastdetect
multi(0)disk(0)rdisk(0)partition(4)\Windows="7TH TRY THIS essayez ceci en septieme" /fastdetect
multi(0)disk(0)rdisk(1)partition(4)\Windows="8TH TRY THIS wahlen Sie dieses achte" /fastdetect
C:\="9TH TRY THIS selezioni questo nono"
D:\="10TH TRY THIS selecione este decimo"

OS Type: Microsoft Windows XP Home Edition
Build: 5.1.2600
Service Pack: 3.0

====== Files with Hidden Attributes======

A file named 'Hidden.txt' was created and saved to
FileListers default location. Post the results if requested.

==End of Report==



I don't have another working PC, but it's weird that my Task Manager was never disabled. Let me post pictures after this post.
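Reading a FileLister report by hand is where a helper spends most of the time, and a few mechanical checks pull out the entries that deserve the first look. The following is an added example, not part of this thread and not FileLister's code: a Python triage script that parses the report's "Running Processes" and "Services" sections and flags an image launched through the `\\.\globalroot` device namespace, a file named svchost.exe that does not live in System32, services and drivers whose file name is all digits, and service binaries sitting in a temp folder. The sample report embedded in it is a constructed excerpt made of lines copied from the report above; the check names are the example's own, a hit is a reason to look closer rather than a verdict, and the non-executable-extension check is deliberately low severity (the game's angel.dat trips it too).

```python
import re

# Constructed excerpt of a FileLister report: lines copied from the report
# posted in this thread, trimmed to the entries that exercise each check.
SAMPLE_REPORT = r"""
====== Running Processes ======

C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Angels Online\angel.dat
C:\Windows\System32\WScript.exe

====== Services ( Services that are Whitelisted are not shown) ======

33734291 (33734291)- C:\Windows\system32\DRIVERS\33734291.sys - System/Running
33734292 (33734292 Boot Guard Driver)- C:\Windows\system32\DRIVERS\33734292.sys - Boot/Running
BthPan (Bluetooth Device (Personal Area Network))- C:\Windows\system32\DRIVERS\bthpan.sys - Manual/Stopped
GarenaPEngine (GarenaPEngine)- \??\C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\HIAC8.tmp - Manual/Stopped
IDMTDI (IDMTDI)- C:\Windows\system32\DRIVERS\idmtdi.sys - System/Running
setup_9.0.0.722_29.11.2010_06-15drv (setup_9.0.0.722_29.11.2010_06-15drv)- C:\Windows\system32\DRIVERS\3373429.sys - System/Running
ZTEusbnmea (ZTE NMEA Port)- C:\Windows\system32\DRIVERS\ZTEusbnmea.sys - Manual/Stopped

==End of Report==
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<service> (<display name>)- <binary path> - <start type>/<state>"
SERVICE_RE = re.compile(r"^(\S+) \((.*)\)- (.+) - (\w+)/(\w+)$")
DEVICE_PATH_RE = re.compile(r"^\\\\[.?]\\")   # \\.\ or \\?\ prefix: no drive letter
TEMP_DIR_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)
EXEC_EXTS = {"exe", "com", "scr", "cpl", "dll", "sys"}
SYSTEM32 = {r"c:\windows\system32", r"c:\winnt\system32"}


def parse_sections(report):
    """Split a FileLister report into {section title: [non-empty lines]}."""
    sections, current = {}, None
    for line in report.splitlines():
        line = line.rstrip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def _section(sections, prefix):
    """Lines of the first section whose title starts with prefix."""
    for title, lines in sections.items():
        if title.startswith(prefix):
            return lines
    return []


def _split(path):
    """(directory, file name), both lower-cased, for a Windows path."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def triage(report):
    """Return (check, evidence) pairs for entries that deserve a closer look."""
    sections = parse_sections(report)
    findings = []

    for path in _section(sections, "Running Processes"):
        directory, name = _split(path)
        ext = name.rpartition(".")[2]
        if DEVICE_PATH_RE.match(path):
            # Launched through \\.\globalroot\Device\...: the image is not
            # reachable through a drive letter, which is how a rootkit hides it.
            findings.append(("process image in device namespace", path))
        if name == "svchost.exe" and directory not in SYSTEM32:
            # The real svchost.exe only lives in System32; the name is a favourite disguise.
            findings.append(("svchost.exe outside System32", path))
        if ext not in EXEC_EXTS:
            # Low severity on its own (games do this), but worth a glance.
            findings.append(("process image with non-executable extension", path))

    for line in _section(sections, "Services"):
        parsed = SERVICE_RE.match(line)
        if not parsed:
            continue
        _svc, _display, binary, _start, _state = parsed.groups()
        if binary.startswith("\\??\\"):  # NT object-manager prefix, irrelevant to the checks
            binary = binary[4:]
        _directory, name = _split(binary)
        stem, _, ext = name.rpartition(".")
        if stem.isdigit():
            # Random all-digit driver names are a classic rootkit install pattern.
            findings.append(("driver/service with all-numeric file name", line))
        if TEMP_DIR_RE.search(binary) or ext == "tmp":
            findings.append(("service binary in a temp location", line))
    return findings


if __name__ == "__main__":
    for check, evidence in triage(SAMPLE_REPORT):
        print(f"[{check}] {evidence}")
```

Run against the full report pasted above, the same checks single out the `\\.\globalroot\Device\svchost.exe\svchost.exe` process, the three numeric-name drivers (two of them Boot/System start and running) and the `.tmp` file registered as the GarenaPEngine driver, which is a short list to hand to the helper before any removal tool is run.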

#15 nijisan (Topic Starter, Member, 25 posts)

Posted Image





Posted Image

Edited by nijisan, 29 November 2010 - 04:02 AM.
