Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Unknown virus/malware etc. problem


  • This topic is locked This topic is locked

#1
Ryan123911

Ryan123911

    Member

  • Member
  • PipPip
  • 13 posts
A few days ago I came across a problem with my comp, figured it was some sort of virus. I ran malware bytes, spybot s&d, ad-aware and SUPERantispyware. Managed to find a fix some things but still some problems. Example: started my comp up today and after logging into a user account the screen was just all black except for my cursor. After a few restarts I finally got on and all my icons are missing except for Control Panel, Network, Computer, MICROSOFT (folder). When I go to start > programs, it shows as (Empty). Also when I go into the harddrive, Computer > Local Disk (C:), the only thing in there is BOOTSECT.BAK. It still shows my harddrive as being used up space-wise so I know everything is still there. Safe Mode will do the same thing usually with the black screen and all I can see is "Safe Mode" on top in the corners of my screen.

Also I wasn't able to use the first OTL download because of a "not a valid Win32 application" error, so this was ran with the OTL.scr

OTL logfile created on: 5/10/2011 3:18:05 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\KA\Desktop
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19048)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 28.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 55.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 64.29 Gb Free Space | 27.61% Space Free | Partition Type: NTFS

Computer Name: KA2-PC | User Name: KA | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/10 15:17:39 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\KA\Desktop\OTL.scr
PRC - [2011/04/25 13:07:33 | 000,307,376 | -H-- | M] (Google Inc.) -- C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
PRC - [2010/10/27 20:17:52 | 000,207,424 | -H-- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | -H-- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/03/15 06:38:40 | 001,029,456 | -H-- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2008/10/28 22:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/28 11:43:32 | 000,810,320 | -H-- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2007/07/24 11:15:14 | 000,185,632 | -H-- | M] (Protexis Inc.) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2006/11/28 06:34:38 | 000,134,808 | -H-- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/11/28 06:34:00 | 000,030,872 | -H-- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/11/22 17:12:36 | 000,107,112 | -H-- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/11/22 17:12:16 | 000,107,624 | -H-- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2006/11/03 12:01:16 | 000,319,488 | -H-- | M] (PixArt Imaging Incorporation) -- C:\Windows\PixArt\PAC7302\Monitor.exe


========== Modules (SafeList) ==========

MOD - [2011/05/10 15:17:39 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\KA\Desktop\OTL.scr
MOD - [2010/08/31 07:39:57 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/25 10:25:22 | 030,969,208 | -H-- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2010/03/18 11:19:26 | 000,113,152 | -H-- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/03/15 06:38:40 | 001,029,456 | -H-- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/03/16 14:48:00 | 002,849,757 | -H-- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2008/01/28 11:43:32 | 000,810,320 | -H-- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/01/18 23:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/07/24 11:15:14 | 000,185,632 | -H-- | M] (Protexis Inc.) [Auto | Running] -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2006/11/28 06:34:26 | 000,122,008 | -H-- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/11/28 06:34:18 | 001,962,136 | -H-- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/11/28 06:34:00 | 000,030,872 | -H-- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/11/22 17:12:16 | 000,107,624 | -H-- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2006/11/22 17:12:16 | 000,107,624 | -H-- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2006/10/31 10:32:09 | 002,541,248 | -H-- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)


========== Driver Services (SafeList) ==========

DRV - [2010/12/20 19:09:00 | 000,038,224 | -H-- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/05/10 10:41:30 | 000,067,656 | -H-- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 10:25:48 | 000,012,872 | -H-- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/08/27 00:00:00 | 001,323,568 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20091211.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2009/08/27 00:00:00 | 000,371,248 | -H-- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/27 00:00:00 | 000,084,912 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20091211.002\NAVENG.SYS -- (NAVENG)
DRV - [2009/07/03 06:49:08 | 000,064,160 | -H-- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2008/09/17 23:55:00 | 007,379,872 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/04/05 12:46:51 | 000,109,744 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/01/18 23:42:48 | 000,227,896 | -H-- | M] () [Kernel | Boot | Running] -- C:\Windows\system32\drivers\volsnap.sys -- (volsnap)
DRV - [2007/11/08 11:29:52 | 000,458,752 | -H-- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PAC7302.SYS -- (PAC7302)
DRV - [2007/02/06 16:05:14 | 000,016,512 | -H-- | M] (Adaptec) [Kernel | System | Running] -- C:\Windows\System32\drivers\aspi32.sys -- (ASPI32)
DRV - [2006/11/22 16:17:06 | 000,274,328 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2006/11/22 16:17:06 | 000,247,144 | -H-- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
DRV - [2006/11/22 16:17:06 | 000,025,448 | -H-- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2006/11/07 23:02:40 | 000,024,064 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\point32k.sys -- (Point32)
DRV - [2006/11/01 23:41:50 | 000,983,552 | -H-- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/01 23:30:56 | 000,044,544 | -H-- | M] (Realtek Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2006/10/26 12:01:34 | 000,185,744 | -H-- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/10/26 12:01:34 | 000,026,384 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/10/06 14:26:16 | 000,406,672 | -H-- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "search"
FF - prefs.js..browser.startup.homepage: "http://www.foxnews.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {9165E24D-9AEA-4C70-A05C-F4D9FF5F1FE4}:1.9.1
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 50370
FF - prefs.js..network.proxy.type: 4


FF - HKLM\software\mozilla\Firefox\Extensions\\{9165E24D-9AEA-4C70-A05C-F4D9FF5F1FE4}: C:\Users\KA\AppData\Local\{9165E24D-9AEA-4C70-A05C-F4D9FF5F1FE4}\ [2011/05/07 20:39:09 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/01 16:38:55 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/01 16:38:56 | 000,000,000 | -H-D | M]

[2009/10/22 20:44:00 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\KA\AppData\Roaming\mozilla\Extensions
[2009/06/26 05:04:24 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\KA\AppData\Roaming\mozilla\Extensions\[email protected]
[2009/03/08 22:20:08 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\KA\AppData\Roaming\mozilla\Extensions\[email protected]
[2011/05/08 18:28:44 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\KA\AppData\Roaming\mozilla\Firefox\Profiles\wkah0xlw.default\extensions
[2009/10/22 23:29:27 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Users\KA\AppData\Roaming\mozilla\Firefox\Profiles\wkah0xlw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/08 18:28:44 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/03/09 14:49:59 | 000,000,000 | -H-D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/18 18:40:48 | 000,000,000 | -H-D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/05/07 20:39:09 | 000,000,000 | -H-D | M] (XULRunner) -- C:\USERS\KA\APPDATA\LOCAL\{9165E24D-9AEA-4C70-A05C-F4D9FF5F1FE4}
[2011/01/18 18:40:30 | 000,472,808 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/12/18 13:59:21 | 000,001,210 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\search.xml

O1 HOSTS File: ([2009/12/18 13:58:19 | 000,292,080 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 10058 more lines...
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [PAC7302_Monitor] C:\Windows\PixArt\PAC7302\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\RunOnce: [Shockwave Updater] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll (Google Inc.)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img17.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img17.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 13:43:36 | 000,000,024 | -H-- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/10 15:17:27 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\KA\Desktop\OTL.scr
[2011/05/09 23:08:26 | 000,000,000 | -H-D | C] -- C:\Windows Recovery
[2011/05/09 22:58:02 | 000,510,976 | -H-- | C] (QNP) -- C:\ProgramData\FEuLFLOIGw.exe
[2011/05/09 02:18:14 | 000,000,000 | -H-D | C] -- C:\Windows\System32\EventProviders
[2011/05/07 21:31:29 | 000,000,000 | -H-D | C] -- C:\ProgramData\fN28601JjBdB28601
[2011/05/07 20:39:08 | 000,000,000 | -H-D | C] -- C:\Users\KA\AppData\Local\{9165E24D-9AEA-4C70-A05C-F4D9FF5F1FE4}
[2011/05/07 03:01:05 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Games for Windows Marketplace
[2011/05/01 01:48:38 | 000,000,000 | -H-D | C] -- C:\Users\KA\Documents\Supertintin Records for Skype
[2011/05/01 01:48:28 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Supertintin for Skype
[2011/05/01 01:48:26 | 000,070,656 | -H-- | C] (www.helixcommunity.org) -- C:\Windows\System32\yv12vfw.dll
[2011/05/01 01:48:24 | 000,000,000 | -H-D | C] -- C:\Program Files\Supertintin for Skype
[2011/04/26 04:26:34 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Download Toolz

========== Files - Modified Within 30 Days ==========

[2011/05/10 15:22:03 | 000,000,886 | -H-- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/10 15:17:39 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\KA\Desktop\OTL.scr
[2011/05/10 15:16:27 | 000,204,510 | ---- | M] () -- C:\Users\KA\Desktop\OTL.exe
[2011/05/10 14:34:47 | 000,000,882 | -H-- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/10 14:34:46 | 000,000,300 | -HS- | M] () -- C:\Windows\tasks\zlns.job
[2011/05/10 14:13:27 | 000,003,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/05/10 14:13:26 | 000,003,648 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/05/10 14:12:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/05/09 23:35:04 | 211,784,186 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/05/09 23:08:31 | 000,000,160 | -H-- | M] () -- C:\ProgramData\~25288440r
[2011/05/09 23:08:31 | 000,000,152 | -H-- | M] () -- C:\ProgramData\~25288440
[2011/05/09 23:08:26 | 000,000,515 | -H-- | M] () -- C:\Windows Recovery.lnk
[2011/05/09 23:07:21 | 000,000,336 | -H-- | M] () -- C:\ProgramData\25288440
[2011/05/09 23:07:06 | 000,438,784 | -H-- | M] () -- C:\ProgramData\25288440.exe
[2011/05/09 22:58:02 | 000,510,976 | -H-- | M] (QNP) -- C:\ProgramData\FEuLFLOIGw.exe
[2011/05/09 21:09:42 | 000,002,557 | -H-- | M] () -- C:\Users\KA\Desktop\Power Tab Editor 1.7.lnk
[2011/05/08 22:27:46 | 000,020,992 | -H-- | M] () -- C:\Users\KA\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/08 18:00:01 | 000,000,402 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for KA.job
[2011/05/08 02:13:29 | 000,002,032 | -H-- | M] () -- C:\Users\KA\AppData\Local\d3d9caps.dat
[2011/05/07 20:43:12 | 000,000,058 | -HS- | M] () -- C:\Windows\System32\User.ini
[2011/05/07 20:39:18 | 000,000,120 | -H-- | M] () -- C:\Users\KA\AppData\Local\Jxacodob.dat
[2011/05/07 20:39:18 | 000,000,000 | -H-- | M] () -- C:\Users\KA\AppData\Local\Lkitulasejad.bin
[2011/05/06 12:20:08 | 000,120,320 | -H-- | M] () -- C:\Windows\taskmanager.exe
[2011/04/15 13:20:08 | 000,008,570 | -H-- | M] () -- C:\Users\KA\Documents\studyguide3.rtf
[2011/04/13 03:41:35 | 000,379,232 | -H-- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/04/13 03:07:09 | 000,607,168 | -H-- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/13 03:07:09 | 000,104,808 | -H-- | M] () -- C:\Windows\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2011/05/10 15:16:17 | 000,204,510 | ---- | C] () -- C:\Users\KA\Desktop\OTL.exe
[2011/05/09 23:08:31 | 000,000,160 | -H-- | C] () -- C:\ProgramData\~25288440r
[2011/05/09 23:08:31 | 000,000,152 | -H-- | C] () -- C:\ProgramData\~25288440
[2011/05/09 23:08:26 | 000,000,515 | -H-- | C] () -- C:\Windows Recovery.lnk
[2011/05/09 23:07:21 | 000,000,336 | -H-- | C] () -- C:\ProgramData\25288440
[2011/05/09 23:07:05 | 000,438,784 | -H-- | C] () -- C:\ProgramData\25288440.exe
[2011/05/08 05:42:40 | 211,784,186 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/05/07 20:58:55 | 000,006,731 | -H-- | C] () -- C:\Users\KA\Desktop\Secondhand Serenade - Fall For You - Copy.mp3
[2011/05/07 20:43:12 | 000,000,058 | -HS- | C] () -- C:\Windows\System32\User.ini
[2011/05/07 20:42:52 | 000,120,320 | -H-- | C] () -- C:\Windows\taskmanager.exe
[2011/05/07 20:39:18 | 000,000,120 | -H-- | C] () -- C:\Users\KA\AppData\Local\Jxacodob.dat
[2011/05/07 20:39:18 | 000,000,000 | -H-- | C] () -- C:\Users\KA\AppData\Local\Lkitulasejad.bin
[2011/05/01 01:48:28 | 000,352,256 | -H-- | C] () -- C:\Windows\System32\lame.ax
[2011/04/15 13:20:08 | 000,008,570 | -H-- | C] () -- C:\Users\KA\Documents\studyguide3.rtf
[2011/04/09 18:55:28 | 000,179,261 | -H-- | C] () -- C:\Windows\System32\xlive.dll.cat
[2011/02/16 19:32:55 | 000,000,023 | -H-- | C] () -- C:\Windows\BlendSettings.ini
[2011/01/26 22:08:38 | 000,021,840 | -H-- | C] () -- C:\Windows\System32\SIntfNT.dll
[2011/01/26 22:08:38 | 000,017,212 | -H-- | C] () -- C:\Windows\System32\SIntf32.dll
[2011/01/26 22:08:38 | 000,012,067 | -H-- | C] () -- C:\Windows\System32\SIntf16.dll
[2010/11/17 16:17:12 | 000,295,565 | -H-- | C] () -- C:\Windows\System32\shimg.dll
[2010/08/31 23:09:21 | 000,174,160 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2010/03/03 23:40:18 | 000,002,191 | -H-- | C] () -- C:\Windows\cdplayer.ini
[2009/12/12 17:15:27 | 000,000,323 | -H-- | C] () -- C:\Windows\System32\Remover.ini
[2009/12/12 17:15:18 | 000,040,960 | -H-- | C] () -- C:\Windows\98Setup.exe
[2009/12/12 17:15:13 | 000,000,566 | -H-- | C] () -- C:\Windows\System32\SP7302.ini
[2009/10/22 20:43:38 | 000,000,000 | -H-- | C] () -- C:\Windows\nsreg.dat
[2009/08/03 16:07:42 | 000,403,816 | -H-- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | -H-- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/15 10:26:01 | 000,015,688 | -H-- | C] () -- C:\Windows\System32\lsdelete.exe
[2009/07/13 11:30:05 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2009/04/17 20:32:19 | 000,000,168 | RHS- | C] () -- C:\ProgramData\C7B1681844.sys
[2009/04/17 20:32:18 | 000,002,828 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2008/12/13 17:53:55 | 000,761,856 | -H-- | C] () -- C:\Windows\System32\xvidcore.dll
[2008/12/13 17:53:55 | 000,180,224 | -H-- | C] () -- C:\Windows\System32\xvidvfw.dll
[2008/12/13 17:53:54 | 003,596,288 | -H-- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/09/26 03:01:03 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2008/09/26 03:01:03 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/06/14 00:07:40 | 000,002,032 | -H-- | C] () -- C:\Users\KA\AppData\Local\d3d9caps.dat
[2008/06/06 20:33:51 | 000,000,000 | -H-- | C] () -- C:\Windows\PowerReg.dat
[2008/06/06 20:33:43 | 000,197,120 | -H-- | C] () -- C:\Windows\patchw32.dll
[2008/05/28 05:34:57 | 000,227,896 | -H-- | C] () -- C:\Windows\System32\drivers\volsnap.sys
[2008/05/28 05:33:25 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2008/05/28 05:33:00 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2008/04/06 15:34:25 | 000,020,992 | -H-- | C] () -- C:\Users\KA\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/31 15:48:36 | 000,000,518 | -H-- | C] () -- C:\Windows\System32\SP7311.ini
[2006/11/02 04:55:52 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 04:46:27 | 000,379,232 | -H-- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 04:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:33:01 | 000,607,168 | -H-- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 02:33:01 | 000,287,440 | -H-- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 02:33:01 | 000,104,808 | -H-- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 02:33:01 | 000,030,674 | -H-- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 02:25:21 | 000,061,440 | -H-- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 02:23:21 | 000,215,943 | -H-- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 00:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 00:19:00 | 000,000,741 | -H-- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/01 23:40:29 | 000,013,750 | -H-- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/01 23:25:31 | 000,673,088 | -H-- | C] () -- C:\Windows\System32\mlang.dat

========== LOP Check ==========

[2011/02/21 15:56:07 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\.minecraft
[2009/07/12 22:42:16 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\acccore
[2009/07/28 12:31:39 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\BitTorrent
[2009/07/30 03:34:02 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\FMZilla
[2009/07/30 03:33:13 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\ijjigame
[2011/02/22 04:44:10 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\Leawo
[2011/02/01 17:57:04 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\LimeWire
[2010/12/07 13:03:37 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\Livi
[2011/02/22 04:44:11 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\Moyea
[2009/12/24 22:55:01 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\MusicNet
[2009/06/25 20:34:20 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\Raptr
[2009/10/17 15:02:05 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\Skinux
[2009/10/23 00:12:50 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\TeamViewer
[2009/10/04 13:46:19 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\Tibia
[2009/09/10 00:49:04 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\TibiaTestserver
[2011/04/26 15:38:53 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\uTorrent
[2010/12/07 20:48:46 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\Ykgyid
[2008/12/13 18:28:55 | 000,000,000 | -H-D | M] -- C:\Users\KA\AppData\Roaming\zweitgeist
[2011/03/28 06:39:03 | 000,000,472 | -H-- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job
[2011/05/10 14:33:42 | 000,032,550 | -H-- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/05/10 14:34:46 | 000,000,300 | -HS- | M] () -- C:\Windows\Tasks\zlns.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 168 bytes -> C:\Users\KA\Documents\contract2.JPG:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 168 bytes -> C:\Users\KA\Documents\contract.JPG:3or4kl4x13tuuug3Byamue2s4b

< End of report >
  • 0

Advertisements


#2
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hello Ryan123911 and welcome to G2G! :)

My nick is maliprog and I'll will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 50370
    FF - prefs.js..network.proxy.type: 4
    FF - HKLM\software\mozilla\Firefox\Extensions\\{9165E24D-9AEA-4C70-A05C-F4D9FF5F1FE4}: C:\Users\KA\AppData\Local\{9165E24D-9AEA-4C70-A05C-F4D9FF5F1FE4}\ [2011/05/07 20:39:09 | 000,000,000 | -H-D | M]
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img17.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img17.jpg
    [2011/05/09 22:58:02 | 000,510,976 | -H-- | C] (QNP) -- C:\ProgramData\FEuLFLOIGw.exe
    [2011/05/07 21:31:29 | 000,000,000 | -H-D | C] -- C:\ProgramData\fN28601JjBdB28601
    [2011/05/07 20:39:08 | 000,000,000 | -H-D | C] -- C:\Users\KA\AppData\Local\{9165E24D-9AEA-4C70-A05C-F4D9FF5F1FE4}
    [2011/05/01 01:48:26 | 000,070,656 | -H-- | C] (www.helixcommunity.org) -- C:\Windows\System32\yv12vfw.dll
    [2011/05/10 14:34:46 | 000,000,300 | -HS- | M] () -- C:\Windows\tasks\zlns.job
    [2011/05/09 23:08:31 | 000,000,160 | -H-- | M] () -- C:\ProgramData\~25288440r
    [2011/05/09 23:08:31 | 000,000,152 | -H-- | M] () -- C:\ProgramData\~25288440
    [2011/05/09 23:08:26 | 000,000,515 | -H-- | M] () -- C:\Windows Recovery.lnk
    [2011/05/09 23:08:26 | 000,000,000 | -H-D | C] -- C:\Windows Recovery
    [2011/05/09 23:07:21 | 000,000,336 | -H-- | M] () -- C:\ProgramData\25288440
    [2011/05/09 23:07:06 | 000,438,784 | -H-- | M] () -- C:\ProgramData\25288440.exe
    [2011/05/09 22:58:02 | 000,510,976 | -H-- | M] (QNP) -- C:\ProgramData\FEuLFLOIGw.exe
    [2011/05/07 20:39:18 | 000,000,120 | -H-- | M] () -- C:\Users\KA\AppData\Local\Jxacodob.dat
    [2011/05/07 20:39:18 | 000,000,000 | -H-- | M] () -- C:\Users\KA\AppData\Local\Lkitulasejad.bin
    [2011/05/06 12:20:08 | 000,120,320 | -H-- | M] () -- C:\Windows\taskmanager.exe
    @Alternate Data Stream - 168 bytes -> C:\Users\KA\Documents\contract2.JPG:3or4kl4x13tuuug3Byamue2s4b
    @Alternate Data Stream - 168 bytes -> C:\Users\KA\Documents\contract.JPG:3or4kl4x13tuuug3Byamue2s4b

    :Files
    attrib -h /s /d c:\*.* /c

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [restart]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply.

Step 2

Update your Malwarebytes and do Quick scan then post log here for me.

Step 3

Please don't forget to include these items in your reply:

  • OTL fix log
  • Malwarebytes log
It would be helpful if you could post each log in separate post
  • 0

#3
Ryan123911

Ryan123911

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
So I tried to do what you instructed twice in normal mode and once in safe mode. After I paste and click "Run Fix" this pops up:

"Cannot create file
C:\Users\KA\AppData\Roaming\Mozilla\Profiles\wkah0xlw.default\profs.js."


Also after clicking "Run Fix" the entire screen goes black like I mentioned in my first post, except for the OTL screen, but I think that it just freezes or something because then it gets stuck on this:

"Processing FF-profs.js..network.proxy.http:"127.0.0.1"..."


The first try I waited about 6-7 hours. I don't know if that's normal and if it is I'll let it run longer. Also don't know if this will help but upon logging in I get a pop-up saying "Windows host process (Rundll32) has stopped working". I am not able to update my video card driver or any other optional windows updates.

***EDIT*** I was able to get the driver updated so I'm not getting the rundll32 error at the start. It seems that my folders are all hidden but when I go to Folder Options > View, the option to show hidden files and folders is not there like the one in the picture below.

Posted Image


I also checked the registry for "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/Current Version/Explorer/Advanced/Folder/Hidden/" but the Hidden folder was missing.

Edited by Ryan123911, 11 May 2011 - 07:51 PM.

  • 0

#4
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi Ryan123911,

OTL Fix doesn't take more that 10 - 15 min Max. Let's try little different Fix for your situation.

I must warn you, please don't take any removing process on your own. Especially from the registry. We'll take one step at the time.

Make sure all other applocation are closed before running OTL. Including Firefox.

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img17.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img17.jpg
    [2011/05/09 22:58:02 | 000,510,976 | -H-- | C] (QNP) -- C:\ProgramData\FEuLFLOIGw.exe
    [2011/05/07 21:31:29 | 000,000,000 | -H-D | C] -- C:\ProgramData\fN28601JjBdB28601
    [2011/05/07 20:39:08 | 000,000,000 | -H-D | C] -- C:\Users\KA\AppData\Local\{9165E24D-9AEA-4C70-A05C-F4D9FF5F1FE4}
    [2011/05/01 01:48:26 | 000,070,656 | -H-- | C] (www.helixcommunity.org) -- C:\Windows\System32\yv12vfw.dll
    [2011/05/10 14:34:46 | 000,000,300 | -HS- | M] () -- C:\Windows\tasks\zlns.job
    [2011/05/09 23:08:31 | 000,000,160 | -H-- | M] () -- C:\ProgramData\~25288440r
    [2011/05/09 23:08:31 | 000,000,152 | -H-- | M] () -- C:\ProgramData\~25288440
    [2011/05/09 23:08:26 | 000,000,515 | -H-- | M] () -- C:\Windows Recovery.lnk
    [2011/05/09 23:08:26 | 000,000,000 | -H-D | C] -- C:\Windows Recovery
    [2011/05/09 23:07:21 | 000,000,336 | -H-- | M] () -- C:\ProgramData\25288440
    [2011/05/09 23:07:06 | 000,438,784 | -H-- | M] () -- C:\ProgramData\25288440.exe
    [2011/05/09 22:58:02 | 000,510,976 | -H-- | M] (QNP) -- C:\ProgramData\FEuLFLOIGw.exe
    [2011/05/07 20:39:18 | 000,000,120 | -H-- | M] () -- C:\Users\KA\AppData\Local\Jxacodob.dat
    [2011/05/07 20:39:18 | 000,000,000 | -H-- | M] () -- C:\Users\KA\AppData\Local\Lkitulasejad.bin
    [2011/05/06 12:20:08 | 000,120,320 | -H-- | M] () -- C:\Windows\taskmanager.exe
    @Alternate Data Stream - 168 bytes -> C:\Users\KA\Documents\contract2.JPG:3or4kl4x13tuuug3Byamue2s4b
    @Alternate Data Stream - 168 bytes -> C:\Users\KA\Documents\contract.JPG:3or4kl4x13tuuug3Byamue2s4b

    :Files
    attrib -h /s /d c:\*.* /c

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [restart]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply.

  • 0

#5
Ryan123911

Ryan123911

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Tried running OTL again, screen went black again but OTL was able to run to an extent. During the scan a command prompt popped up and stopped the scan. I proceeded to exit the cmd and the scan went on until I got an error pop up saying: "Cannot Create File C:\Windows\System32\drivers\etc\Hosts." After this OTL was stuck on the process, "Resetting Hosts file. DO NOT INTERRUPT...", which of course I had to interrupt because at that point it was frozen.

After restarting my PC and logging back in this was in the notepad:


Files\Folders moved on Reboot...
C:\Users\KA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XI7AW1RA\300552-unknown-virusmalware-etc-problem[1].txt moved successfully.
C:\Users\KA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XI7AW1RA\search[1].htm moved successfully.
C:\Users\KA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XI7AW1RA\search[2].htm moved successfully.
File\Folder C:\Users\KA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSXV0AFK\search[1].htm not found!
File\Folder C:\Users\KA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSXV0AFK\search[2].htm not found!
File\Folder C:\Users\KA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSXV0AFK\search[3].htm not found!
File\Folder C:\Users\KA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSXV0AFK\search[4].htm not found!
File\Folder C:\Users\KA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSXV0AFK\search[5].htm not found!
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

Registry entries deleted on Reboot...
  • 0

#6
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi Ryan123911,

OK. OTL fix didn't work. Can you try OTL Fix again but in Windows Safe mode?

Please restart in safe mode:
  • If the computer is running, shut down Windows, and then turn off the power
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.

  • 0

#7
Ryan123911

Ryan123911

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Same result as before. The command prompt thing that came up was "C:\Windows\system32\cmd.exe" and it said "C:\Users\KA\Desktop>attrib -h /s /d c:\*.* 1>"C:\Users\KA\Desktop\cmd.txt""

Upon restarting this was opened in notepad:

Files\Folders moved on Reboot...
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

Registry entries deleted on Reboot...
  • 0

#8
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi Ryan123911,

OK. Let's try step by step removal. Please try this step in normal and if it fails start it in Safe mode.

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img17.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img17.jpg
    [2011/05/09 22:58:02 | 000,510,976 | -H-- | C] (QNP) -- C:\ProgramData\FEuLFLOIGw.exe
    [2011/05/07 21:31:29 | 000,000,000 | -H-D | C] -- C:\ProgramData\fN28601JjBdB28601
    [2011/05/07 20:39:08 | 000,000,000 | -H-D | C] -- C:\Users\KA\AppData\Local\{9165E24D-9AEA-4C70-A05C-F4D9FF5F1FE4}
    [2011/05/01 01:48:26 | 000,070,656 | -H-- | C] (www.helixcommunity.org) -- C:\Windows\System32\yv12vfw.dll
    [2011/05/10 14:34:46 | 000,000,300 | -HS- | M] () -- C:\Windows\tasks\zlns.job
    [2011/05/09 23:08:31 | 000,000,160 | -H-- | M] () -- C:\ProgramData\~25288440r
    [2011/05/09 23:08:31 | 000,000,152 | -H-- | M] () -- C:\ProgramData\~25288440
    [2011/05/09 23:08:26 | 000,000,515 | -H-- | M] () -- C:\Windows Recovery.lnk
    [2011/05/09 23:08:26 | 000,000,000 | -H-D | C] -- C:\Windows Recovery
    [2011/05/09 23:07:21 | 000,000,336 | -H-- | M] () -- C:\ProgramData\25288440
    [2011/05/09 23:07:06 | 000,438,784 | -H-- | M] () -- C:\ProgramData\25288440.exe
    [2011/05/09 22:58:02 | 000,510,976 | -H-- | M] (QNP) -- C:\ProgramData\FEuLFLOIGw.exe
    [2011/05/07 20:39:18 | 000,000,120 | -H-- | M] () -- C:\Users\KA\AppData\Local\Jxacodob.dat
    [2011/05/07 20:39:18 | 000,000,000 | -H-- | M] () -- C:\Users\KA\AppData\Local\Lkitulasejad.bin
    [2011/05/06 12:20:08 | 000,120,320 | -H-- | M] () -- C:\Windows\taskmanager.exe
    @Alternate Data Stream - 168 bytes -> C:\Users\KA\Documents\contract2.JPG:3or4kl4x13tuuug3Byamue2s4b
    @Alternate Data Stream - 168 bytes -> C:\Users\KA\Documents\contract.JPG:3or4kl4x13tuuug3Byamue2s4b

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [restart]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply.

  • 0

#9
Ryan123911

Ryan123911

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLUA not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\\WallPaper not found.
File C:\Windows\Web\Wallpaper\img17.jpg not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\\BackupWallPaper not found.
File C:\Windows\Web\Wallpaper\img17.jpg not found.
File C:\ProgramData\FEuLFLOIGw.exe not found.
Folder C:\ProgramData\fN28601JjBdB28601\ not found.
Folder C:\Users\KA\AppData\Local\{9165E24D-9AEA-4C70-A05C-F4D9FF5F1FE4}\ not found.
File C:\Windows\System32\yv12vfw.dll not found.
File C:\Windows\tasks\zlns.job not found.
File C:\ProgramData\~25288440r not found.
File C:\ProgramData\~25288440 not found.
File C:\Windows Recovery.lnk not found.
Folder C:\Windows Recovery\ not found.
File C:\ProgramData\25288440 not found.
File C:\ProgramData\25288440.exe not found.
File C:\ProgramData\FEuLFLOIGw.exe not found.
File C:\Users\KA\AppData\Local\Jxacodob.dat not found.
File C:\Users\KA\AppData\Local\Lkitulasejad.bin not found.
File C:\Windows\taskmanager.exe not found.
Unable to delete ADS C:\Users\KA\Documents\contract2.JPG:3or4kl4x13tuuug3Byamue2s4b .
Unable to delete ADS C:\Users\KA\Documents\contract.JPG:3or4kl4x13tuuug3Byamue2s4b .
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: KA
->Temp folder emptied: 743611 bytes
->Temporary Internet Files folder emptied: 5243629 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 3470327 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 2608 bytes

User: Public

User: Thee
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 88963285 bytes

Total Files Cleaned = 94.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: KA
->Flash cache emptied: 0 bytes

User: Public

User: Thee
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Error: Unable to interpret <[restart]> in the current context!

OTL by OldTimer - Version 3.2.22.3 log created on 05152011_145919

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
  • 0

#10
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi Ryan123911,

Let's try to get back your documents:

Please download Unhide to your PC and run it.

How is your system now? Problems?
  • 0

#11
Ryan123911

Ryan123911

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I believe I have all my files back but everyhting under Start > Programs, still shows up as (empty) in every folder. So far it seems my PC is running fine. Not sure if it's 100% clean or not but we'll see.
  • 0

#12
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Nice. This fix could take some time. Please be patient.

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Files
    attrib -h /s /d c:\*.* /c

    :Commands
    [restart]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply.

  • 0

#13
Ryan123911

Ryan123911

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
After pressing Run Fix the command prompt opens. After the process is complete I get this in notepad:

========== OTL ==========
========== FILES ==========
< attrib -h /s /d c:\*.* /c >
Error opening cmd.txt file...
C:\Users\KA\Desktop\cmd.bat deleted successfully.
C:\Users\KA\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Error: Unable to interpret <[restart]> in the current context!

OTL by OldTimer - Version 3.2.22.3 log created on 05162011_135705


It did not prompt me to restart, but I restarted anyway.
  • 0

#14
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi Ryan123911,

Looks like that malware has permanently removed some of your shortcuts. You can add your self shortcuts in start menu if you follow this article and read To Add or Delete a Shortcut or Folder part.

The best way is to install software again to repair all your shortcuts.

Your logs and system are clean now. I'm glad we fix up your computer. We need to clean up your PC from programs we used.

Step 1

Please start OTL one more time and click CleanUp button. OTL will restart your system at the end. Remove all other application we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them option.
  • Click OK button

2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.
  • 0

#15
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP