
Hijack This log: Computer freezes shortly after start-up


  • This topic is locked
26 replies to this topic

#1 lionheart5656

lionheart5656

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 24 March 2010 - 12:06 PM

Went on a site and my Adobe suddenly tried to update and damn near froze my comp. Shortly after my comp restarted itself and when I logged back in it froze within 60 seconds. I can only get it to work while in safe mode. I am doing this now through safe mode with Networking enabled.

I appreciate your help in advance. If you find that it is not a virus for some reason, please direct me to the forum that can help me with this problem.

Thanks again!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:58 AM, on 3/24/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6ed149c9-c844-4f3c-8073-09e570bc9463} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [GBB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176972845687
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {e2883e8f-472f-4fb0-9522-ac9bf37916a7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (daupdatersvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7662 bytes



#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:03 PM

Posted 27 March 2010 - 12:14 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 lionheart5656

lionheart5656
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 27 March 2010 - 10:37 PM

To reiterate, my computer freezes very shortly after starting. It takes no longer than 60 seconds and that is if I pull up task manager quickly and end the readersl.exe (may not be exact name) process. I am using safe mode with networking to transmit this message.

Even in safe mode, if I leave it on long enough it will freeze. It usually takes a day or more. Two days is the record so far.

If I leave it for a while with the internet browser on, it will freeze much much quicker. Within a few hours. Maybe less.


I disabled my CD emulations and tried 4 times to create a GMER log but after many hours I could not do it. It consistently sends my computer to a blue screen where it explains an error has occurred and shows that it has dumped all physical memory.

I do however have a DDS log. Unfortunately, besides the Hijack This log, that is all I can get for you in the current condition of my computer.

Thanks again!




DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 20:17:23.64 on Sat 03/27/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3268 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6ed149c9-c844-4f3c-8073-09e570bc9463} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [NWEReboot]
mRun: [GBB36X Configure] "c:\windows\system32\JMRaidTool.exe" boot
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus\AirPlus.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = avnotify.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176972845687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {e2883e8f-472f-4fb0-9522-ac9bf37916a7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli c:\windows\system32\henebevi.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2009-11-20 20480]
S0 jseplndk;jseplndk;c:\windows\system32\drivers\eigi.sys --> c:\windows\system32\drivers\eigi.sys [?]
S1 a820d055;a820d055;c:\windows\system32\drivers\a820d055.sys [2009-8-30 0]
S1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [2009-9-6 2915944]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-5 11608]
S1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
S1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
S2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-5 108289]
S2 antivirservice;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-5 185089]
S2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\system32\appdrvrem01.exe svc --> c:\windows\system32\appdrvrem01.exe svc [?]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-5 56816]
S2 srenum;srenum;c:\windows\system32\drivers\srenum.sys --> c:\windows\system32\drivers\srenum.sys [?]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2004-11-1 106496]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\user\locals~1\temp\cel90xbe.sys --> c:\docume~1\user\locals~1\temp\cel90xbe.sys [?]
S3 daupdatersvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-22 25832]
S3 npf;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S3 XDva009;XDva009;\??\c:\windows\system32\xdva009.sys --> c:\windows\system32\XDva009.sys [?]
S3 XDva016;XDva016;\??\c:\windows\system32\xdva016.sys --> c:\windows\system32\XDva016.sys [?]
S3 XDva032;XDva032;\??\c:\windows\system32\xdva032.sys --> c:\windows\system32\XDva032.sys [?]

============== File Associations ===============

regfile=*** no open command defined ***

=============== Created Last 30 ================

2010-03-27 22:22:03 20 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-03-25 22:38:14 714 ----a-w- c:\windows\system32\iuenginr.dat
2010-03-24 16:38:58 810 --sha-r- c:\documents and settings\administrator\ntuser.pol
2010-03-24 16:14:32 714 ----a-w- c:\windows\system32\faultrzp.dat
2010-03-24 16:14:32 65 ----a-w- c:\windows\system32\WudfSvg.dat
2010-03-24 16:14:32 0 ----a-w- c:\windows\system32\kbduyxqk.dat
2010-03-24 05:06:57 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-03-24 04:20:29 966 ----a-w- c:\windows\system32\mag_hoof.dat
2010-03-24 04:20:29 301 ----a-w- c:\windows\system32\adptvf.dat
2010-03-24 04:20:29 130 ----a-w- c:\windows\system32\odbcp3gr.dat
2010-03-24 04:20:29 11483 ----a-w- c:\windows\system32\jgsdc00.dat
2010-03-24 04:20:29 0 ----a-w- c:\windows\system32\dpwsocyc.dat
2010-03-18 20:45:25 54156 ---ha-w- c:\windows\QTFont.qfn
2010-03-18 20:45:25 1409 ----a-w- c:\windows\QTFont.for
2010-03-09 03:28:15 0 d-----w- c:\program files\BoneTown
2010-02-28 04:52:57 0 d-----w- c:\program files\FOMS 2

==================== Find3M ====================

2010-02-28 01:45:10 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-01-18 22:11:49 4026 ----a-w- c:\windows\system32\tmp.reg
2010-01-12 06:17:44 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 06:17:44 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 06:17:44 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 06:17:44 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 06:17:44 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 06:17:40 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-01-12 04:03:33 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
2010-01-12 04:03:33 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-01-12 04:03:33 592488 ----a-w- c:\windows\system32\nvudisp.exe
2010-01-12 04:03:33 4104192 ----a-w- c:\windows\system32\nvcuda.dll
2010-01-12 04:03:33 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-01-12 04:03:33 2283526 ----a-w- c:\windows\system32\nvdata.bin
2010-01-12 04:03:33 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcodins.dll
2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcod.dll
2010-01-12 04:03:33 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
2010-01-12 04:03:33 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
2010-01-12 04:03:33 1081344 ----a-w- c:\windows\system32\nvapi.dll
2009-10-03 05:16:11 12880 ----a-w- c:\program files\common files\goragok._dl
2009-10-03 05:16:11 12262 ----a-w- c:\program files\common files\ylefaxogul.pif
2008-09-02 02:01:59 16434 ----a-w- c:\program files\common files\zymoxam.lib
2008-09-02 02:01:59 15147 ----a-w- c:\program files\common files\temab.scr
2008-09-02 02:01:59 13979 ----a-w- c:\program files\common files\ahodo.bin
2008-09-02 01:49:23 17562 ----a-w- c:\program files\common files\jeqes.dl
2008-09-02 01:49:23 17179 ----a-w- c:\program files\common files\birobaqer.dll
2008-09-02 01:49:23 12580 ----a-w- c:\program files\common files\uwipox._dl
2008-09-02 01:46:27 17878 ----a-w- c:\program files\common files\vyduda.ban
2009-08-02 08:39:31 2713 --sh--w- c:\windows\system32\babivaho.dll
2009-08-03 08:40:11 2713 --sh--w- c:\windows\system32\fanoziwo.dll
1601-01-01 00:12:31 0 --sha-w- c:\windows\system32\henebevi.dll
2009-08-02 08:39:30 2713 --sh--w- c:\windows\system32\lulivapa.dll
2009-08-03 08:40:12 2713 --sh--w- c:\windows\system32\redozese.dll
1601-01-01 00:12:31 0 --sha-w- c:\windows\system32\sohibesi.dll
1601-01-01 00:12:31 0 --sha-w- c:\windows\system32\tafivefi.dll
1601-01-01 00:12:31 0 --sha-w- c:\windows\system32\yawususi.dll

============= FINISH: 20:17:57.45 ===============
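A defender-side triage helper for the file-listing lines in the DDS log above, added here as an example (it is not part of the thread and not code from the DDS tool). It parses the `date time size attrs path` lines from the "Created Last 30" and "Find3M" sections and the `LSA: Notification Packages` line, flagging the traits a log reviewer looks for: Windows-epoch (1601) timestamps, system+hidden attributes, zero-byte executables and random-looking eight-letter names in system32, and LSA packages beyond the XP default `scecli`. The heuristics, thresholds and sample lines are constructed assumptions, not DDS behaviour.

```python
"""Triage helper for DDS 'Created Last 30' / 'Find3M' file-listing lines.

Added example, not part of the original thread or of the DDS tool. The
heuristics are assumptions modelled on what reviewers look for; the sample
lines are constructed in the shape of the entries in the log above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# DDS file line: "<date> <time> <size> <attrs> <path>", e.g.
# "2009-08-02 08:39:31 2713 --sh--w- c:\windows\system32\babivaho.dll"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# "LSA: Notification Packages = scecli <extra dlls...>"
LSA_RE = re.compile(r"^LSA: Notification Packages = (?P<pkgs>.+)$")
# On Windows XP the only package present by default is scecli (assumption
# stated for this example; verify against a known-clean reference system).
DEFAULT_LSA_PACKAGES = {"scecli"}

# Constructed sample log: five lines in the shape of the posted DDS output.
SAMPLE_LOG = """\
2010-01-12 06:17:44 154216 ----a-w- c:\\windows\\system32\\nvsvc32.exe
2010-03-24 04:20:29 0 ----a-w- c:\\windows\\system32\\dpwsocyc.dat
2009-08-02 08:39:31 2713 --sh--w- c:\\windows\\system32\\babivaho.dll
1601-01-01 00:12:31 0 --sha-w- c:\\windows\\system32\\henebevi.dll
2010-03-18 20:45:25 1409 ----a-w- c:\\windows\\QTFont.for
"""


@dataclass
class Finding:
    path: str
    reasons: list[str] = field(default_factory=list)


def parse_line(line: str) -> dict | None:
    """Split one DDS file line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    return entry


def _looks_random(stem: str) -> bool:
    # Eight lowercase letters and no digits (e.g. "henebevi") is typical of
    # generated names; a heuristic, not proof of anything.
    return re.fullmatch(r"[a-z]{8}", stem) is not None


def assess(entry: dict) -> list[str]:
    """Return the reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    path = entry["path"].lower()
    base = path.rsplit("\\", 1)[-1]
    stem, _, ext = base.rpartition(".")
    attrs = entry["attrs"]
    in_system32 = "\\system32\\" in path
    if entry["date"] == "1601-01-01":
        reasons.append("timestamp is the Windows epoch (1601): unset or forged")
    if "s" in attrs and "h" in attrs:
        reasons.append("file is marked system+hidden")
    if in_system32 and ext in ("dll", "exe") and entry["size"] == 0:
        reasons.append("zero-byte executable in system32")
    if in_system32 and ext in ("dll", "dat", "exe") and _looks_random(stem):
        reasons.append("random-looking 8-letter name in system32")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Run assess() over every file line in the log; keep flagged entries."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry["path"], reasons))
    return findings


def check_lsa(line: str) -> list[str]:
    """Return LSA notification packages beyond the default set."""
    m = LSA_RE.match(line.strip())
    if not m:
        return []
    return [p for p in m.group("pkgs").split()
            if p.lower() not in DEFAULT_LSA_PACKAGES]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
    print("extra LSA packages:",
          check_lsa(r"LSA: Notification Packages = scecli c:\windows\system32\henebevi.dll"))
```

Everything the script flags still needs a human decision; a vendor file with an odd name or a legitimately hidden file will trip the same heuristics.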


#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:07:03 AM

Posted 29 March 2010 - 01:38 AM

Hi lionheart5656,


Welcome to BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, I will be helping you to deal with your Malware problems today.


Step1
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.


Step2

Please download Malwarebytes' Anti-Malware from Here or Here
  1. Double Click mbam-setup.exe to install the application.
  2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  3. If an update is found, it will download and install the latest version.
  4. Once the program has loaded, select "Perform Quick Scan", then click Scan.
  5. The scan may take some time to finish, so please be patient.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Make sure that everything is checked, and click Remove Selected.
  8. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  9. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  10. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  11. You can refer to this tutorial

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

In your next reply, please post back:


1. ComboFix log
2. MBAM log
3. New DDS log

Thanks

#5 lionheart5656

lionheart5656
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 29 March 2010 - 01:45 PM

I uploaded all 3 files as attachments.

ComboFix got rid of what it decided were a few rootkits. That is included in the file.

I updated Malware and ran a quick scan. It got rid of about 11 infections.


While using google to get to this site, I was redirected once to some site that had nothing to do with my search. After retyping the search in google, I did not have this problem again. My guess is I still have something and so I still have not experimented to see if my comp works outside of safemode yet.

Thanks for your help and I hope this information is helpful to you.

#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:07:03 AM

Posted 29 March 2010 - 03:09 PM

Hi lionheart5656,



Please unplug your internet access after downloading the following necessary file. After performing the following steps, you may plug your internet access afterwards.

Besides that, your system seemed to have some files missing. If we can't locate those files in your system, you need to copy those files from another pc or get your installation disc handy. Advise me in next round. Thanks


Step 1
  1. Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  2. Close out all other open programs and windows.
  3. Double click the file to run it and follow any prompts.
  4. If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  5. Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

  6. Make sure you leave a space between helpasst and -mbrt !
  7. When it completes, a log will open.
  8. Please post the contents of that log.

*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or leave your computer with an infected MBR (the latter not recommended).


Step 2
  1. Close any open browsers
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Go here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
FCopy::
c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys | c:\windows\system32\dllcache\tcpip.sys
SRPeek::
c:\windows\system32\proquota.exe
c:\windows\System32\drivers\beep.sys
MIA::
c:\windows\system32\proquota.exe
c:\windows\System32\drivers\beep.sys
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"3294:TCP"=-
"2397:TCP"=-
"3389:TCP"=-
"3383:TCP"=-
"5266:TCP"=-
Driver::
jseplndk
a820d055
srenum
cel90xbe
DDS::
BHO: {6ed149c9-c844-4f3c-8073-09e570bc9463} - No File

Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



In your next reply, please post back:

1. Helpasst.log
2. ComboFix log

Tell me if you have any remaining issues on your pc.
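As an added example that is not from the thread or from ComboFix: the Registry:: section of the CFScript above re-enables the Windows Firewall and deletes GloballyOpenPorts entries by name. The Python below parses a constructed .reg export of that key, flags entries outside an assumed allow-list, and emits the matching Registry:: block; the sample export and the allow-list are constructed here, not captured from the poster's system.

```python
import re

# Constructed sample of a .reg export of the XP firewall policy key; the
# unexpected ports mirror entries the CFScript above deletes. Not a real capture.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"65533:TCP"="65533:TCP:*:Enabled:ntfs"
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"2397:TCP"="2397:TCP:*:Enabled:svchost"
'''

# Assumed baseline: the ports XP's own File and Printer Sharing exception opens.
ALLOWED = {"139:TCP", "445:TCP", "137:UDP", "138:UDP"}

STD_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"
VALUE_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=(.*)$')

def parse_open_ports(reg_text):
    r"""Return {name: value} for entries under ...\GloballyOpenPorts\List."""
    ports, in_list = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # a new key header
            in_list = line.endswith(r"\GloballyOpenPorts\List]")
            continue
        m = VALUE_RE.match(line) if in_list else None
        if m:
            ports[m.group(1)] = m.group(2)
    return ports

def firewall_enabled(reg_text):
    """True when EnableFirewall under StandardProfile is dword 1."""
    m = re.search(r'"EnableFirewall"=dword:([0-9a-fA-F]{8})', reg_text)
    return bool(m) and int(m.group(1), 16) == 1

def suspicious_ports(ports, allowed=ALLOWED):
    """Open-port entries not on the allow-list, lowest port first."""
    return sorted((n for n in ports if n not in allowed),
                  key=lambda n: int(n.split(":")[0]))

def cfscript_registry_section(reg_text):
    """Emit a Registry:: block in the CFScript syntax used in the post above."""
    lines = ["Registry::"]
    if not firewall_enabled(reg_text):
        lines += [STD_KEY, '"EnableFirewall"=dword:00000001']
    lines.append(STD_KEY[:-1] + r"\GloballyOpenPorts\List]")
    lines += [f'"{name}"=-' for name in suspicious_ports(parse_open_ports(reg_text))]
    return "\n".join(lines)
```

Calling `cfscript_registry_section(SAMPLE_REG)` yields the EnableFirewall line plus one `"port:TCP"=-` deletion per unexpected entry, so the allow-list is what decides what gets removed.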

#7 lionheart5656

lionheart5656
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 29 March 2010 - 05:15 PM

Here are the 2 logs. The one named log is the combo fix log.

Google still redirects my searches occasionally.

I haven't checked on the freezing issue. Though since nothing has seemingly changed, I can probably assume it's still there.



Also, does my attachment space allowance ever reset? Just curious.


Edit: Checked to see if the freezing issue is still there and it is.

Edited by lionheart5656, 29 March 2010 - 05:57 PM.


#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:07:03 AM

Posted 29 March 2010 - 07:16 PM

Hi lionheart5656,


QUOTE
Advise me in the next round. Thanks

Please report what I outlined above.

Please rerun Step 1 as instructed in my previous post. You need to run the following first:

QUOTE
*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.


After that, please proceed with Step 1, and post the log in your next reply.


#9 lionheart5656

lionheart5656
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 30 March 2010 - 01:17 AM

Ok looks like I forgot to mention the missing files. I don't have an installation disk handy. As long as the files have nothing to do with Microsoft Office 2007, I may have a computer I could retrieve the files from if you can tell me exactly where and how to get them and where to put them (which I imagine are the same place). Also, I will obviously need to know which files they are.


Also, as far as Step 1. I followed your instructions exactly the first time but I did it again and I made sure that I again closely followed your instructions. Please let me know if this log helps you more than the last.

Thanks again!

Edited by lionheart5656, 30 March 2010 - 01:19 AM.


#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:07:03 AM

Posted 30 March 2010 - 02:07 AM

Hi lionheart5656,


QUOTE
I may have a computer...

Is that PC running the same OS as this one? That is, it should be Windows XP Professional. When running ComboFix, your system should have installed the Recovery Console. Can you verify it? Advise me in your next reply.

QUOTE
as far as Step 1. I followed your instructions exactly the first time

If you review the log, you might notice it didn't work. You needed to proceed to the next move (mbr -f) as instructed in my previous post. OK, let's try another approach.

If it still doesn't work, we will need to boot into the Recovery Console to fix your MBR. Please copy the following instructions into Notepad and unplug your internet access one more time.


Step 1

Please highlight and copy the contents of the code box below.

CODE
@echo off
rem Reset the permissions on the orphaned ProfileList entry, then delete it.
swreg acl "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-776561741-1757981266-682003330-1000" /reset
swreg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-776561741-1757981266-682003330-1000" /f
exit
cls
  1. Click Start>Run and type cmd then hit Enter to open a command window.
  2. Right click in the command window and select paste.
  3. The commands will execute quickly and the command window will close on its own.
  4. Please close it afterwards.
Step 2
  1. Start button >Run and type cmd into the run box and press Enter, and at the prompt type the following:
  2. cd\ <----Press Enter, it will bring you to the C drive.
  3. At the C:\ command prompt type in mbr.exe -f (be sure to place a space after "mbr.exe") <---Press Enter
  4. Then type Exit <--Press Enter
  5. A log file will be produced and found at the root of the drive where mbr.exe is saved (eg: C:\mbr.txt)
Step 3
  1. Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  2. Close out all other open programs and windows.
  3. Double click the file to run it and follow any prompts.
  4. If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  5. Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

  6. Make sure you leave a space between helpasst and -mbrt !
  7. When it completes, a log will open.
  8. Please post the contents of that log.
In your next reply, please post back:

1. MBR log
2. Helpasst.log

Thanks

Edited by sundavis, 30 March 2010 - 02:20 AM.


#11 lionheart5656

lionheart5656
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 30 March 2010 - 11:24 AM

The other computer does have XP professional, I was only worried because my comp has Office 2007 but the other one still has the older version of Office.

Also, yes I did install the Recovery Console in case we needed it which it seems we do.

Here are the other 2 logs.

I looked into the helpasst log and saw that it is having trouble removing termsv32.dll. I found termsv.dll but I could not find the one it mentioned in the system32 folder. It says it will remove on restart but it's not doing that for some reason.


Sorry I can't be of more help to you. This process is moving beyond my realm of understanding with computers.

#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:07:03 AM

Posted 30 March 2010 - 02:00 PM

Hi lionheart5656,



QUOTE
This process is moving beyond my realm of understanding with computers

Your system was infected by a brand new rootkit variant which rewrote your MBR, and the system will be infected again if the new critter is still present.

Looks better, but we still have some work to do. For your peace of mind, I would like you to do the following:


Step 1

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console



4. You must enter which Windows installation to log onto. Type 1 and press Enter.

5. At the C:\Windows prompt, type FIXMBR, and press Enter.

6. If you are prompted "Are you sure you want to write a new MBR?", type Y.

7. When done, type EXIT to reboot the PC to normal mode.


Step 2
  1. Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  2. Close out all other open programs and windows.
  3. Double click the file to run it and follow any prompts.
  4. If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  5. Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

  6. Make sure you leave a space between helpasst and -mbrt !
  7. When it completes, a log will open.
  8. Please post the contents of that log.


Step 3

Please copy the following bolded files from another PC to the same file paths on this one.

c:\windows\system32\proquota.exe

c:\windows\System32\drivers\beep.sys

After that, please delete the current copy of ComboFix and download a new one to run it.



In your next reply, please post back:

1. Helpasst.log
2. ComboFix log

Let me know if you have any remaining issues on your pc.
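As an added example, not from the thread or from the tools it uses: the rootkit above rewrote the MBR and FIXMBR repaired it. FIXMBR replaces the 446-byte bootstrap code and leaves the partition table in place, so a useful defender's check is whether the boot code differs from a trusted copy while the partition table is unchanged. The sectors below are constructed in memory (no disk is read), and the clean boot code is a deterministic stand-in, not real loader code.

```python
import hashlib
import struct

BOOTSTRAP_LEN = 446      # boot code occupies offsets 0..445
PTABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"  # boot signature at offset 510

def make_mbr(boot_code, partitions):
    """Build a 512-byte MBR from boot code and (active, type, start_lba, sectors) tuples."""
    sector = bytearray(boot_code.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN])
    for active, ptype, start_lba, sectors in partitions:
        # status, CHS start (zeroed), type, CHS end (zeroed), LBA start, LBA count
        sector += struct.pack("<B3sB3sII", 0x80 if active else 0, b"\x00" * 3,
                              ptype, b"\x00" * 3, start_lba, sectors)
    sector += b"\x00" * 16 * (4 - len(partitions))   # unused entries
    return bytes(sector + SIGNATURE)

def parse_mbr(sector):
    """Return (sha256 of bootstrap, list of used partition entries, signature_ok)."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_hash = hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest()
    parts = []
    for i in range(4):
        status, ptype, lba, sectors = struct.unpack_from("<B3xB3xII", sector, PTABLE_OFF + 16 * i)
        if ptype:   # type 0 marks an empty slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": sectors})
    return boot_hash, parts, sector[510:] == SIGNATURE

def check_mbr(current, baseline):
    """List what differs between the current sector and a trusted baseline."""
    cur_hash, cur_parts, cur_sig = parse_mbr(current)
    base_hash, base_parts, _ = parse_mbr(baseline)
    findings = []
    if not cur_sig:
        findings.append("boot signature missing")
    if cur_parts != base_parts:
        findings.append("partition table changed")
    if cur_hash != base_hash:
        findings.append("bootstrap code differs from baseline")
    return findings

def rewrite_bootstrap(current, clean_boot):
    """A FIXMBR-style repair: fresh boot code, the disk's own partition table kept."""
    return clean_boot.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN] + current[BOOTSTRAP_LEN:]

# Constructed samples (no real disk is read): a deterministic stand-in for clean
# boot code, one active NTFS partition, and a copy whose first bytes were
# overwritten the way a bootkit patches the loader while keeping the partitions.
CLEAN_BOOT = bytes(range(256)) * 2
DISK = [(True, 0x07, 63, 156296322)]
CLEAN_MBR = make_mbr(CLEAN_BOOT, DISK)
INFECTED_MBR = make_mbr(b"\xeb\x3c\x90" + CLEAN_BOOT[3:], DISK)
```

`check_mbr(INFECTED_MBR, CLEAN_MBR)` reports only the bootstrap difference, and after `rewrite_bootstrap` the same check comes back clean, which is the outcome the FIXMBR step above is meant to produce.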

#13 lionheart5656

lionheart5656
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 30 March 2010 - 04:41 PM

I did everything I could from what you asked me to which leads me to having good and bad news.

The good news is I have been working on my computer for about 15 min and it's not freezing. I also have the helpasst log for you.




The bad news is 3 things. When going to Start>Programs the file is completely empty even though it shows in program files folder just fine. Unfortunately, besides my game I'm not sure how to access anything such as Microsoft Office.


Also, when going to Start>Search, it doesn't work anymore. I tried bypassing it by opening a folder and clicking on search. First it takes me to ask a question rather than search for something like it usually did. Then I tell it to search for something and it tells me "Unexpected Error Action Could not be completed". So my search function no longer works.


Lastly, whenever I try running Combo Fix it makes a new system restore point and then tries to scan. The computer then gives me a blue screen stating that windows needs to shutdown to prevent damage to my computer since an important process was terminated. So therefore I cannot get you a Combo Fix log.

I guess the good part here is we're making progress.



Edit: I also seem to be missing a Recycle Bin and I can't install at least some things. To be specific, It will not let me update/install my Adobe Air.

Edited by lionheart5656, 30 March 2010 - 05:50 PM.


#14 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:07:03 AM

Posted 30 March 2010 - 08:55 PM

Hi lionheart5656,



Well done. The pesky rootkit is finally gone. Let's try to troubleshoot your system problems.

QUOTE
Programs the file is completely empty even though it shows in program files folder just fine.

Go to Start>> Run >> Copy/paste the following bolded command into the run box and press Enter.

regsvr32 /i shell32.dll

After that, restart your pc. Your programs should now be restored to the All Programs menu.

QUOTE
Start>Search, it doesn't work anymore.

Please go to this thread, and proceed with Method 2 and Method 3. Reboot your PC afterwards.


QUOTE
I also seem to be missing a Recycle Bin

Right click this thread and save this file to your desktop. Double click on this file and let it merge into registry. Restart your pc.


QUOTE
whenever I try running Combo Fix it makes a new system restore point and then tries to scan...

Start > Run, and type: MSConfig. Press Enter. In the General tab, Startup Selection, choose: Normal Startup - load all device drivers and services. Press OK until you are out of the program.

Please delete the current copy of CF, and download new one. Disable your antivirus before proceeding. Click Start button > Run > copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply. If still not working, please go to safe mode and run it.


In your next reply, please post back:

1. ComboFix log
2. New DDS log

Let me know if you still have any concerns on your pc.


#15 lionheart5656

lionheart5656
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 30 March 2010 - 10:13 PM

Good news! We fixed my search function and recycle bin.

Bad news. Start>Programs remains empty even after trying what you stated and restarting my computer twice.

Also, I tried to type MSConfig into Start>Run. To make sure, I copied and pasted what you typed. It tells me "Windows cannot find Msconfig". I'm guessing that can't possibly be good. Because I was unable to complete this step, I did not continue into the following steps for this particular problem.

Also, unfortunately I have been running everything from Safe Mode. Combo Fix was crashing my comp IN safe mode. Still is.

Sadly, all I can get for you is a new DDS log. =/



P.S. I still can't install/update my Adobe Air. Does that have anything to do with my CD emulations being turned off? Or is there another way we should solve this problem?

Thanks!
