
Vista Antivirus 2010 removal


  • This topic is locked
15 replies to this topic

#1 tfsterminal

tfsterminal

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 28 February 2010 - 08:09 PM

My computer recently became infected with a malware program by the name of Vista Antivirus 2010. I had initially tried rebooting the computer, but on restarting, the program was back and had root access. I was able to download some anti-malware and anti-virus programs (Kaspersky, etc.), but the virus had blocked them from installing. Task Manager and System Restore were disabled. I was able to kill the process (av.exe) by using HJT. I also used ATF Cleaner to clean out all temp folders. After a reboot, everything seemed back to normal, except no programs or files could be opened. (Open with... window comes up)

After some research on this and other PC tech support sites, I found a registry entry that fixes this problem:

QUOTE
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


Didn't seem to work. Now the only program I can open is Firefox (default browser).

I was able to run D.D.S. Here is the log:

QUOTE
DDS (Ver_09-12-01.01) - NTFSX64
Run by Carlo at 18:34:50.99 on Sun 02/28/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.4093.2922 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
C:\Program Files (x86)\Adobe\acrotray .exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
C:\Program Files (x86)\Adobe\acrotray .exe
C:\Users\Carlo\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = local
mWinlogon: Userinit=userinit.exe
BHO: c:\windows\syswow64\o3b3q.dll: {a3ba40a2-74f0-42bd-f434-00b15a2c8953} - c:\windows\syswow64\o3b3q.dll
uRun: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
uRun: [CurseClient] c:\program files (x86)\curse\CurseClient.exe -silent
uRun: [EA Core] "c:\program files (x86)\electronic arts\eadm\Core.exe" -silent
uRun: [Vidalia] "c:\program files (x86)\vidalia bundle\vidalia\vidalia.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DAEMON Tools Lite] "c:\program files (x86)\daemon tools lite\daemon.exe" -autorun
uRun: [AbacastDistributedOnDemand:11] c:\users\carlo\appdata\local\abacastdistributedondemand\node\11\AbacastDistributedOnDemand.exe -r:11 -x:1
uRun: [WMPNSCFG] c:\program files (x86)\windows media player\WMPNSCFG.exe
uRun: [Remote System Protection] rundll32.exe c:\windows\syswow64\o3b3q.dll, HUI_proc
uRun: [uishf9wuifwuh387fh3wufinhjfdwefe] c:\users\carlo\appdata\local\temp\i1fam .exe
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\users\carlo\appdata\local\temp\nvsvc32 .exe
uRun: [asr64_ldm.exe] c:\users\carlo\appdata\local\temp\asr64_ldm.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime alternative\qttask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [madekibewi] Rundll32.exe "nisefuzi.dll",s
mRun: [ISTray] "c:\program files (x86)\spyware doctor\pctsTray.exe"
dRun: [Remote System Protection] rundll32.exe c:\windows\syswow64\o3b3q.dll, HUI_proc
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\win32.exe
StartupFolder: c:\users\carlo\appdata\roaming\micros~1\windows\startm~1\programs\startup\xfire.lnk - c:\program files (x86)\xfire\Xfire.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {1825D7F0-5899-49B9-A067-BC9FABA914F7} = 209.18.47.61,209.18.47.62
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~2\micros~2\office12\GR99D3~1.DLL
AppInit_DLLs: app_dll.dll
STS: c:\windows\syswow64\o3b3q.dll: {a3ba40a2-74f0-42bd-f434-00b15a2c8953} - c:\windows\syswow64\o3b3q.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~2\micros~2\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli vehugozu.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\carlo\appdata\roaming\mozilla\firefox\profiles\jf5p4guu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files (x86)\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files (x86)\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files (x86)\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files (x86)\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files (x86)\veetle\player\npvlc.dll
FF - plugin: c:\program files (x86)\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files (x86)\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\users\carlo\appdata\roaming\mozilla\firefox\profiles\jf5p4guu.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\carlo\appdata\roaming\mozilla\firefox\profiles\jf5p4guu.default\extensions\npdyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\users\carlo\appdata\roaming\mozilla\plugins\npAbacast.dll
FF - plugin: c:\users\carlo\appdata\roaming\mozilla\plugins\NPAbacheck.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [2010-2-28 218056]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 27648]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-12-11 202752]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2009-12-11 6228480]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2009-12-11 160256]
S2 gupdate1c9c8992405a7;Google Update Service (gupdate1c9c8992405a7);c:\program files (x86)\google\update\GoogleUpdate.exe [2009-4-29 133104]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-11-12 93184]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\dragon age\bin_ship\daupdatersvc.service.exe [2010-1-14 25832]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2009-8-28 49152]

=============== Created Last 30 ================

2010-03-01 00:28:33 1166 ----a-w- c:\users\carlo\reg_enable.vbs
2010-02-28 23:40:01 7357 ----a-w- c:\windows\system32\drivers\pctgntdi64.cat
2010-02-28 23:40:01 306648 ----a-w- c:\windows\system32\drivers\pctgntdi64.sys
2010-02-28 23:40:01 133072 ----a-w- c:\windows\system32\drivers\pctwfpfilter64.sys
2010-02-28 23:39:57 7353 ----a-w- c:\windows\system32\drivers\pctcore64.cat
2010-02-28 23:39:57 218056 ----a-w- c:\windows\system32\drivers\PCTCore64.sys
2010-02-28 23:39:51 92896 ----a-w- c:\windows\system32\drivers\pctplsg64.sys
2010-02-28 23:39:51 7353 ----a-w- c:\windows\system32\drivers\pctplsg64.cat
2010-02-28 23:39:43 0 d-----w- c:\users\carlo\appdata\roaming\PC Tools
2010-02-28 23:39:43 0 d-----w- c:\programdata\PC Tools
2010-02-28 23:39:43 0 d-----w- c:\program files (x86)\Spyware Doctor
2010-02-28 23:39:43 0 d-----w- c:\program files (x86)\common files\PC Tools
2010-02-28 23:32:09 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-28 23:30:46 0 d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-02-28 23:26:07 0 d-----w- c:\program files (x86)\Trend Micro
2010-02-28 23:18:33 94208 ----a-w- c:\windows\syswow64\app_dll.dll
2010-02-28 23:12:55 20000 ----a-w- c:\windows\syswow64\o3b3q.dll
2010-02-28 21:50:11 0 d-----w- c:\program files (x86)\Empire Total War
2010-02-26 16:18:20 0 d-----w- c:\program files (x86)\common files\Akamai
2010-02-26 09:11:28 0 d-----w- c:\program files (x86)\Napoleon Total War
2010-02-23 10:55:01 218 ----a-w- c:\users\carlo\.recently-used.xbel
2010-02-21 15:30:01 0 d-----w- c:\users\carlo\appdata\roaming\StreamTorrent
2010-02-21 15:30:01 0 d-----w- c:\program files (x86)\StreamTorrent 1.0
2010-02-21 13:22:47 0 d-----w- c:\program files (x86)\Gladiator Trials II Demo
2010-02-17 10:57:29 0 d-----w- c:\program files (x86)\Free M4a to MP3 Converter
2010-02-17 09:53:00 0 d-----w- c:\program files (x86)\common files\Macrovision Shared
2010-02-17 09:52:44 0 d-----w- c:\programdata\Rosetta Stone
2010-02-17 09:52:44 0 d-----w- c:\program files (x86)\Rosetta Stone
2010-02-16 22:35:41 65536 --sha-w- c:\users\carlo\ntuser.dat{7c0c049c-1b06-11df-a2bc-001fd0814d9b}.TM.blf
2010-02-16 22:35:41 524288 --sha-w- c:\users\carlo\ntuser.dat{7c0c049c-1b06-11df-a2bc-001fd0814d9b}.TMContainer00000000000000000002.regtrans-ms
2010-02-16 22:35:41 524288 --sha-w- c:\users\carlo\ntuser.dat{7c0c049c-1b06-11df-a2bc-001fd0814d9b}.TMContainer00000000000000000001.regtrans-ms
2010-02-14 08:25:01 0 d-----w- c:\users\carlo\appdata\roaming\XRay Engine
2010-02-14 04:15:32 0 d-----w- c:\program files (x86)\bitComposer Games
2010-02-11 03:40:10 254 ----a-w- c:\windows\RomeTW.ini
2010-02-11 03:16:10 41872 ----a-w- c:\windows\syswow64\xfcodec.dll
2010-02-11 03:16:10 27536 ----a-w- c:\windows\system32\xfcodec64.dll
2010-02-11 02:36:42 0 d-----w- c:\program files (x86)\Activision
2010-02-11 02:33:21 65536 --sha-w- c:\users\carlo\ntuser.dat{7737b7c8-16af-11df-921d-001fd0814d9b}.TM.blf
2010-02-11 02:33:21 524288 --sha-w- c:\users\carlo\ntuser.dat{7737b7c8-16af-11df-921d-001fd0814d9b}.TMContainer00000000000000000002.regtrans-ms
2010-02-11 02:33:21 524288 --sha-w- c:\users\carlo\ntuser.dat{7737b7c8-16af-11df-921d-001fd0814d9b}.TMContainer00000000000000000001.regtrans-ms
2010-02-11 01:07:08 0 d-----w- c:\programdata\ATI
2010-02-11 01:00:50 0 d-----w- c:\program files\Realtek
2010-02-11 00:59:58 78936 ----a-w- c:\windows\system32\MBWrp64.dll
2010-02-11 00:59:57 64600 ----a-w- c:\windows\system32\MBppld64.dll
2010-02-11 00:59:57 607832 ----a-w- c:\windows\system32\MBAPO64.dll
2010-02-11 00:59:57 60504 ----a-w- c:\windows\system32\MBPPCn64.dll
2010-02-11 00:59:57 531032 ----a-w- c:\windows\syswow64\MBAPO32.dll
2010-02-11 00:59:56 325904 ----a-w- c:\windows\system32\MaxxAudioAPO20.dll
2010-02-11 00:59:56 2197264 ----a-w- c:\windows\system32\MaxxAudioEQ.dll
2010-02-11 00:59:51 328608 ----a-w- c:\windows\system32\FMAPO64.dll
2010-02-11 00:59:51 168864 ----a-w- c:\windows\system32\AERTAC64.dll
2010-02-11 00:59:51 108960 ----a-w- c:\windows\system32\AERTAR64.dll
2010-02-11 00:59:47 1247776 ----a-w- c:\windows\RtlExUpd.dll
2010-02-11 00:48:08 526184 ----a-w- c:\windows\syswow64\XceedCry.dll
2010-02-11 00:48:08 456536 ----a-w- c:\windows\syswow64\XCEEDZIP.DLL
2010-02-11 00:48:08 224016 ----a-w- c:\windows\syswow64\Tabctl32.ocx
2010-02-11 00:48:08 132880 ----a-w- c:\windows\syswow64\Msinet.ocx
2010-02-11 00:48:08 110602 ----a-w- c:\windows\syswow64\xcdsfx32.bin
2010-02-11 00:48:07 0 d-----w- c:\program files (x86)\Driver Magician

==================== Find3M ====================

2010-02-28 23:35:27 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-28 23:35:27 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-28 23:35:27 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-28 14:51:19 111928 ----a-w- c:\windows\syswow64\PnkBstrB.exe
2010-02-11 01:00:13 525792 ----a-w- c:\windows\DIFxAPI.dll
2010-01-28 19:33:28 2434856 ----a-w- c:\windows\syswow64\pbsvc_bc2.exe
2010-01-20 01:10:12 332320 ----a-w- c:\windows\system32\RtlCPAPI64.dll
2010-01-20 01:10:06 1631264 ----a-w- c:\windows\system32\RtkAPO64.dll
2010-01-20 01:10:06 149536 ----a-w- c:\windows\system32\RtkCfg64.dll
2010-01-20 01:10:04 1814560 ----a-w- c:\windows\system32\RtPgEx64.dll
2010-01-20 01:10:00 477216 ----a-w- c:\windows\system32\RtkApi64.dll
2010-01-20 01:10:00 1206304 ----a-w- c:\windows\system32\RTCOM64.dll
2010-01-20 01:09:54 68640 ----a-w- c:\windows\system32\RCoInst64.dll
2010-01-20 00:42:22 2242720 ----a-w- c:\windows\system32\drivers\RTKVHD64.sys
2010-01-04 21:29:21 75064 ----a-w- c:\windows\syswow64\PnkBstrA.exe
2009-12-16 00:26:40 99016 ----a-w- c:\windows\system32\RTEEL64A.dll
2009-12-16 00:26:40 76488 ----a-w- c:\windows\system32\RTEEG64A.dll
2009-12-16 00:26:40 372936 ----a-w- c:\windows\system32\RTEEP64A.dll
2009-12-16 00:26:40 201928 ----a-w- c:\windows\system32\RTEED64A.dll
2009-12-11 20:45:40 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-12-11 20:45:28 450048 ----a-w- c:\windows\system32\atieclxx.exe
2009-12-11 20:44:52 202752 ----a-w- c:\windows\system32\atiesrxx.exe
2009-12-11 20:43:40 17560576 ----a-w- c:\windows\system32\atio6axx.dll
2009-12-11 20:43:26 120320 ----a-w- c:\windows\system32\atitmm64.dll
2009-12-11 20:43:06 421376 ----a-w- c:\windows\system32\atipdl64.dll
2009-12-11 20:42:58 356352 ----a-w- c:\windows\syswow64\atipdlxx.dll
2009-12-11 20:42:44 274432 ----a-w- c:\windows\syswow64\Oemdspif.dll
2009-12-11 20:42:38 12288 ----a-w- c:\windows\system32\atimuixx.dll
2009-12-11 20:42:34 59392 ----a-w- c:\windows\system32\atiedu64.dll
2009-12-11 20:42:28 43520 ----a-w- c:\windows\syswow64\ati2edxx.dll
2009-12-11 20:39:38 3060224 ----a-w- c:\windows\syswow64\atidxx32.dll
2009-12-11 20:35:34 400384 ----a-w- c:\windows\syswow64\aticfx32.dll
2009-12-11 20:34:46 434176 ----a-w- c:\windows\system32\aticfx64.dll
2009-12-11 20:31:50 3671040 ----a-w- c:\windows\system32\atidxx64.dll
2009-12-11 20:26:00 13383168 ----a-w- c:\windows\syswow64\atioglxx.dll
2009-12-11 20:22:58 3601920 ----a-w- c:\windows\syswow64\atiumdag.dll
2009-12-11 20:17:10 4668416 ----a-w- c:\windows\system32\atiumd64.dll
2009-12-11 20:11:30 55296 ----a-w- c:\windows\system32\coinst.dll
2009-12-11 20:10:48 2617344 ----a-w- c:\windows\system32\atiumd6a.dll
2009-12-11 20:04:52 43008 ----a-w- c:\windows\system32\aticalrt64.dll
2009-12-11 20:04:50 53248 ----a-w- c:\windows\syswow64\aticalrt.dll
2009-12-11 20:04:50 2912768 ----a-w- c:\windows\syswow64\atiumdva.dll
2009-12-11 20:04:38 39936 ----a-w- c:\windows\system32\aticalcl64.dll
2009-12-11 20:04:34 53248 ----a-w- c:\windows\syswow64\aticalcl.dll
2009-12-11 20:04:22 4748288 ----a-w- c:\windows\system32\aticaldd64.dll
2009-12-11 20:03:22 3641344 ----a-w- c:\windows\syswow64\aticaldd.dll
2009-12-11 19:52:22 53248 ----a-w- c:\windows\system32\atimpc64.dll
2009-12-11 19:52:22 53248 ----a-w- c:\windows\system32\amdpcom64.dll
2009-12-11 19:52:16 52224 ----a-w- c:\windows\syswow64\atimpc32.dll
2009-12-11 19:52:16 52224 ----a-w- c:\windows\syswow64\amdpcom32.dll
2009-12-11 19:51:46 314880 ----a-w- c:\windows\system32\atiadlxx.dll
2009-12-11 19:51:38 225280 ----a-w- c:\windows\syswow64\atiadlxy.dll
2009-12-11 19:51:26 14848 ----a-w- c:\windows\system32\atig6pxx.dll
2009-12-11 19:51:22 12800 ----a-w- c:\windows\syswow64\atiglpxx.dll
2009-12-11 19:51:22 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2009-12-11 19:51:18 16896 ----a-w- c:\windows\system32\atig6txx.dll
2009-12-11 19:51:12 15360 ----a-w- c:\windows\syswow64\atigktxx.dll
2009-12-11 19:50:34 35840 ----a-w- c:\windows\system32\atiuxp64.dll
2009-12-11 19:50:28 27136 ----a-w- c:\windows\syswow64\atiuxpag.dll
2009-12-11 19:50:20 28160 ----a-w- c:\windows\system32\atiu9p64.dll
2009-12-11 19:50:12 20480 ----a-w- c:\windows\syswow64\atiu9pag.dll
2009-12-11 19:49:52 26112 ----a-w- c:\windows\system32\atitmp64.dll
2009-12-11 15:55:46 307920 ----a-w- c:\windows\system32\RP3DHT64.dll
2009-12-11 15:55:46 307920 ----a-w- c:\windows\system32\RP3DAA64.dll
2008-12-12 06:42:19 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 03:21:14 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:14 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:32 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:32 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:32 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:32 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
1601-01-01 00:03:16 95232 --sha-w- c:\windows\syswow64\hutikovu.dll
2009-07-11 19:26:08 4184 --sha-w- c:\windows\syswow64\KGyGaAvL.sys
1601-01-01 00:00:00 64000 --sha-w- c:\windows\syswow64\nisefuzi.dll
1601-01-01 00:03:16 40960 --sha-w- c:\windows\syswow64\togitata.dll
1601-01-01 00:00:00 64000 --sha-w- c:\windows\syswow64\vehugozu.dll
1601-01-01 00:00:00 64000 --sha-w- c:\windows\syswow64\zunudolu.dll
2008-12-12 06:39:13 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:36:53.49 ===============

Attached Files




#2 tfsterminal

tfsterminal
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 28 February 2010 - 09:16 PM

Update:

I am able to run programs now by right-clicking and selecting run as administrator. (There is a menu option just below "run as administrator" that says only "start". Virus must have caused this, haven't seen this before.)

I have an HJT log attached. GMER is scanning as I post this, I will update with the logs when it completes.

Attached Files


Edited by tfsterminal, 28 February 2010 - 09:16 PM.


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:10 AM

Posted 06 March 2010 - 05:38 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:10 AM

Posted 13 March 2010 - 07:46 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti



#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:10 AM

Posted 17 March 2010 - 03:33 AM

Hi,

Topic reopened, please post your logs.

regards myrti



#6 tfsterminal

tfsterminal
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 18 March 2010 - 01:59 AM

hi, here are the logs

Attached Files



#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:10 AM

Posted 19 March 2010 - 03:59 PM

Hi,

please run a scan with Malwarebytes next:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

regards myrti



#8 tfsterminal

tfsterminal
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 20 March 2010 - 11:55 PM

Thanks for the reply myrti.

I had not been able to install or run Malwarebytes because of the virus, but after running rkill, unlocking permissions, and changing the name of the MBAM exe, I was able to run the program. I have attached the log from the MBAM scan. After this scan, I did a full scan with my anti-virus (avast!) and it came up clean. At this point, my computer seemed to be running like normal again, except some Windows services (Backup & Restore Center) were still disabled or would not run correctly. Now just a few days ago the virus popped up again. I ran rkill and did a scan with MBAM. I have attached the log for this as well as the rkill log.

Attached Files



#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:10 AM

Posted 21 March 2010 - 03:18 PM

Hi,

please run a fix with OTL, there are still entries left:
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :otl
    O20 - AppInit_DLLs: (app_dll.dll) -  File not found
    O21 - SSODL: fesawidiw - {c4a5e313-7770-4d39-a9c4-c83e2ebed3ae} - c:\windows\SysWow64\wobezozu.dll File not found
    O22 - SharedTaskScheduler: {c4a5e313-7770-4d39-a9c4-c83e2ebed3ae} - mujuzedij - c:\windows\SysWow64\wobezozu.dll File not found
    O37:64bit: - HKU\S-1-5-21-314044067-2092175804-3535847563-1000\...exe [@ = secfile] -- "C:\Users\Carlo\AppData\Local\ave.exe" /START "%1" %* ()
    O37 - HKU\S-1-5-21-314044067-2092175804-3535847563-1000\...exe [@ = secfile] -- "C:\Users\Carlo\AppData\Local\ave.exe" /START "%1" %* ()
    [2099/01/01 12:00:00 | 000,000,008 | -HS- | M] () -- C:\Windows\SysWow64\desoyahi.exe
    [2010/03/15 21:58:34 | 002,359,296 | -HS- | M] () -- C:\Users\Carlo\ntuser.dat
    [2010/03/15 21:55:58 | 000,204,288 | -HS- | M] () -- C:\Users\Carlo\AppData\Local\2524945609.dll
    [2010/03/15 21:52:32 | 000,013,748 | -HS- | M] () -- C:\Users\Carlo\AppData\Local\oY0vtai
    [2010/03/15 21:52:32 | 000,013,748 | -HS- | M] () -- C:\ProgramData\oY0vtai
    [2010/03/15 21:34:55 | 000,000,388 | ---- | M] () -- C:\Windows\tasks\At25.job
    [2010/03/15 21:34:25 | 000,204,288 | -HS- | M] () -- C:\Users\Carlo\AppData\Local\ave.exe
    [2010/03/01 22:07:19 | 000,006,456 | -H-- | M] () -- C:\Windows\SysWow64\wagejoyu
    :files
    C:\Windows\tasks\at*.job
    :commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered; when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
    If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one notepad window: OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+

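The O37 lines in the fix above are the cause of the "Open with..." symptom from the first post: the per-user `.exe` association has been redirected to a `secfile` class whose handler is the rogue `ave.exe` in `AppData\Local`, so every program launch runs the malware first. The O20/O21/O22 lines are load points whose target file no longer exists. The following is an added example, not code from the thread, from OTL or from BleepingComputer: a small parser for OTL-style log lines that flags a non-default exe handler and orphaned load points, then assembles them into an `:otl` fix section in the same shape as the one posted. The sample lines are constructed (the SID and user name are placeholders) and only mimic the format shown above.

```python
import re

# Constructed sample OTL-style log lines for this example. They copy the
# format of the lines in the thread; the SID and user name are placeholders.
SAMPLE_LINES = [
    r'O20 - AppInit_DLLs: (app_dll.dll) -  File not found',
    r'O21 - SSODL: fesawidiw - {c4a5e313-7770-4d39-a9c4-c83e2ebed3ae} - c:\windows\SysWow64\wobezozu.dll File not found',
    r'O37 - HKU\S-1-5-21-EXAMPLE-1000\...exe [@ = secfile] -- "C:\Users\Example\AppData\Local\ave.exe" /START "%1" %* ()',
    r'O37 - HKLM\...exe [@ = exefile] -- "%1" %* ()',
    r'O20 - HKLM Winlogon: Shell - (explorer.exe)',
]

# The handler Windows installs for exefile\shell\open\command: run the
# program ("%1") with its arguments (%*). Anything else is a hijack.
DEFAULT_EXE_HANDLER = '"%1" %*'

# O37 lines: optional [b]64bit:[/b] tag, hive path ending in \...exe,
# the class the extension maps to, then the handler command before " ()".
O37_RE = re.compile(
    r'^O37(?::\[b\]64bit:\[/b\])? - (?P<hive>\S+?)\\\.\.\.exe '
    r'\[@ = (?P<class>\w+)\] -- (?P<handler>.*?) \(\)\s*$'
)

# O20 (AppInit_DLLs / Winlogon), O21 (SSODL), O22 (SharedTaskScheduler)
LOADPOINT_RE = re.compile(r'^(O2[012]) ')


def handler_exe(handler):
    """Return the first quoted path in a handler command, or None."""
    m = re.match(r'"([^"]+)"', handler)
    return m.group(1) if m else None


def analyze(lines):
    """Return a list of findings (dicts) for suspicious OTL-style lines."""
    findings = []
    for line in lines:
        m = O37_RE.match(line)
        if m:
            handler = m.group('handler')
            if handler != DEFAULT_EXE_HANDLER:
                exe = handler_exe(handler)
                findings.append({
                    'id': 'O37',
                    'severity': 'high',
                    'reason': 'exe file association hijacked',
                    'class': m.group('class'),
                    'handler': handler,
                    'exe': exe,
                    # a handler living in the user's profile is a strong
                    # sign it was dropped by malware, not installed by setup
                    'user_writable': bool(exe) and '\\appdata\\local\\' in exe.lower(),
                    'line': line,
                })
            continue
        lp = LOADPOINT_RE.match(line)
        if lp and line.rstrip().endswith('File not found'):
            findings.append({
                'id': lp.group(1),
                'severity': 'medium',
                'reason': 'orphaned load point (file not found)',
                'line': line,
            })
    return findings


def build_fix_script(findings):
    """Assemble an OTL-style fix script from the flagged lines, in the same
    shape as the ':otl' / ':commands' sections posted in the thread."""
    body = '\n'.join(f['line'] for f in findings)
    return ':otl\n' + body + '\n:commands\n[emptytemp]\n'


if __name__ == '__main__':
    found = analyze(SAMPLE_LINES)
    for f in found:
        print(f"[{f['severity']}] {f['id']}: {f['reason']}")
        if f['id'] == 'O37':
            print(f"    class={f['class']} handler={f['handler']}")
    print(build_fix_script(found))
```

The check is deliberately narrow: it trusts nothing about the handler except that it equals the stock `"%1" %*`, so a handler that merely wraps the real program (as `ave.exe /START "%1" %*` does) is still flagged. The fix builder just echoes the flagged lines back; OTL itself decides how each line is removed, so the script is only as good as the triage that produced the findings.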

#10 tfsterminal

tfsterminal
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 22 March 2010 - 09:36 PM

Okay, I ran the fix and it asked me to restart. When the computer restarted, it was like Windows was being run for the first time. I had to re-enter all my saved passwords and I lost the contents of My Documents and other important folders. Is this normal? Is there any way to get these files back? I tried System Restore but it is still disabled. (So is Windows Security Center.)

Attached Files



#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:10 AM

Posted 24 March 2010 - 04:16 PM

Hi,

This may have been caused by an error in the script. Do you have your Windows CD? We need to copy a file back to see if that fixes your problem.

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    CODE
    :dir
    C:\_OTL /s
  • Hit the Look button. Let it finish the scan
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.

regards myrti



#12 tfsterminal

tfsterminal
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 24 March 2010 - 10:46 PM

I have attached the log. I do not have my Windows CD. Is there another way?

Attached Files



#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:10 AM

Posted 26 March 2010 - 01:00 PM

Hi,
First, please create a backup of your registry:

Please follow steps 1-3 behind this link to backup your registry with ERUNT (use current date while naming the location).

Then please create an OTLPE boot CD. After you have successfully burned the OTLPE ISO to disc, you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads
  • Your system should now display a REATOGO-X-PE desktop.
Access your hard drive and go to C:\users\carlo and rename the ntuser.dat there to ntuser.dat.backup. Then go to C:\_OTL\MovedFiles\03212010_224349\C_Users\Carlo and copy ntuser.dat. Then paste the file into C:\users\carlo. Reboot and let me know if your settings are back.

regards myrti

Edited by myrti, 03 April 2010 - 11:36 AM.



#14 tfsterminal

tfsterminal
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 30 March 2010 - 11:11 AM

OK, I burned the image to a CD, but my keyboard doesn't function until Windows boots up. I think it has something to do with it being a USB keyboard?

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:01:10 AM

Posted 03 April 2010 - 11:36 AM

Hi,

Do you have an alternative keyboard by any chance?

regards myrti





