
Definitely Infected - Need some expert help


84 replies to this topic

#1 obmar

obmar

  • Members
  • 54 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 06 August 2011 - 10:14 AM

Picked up Vista Security 2012 last night somewhere.

I've been infected by this before - and I had been successful removing it - not this time...

I seemed to get rid of it last night after using Rkill and then a Malwarebytes scan - it picked up some things and removed them - seemed fine, rebooted and went to bed.

This morning everything is back. AND Malwarebytes won't run - it says I don't have permission. AND I'm getting nasty redirects in my browsers too.

Things I have tried:
Safe mode Malwarebytes - won't run - don't have permissions - tried renaming but I don't have rights to do that either, it seems...
ESET online scan - found nothing
Rkill only kills svchost

Would someone be willing to work with me on this?

Vista 32

Edited by obmar, 06 August 2011 - 10:16 AM.



#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:10:27 AM

Posted 06 August 2011 - 10:27 AM

Hi obmar,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button, select Immediate Notification and click Proceed. This will get you notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

:step1: Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer Log Errors
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go . Please put code boxes around just this entire log, like this, but without the letter x: [xcode] MiniToolBox log [/xcode]

:step2: Let's try rebooting into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu with several options. Press the down arrow key on your keyboard until Safe Mode with Networking is selected. Press Enter. Please see here for additional details.

:step3: This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.

FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)

Once that file is downloaded and saved on the removable device, insert the removable device into the infected computer and open the folder for the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer. You should now be able to run your normal executable programs and can proceed to the next step.

If you do not have any removable media or another clean computer that you can download the FixNCR.reg file onto, you can try and download it to your infected computer using another method. On the infected computer, right click on the Internet Explorer's icon, or any other browser's icon, and select Run As or Run as Administrator. If you are using Windows XP, you will be prompted to select a user and enter its password. It is suggested that you attempt to login as the Administrator user. For Windows 7 or Windows Vista, you will be prompted to enter your Administrator account password.

Once you enter the password, your browser will start and you can download the above FixNCR.reg file. When saving it, make sure you save it to a folder that can be accessed by your normal account. Remember that you will be launching the browser as another user, so if you save it to a My Documents folder, it will not be your normal My Documents folder that it is downloaded into. Instead it will be the My Documents folder that belongs to the user you ran the browser as. Once the download has finished, close your browser and find the FixNCR.reg file that you downloaded. Now double-click on it and allow the data to be merged. You should now be able to run your normal executable programs and can proceed to the next step.

:step4: Use Inherit.exe to fix inappropriate permissions.
Use this fix when you see a box that states "Windows cannot access the specified device, path, or file. You may have inappropriate permissions to access the item".

Download This File
Save it next to mbam.exe (this file is located in the Malwarebytes Anti-malware home folder). Once done, drag and drop mbam.exe into Inherit.exe. Click OK and attempt to run Malwarebytes Anti-malware once again.

:step5: Rerun Malwarebytes
Still in Safe Mode with Networking, open Malwarebytes, click on the Update tab, and click the check for Updates button. (The latest update is 7393)
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you have trouble updating, troubleshoot Malwarebytes' Anti-Malware

Edited by jntkwx, 06 August 2011 - 10:31 AM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif
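The .exe association hijack that step 3 above describes can be audited before and after merging FixNCR.reg. The following is an added example, not code from the thread or from FixNCR.reg; it assumes the standard Vista/7 values (`.exe` maps to the `exefile` ProgId, whose open command is `"%1" %*`), reads the registry only, and changes nothing.

```powershell
# Read-only audit of the .exe file association (added example, not FixNCR.reg).
# HKCR is a merged view in which HKCU\Software\Classes takes precedence over
# HKLM\SOFTWARE\Classes, so a per-user .exe entry alone is enough to redirect
# every program launch; both roots are therefore inspected separately.
# Assumed clean values (Windows Vista/7):
#   <root>\.exe                        (default) = exefile
#   <root>\exefile\shell\open\command  (default) = "%1" %*

$ExpectedProgId  = 'exefile'
$ExpectedCommand = '"%1" %*'

function Get-DefaultValue {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # The registry provider exposes the unnamed (default) value as '(default)'.
    (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

function Get-ExeAssociation {
    param([string]$ClassesRoot)   # e.g. HKLM:\SOFTWARE\Classes
    $progId  = Get-DefaultValue (Join-Path $ClassesRoot '.exe')
    $command = $null
    if ($progId) {
        # Follow whatever ProgId .exe points to, not just 'exefile', so a
        # redirect to a renamed ProgId is still reported.
        $command = Get-DefaultValue (Join-Path $ClassesRoot "$progId\shell\open\command")
    }

    if ($ClassesRoot -like 'HKCU:*') {
        # A normal install creates no per-user .exe association at all.
        if ($progId) { $status = "SUSPICIOUS: per-user .exe override -> '$progId' ($command)" }
        else         { $status = 'OK (no per-user override)' }
    }
    elseif ($progId -ne $ExpectedProgId)   { $status = "SUSPICIOUS: .exe ProgId is '$progId'" }
    elseif ($command -ne $ExpectedCommand) { $status = "SUSPICIOUS: open command is '$command'" }
    else                                   { $status = 'OK' }

    New-Object PSObject -Property @{
        Root    = $ClassesRoot
        ProgId  = $progId
        Command = $command
        Status  = $status
    }
}

$results = foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
    Get-ExeAssociation $root
}
$results | Format-List Root, ProgId, Command, Status

$bad = @($results | Where-Object { $_.Status -like 'SUSPICIOUS*' })
if ($bad.Count -gt 0) {
    Write-Warning 'The .exe association deviates from the standard values; restore it (e.g. by merging FixNCR.reg obtained from a clean machine) before trusting any program launch.'
}
```

Run it from an elevated PowerShell prompt; a clean machine reports `OK` for HKLM and `OK (no per-user override)` for HKCU.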


#3 obmar

obmar
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 06 August 2011 - 10:31 AM

Thanks for the reply - quick question - I have a restore point from every day for the last 4 days - a scheduled checkpoint - should I simply try that?

In the meantime I'll pull down these apps and have them ready just in case.

#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:10:27 AM

Posted 06 August 2011 - 10:32 AM

Thanks for the reply - quick question - I have a restore point from every day for the last 4 days - a scheduled checkpoint - should I simply try that?

In the meantime I'll pull down these apps and have them ready just in case.


That's an option, but malware tends to infect restore points, so I don't suggest trying that. Also note, I edited my original post to include some extra steps.
Regards,
Jason



#5 obmar

obmar
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 06 August 2011 - 10:40 AM

MiniToolBox: got an error from nslookup.exe - "the ordinal 1108 could not be located in the dynamic library wsock32.dll" - but it finished:

MiniToolBox by Farbar 
Ran by Derek (administrator) on 06-08-2011 at 10:35:40
Windows Vista (TM) Ultimate Service Pack 2 (X86)

***************************************************************************

========================= IE Proxy Settings: ============================== 

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ============================== 

Hosts file not detected in the default diroctory

========================= IP Configuration: ================================

The following helper DLL cannot be loaded: WSHELPER.DLL.
The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: int ip dump.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DerekVista
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : austin.rr.com

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : austin.rr.com
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 6C-F0-49-74-EB-EB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:adac:6307:0:3da3:b91d:39a8:a361(Preferred) 
   Temporary IPv6 Address. . . . . . : 2002:adac:6307:0:592f:5801:c885:a6ef(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::3da3:b91d:39a8:a361%13(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, August 06, 2011 10:16:55 AM
   Lease Expires . . . . . . . . . . : Sunday, August 07, 2011 10:16:56 AM
   Default Gateway . . . . . . . . . : fe80::222:6bff:fe56:9eea%13
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 242020425
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0D-D5-86-3B-00-1A-92-83-00-BD
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       209.18.47.61
                                       209.18.47.62
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 10:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : isatap.austin.rr.com
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Pinging google.com [74.125.73.104] with 32 bytes of data:
Reply from 74.125.73.104: bytes=32 time=24ms TTL=50
Reply from 74.125.73.104: bytes=32 time=36ms TTL=50
Ping statistics for 74.125.73.104:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 36ms, Average = 30ms

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=17ms TTL=52
Reply from 209.191.122.70: bytes=32 time=18ms TTL=52
Ping statistics for 209.191.122.70:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 18ms, Average = 17ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
 13 ...6c f0 49 74 eb eb ...... Realtek PCIe GBE Family Controller
  1 ........................... Software Loopback Interface 1
 10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 15 ...00 00 00 00 00 00 00 e0  isatap.austin.rr.com
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.101     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.101    266
    192.168.1.101  255.255.255.255         On-link     192.168.1.101    266
    192.168.1.255  255.255.255.255         On-link     192.168.1.101    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.101    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.101    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 13   4106 ::/0                     fe80::222:6bff:fe56:9eea
  1    306 ::1/128                  On-link
 13     18 2002:adac:6307::/64      On-link
 13    266 2002:adac:6307:0:3da3:b91d:39a8:a361/128
                                    On-link
 13    266 2002:adac:6307:0:592f:5801:c885:a6ef/128
                                    On-link
 13    266 fe80::/64                On-link
 13    266 fe80::3da3:b91d:39a8:a361/128
                                    On-link
  1    306 ff00::/8                 On-link
 13    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/06/2011 10:17:15 AM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (08/06/2011 10:07:10 AM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (08/06/2011 09:55:49 AM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (08/06/2011 09:53:29 AM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (08/06/2011 09:34:53 AM) (Source: Application Error) (User: )
Description: Faulting application GoogleToolbarUser_32.exe, version 7.1.1920.1238, time stamp 0x4e26d3f7, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0041cd10,
process id 0x112c, application start time 0xGoogleToolbarUser_32.exe0.

Error: (08/06/2011 09:34:47 AM) (Source: Application Error) (User: )
Description: Faulting application GoogleToolbarUser_32.exe, version 7.1.1920.1238, time stamp 0x4e26d3f7, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0041cd10,
process id 0xea0, application start time 0xGoogleToolbarUser_32.exe0.

Error: (08/06/2011 09:34:46 AM) (Source: Application Error) (User: )
Description: Faulting application GoogleToolbarUser_32.exe, version 7.1.1920.1238, time stamp 0x4e26d3f7, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0041cd10,
process id 0x14fc, application start time 0xGoogleToolbarUser_32.exe0.

Error: (08/06/2011 09:34:44 AM) (Source: Application Error) (User: )
Description: Faulting application GoogleToolbarUser_32.exe, version 7.1.1920.1238, time stamp 0x4e26d3f7, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0041cd10,
process id 0x20c, application start time 0xGoogleToolbarUser_32.exe0.

Error: (08/06/2011 09:34:42 AM) (Source: Application Error) (User: )
Description: Faulting application GoogleToolbarUser_32.exe, version 7.1.1920.1238, time stamp 0x4e26d3f7, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0041cd10,
process id 0xa78, application start time 0xGoogleToolbarUser_32.exe0.

Error: (08/06/2011 09:34:39 AM) (Source: Application Error) (User: )
Description: Faulting application GoogleToolbarUser_32.exe, version 7.1.1920.1238, time stamp 0x4e26d3f7, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0041cd10,
process id 0x5a8, application start time 0xGoogleToolbarUser_32.exe0.


System errors:
=============
Error: (08/06/2011 10:27:16 AM) (Source: DCOM) (User: )
Description: 1084wuauserv{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (08/06/2011 10:18:09 AM) (Source: Service Control Manager) (User: )
Description: AsIO
i8042prt
SCDEmu
spldr
Wanarpv6

Error: (08/06/2011 10:18:09 AM) (Source: Service Control Manager) (User: )
Description: Computer BrowserServer%%1068

Error: (08/06/2011 10:18:09 AM) (Source: Service Control Manager) (User: )
Description: NVIDIA Display Driver Servicenvlddmkm

Error: (08/06/2011 10:17:33 AM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (08/06/2011 10:17:23 AM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (08/06/2011 10:17:17 AM) (Source: DCOM) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (08/06/2011 10:17:15 AM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/06/2011 10:17:08 AM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (08/06/2011 09:54:24 AM) (Source: Service Control Manager) (User: )
Description: AsIO
i8042prt
SCDEmu
spldr
Wanarpv6


Microsoft Office Sessions:
=========================
Error: (08/06/2011 10:17:15 AM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (08/06/2011 10:07:10 AM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (08/06/2011 09:55:49 AM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (08/06/2011 09:53:29 AM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (08/06/2011 09:34:53 AM) (Source: Application Error)(User: )
Description: GoogleToolbarUser_32.exe7.1.1920.12384e26d3f7unknown0.0.0.000000000c00000050041cd10112c01cc5446014b88a2

Error: (08/06/2011 09:34:47 AM) (Source: Application Error)(User: )
Description: GoogleToolbarUser_32.exe7.1.1920.12384e26d3f7unknown0.0.0.000000000c00000050041cd10ea001cc5445fdfcd2d2

Error: (08/06/2011 09:34:46 AM) (Source: Application Error)(User: )
Description: GoogleToolbarUser_32.exe7.1.1920.12384e26d3f7unknown0.0.0.000000000c00000050041cd1014fc01cc5445fcfdd962

Error: (08/06/2011 09:34:44 AM) (Source: Application Error)(User: )
Description: GoogleToolbarUser_32.exe7.1.1920.12384e26d3f7unknown0.0.0.000000000c00000050041cd1020c01cc5445fbbd9132

Error: (08/06/2011 09:34:42 AM) (Source: Application Error)(User: )
Description: GoogleToolbarUser_32.exe7.1.1920.12384e26d3f7unknown0.0.0.000000000c00000050041cd10a7801cc5445fab41072

Error: (08/06/2011 09:34:39 AM) (Source: Application Error)(User: )
Description: GoogleToolbarUser_32.exe7.1.1920.12384e26d3f7unknown0.0.0.000000000c00000050041cd105a801cc5445f9118402


=========================== Installed Programs ============================

µTorrent (Version: 1.6)
1310 (Version: 82.0.242.000)
1310_Help (Version: 82.0.58.000)
1310Trb (Version: 82.0.242.000)
32 Bit HP CIO Components Installer (Version: 1.0.0)
AC3Filter (remove only)
Adobe AIR (Version: 1.5.2.8900)
Adobe Flash Player 10 ActiveX (Version: 10.1.85.3)
Adobe Flash Player 10 Plugin (Version: 10.1.102.64)
Adobe Photoshop Lightroom 3 (Version: 3.0.2)
Adobe Reader 8.1.1 (Version: 8.1.1)
Adobe Shockwave Player 11.5 (Version: 11.5.2.602)
AIO_CDB_ProductContext (Version: 82.0.242.000)
AIO_CDB_Software (Version: 82.0.242.000)
AIO_Scan (Version: 82.0.173.000)
Alien Swarm
Amazon Games & Software Downloader (Version: 2.0.2.0)
AMD APP SDK Runtime (Version: 2.4.595.10)
ATI Catalyst Install Manager (Version: 3.0.820.0)
Bandisoft MPEG-1 Decoder
BufferChm (Version: 82.0.173.000)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center (Version: 2011.0405.2218.38205)
Catalyst Control Center Graphics Previews Common (Version: 2011.0405.2218.38205)
Catalyst Control Center InstallProxy (Version: 2008.1003.1759.30358)
Catalyst Control Center InstallProxy (Version: 2011.0405.2218.38205)
ccc-core-static (Version: 2009.1124.2131.38610)
ccc-core-static (Version: 2010.0406.2133.36843)
ccc-core-static (Version: 2010.0803.2125.36577)
ccc-utility (Version: 2011.0405.2218.38205)
CCC Help English (Version: 2011.0405.2217.38205)
Comical 0.8
Copy (Version: 82.0.188.000)
Creative ALchemy
Creative Audio Console
Creative Software AutoUpdate
CustomerResearchQFolder (Version: 1.00.0000)
dBpoweramp [Arrange Audio] Codec (Version: Release 3)
dBpoweramp [Audio Info] Codec (Version: Release 1)
dBpoweramp [Calculate Audio CRC] Codec
dBpoweramp [Channel Split] Codec
dBpoweramp [ID Tag Update] Codec
dBpoweramp [Length Split] Codec
dBpoweramp [Multi Encoder] Codec (Version: Release 2)
dBpoweramp [ReplayGain] Codec (Version: Release 2)
dBpoweramp [Tag From Filename] Codec (Version: Release 1)
dBpoweramp Dalet Codec
dBpoweramp DSP Effects (Version: Release 3)
dBpoweramp FLAC Codec (Version: Release 12 (FLAC 1.2.1))
dBpoweramp m4a Codec (Version: Release 8)
dBpoweramp Monkeys Audio Codec
dBpoweramp Mp2 and BwfMp2 codec
dBpoweramp mp3 (Fraunhofer IIS) Codec (Version: Release 2a (v4.0.3))
dBpoweramp Music Converter (Version: Release 13)
dBpoweramp Ogg Vorbis Codec (Version: Release 19 (Vorbis v1.2.0))
dBpoweramp Real Audio (Helix) Encoder
dBPoweramp tooLame MP2 codec
dBpoweramp Wave64 Codec
dBpoweramp WavPack Codec
dBpoweramp Windows Media Audio 10 Codec (Version: Release 5)
Destinations (Version: 82.0.173.000)
DeviceManagementQFolder (Version: 1.00.0000)
DivX Setup (Version: 2.1.2.2)
DocProc (Version: 8.1.0.0)
DocProcQFolder (Version: 1.00.0000)
Dungeons & Dragons: Daggerdale
DVD Shrink 3.2
EA Download Manager (Version: 5.1.0.4)
EA Shared Game Component: Activation (Version: 2.2.0)
EA Shared Game Component: Activation (Version: 2.2.0.19)
ESET Online Scanner v3
eSupportQFolder (Version: 1.00.0000)
Fax (Version: 82.0.188.000)
ffdshow [rev 1324] [2007-07-01] (Version: 1.0)
Flickr Uploadr 3.2.1
Fraps (remove only)
Global Agenda
Google Update Helper (Version: 1.3.21.65)
Gravis Xperience 4.5
Grotesque Tactics: Evil Heroes
Heroes of Might and Magic V - Tribes of the East
HP Customer Participation Program 8.0 (Version: 8.0)
HP Imaging Device Functions 8.0 (Version: 8.0)
HP OCR Software 8.0 (Version: 8.0)
HP Photosmart Essential (Version: 1.12.0.46)
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B (Version: 8.0)
HP Solution Center 8.0 (Version: 8.0)
HP Update (Version: 4.000.005.006)
HPProductAssistant (Version: 82.0.173.000)
HPSSupply (Version: 2.1.3.0000)
Java Auto Updater (Version: 2.0.2.1)
Java(TM) 6 Update 20 (Version: 6.0.200)
Java(TM) 6 Update 3 (Version: 1.6.0.30)
King Arthur: Collection
League of Legends (Version: 1.0020)
Linksys EasyLink Advisor (Version: 3.0.8165.32)
Logitech GamePanel Software 3.06.109 (Version: 3.06.109)
Magic: The Gathering — Duels of the Planeswalkers 2012
MagicDisc 2.6.93
Malwarebytes' Anti-Malware version 1.51.1.1800 (Version: 1.51.1.1800)
MarketResearch (Version: 82.0.174.000)
Microsoft  File Transfer Manager (Version: 5.00.34)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Office Live Meeting 2005 (Version: 7.9.2419.0)
Microsoft Silverlight (Version: 4.0.50917.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft XNA Framework Redistributable 3.1 (Version: 3.1.10527.0)
Microsoft XNA Framework Redistributable 4.0 (Version: 4.0.20823.0)
Mozilla Firefox 5.0 (x86 en-US) (Version: 5.0)
Mozilla Thunderbird (3.1.11) (Version: 3.1.11 (en-US))
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
NEF Codec (Version: 1.00.0000)
NTI Backup Now EZ (Version: 1.1.2.97)
NVIDIA PhysX (Version: 9.10.0129)
Ogg Codecs 0.81.15562 (Version: 0.81.15562)
OpenAL
Picasa 3 (Version: 3.8)
PlayNC Launcher (Version: 1.1.9000)
PowerISO
Pure Networks Platform (Version: 10.2.8148.0)
Realtek 8136 8168 8169 Ethernet Driver (Version: 1.00.0007)
Realtek High Definition Audio Driver (Version: 6.0.1.5874)
RIFT (Version: 1.0.0)
RivaTuner v2.24 (Version: v2.24)
Scan (Version: 8.1.0.0)
SEGA Genesis & Mega Drive Classics
SolutionCenter (Version: 82.0.188.000)
Space Rangers 2: Reboot
Star Trek Online
Status (Version: 82.0.173.000)
Steam (Version: 1.0.0.0)
TeamSpeak 3 Client
Terraria
The Witcher 2 (Version: 1.00.0000)
Toolbox (Version: 82.0.173.000)
Total War: SHOGUN 2
TrayApp (Version: 82.0.188.000)
TurboTax 2008
TurboTax 2008 WinPerFedFormset (Version: 008.000.0341)
TurboTax 2008 WinPerProgramHelp (Version: 008.000.0219)
TurboTax 2008 WinPerReleaseEngine (Version: 008.000.0197)
TurboTax 2008 WinPerTaxSupport (Version: 008.000.1007)
TurboTax 2008 WinPerUserEducation (Version: 008.000.0433)
TurboTax 2008 wrapper (Version: 008.000.0065)
TurboTax 2009
TurboTax 2009 WinPerFedFormset (Version: 009.000.1645)
TurboTax 2009 WinPerReleaseEngine (Version: 009.000.0298)
TurboTax 2009 WinPerTaxSupport (Version: 009.000.0222)
TurboTax 2009 wrapper (Version: 009.000.0145)
TurboTax Premier 2007
TVersity Codec Pack 1.4 (Version: 1.4)
TVersity Media Server 1.9.3 (Version: 1.9.3)
UnloadSupport (Version: 1.00.0000)
VC80CRTRedist - 8.0.50727.4053 (Version: 1.1.0)
Ventrilo Client (Version: 3.0.4)
Ventrilo Server (Version: 3.0.2)
War Inc. Battlezone
WebEx Support Manager for Internet Explorer (Version: 6.5.47)
WebReg (Version: 82.0.173.000)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
WinRAR archiver
Xvid 1.1.2 final uninstall (Version: 1.1)

========================= Memory info: ===================================

Percentage of memory in use: 15%
Total physical RAM: 3581.58 MB
Available physical RAM: 3022.66 MB
Total Pagefile: 7348.12 MB
Available Pagefile: 6976.8 MB
Total Virtual: 2047.88 MB
Available Virtual: 1985.73 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:74.5 GB) (Free:23.55 GB) NTFS
4 Drive e: () (Fixed) (Total:683.59 GB) (Free:513.57 GB) NTFS
5 Drive f: (New Volume) (Fixed) (Total:297.96 GB) (Free:278.96 GB) NTFS
6 Drive g: (New Volume) (Fixed) (Total:1179.3 GB) (Free:1146.73 GB) NTFS
7 Drive h: () (Fixed) (Total:298.09 GB) (Free:260.69 GB) NTFS
11 Drive n: () (Removable) (Total:1.91 GB) (Free:1.68 GB) FAT

========================= Users: ========================================

User accounts for \\DEREKVISTA

Administrator            Derek                    Guest                    


== End of log == 


#6 obmar

obmar
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 06 August 2011 - 10:50 AM

In safe mode - ran Inherit (worked), updated (had last night's file but there is a new one this morning) - running scan

#7 obmar

obmar
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 06 August 2011 - 10:52 AM

Scan shuts down (the Malwarebytes window closes) with no prompt and without finishing

#8 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:10:27 AM

Posted 06 August 2011 - 10:52 AM

Are you running a Quick Scan?

Edited by jntkwx, 06 August 2011 - 10:52 AM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#9 obmar

obmar
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 06 August 2011 - 10:54 AM

Yep - each time I try to launch I get a permission error. I use Inherit (works), launch MWBytes and start a quick scan - on the first file it closes. Repeats every time.

#10 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:10:27 AM

Posted 06 August 2011 - 10:56 AM

Did you download and run FixNCR.reg? (that was one of my edits to my first post)
Regards,
Jason

 



#11 obmar

obmar
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 06 August 2011 - 10:57 AM

I did - the application launches fine - it only closes when I try to scan..?

Confirmed - Malwarebytes is fine until I try to run a scan...

Edited by obmar, 06 August 2011 - 10:59 AM.


#12 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:10:27 AM

Posted 06 August 2011 - 11:02 AM

:step1: Please download SystemLook and save it to your Desktop.
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    %AllUsersProfile% /t7
    %LocalAppData%\ /t7
    %windir%\system32 /t7
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Edited by jntkwx, 06 August 2011 - 11:02 AM.

Regards,
Jason

 



#13 obmar

obmar
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 06 August 2011 - 11:09 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 11:06 on 06/08/2011 by Derek
Administrator - Elevation successful

========== dir ==========

C:\ProgramData - Parameters: "/t7"

---Files---
1043375438	--ahs-- 10262 bytes	[08:59 06/08/2011]	[08:59 06/08/2011]
75pg32uc86hns2rqtr4c	--ahs-- 11676 bytes	[03:43 06/08/2011]	[04:25 06/08/2011]
jayd.exe	--a---- 0 bytes	[03:43 06/08/2011]	[03:43 06/08/2011]
jy6cbs1t3n12s636j33wub36654our40e272at7p8	--ahs-- 10952 bytes	[07:56 06/08/2011]	[14:34 06/08/2011]
kxjn.exe	--a---- 0 bytes	[03:43 06/08/2011]	[03:43 06/08/2011]
nNXHF4.dat	--a---- 112 bytes	[12:01 06/08/2011]	[14:08 06/08/2011]
pwob.exe	--a---- 0 bytes	[03:43 06/08/2011]	[03:43 06/08/2011]
pxnq.exe	--a---- 0 bytes	[03:43 06/08/2011]	[03:43 06/08/2011]

---Folders---
Adobe	d------	[00:53 18/05/2007]
Amazon	d------	[22:15 08/12/2009]
Application Data	d--hs--	[13:00 02/11/2006]
ATI	d------	[20:22 29/04/2011]
BioWare	d------	[21:24 04/01/2010]
Creative	d------	[02:00 30/04/2008]
Creative Labs	d------	[16:21 24/05/2008]
DAEMON Tools Pro	d------	[22:05 13/02/2008]
Desktop	d--hs--	[13:00 02/11/2006]
DivX	d------	[21:37 04/07/2010]
Documents	d--hs--	[13:00 02/11/2006]
DVD Shrink	d------	[06:15 09/06/2007]
Electronic Arts	d------	[18:24 04/01/2010]
Favorites	d--hs--	[13:00 02/11/2006]
Funcom	d------	[03:17 19/04/2008]
Google	d------	[03:21 11/05/2007]
HP	d------	[22:41 20/06/2008]
HPSSUPPLY	d------	[22:47 20/06/2008]
Intuit	d------	[00:57 20/02/2008]
Linksys	d------	[16:57 30/06/2009]
LogiShrd	d------	[14:02 07/12/2010]
Logitech	d------	[14:03 07/12/2010]
Malwarebytes	d------	[16:29 03/01/2010]
McAfee	d------	[21:03 23/06/2010]
Media Center Programs	d------	[15:48 10/02/2008]
Microsoft	d---s--	[11:18 02/11/2006]
Nexon	d------	[23:42 16/09/2010]
NexonUS	d------	[23:38 16/09/2010]
NTIReg	d------	[19:47 21/01/2011]
PC Drivers HeadQuarters Inc	d------	[22:15 11/09/2010]
Pure Networks	d------	[16:55 30/06/2009]
SlySoft	d------	[06:33 09/06/2007]
Start Menu	d--hs--	[13:00 02/11/2006]
Sun	d------	[10:19 09/05/2010]
TEMP	d-a----	[01:24 16/05/2010]
Templates	d--hs--	[13:00 02/11/2006]
TVersity	d------	[16:58 05/03/2011]
Ubisoft	d------	[01:03 17/04/2008]
webex	d------	[16:57 30/06/2009]
WEBREG	d------	[22:47 20/06/2008]
WLInstaller	d------	[14:34 04/04/2008]

C:\Users\Derek\AppData\Local - Parameters: "/t7"

---Files---
75pg32uc86hns2rqtr4c	--ahs-- 11676 bytes	[03:43 06/08/2011]	[04:25 06/08/2011]
eugi.exe	--a---- 0 bytes	[03:43 06/08/2011]	[03:43 06/08/2011]
jy6cbs1t3n12s636j33wub36654our40e272at7p8	--ahs-- 10952 bytes	[08:59 06/08/2011]	[14:34 06/08/2011]
kdwf.exe	--a---- 0 bytes	[03:43 06/08/2011]	[03:43 06/08/2011]
kych.exe	--a---- 0 bytes	[03:43 06/08/2011]	[03:43 06/08/2011]
nbrt.exe	--a---- 0 bytes	[03:43 06/08/2011]	[03:43 06/08/2011]

---Folders---
AA3DeployClient	d------	[01:09 05/07/2009]
Adobe	d------	[00:53 18/05/2007]
Application Data	d--hs--	[02:06 11/05/2007]
Apps	d------	[01:08 05/07/2009]
Arktos	d------	[01:39 02/08/2011]
assembly	d------	[03:32 22/09/2007]
ATI	d------	[22:28 10/07/2009]
Chromium	d------	[13:41 10/07/2011]
CrashRpt	d------	[02:14 11/02/2011]
Deployment	d------	[01:08 05/07/2009]
EA Core	d------	[21:21 04/01/2010]
ESET	d------	[21:44 14/03/2011]
Fallout3	d------	[16:07 14/02/2009]
Flickr	d------	[23:41 26/12/2010]
Funcom	d------	[14:23 04/04/2008]
Google	d------	[03:21 11/05/2007]
History	d--hs--	[02:06 11/05/2007]
IsolatedStorage	d------	[20:27 15/02/2010]
Linksys_LLC_-_A_Division_	d------	[16:58 30/06/2009]
Logitech	d------	[21:57 16/07/2008]
Microsoft	d------	[02:06 11/05/2007]
MigWiz	d------	[02:08 11/05/2007]
Mozilla	d------	[16:28 11/05/2007]
My Games	d------	[23:36 24/09/2010]
Paint.NET	d------	[01:12 25/02/2011]
Pando_Temp	d------	[15:50 14/06/2011]
PunkBuster	d------	[03:15 05/07/2009]
Sidhe	d------	[21:00 07/04/2010]
SKIDROW	d------	[21:01 07/04/2010]
Stardock	d------	[03:12 30/03/2010]
Star_Vault_&_Paratus	d------	[21:54 09/04/2010]
Steam	d------	[12:54 13/09/2007]
Temp	d------	[02:06 11/05/2007]
Temporary Internet Files	d--hs--	[02:06 11/05/2007]
The Witcher	d------	[17:22 26/02/2008]
The Witcher 2	d------	[19:43 20/05/2011]
Thunderbird	d------	[16:10 11/05/2007]
VirtualStore	d------	[02:06 11/05/2007]

%winddir%\ system32 - Unable to find folder.

-= EOF =-



#14 obmar

obmar
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 06 August 2011 - 11:14 AM

Typo - didn't grab the system32. Here it is:

SystemLook 30.07.11 by jpshortstuff
Log created at 11:12 on 06/08/2011 by Derek
Administrator - Elevation successful

========== dir ==========

C:\Windows\system32 - Parameters: "/t7"

---Files---
7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0	--ah--- 5344 bytes	[12:46 02/11/2006]	[14:51 06/08/2011]
7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0	--ah--- 5344 bytes	[12:46 02/11/2006]	[14:51 06/08/2011]
FastUv32.dll	--a---- 53248 bytes	[11:59 06/08/2011]	[11:59 06/08/2011]
FNTCACHE.DAT	--a---- 239632 bytes	[12:46 02/11/2006]	[15:17 06/08/2011]
perfc009.dat	--a---- 118156 bytes	[10:33 02/11/2006]	[14:11 06/08/2011]
perfh009.dat	--a---- 639904 bytes	[10:33 02/11/2006]	[14:11 06/08/2011]
PerfStringBackup.INI	--a---- 755222 bytes	[10:33 02/11/2006]	[14:11 06/08/2011]
terdvw32.dll	--a---- 218624 bytes	[11:59 06/08/2011]	[11:59 06/08/2011]
tversity.cookies	--a---- 3382 bytes	[18:17 05/03/2011]	[14:05 06/08/2011]

---Folders---
0409	d------	[12:41 02/11/2006]
Adobe	d------	[00:15 30/12/2009]
AdvancedInstallers	d------	[11:18 02/11/2006]
appmgmt	d------	[13:39 08/07/2007]
ar-SA	d------	[11:18 02/11/2006]
bg-BG	d------	[11:18 02/11/2006]
Boot	d------	[11:18 02/11/2006]
Branding	d------	[12:41 02/11/2006]
ca-ES	d------	[14:41 31/08/2010]
catroot	d------	[11:18 02/11/2006]
catroot2	d------	[11:18 02/11/2006]
CodeIntegrity	d------	[11:18 02/11/2006]
com	d------	[11:18 02/11/2006]
config	d------	[11:18 02/11/2006]
cs-CZ	d------	[11:18 02/11/2006]
da-DK	d------	[11:18 02/11/2006]
de-DE	d------	[11:18 02/11/2006]
Defaults	d------	[23:05 10/07/2007]
directx	d------	[14:29 30/06/2009]
drivers	d------	[11:18 02/11/2006]
DriverStore	d------	[11:18 02/11/2006]
DRVSTORE	d----c-	[16:55 30/06/2009]
el-GR	d------	[11:18 02/11/2006]
en	d------	[12:41 02/11/2006]
en-US	d------	[11:18 02/11/2006]
es-ES	d------	[11:18 02/11/2006]
et-EE	d------	[11:18 02/11/2006]
eu-ES	d------	[14:41 31/08/2010]
EventProviders	d------	[14:16 31/08/2010]
fi-FI	d------	[11:18 02/11/2006]
fr-FR	d------	[11:18 02/11/2006]
FxsTmp	d------	[12:35 02/11/2006]
GroupPolicy	d------	[11:18 02/11/2006]
GroupPolicyUsers	d------	[11:18 02/11/2006]
he-IL	d------	[11:18 02/11/2006]
hr-HR	d------	[11:18 02/11/2006]
hu-HU	d------	[11:18 02/11/2006]
ias	d------	[11:18 02/11/2006]
icsxml	d------	[11:18 02/11/2006]
IME	d------	[11:18 02/11/2006]
inetsrv	d------	[11:18 02/11/2006]
it-IT	d------	[11:18 02/11/2006]
ja-JP	d------	[11:18 02/11/2006]
ko-KR	d------	[11:18 02/11/2006]
licensing	d------	[11:18 02/11/2006]
LogFiles	d------	[11:18 02/11/2006]
lt-LT	d------	[11:18 02/11/2006]
lv-LV	d------	[11:18 02/11/2006]
Macromed	d------	[03:21 11/05/2007]
manifeststore	d------	[11:18 02/11/2006]
Microsoft	d---s--	[12:46 02/11/2006]
migration	d------	[11:18 02/11/2006]
migwiz	d------	[11:18 02/11/2006]
Msdtc	d------	[11:18 02/11/2006]
MUI	d------	[11:18 02/11/2006]
nb-NO	d------	[11:18 02/11/2006]
NDF	d------	[11:18 02/11/2006]
networklist	d------	[11:18 02/11/2006]
nl-NL	d------	[11:18 02/11/2006]
oobe	d------	[11:18 02/11/2006]
pl-PL	d------	[11:18 02/11/2006]
Printing_Admin_Scripts	d------	[12:41 02/11/2006]
pt-BR	d------	[11:18 02/11/2006]
pt-PT	d------	[11:18 02/11/2006]
ras	d------	[11:18 02/11/2006]
RemInst	d------	[11:18 02/11/2006]
restore	d------	[12:35 02/11/2006]
ro-RO	d------	[11:18 02/11/2006]
RTCOM	d------	[18:15 15/05/2010]
ru-RU	d------	[11:18 02/11/2006]
setup	d------	[11:18 02/11/2006]
sk-SK	d------	[11:18 02/11/2006]
sl-SI	d------	[11:18 02/11/2006]
slmgr	d------	[12:41 02/11/2006]
SLUI	d------	[11:18 02/11/2006]
SMI	d------	[11:18 02/11/2006]
Speech	d------	[11:18 02/11/2006]
spool	d------	[11:18 02/11/2006]
SPReview	d------	[14:29 31/08/2010]
sr-Latn-CS	d------	[11:18 02/11/2006]
sv-SE	d------	[11:18 02/11/2006]
sysprep	d------	[11:18 02/11/2006]
Tasks	d------	[11:18 02/11/2006]
th-TH	d------	[11:18 02/11/2006]
tr-TR	d------	[11:18 02/11/2006]
uk-UA	d------	[11:18 02/11/2006]
vi-VN	d------	[14:41 31/08/2010]
wbem	d------	[11:18 02/11/2006]
WCN	d------	[12:41 02/11/2006]
WDI	d------	[11:18 02/11/2006]
wfp	d------	[11:18 02/11/2006]
winevt	d------	[11:18 02/11/2006]
winrm	d------	[12:41 02/11/2006]
XPSViewer	d------	[12:35 02/11/2006]
zh-CN	d------	[11:18 02/11/2006]
zh-HK	d------	[11:18 02/11/2006]
zh-TW	d------	[11:18 02/11/2006]



#15 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:10:27 AM

Posted 06 August 2011 - 11:41 AM

:step1:
  • Click on the Start menu
  • In the Search box, type in: cmd
  • Right click on the cmd.exe, and select Run As Administrator
  • In the command prompt window that opens, type each of the following lines, followed by pressing the Enter key:

    cd C:\ProgramData\

    attrib -s -h /s

  • Then close the Command Prompt window.


:step2: Let's upload a couple of files for a second opinion on what they actually are.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Virustotal: http://www.virustotal.com/

When the Virustotal page has finished loading, click the Choose File button and navigate to each of the following files, click Open, and click Send File.

C:\ProgramData\1043375438
C:\ProgramData\75pg32uc86hns2rqtr4c
C:\ProgramData\jy6cbs1t3n12s636j33wub36654our40e272at7p8
C:\Windows\system32\FastUv32.dll
C:\Windows\system32\terdvw32.dll


If prompted to reanalyze a file, please do so.

Please post back the website addresses (URLs) of the Virustotal result in your next post.

Edited by jntkwx, 06 August 2011 - 11:46 AM.

Regards,
Jason

 

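For readers following along, here is an added PowerShell example (not code from this thread, from SystemLook, or from jntkwx) that covers both of the steps above from a defender's side: the SystemLook ":dir ... /t7" listings of %AllUsersProfile%, %LocalAppData% and %windir%\system32 in post #12, and the "attrib -s -h" / VirusTotal step in post #15. It lists files changed in the last 7 days in those three folders, shows hidden/system entries without stripping their attributes (-Force makes them visible, so the evidence is left as found), flags the two patterns that stand out in the posted logs, and prints a SHA256 per file so each one can be searched on VirusTotal by hash before deciding whether to upload it. Assumptions: PowerShell 2.0 or later started with "Run as administrator"; the folder list, the 7-day window and the name heuristics are my assumptions taken from the logs above, not part of any tool.

```powershell
# Added example for this thread, not SystemLook's or jntkwx's own code.
# Read-only triage of the three locations the SystemLook ":dir ... /t7" step
# listed (files changed in the last 7 days), from a defender's side:
#   * -Force lists hidden/system entries, so "attrib -s -h" is not needed to
#     see them and the files keep their original attributes;
#   * each recent non-empty file gets a SHA256 that can be looked up on
#     VirusTotal by hash before (or instead of) uploading it.
# Assumptions: PowerShell 2.0 or later, elevated prompt; the paths, the
# 7-day window and the name heuristics are assumptions taken from the logs
# posted in this thread.

param(
    [int]$Days = 7,
    [string[]]$Paths = @($env:ALLUSERSPROFILE, $env:LOCALAPPDATA, "$env:windir\system32")
)

$cutoff = (Get-Date).AddDays(-$Days)
$sha256 = [System.Security.Cryptography.SHA256]::Create()

function Get-Sha256Hex([string]$Path) {
    # Returns the hex digest, or a marker if the file cannot be opened
    # (locked or access denied), so one bad file does not abort the listing.
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try { return ([BitConverter]::ToString($sha256.ComputeHash($stream))) -replace '-', '' }
        finally { $stream.Close() }
    } catch { return "<unreadable: $($_.Exception.Message)>" }
}

foreach ($dir in $Paths) {
    if (-not (Test-Path -LiteralPath $dir)) {
        # Same outcome SystemLook reported for the mistyped "%winddir%" line.
        Write-Warning "Unable to find folder: $dir"
        continue
    }
    Write-Output "========== $dir - files modified in the last $Days days =========="

    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            # Attribute flags are only read; nothing here modifies the file system.
            $flags = @()
            if ($_.Attributes -band [IO.FileAttributes]::Hidden) { $flags += 'hidden' }
            if ($_.Attributes -band [IO.FileAttributes]::System) { $flags += 'system' }
            # Heuristics (assumptions) matching what stood out in the posted logs:
            # zero-byte .exe stubs and long lowercase alphanumeric names.
            if ($_.Length -eq 0 -and $_.Extension -ieq '.exe') { $flags += 'zero-byte exe' }
            if ($_.Name -cmatch '^[a-z0-9]{15,}$') { $flags += 'long random-looking name' }

            New-Object PSObject -Property @{
                Name     = $_.Name
                Bytes    = $_.Length
                Modified = $_.LastWriteTime.ToString('HH:mm dd/MM/yyyy')
                Flags    = ($flags -join ', ')
                SHA256   = $(if ($_.Length -gt 0) { Get-Sha256Hex $_.FullName } else { '-' })
            }
        } | Select-Object Name, Bytes, Modified, Flags, SHA256 | Format-Table -AutoSize
}
```

Save it as, for example, recent-files.ps1 and run it from an elevated PowerShell window with `powershell -ExecutionPolicy Bypass -File .\recent-files.ps1 -Days 7`. Unlike `attrib -s -h /s`, this does not change anything on disk, which matters if the files are later needed as evidence; the hash column lets you check VirusTotal for an existing report on each file before sending it, and the flags only highlight entries for a human to look at, they are not a verdict.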




