HELP! HELP! HELP!



#1 buzmeg

Posted 13 October 2009 - 10:49 AM

My problem started with the following error message:
USERINIT logon application
Data Execution Prevention
To help protect your computer
Windows has closed this program.

Since then it has gotten progressively worse, although I can run in "SAFE MODE WITH NETWORKING".
If I attempt to run normally I receive all kinds of virus/malware messages.
Additionally, I cannot access many sites when performing a Google search.

My log file follows. The log was produced from "Safe Mode".


DDS (Ver_09-09-29.01) - NTFSx86 NETWORK
Run by bobC at 10:40:36.35 on Fri 10/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.387 [GMT -7:00]

AV: avast! antivirus 4.8.1356 [VPS 091007-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\i0d95f06.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\TEMP\debug.exe
svchost.exe C:\WINDOWS\TEMP\VRT12.tmp
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\American Systems\EZ Macros\EZMacros.exe
C:\Program Files\ClipCache\clipc.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\bobC.BUZMEG\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,c:\windows\system32\ntos.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [MSGTAG] "c:\program files\msgtag\MSGTAG.exe" /startup
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [SansaDispatch] c:\documents and settings\bobc.buzmeg\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [Google Update] "c:\documents and settings\bobc.buzmeg\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Uniblue SpyEraser] "c:\program files\uniblue\spyeraser\SpyEraser.exe" -m
uRun: [HostsMan] "c:\program files\hostsman\hm.exe" -s
uRun: [CursorFX] "c:\program files\stardock\cursorfx\CursorFX.exe"
uRun: [restorer64_a] c:\documents and settings\bobc.buzmeg\restorer64_a.exe
uRun: [mserv] c:\documents and settings\bobc.buzmeg\application data\seres.exe
uRun: [ttool] c:\windows\srcssc.exe
uRun: [svchost] c:\documents and settings\bobc.buzmeg\application data\svcst.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SpotmauSecretary] c:\program files\spotmau\desktop_secretary\Spotmau_S.exe
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [EZ Macros] c:\program files\american systems\ez macros\EZMacros.exe /m
mRun: [restorer64_a] c:\windows\system32\restorer64_a.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [sysgif32] c:\windows\temp\wpv621254983689.exe
mRun: [PromoReg] c:\windows\temp\_ex-08.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-DFHNT.exe" /REG
dRun: [reader_s] c:\documents and settings\bobc.buzmeg\reader_s.exe
dRun: [Login Software 2009] c:\windows\temp\i0d95f06.exe
dRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\windows\temp\debug.exe
StartupFolder: c:\docume~1\bobc~1.buz\startm~1\programs\startup\audio caller id.lnk - c:\program files\audio caller id\acid.exe
StartupFolder: c:\docume~1\bobc~1.buz\startm~1\programs\startup\clipcache pro.lnk - c:\program files\clipcache\clipc.exe
StartupFolder: c:\documents and settings\bobc.buzmeg\start menu\programs\startup\CreateRP.VBS
StartupFolder: c:\docume~1\bobc~1.buz\startm~1\programs\startup\erunt autobackup.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\bobc~1.buz\startm~1\programs\startup\printk~1.lnk - c:\PRINTKEY.EXE
StartupFolder: c:\docume~1\bobc~1.buz\startm~1\programs\startup\sleeper.lnk - c:\sleep\sleeper.exe
StartupFolder: c:\documents and settings\bobc.buzmeg\start menu\programs\startup\uecupd32.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\audio caller id.lnk - c:\program files\audio caller id\acid.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\clipcache pro.lnk - c:\program files\clipcache\clipc.exe
StartupFolder: c:\documents and settings\all users.windows\start menu\programs\startup\CreateRP.VBS
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\erunt autobackup.lnk - c:\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\firefox preloader.lnk - c:\program files\firefoxpreloader\FirefoxPreloader.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\hp digital imaging monitor.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\printkey.exe.lnk - c:\PRINTKEY.EXE
StartupFolder: c:\documents and settings\all users.windows\start menu\programs\startup\scandisk.dll
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\sleeper.lnk - c:\sleep\sleeper.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247792677359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: Antiwpa - antiwpa.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = dokakuru.dll scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bobc~1.buz\applic~1\mozilla\firefox\profiles\epoa9nma.my new test profile\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/reader/view/#stream/user%2F11001229006748558114%2Flabel%2FSPORTS
FF - component: c:\documents and settings\bobc.buzmeg\application data\mozilla\firefox\profiles\epoa9nma.my new test profile\extensions\{a2049def-a235-488f-878c-b41f8071fa9c}\components\BossKey.dll
FF - component: c:\documents and settings\bobc.buzmeg\application data\mozilla\firefox\profiles\epoa9nma.my new test profile\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\bobc.buzmeg\application data\mozilla\firefox\profiles\epoa9nma.my new test profile\extensions\{e22e8d11-0f3e-4d46-8fc1-7264b4d5ea01}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\bobc.buzmeg\application data\mozilla\firefox\profiles\epoa9nma.my new test profile\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\documents and settings\bobc.buzmeg\application data\mozilla\firefox\profiles\epoa9nma.my new test profile\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: c:\documents and settings\bobc.buzmeg\application data\mozilla\firefox\profiles\epoa9nma.my new test profile\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
user_pref('capability.policy.policynames', 'localfilelinks');user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com http://www.google.com');user_pref('...ri.enabled', 'allAccess');FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-9-25 114768]
S1 FolderProtectDriver;FolderProtectDriver;\??\c:\program files\spotmau wincare 2008\sub\fsdriver\folderprotectdriver.sys --> c:\program files\spotmau wincare 2008\sub\fsdriver\FolderProtectDriver.sys [?]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/07/09 08:50:10];c:\program files\cyberlink\powerdvd9\000.fcl [2009-2-28 87536]
S2 a2free;a-squared Free Service;"c:\program files\a-squared free\a2service.exe" --> c:\program files\a-squared free\a2service.exe [?]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-25 20560]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-9-25 138680]
S2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-8-4 115200]
S2 FolderProtectService;FolderProtectService;c:\program files\spotmau wincare 2008\sub\fsdriver\folderprotectservice.exe --> c:\program files\spotmau wincare 2008\sub\fsdriver\FolderProtectService.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S2 supersafer;supersafer;\??\c:\windows\system32\drivers\supersafer.sys --> c:\windows\system32\drivers\supersafer.sys [?]
S2 W32TimeCOMSysApp;Windows Time W32TimeCOMSysApp;c:\windows\system32\abalezipj.exe srv --> c:\windows\system32\AbaleZipj.exe srv [?]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\bobc~1.buz\locals~1\temp\aticdsdr.sys --> c:\docume~1\bobc~1.buz\locals~1\temp\ATICDSDr.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-9-25 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-9-25 352920]
S3 isasdk;isasdk;c:\windows\system32\isasdk.sys [2004-8-4 2304]
S3 mdtdisk;mdtdisk;c:\windows\system32\mdtdisk.sys [2004-8-4 2304]
S3 mndisk;mndisk;c:\windows\system32\mndisk.sys [2004-8-4 2304]
S3 OICB;OICB;c:\docume~1\bobc~1.buz\locals~1\temp\oicb.exe --> c:\docume~1\bobc~1.buz\locals~1\temp\OICB.exe [?]
S3 tcpsr;tcpsr;c:\windows\system32\drivers\tcpsr.sys [2009-10-9 6016]
S3 XoftSpyService;XoftSpyService;"c:\program files\common files\xoftspyse\6\xoftspyservice.exe" --> c:\program files\common files\xoftspyse\6\xoftspyservice.exe [?]
S3 YLF;YLF;c:\docume~1\bobc~1.buz\locals~1\temp\ylf.exe --> c:\docume~1\bobc~1.buz\locals~1\temp\YLF.exe [?]

=============== Created Last 30 ================

2009-10-09 10:23 92 a------- c:\windows\system32\18.tmp
2009-10-09 10:23 38 a------- C:\11.tmp
2009-10-09 10:23 15,000 a------- c:\windows\system32\yrs4x4.dll
2009-10-09 10:23 50,688 a------- C:\F.tmp
2009-10-09 10:17 714,240 a------- c:\windows\is-DFHNT.exe
2009-10-09 10:17 10,498 a------- c:\windows\is-DFHNT.msg
2009-10-09 10:17 408 a------- c:\windows\is-DFHNT.lst
2009-10-09 10:16 40,960 a------- c:\docume~1\bobc~1.buz\applic~1\svcst.exe
2009-10-09 10:16 <DIR> --d----- c:\docume~1\alluse~2.win\applic~1\45584834
2009-10-09 10:15 38,912 a------- c:\documents and settings\bobc.buzmeg\reader_s.exe
2009-10-09 10:10 6,016 a------- c:\windows\system32\drivers\tcpsr.sys
2009-10-09 09:53 <DIR> --d----- c:\docume~1\bobc~1.buz\applic~1\Malwarebytes
2009-10-09 09:53 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 09:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-09 09:53 <DIR> --d----- c:\docume~1\alluse~2.win\applic~1\Malwarebytes
2009-10-09 08:51 182,784 a------- c:\docume~1\bobc~1.buz\applic~1\lizkavd.exe
2009-10-09 08:51 81,372 a------- c:\windows\srcssc.exe
2009-10-09 08:50 40,960 a------- c:\docume~1\bobc~1.buz\applic~1\seres.exe
2009-10-09 08:50 71,168 a------- c:\documents and settings\bobc.buzmeg\restorer64_a.exe
2009-10-08 08:35 <DIR> --d----- c:\windows\system32\CatRoot2
2009-10-07 11:07 89,600 a------- c:\windows\system32\14.tmp
2009-10-07 11:07 0 a------- c:\windows\system32\13.tmp
2009-10-07 11:07 100 a------- c:\windows\system32\12.tmp
2009-10-07 09:27 22 a------- c:\windows\system32\ati64hlp.stb
2009-10-06 11:26 <DIR> --d----- C:\MOZbak
2009-10-05 12:32 89,600 a------- c:\windows\system32\70.tmp
2009-10-05 12:32 52 a------- c:\windows\system32\6F.tmp
2009-10-05 11:56 89,600 a------- c:\windows\system32\63.tmp
2009-10-05 11:56 52 a------- c:\windows\system32\62.tmp
2009-10-05 11:19 89,600 a------- c:\windows\system32\52.tmp
2009-10-05 11:19 52 a------- c:\windows\system32\51.tmp
2009-10-05 10:44 89,600 a------- c:\windows\system32\1D.tmp
2009-10-05 10:44 52 a------- c:\windows\system32\1C.tmp
2009-10-05 10:33 89,600 a------- c:\windows\system32\16.tmp
2009-10-05 10:33 52 a------- c:\windows\system32\15.tmp
2009-10-05 10:23 89,600 a------- c:\windows\system32\11.tmp
2009-10-05 10:23 52 a------- c:\windows\system32\10.tmp
2009-10-05 00:14 89,600 a------- c:\windows\system32\13A.tmp
2009-10-05 00:14 52 a------- c:\windows\system32\139.tmp
2009-10-03 07:54 <DIR> --d----- c:\docume~1\bobc~1.buz\applic~1\Foxit
2009-10-03 07:53 <DIR> --d----- c:\program files\Foxit Software
2009-10-03 06:33 163,840 -------- c:\windows\system32\fpres532.dll
2009-10-03 06:09 <DIR> --d----- c:\program files\Nsasoft
2009-09-30 01:04 8,242 a--s---- c:\windows\system32\766254181.dat
2009-09-28 12:10 <DIR> --d----- c:\program files\WinNc
2009-09-28 12:10 <DIR> --d----- c:\docume~1\alluse~2.win\applic~1\Tarma Installer
2009-09-28 07:59 <DIR> --d----- C:\Keyfinder.2.0.1
2009-09-27 03:26 89,600 a------- c:\windows\system32\51C.tmp
2009-09-27 03:25 52 a------- c:\windows\system32\51B.tmp
2009-09-27 02:54 0 a------- c:\windows\system32\4E3.tmp
2009-09-27 02:54 89,600 a------- c:\windows\system32\4E2.tmp
2009-09-27 02:54 52 a------- c:\windows\system32\4E1.tmp
2009-09-26 21:10 <DIR> --d----- C:\##WOOF Upload
2009-09-26 20:54 <DIR> --d----- c:\program files\VS Revo Group
2009-09-26 11:20 664 a------- c:\windows\system32\d3d9caps.dat
2009-09-26 06:48 76,800 ac------ c:\windows\system32\dllcache\wam51.dll
2009-09-26 06:47 38,912 ac------ c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-09-26 06:46 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-09-26 06:45 29,184 ac------ c:\windows\system32\dllcache\asptxn.dll
2009-09-26 06:45 <DIR> --d----- c:\program files\msn gaming zone
2009-09-26 06:44 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-09-26 06:44 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-09-26 06:44 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-09-26 06:44 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-09-26 06:44 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-09-26 06:44 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-09-26 06:28 20,992 a------- c:\windows\system32\drivers\RTL8139.sys
2009-09-25 23:02 1,005,146,112 a------- c:\windows\MEMORY.DMP
2009-09-25 21:36 1,266,380 a------- c:\windows\system32\drivers\AGRSM.sys
2009-09-25 21:36 88,363 a------- c:\windows\AGRSMMSG.exe
2009-09-25 21:36 84,992 a------- c:\windows\agrsmdel.exe
2009-09-25 21:03 2,206 a------- c:\windows\system32\wpa.dbl
2009-09-25 19:21 64 a------- c:\windows\system32\config.nt
2009-09-25 10:22 33,792 a------- c:\windows\system32\agrsmsvc.exe
2009-09-25 09:08 <DIR> --d----- c:\docume~1\bobc~1.buz\applic~1\abelhadigital.com
2009-09-25 09:08 <DIR> --d----- c:\docume~1\alluse~2.win\applic~1\abelhadigital.com
2009-09-25 09:08 <DIR> --d----- c:\program files\HostsMan
2009-09-25 06:44 <DIR> --d----- C:\APPLE
2009-09-25 05:44 <DIR> --d----- c:\program files\Wise Registry Cleaner
2009-09-24 19:26 <DIR> --d----- c:\docume~1\alluse~2.win\applic~1\XoftSpySE
2009-09-24 19:26 <DIR> --d----- c:\program files\XoftSpySE6
2009-09-24 08:58 <DIR> --d----- c:\docume~1\bobc~1.buz\applic~1\SUPERAntiSpyware.com
2009-09-24 07:27 <DIR> -cd----- c:\docume~1\alluse~2.win\applic~1\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}
2009-09-23 19:31 <DIR> --d----- c:\program files\TweakXP 2
2009-09-23 16:21 0 a------- c:\windows\SC.INS
2009-09-23 16:15 <DIR> --d----- c:\docume~1\alluse~2.win\applic~1\RegCure
2009-09-23 16:15 <DIR> --d----- C:\RegCure
2009-09-23 12:39 0 a------- c:\windows\wcx_ftp.ini
2009-09-23 12:08 151,040 a------- c:\windows\sv3.exe
2009-09-23 12:06 883,200 a------- c:\windows\isvchost.exe
2009-09-23 08:47 359,040 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-09-23 08:46 108,336 a------- c:\windows\system32winsck.ocx
2009-09-23 08:43 <DIR> --d----- c:\docume~1\alluse~2.win\applic~1\Corel
2009-09-20 09:21 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-18 19:04 <DIR> --d----- c:\docume~1\bobc~1.buz\applic~1\XnView
2009-09-18 18:17 <DIR> --d----- c:\program files\XnView
2009-09-10 13:14 <DIR> --d----- c:\docume~1\alluse~2.win\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 13:02 <DIR> --d----- C:\iTUNES

==================== Find3M ====================

2009-10-09 10:23 59,392 a------- c:\windows\system32\reader_s.exe
2009-10-09 10:15 94,432 a------- c:\windows\system32\drivers\agp440.sys
2009-10-09 10:15 71,168 a------- c:\windows\system32\restorer64_a.exe
2009-10-09 08:50 804 a------- C:\9311335.exe
2009-10-09 08:50 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-10-09 08:50 359,040 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-09-26 06:42 22,704 a------- c:\windows\system32\emptyregdb.dat
2009-09-25 22:09 2,083,831 a--sh--- c:\windows\system32\zesupoma.exe
2009-09-25 22:09 37,888 a--sh--- c:\windows\system32\vabazaja.dll
2009-09-03 09:04 5,640,880 a------- c:\windows\system32\SpoonUninstall.exe
2009-09-03 06:40 466,944 a------- c:\windows\system32\BSTIEPrintCtl1.dll
2009-08-22 12:44 103,372 a------- c:\windows\hpqins11.dat
2009-08-22 12:44 130,330 a------- c:\windows\hpoins13.dat
2009-08-22 12:42 103,994 a------- c:\windows\hpqins01.dat
2009-08-22 12:24 139,537 a------- c:\windows\hpoins15.dat
2009-08-22 09:04 146,771 a------- c:\windows\hpoins31.dat
2009-08-21 15:39 18,270 a------- c:\windows\HPHins01.dat
2009-08-15 07:56 102,400 a------- c:\docume~1\bobc~1.buz\applic~1\ezpinst.exe
2009-08-15 07:56 47,360 a------- c:\docume~1\bobc~1.buz\applic~1\pcouffin.sys
2009-08-03 18:39 119,363 a------- c:\windows\hpqins00.dat
2009-08-03 16:48 19,502 a------- c:\windows\hpqins13.dat
2009-08-03 13:09 103,835 a------- c:\windows\hpqins05.dat
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-12 14:31 87,608 a------- c:\docume~1\bobc~1.buz\applic~1\inst.exe
2000-12-11 09:57 21,841 a------- c:\program files\common files\tppupd2k.dll

============= FINISH: 10:41:18.62 ===============


#2 SifuMike
malware expert

Posted 18 October 2009 - 02:09 PM

Hello buzmeg,

I am sorry to give you some very bad news! :(

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)


Miekiemoes, an expert for malware removal and an MS-MVP, additionally has a blog post about Virut.

I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions on how to format and reinstall Windows:

http://web.mit.edu/ist/products/winxp/adva...all-format.html

Edited by SifuMike, 18 October 2009 - 02:10 PM.

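As an added example (not code from this thread or from any AV vendor), a header-level triage for the layout the McAfee description above attributes to Virut: an entry point that lands in the last PE section, and a last section that is executable without being the code section. The PE images it checks are constructed inside the block; the EPO variant that overwrites code at the original entry point is noted as not detectable by these header fields.

```python
# Added example, not code from this thread or from any AV vendor. The quoted
# McAfee text says Virut appends its encrypted body to the last section of a PE
# file and may place the decryptor there, so a cheap triage check is whether the
# entry point lands in the last section and whether that section is executable
# without being the code section. Every sample image here is constructed.
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN = 0x200


def parse_pe(data: bytes) -> dict:
    """Parse only the PE32 header fields a section-layout check needs."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                     # IMAGE_FILE_HEADER
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsect):
        # IMAGE_SECTION_HEADER: name, vsize, vaddr, rawsize, rawptr, 2 ptrs, 2 counts, flags
        rec = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": rec[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": rec[1], "vaddr": rec[2], "rawsize": rec[3], "chars": rec[9]})
    return {"entry_rva": entry_rva, "sections": sections}


def triage(data: bytes) -> list:
    """Return indicator strings; empty means the layout looks ordinary. The EPO
    variant (decryptor overwriting the original entry) leaves these fields intact."""
    pe = parse_pe(data)
    secs, ep = pe["sections"], pe["entry_rva"]
    if not secs:
        return ["no sections"]
    last = secs[-1]
    ep_sec = next((s for s in secs
                   if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    hits = []
    if ep_sec is None:
        hits.append("entry point 0x%x lies outside every section" % ep)
    elif ep_sec is last and len(secs) > 1:
        hits.append("entry point 0x%x lies in the last section %s" % (ep, last["name"]))
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and not last["chars"] & IMAGE_SCN_CNT_CODE:
        hits.append("last section %s is executable but not flagged as code" % last["name"])
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        hits.append("last section %s is writable and executable" % last["name"])
    return hits


def build_pe(entry_rva: int, sections: list) -> bytes:
    """Build a constructed minimal PE32 image (headers plus zero-filled sections)."""
    pe_off, opt_size = 0x40, 0xE0
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off) + b"PE\0\0")
    out += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, FILE_ALIGN)  # ImageBase, SectionAlign, FileAlign
    out += opt
    rawptr = -(-(len(out) + 40 * len(sections)) // FILE_ALIGN) * FILE_ALIGN
    for name, vaddr, vsize, chars in sections:
        rawsize = -(-vsize // FILE_ALIGN) * FILE_ALIGN
        out += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        rawptr += rawsize
    return bytes(out) + b"\0" * (rawptr - len(out))


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
# Constructed clean layout: entry point inside .text.
CLEAN = build_pe(0x1010, [(".text", 0x1000, 0x800, CODE), (".rsrc", 0x2000, 0x400, DATA)])
# Constructed appended-infector layout: .rsrc grew, became RWX and now holds the entry point.
APPENDED = build_pe(0x2400, [(".text", 0x1000, 0x800, CODE),
                             (".rsrc", 0x2000, 0x3400, DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)])
```

Running `triage(CLEAN)` returns no indicators, while `triage(APPENDED)` reports the entry point in the last section plus the executable and writable flags on a section that is not marked as code.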