crypt.xpack.gen3 infection

3 replies to this topic

#1 Basacag


Posted 31 October 2010 - 03:33 PM

Hi Folks

I picked up on this with AVG; it started running some auto function and may have removed some files. I think they were just game files.
I have since run Malwarebytes and Trojan Remover, which isolated about 30 files. Then my PC started acting up even more. AVG runs ID shield and tells me I have several infected files. Meanwhile everything goes slow and I see svchost taking 99% of the CPU in Task Manager. (Posting from my son's PC.)

So in safe mode I ran Malwarebytes and TR again and there were no more reports. However, ParetoLogic Health Advisor picked up 900+ issues.

I have followed the prep guide and have attached the files as requested. They were run in safe mode. Not sure if I can start my PC normally; will give it a try if the logs need to be run in normal mode.

Gratefully awaiting your assistance


DDS (Ver_10-10-31.01) - NTFSx86 NETWORK
Run by Ian Hayward at 19:06:19.43 on 31/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.684 [GMT 0:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\Windows\system32\svchost -k DcomLaunch
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k NetworkService
C:\Documents and Settings\Ian Hayward\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\microsoft\watermark.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: {7FB0B515-5C6C-4EA4-8E21-041E356A6A2B} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
BHO: FreecycleMemberBHO Class: {c3e5e149-27b7-49d1-8420-b02ac52af663} - c:\program files\freecycle\FreecycleMember.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\7.0.517.43\npchrome_frame.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Windows Registers] winservicess.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Raptr] c:\progra~1\raptr\raptrstub.exe --startup
uRun: [{A55DA669-AEDA-82F2-0C66-D714FDB3A657}] "c:\documents and settings\ian hayward\application data\amewo\udrio.exe"
mRun: [SystemTray] SysTray.Exe
mRun: [EPSON Stylus Photo RX620 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9HE.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\documents and settings\ian hayward\start menu\programs\startup\logtec32.exe
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - c:\program files\gamingclubmpp\MPPoker.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: photographersdirect.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/
DPF: Internet Explorer Classes for Java - file://c:\windows\system\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus1.firstdirect.com/ibplus/frontdoorFD.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {1B735B98-8010-11D5-AD0B-00500463D885} - hxxp://www.partsarena.com/baxi/Plugins/IMIESRCH.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {36C17E9B-3354-11D1-95CF-0000B4530F04} - hxxp://www.partsarena.com/baxi/Plugins/GFXVIEW.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,83/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,20/mcgdmgr.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\7.0.517.43\npchrome_frame.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-3-1 390528]
S1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\19917\RapportCerberus_19917.sys [2010-10-3 34792]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-15 54752]
S2 gupdate1c9c1e1ceb09090;Google Update Service (gupdate1c9c1e1ceb09090);c:\program files\google\update\GoogleUpdate.exe [2009-4-20 133104]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
S3 alcan5ln;SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2004-9-17 36256]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-20 517448]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 BDA_Capture_225;USB Digital-TV receiver Driver;c:\windows\system32\drivers\bda_capture_225.sys --> c:\windows\system32\drivers\BDA_Capture_225.sys [?]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader;c:\windows\system32\drivers\BDA_Loader_225.sys [2008-6-17 18944]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\ianhay~1\locals~1\temp\gusbstoi.sys --> c:\docume~1\ianhay~1\locals~1\temp\gUSBSTOi.sys [?]
S3 UMSSSTOR;C-Media Storage;c:\windows\system32\drivers\umss.sys --> c:\windows\system32\drivers\UMSS.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\wpro_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]

=============== Created Last 30 ================

2010-10-31 18:54:17 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Zaawq
2010-10-31 18:54:17 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Amewo
2010-10-31 17:36:04 -------- d-----w- c:\docume~1\ianhay~1\applic~1\DriverCure
2010-10-31 17:36:02 -------- d-----w- c:\docume~1\ianhay~1\applic~1\ParetoLogic
2010-10-31 17:35:56 -------- d-----w- c:\program files\common files\ParetoLogic
2010-10-31 17:35:54 -------- d-----w- c:\program files\ParetoLogic
2010-10-31 17:35:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-10-31 13:50:31 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Cytuqa
2010-10-31 13:50:31 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Adla
2010-10-30 23:29:32 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Okug
2010-10-30 23:29:32 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Eruhke
2010-10-30 18:26:19 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Louggu
2010-10-30 18:26:19 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Dyoh
2010-10-30 18:26:11 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Ofuq
2010-10-30 18:26:11 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Efos
2010-10-30 13:22:04 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Ezopa
2010-10-30 13:22:04 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Bozau
2010-10-29 17:11:34 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Ipysg
2010-10-29 17:11:34 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Etvawa
2010-10-29 08:44:53 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Ypciy
2010-10-29 08:44:53 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Uxyko
2010-10-28 22:09:06 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Omiko
2010-10-28 22:09:06 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Diyxo
2010-10-28 17:04:06 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Oniry
2010-10-28 17:04:06 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Eful
2010-10-28 11:41:24 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Ruvyhi
2010-10-28 11:41:24 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Imgyku
2010-10-28 08:30:27 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Taasdy
2010-10-28 08:30:27 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Ikfo
2010-10-27 16:41:09 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Owgaul
2010-10-27 16:41:09 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Azxuog
2010-10-27 16:32:24 -------- d-----w- c:\program files\temp
2010-10-26 22:09:54 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Malwarebytes
2010-10-26 22:09:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 22:09:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-26 22:09:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-26 22:09:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 22:06:35 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-10-26 22:06:35 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-10-26 22:06:35 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-10-26 22:06:35 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-10-26 22:06:34 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-10-26 22:06:33 -------- d-----w- c:\program files\Trojan Remover
2010-10-26 22:06:33 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Simply Super Software
2010-10-26 22:06:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-10-26 19:00:05 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Yxeziz
2010-10-26 19:00:05 -------- d-----w- c:\docume~1\ianhay~1\applic~1\Avys
2010-10-26 13:54:51 -------- d-----w- c:\program files\tmp
2010-10-20 09:45:30 -------- d-----w- c:\docume~1\ianhay~1\applic~1\AVG10
2010-10-20 09:09:46 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-10-20 09:08:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-10-20 09:03:18 -------- d-----w- c:\windows\system32\drivers\AVG
2010-10-20 09:03:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-10-20 00:24:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-14 20:16:28 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 20:16:28 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 20:15:59 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-03 22:43:44 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

==================== Find3M ====================

2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 19:09:11.60 ===============

I am away until Monday, so if anyone picks this up please be aware I am not ignoring you. I will check again when I get back.



EDIT: Posts merged ~BP

Attached Files

Edited by Budapest, 04 November 2010 - 04:14 PM.
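As an added triage aid (not part of the original post, and not a DDS or BleepingComputer tool), the Python script below scans the "Pseudo HJT Report" section of a DDS log like the one above and lists the autostart entries a reviewer would verify first: extra Userinit entries, GUID-named or user-profile Run values, bare file names, startup-folder items and orphaned "No File" registrations. The sample lines are copied from the log above; the heuristics are my own assumptions, and a hit means "check this", not "malware".

```python
"""Heuristic triage of the 'Pseudo HJT Report' section of a DDS log.

Added example: every rule here is an assumption about what deserves a second
look, not a verdict. A finding means 'verify this entry', nothing more.
"""
import re
from typing import Dict, List

# Sample lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\microsoft\watermark.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [Windows Registers] winservicess.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{A55DA669-AEDA-82F2-0C66-D714FDB3A657}] "c:\documents and settings\ian hayward\application data\amewo\udrio.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\documents and settings\ian hayward\start menu\programs\startup\logtec32.exe
"""

# The stock Windows XP Userinit value is a single entry; anything else is extra.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUN_RE = re.compile(r"^[um]Run: \[([^\]]*)\]\s*(.*)$")
# Path of the launched file: optional opening quote, then up to the first known extension.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|bat|cmd))', re.I)
# Per-user writable locations that are unusual homes for a legitimate autostart.
USER_DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")


def target_of(value: str) -> str:
    """Return the launched file from a Run value, without quotes or arguments, lower-cased."""
    m = EXE_RE.match(value.strip())
    return (m.group(1) if m else value.strip()).lower()


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding ({'line', 'reason'}) per heuristic hit, in log order."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("mWinlogon: Userinit="):
            entries = [e.strip().lower() for e in line.split("=", 1)[1].split(",") if e.strip()]
            for extra in (e for e in entries if e != DEFAULT_USERINIT):
                findings.append({"line": line, "reason": f"extra Userinit entry: {extra}"})
        elif line.endswith("- No File"):
            # BHO/TB/EB registration whose DLL is gone: leftover of a removal or a broken install.
            findings.append({"line": line, "reason": "orphaned registration (No File)"})
        elif line.startswith("StartupFolder:"):
            findings.append({"line": line, "reason": "startup-folder item, verify the file"})
        else:
            m = RUN_RE.match(line)
            if not m:
                continue
            name, target = m.group(1), target_of(m.group(2))
            if GUID_RE.match(name):
                findings.append({"line": line, "reason": "GUID-named Run value"})
            if any(d in target for d in USER_DATA_DIRS):
                findings.append({"line": line, "reason": "autostart from user data directory"})
            elif "\\" not in target:
                # Low-confidence signal: OEM tray tools also do this, so check what PATH resolves.
                findings.append({"line": line, "reason": f"bare file name '{target}', resolved via PATH"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:50} <- {f['line'][:70]}")
```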

#2 gringo_pr


  Malware Response Team
  136,772 posts
Posted 08 November 2010 - 01:11 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Do not attach logs unless I ask you to.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note: If you are having problems posting the complete logs into this thread, upload them here http://www.rapidshare.com/ and post the links in this thread.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.
Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both logs & post in your next reply.


Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.

Information and logs:

In your next post I need the following:

1. Logs from DDS
2. Log from GMER
3. Let me know of any problems you may have had

#3 gringo_pr


  Malware Response Team
  136,772 posts
Posted 11 November 2010 - 12:40 AM


Three-day bump

It has been three days since my last post.

  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread, then it will have to be closed!

#4 gringo_pr


  Malware Response Team
  136,772 posts
Posted 14 November 2010 - 12:39 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.

With Regards,
