
INU.exe instead of MSConfig.exe, redirects, hidden files/folders


  • This topic is locked
13 replies to this topic

#1 Catimmiptwax

Catimmiptwax

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 11 August 2011 - 08:08 PM

OS: Windows XP Pro SP3

Alright, sorry if I don't have 100% of the information on what went on with the computer, since I wasn't the first to work on it. However I will fill you in on what I've figured out so far.

Under a normal boot I am unable to access MSConfig.exe; instead it loads INU.EXE under Task Manager, which, if allowed to continue running, starts random-letter .exe files that I cannot locate on the computer.

Under Safe Mode I am able to run MSConfig.exe, however I see nothing in the start-up programs/processes that appear to be threatening.

Also, this infection was a hider. It hid every program in the Start Menu and every folder/file on the computer. I was able to un-hide the files; however, they still don't appear in the Start Menu.

I've run the most updated version of MalwareBytes under Safe Mode, but once the computer boots regularly, the infection recurs.

It also redirects browsers; however, it isn't doing so via Internet Options/Tools/proxies.

Any chance y'all have run into issues such as these before and can assist me in fixing it? I'm about to pull my hair out.


#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:03:49 PM

Posted 11 August 2011 - 08:21 PM

Have you tried running RKill, which is available at the top of this forum?

Also can you post the logs from Malwarebytes so we can see what is being detected?

Edited by cryptodan, 11 August 2011 - 08:25 PM.


#3 Catimmiptwax

Catimmiptwax
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 11 August 2011 - 08:30 PM

RKill I have not yet; however, I will do so now, and then run MBAM after it as well. It usually takes 20 mins to run a full MBAM scan on the system, so expect a reply in 30 mins or so.

#4 Catimmiptwax

Catimmiptwax
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 11 August 2011 - 09:08 PM

RKill ended a program called GRPConv.EXE.

Here is the log from MBAM.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7035

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

8/11/2011 6:54:19 PM
mbam-log-2011-08-11 (18-54-19).txt

Scan type: Full scan (C:\|)
Objects scanned: 206671
Time elapsed: 15 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



**********************************

These were both run under Safe Mode.

#5 Catimmiptwax

Catimmiptwax
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 11 August 2011 - 09:37 PM

Also of note, I am currently running a fully updated version of MBAM at this time on a normal boot. I noticed that I am unable to access my CD-ROM drive (non-existent); I am also unable to see my system restore partition. I ran RKill on a normal boot and no items were cancelled; however, MS Security Essentials did notice 2 trojan downloaders that were 'not found' when attempting to remove them through MSSE.

One file name is Unruy.H; the other I can't recall.

#6 Catimmiptwax

Catimmiptwax
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 11 August 2011 - 10:06 PM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7439

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/11/2011 8:03:13 PM
mbam-log-2011-08-11 (20-03-08).txt

Scan type: Full scan (C:\|)
Objects scanned: 211303
Time elapsed: 22 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{e2be6d43-7b49-468b-aa48-da2441c269ec}\RP413\A0016360.DLL (Trojan.Proxy) -> No action taken.
************************************************************

I've removed the infected file. I was unable to move this log to a thumb drive by normal means and had to keep removing and re-plugging the drive until the computer gave me the choice of how to view the files on the drive.

I am still unable to access my CD-ROM, drive D: (backup partition), or any thumb drives through Windows Explorer. It only shows the C: drive.


From what the computer owner has stated, I've found a recently added/deleted program (he removed it before I had access to the system) named "Zentom System Guard". I don't know if this program has a history with y'all.

Edited by Catimmiptwax, 11 August 2011 - 11:06 PM.


#7 Catimmiptwax

Catimmiptwax
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 13 August 2011 - 01:55 AM

On a whim I decided to rename the GRPConv.exe file, which is supposed to be used to convert Windows 3.1 files to Windows 95 files...

I named it GRPConv.exe.old, then rebooted to Safe Mode and ran RKill. I got 5+ messages showing an error that it couldn't find grpconv.exe, but RKill continued to run.

Just something I figured I would try to see if it helped, and I figured I should update y'all about it too :)

#8 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:03:49 PM

Posted 13 August 2011 - 04:51 AM

So can you now run Malwarebytes and stuff like it?

#9 Catimmiptwax

Catimmiptwax
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 13 August 2011 - 05:16 AM

Yes, I am able to access the files. MBAM isn't detecting anything; however, the infection has caused the CD-ROM, D drive (backup partition), and G drive (thumb drive) to not appear under Windows Explorer. They are reachable by other means, though. Rkill.exe still finds the grpconv.exe file and turns it off if the file is not renamed. But since I renamed the file after disabling it, rkill.exe shows an error that it is not able to be found, which leads me to believe that something is attempting to initiate it after it's disabled, or attempting to run it as part of the rkill.exe process.

Forgive my late replies. It appears you are located in EST; I'm PST, so it's still 3am here :)

Edited by Catimmiptwax, 13 August 2011 - 05:16 AM.


#10 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:03:49 PM

Posted 13 August 2011 - 12:48 PM

Download Autoruns for Windows: http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

No installation required.

Simply unzip the Autoruns.zip file, and double-click on the autoruns.exe file to run the program.

Go to File > Save, and save it as an AutoRuns.txt file to a known location.

You must select Text from the drop-down menu as the file type.

Attach the file to your next reply.

Compliments of Broni

#11 Catimmiptwax

Catimmiptwax
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 13 August 2011 - 01:40 PM

Sorry for the wait, I actually fell asleep waiting, lol... Here you go.

Hope this is what you meant; I can't find an option to attach a file.

"C:\Documents and Settings\Owner\Start Menu\Programs\Startup" "" "" ""
+ "Wallpaper Changer.lnk" "Wallpaper Changer" "Microsoft Corp." "c:\program files\wallpapertoy\wallpapertoy.exe"
"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" "" "" ""
+ "Address Book 6" "Outlook Express Setup Library" "Microsoft Corporation" "c:\program files\outlook express\setup50.exe"
+ "Microsoft Outlook Express 6" "Outlook Express Setup Library" "Microsoft Corporation" "c:\program files\outlook express\setup50.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "\\FLOYDXP\WorkForce 310(Network)" "EPSON Status Monitor 3" "SEIKO EPSON CORPORATION" "c:\windows\system32\spool\drivers\w32x86\3\e_fatifha.exe"
+ "SUPERAntiSpyware" "SUPERAntiSpyware Application" "SUPERAntiSpyware.com" "c:\documents and settings\owner\local settings\temp\sas_selfextract\program.com"
"HKLM\SOFTWARE\Classes\Protocols\Handler" "" "" ""
+ "wot" "" "" "c:\program files\wot\wot.dll"
"HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components" "" "" ""
+ "0" "" "" "File not found: About:Home"
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers" "" "" ""
+ "7-Zip" "7-Zip Shell Extension" "Igor Pavlov" "c:\program files\7-zip\7-zip.dll"
+ "EPP" "Microsoft Security Client Shell Extension" "Microsoft Corporation" "c:\program files\microsoft security client\shellext.dll"
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" ""
+ "MBAMShlExt" "Malwarebytes' Anti-Malware" "Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll"
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" ""
+ "7-Zip" "7-Zip Shell Extension" "Igor Pavlov" "c:\program files\7-zip\7-zip.dll"
+ "EPP" "Microsoft Security Client Shell Extension" "Microsoft Corporation" "c:\program files\microsoft security client\shellext.dll"
"HKLM\Software\Classes\Directory\Shellex\DragDropHandlers" "" "" ""
+ "7-Zip" "7-Zip Shell Extension" "Igor Pavlov" "c:\program files\7-zip\7-zip.dll"
"HKLM\Software\Classes\Folder\Shellex\ColumnHandlers" "" "" ""
+ "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" "" "OpenOffice.org" "c:\program files\openoffice.org 3\basis\program\shlxthdl\shlxthdl.dll"
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" ""
+ "MBAMShlExt" "Malwarebytes' Anti-Malware" "Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" ""
+ "Java™ Plug-In 2 SSV Helper" "Java™ Platform SE binary" "Sun Microsystems, Inc." "c:\program files\java\jre6\bin\jp2ssv.dll"
+ "JQSIEStartDetectorImpl Class" "Java™ Quick Starter binary" "Sun Microsystems, Inc." "c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll"
+ "Spybot-S&D IE Protection" "SBSD IE Protection" "Safer Networking Limited" "c:\program files\spybot - search & destroy\sdhelper.dll"
+ "WOT Helper" "" "" "c:\program files\wot\wot.dll"
+ "Yontoo Layers" "Yontoo Layers Runtime" "Yontoo LLC" "c:\program files\yontoo layers runtime\yontooieclient_2.dll"
"HKLM\Software\Microsoft\Internet Explorer\Toolbar" "" "" ""
+ "WOT" "" "" "c:\program files\wot\wot.dll"
"Task Scheduler" "" "" ""
+ "At1.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At10.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At11.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At12.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At13.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At14.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At15.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At16.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At17.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At18.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At19.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At2.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At20.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At21.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At22.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At23.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At24.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At25.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At26.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At27.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At28.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At29.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At3.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At30.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At31.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At32.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At33.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At34.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At35.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At4.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At5.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At6.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At7.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At8.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "At9.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "MP Scheduled Scan.job" "Microsoft Malware Protection Command Line Utility" "Microsoft Corporation" "c:\program files\microsoft security client\antimalware\mpcmdrun.exe"
+ "SmartDefrag.job" "Smart Defrag" "IObit" "c:\program files\iobit\iobit smartdefrag\iobit smartdefrag.exe"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "Ati HotKey Poller" "ATI External Event Utility EXE Module" "ATI Technologies Inc." "c:\windows\system32\ati2evxx.exe"
+ "hpqcxs08" "HP CUE Context Manager Objects" "Hewlett-Packard Co." "c:\program files\hp\digital imaging\bin\hpqcxs08.dll"
+ "MsMpSvc" "Helps protect users from malware and other potentially unwanted software" "Microsoft Corporation" "c:\program files\microsoft security client\antimalware\msmpeng.exe"
+ "Net Driver HPZ12" "Dot4Net Module" "Hewlett-Packard" "c:\windows\system32\hpzinw12.dll"
+ "Pml Driver HPZ12" "PmlDrv Module" "Hewlett-Packard" "c:\windows\system32\hpzipm12.dll"
+ "STacSV" "Manages audio jack configurations." "" "File not found: d:\d\s\zi\STacSV.exe"
+ "TermServices" "Manages and control Remote. If this service is stopped, Remote Assistance will be unavailable." "Intel Corporation " "c:\windows\system32\terdsw32.dll"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ ".redbook" "" "" "File not found: \*"
+ "ati2mtag" "ATI Radeon WindowsNT Miniport Driver" "ATI Technologies Inc." "c:\windows\system32\drivers\ati2mtag.sys"
+ "AVG Anti-Rootkit" "AVG Anti-Rootkit Driver" "GRISOFT, s.r.o." "c:\windows\system32\drivers\avgarkt.sys"
+ "AvgArCln" "AVG7 Clean Driver" "GRISOFT, s.r.o." "c:\windows\system32\drivers\avgarcln.sys"
+ "b57w2k" "Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver." "Broadcom Corporation" "c:\windows\system32\drivers\b57xp32.sys"
+ "Changer" "" "" "File not found: C:\WINDOWS\System32\Drivers\Changer.sys"
+ "E100B" "Intel® PRO/100 Adapter NDIS 5.1 driver" "Intel Corporation" "c:\windows\system32\drivers\e100b325.sys"
+ "HDAudBus" "High Definition Audio Bus Driver v1.0a" "Windows ® Server 2003 DDK provider" "c:\windows\system32\drivers\hdaudbus.sys"
+ "HPZid412" "IEEE-1284.4-1999 Driver (Windows 2000)" "HP" "c:\windows\system32\drivers\hpzid412.sys"
+ "HPZipr12" "IEEE-1284.4-1999 Print Class Driver" "HP" "c:\windows\system32\drivers\hpzipr12.sys"
+ "HPZius12" "1284.4<->Usb Datalink Driver (Windows 2000)" "HP" "c:\windows\system32\drivers\hpzius12.sys"
+ "HSF_DP" "HSF_DP driver" "Conexant Systems, Inc." "c:\windows\system32\drivers\hsf_dp.sys"
+ "HSFHWBS2" "HSF_HWB2 WDM driver" "Conexant Systems, Inc." "c:\windows\system32\drivers\hsfhwbs2.sys"
+ "i2omgmt" "" "" "File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys"
+ "iaStor" "Intel Matrix Storage Manager driver - ia32" "Intel Corporation" "c:\windows\system32\drivers\iastor.sys"
+ "lbrtfdc" "" "" "File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys"
+ "LNE100" "Linksys LNE100TX(v5) Fast Ethernet Adapter NDIS5 Driver" "LinkSys Group Inc." "c:\windows\system32\drivers\lne100v5.sys"
+ "mdmxsdk" "Diagnostic Interface DRIVER" "Conexant" "c:\windows\system32\drivers\mdmxsdk.sys"
+ "MpKsl274356e4" "KSLDriver" "Microsoft Corporation" "c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ef4270e6-f128-4951-a6e2-756dae118c0d}\mpksl274356e4.sys"
+ "MpKsl49971d6c" "" "" "File not found: c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{059823FF-74B8-4ECA-8CFF-23715D7E7C5E}\MpKsl49971d6c.sys"
+ "MpKslb8a20eee" "" "" "File not found: c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{58345CE7-E02B-428D-893E-9EB7408BC57E}\MpKslb8a20eee.sys"
+ "MpKslcfb2cc16" "KSLDriver" "Microsoft Corporation" "c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ef4270e6-f128-4951-a6e2-756dae118c0d}\mpkslcfb2cc16.sys"
+ "pavboot" "Panda Boot Driver" "Panda Security, S.L." "c:\windows\system32\drivers\pavboot.sys"
+ "PCIDump" "" "" "File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys"
+ "PDCOMP" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys"
+ "PDFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys"
+ "PDRELI" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys"
+ "PDRFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys"
+ "Ptilink" "Direct Parallel Link Driver" "Parallel Technologies, Inc." "c:\windows\system32\drivers\ptilink.sys"
+ "SASDIFSV" "SASDIFSV.SYS" "SUPERAdBlocker.com and SUPERAntiSpyware.com" "c:\documents and settings\owner\local settings\temp\sas_selfextract\sasdifsv.sys"
+ "SASKUTIL" "SASKUTIL.SYS" "SUPERAdBlocker.com and SUPERAntiSpyware.com" "c:\documents and settings\owner\local settings\temp\sas_selfextract\saskutil.sys"
+ "Secdrv" "SafeDisc driver" "Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K." "c:\windows\system32\drivers\secdrv.sys"
+ "STHDA" "NDRC" "IDT, Inc." "c:\windows\system32\drivers\sthda.sys"
+ "ultra" "Promise Ultra66 Miniport Driver" "Promise Technology, Inc." "c:\windows\system32\drivers\ultra.sys"
+ "WDICA" "" "" "File not found: C:\WINDOWS\System32\Drivers\WDICA.sys"
+ "winachsf" "HSF_CNXT driver" "Conexant Systems, Inc." "c:\windows\system32\drivers\hsf_cnxt.sys"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
+ "msacm.iac2" "IndeoŽ audio software" "Intel Corporation" "c:\windows\system32\iac25_32.ax"
+ "msacm.l3acm" "MPEG Layer-3 Audio Codec for MSACM" "Fraunhofer Institut Integrierte Schaltungen IIS" "c:\windows\system32\l3codeca.acm"
+ "msacm.sl_anet" "Audio codec for MS ACM" "Sipro Lab Telecom Inc." "c:\windows\system32\sl_anet.acm"
+ "msacm.trspch" "DSP Group TrueSpeech™ Audio Codec for MSACM V3.50" "DSP GROUP, INC." "c:\windows\system32\tssoft32.acm"
+ "vidc.cvid" "CinepakŽ Codec" "Radius Inc." "c:\windows\system32\iccvid.dll"
+ "vidc.iv31" "" "" "c:\windows\system32\ir32_32.dll"
+ "vidc.iv32" "" "" "c:\windows\system32\ir32_32.dll"
+ "vidc.iv41" "Intel IndeoŽ Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
+ "vidc.iv50" "Intel IndeoŽ video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll"
"HKLM\Software\Classes\Filter" "" "" ""
+ "IndeoŽ video 4.4 Compression Filter" "Intel IndeoŽ Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
+ "IndeoŽ video 4.4 Decompression Filter" "Intel IndeoŽ Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
"HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
+ "9x8Resize" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "ACELP.net Audio Decoder" "ACELP.net Audio Decoder" "Sipro Lab Telecom Inc." "c:\windows\system32\acelpdec.ax"
+ "Allocator Fix" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "Bitmap" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "CyberLink Video/SP Decoder (PDVD10)" "CyberLink Video/SP Filter" "CyberLink Corp." "c:\program files\k-lite codec pack\filters\clvsd.ax"
+ "DirectVobSub" "VobSub & TextSub filter for DirectShow/VirtualDub/Avisynth" "Gabest" "c:\program files\k-lite codec pack\filters\vsfilter.dll"
+ "DirectVobSub (auto-loading version)" "VobSub & TextSub filter for DirectShow/VirtualDub/Avisynth" "Gabest" "c:\program files\k-lite codec pack\filters\vsfilter.dll"
+ "DivX H.264 Decoder" "DivX H.264 Decoder Filter" "DivX, Inc." "c:\program files\k-lite codec pack\filters\divxdech264.ax"
+ "ffdshow Audio Decoder" "DirectShow and VFW video and audio decoding/encoding/processing filter" "" "c:\program files\k-lite codec pack\ffdshow\ffdshow.ax"
+ "ffdshow Audio Processor" "DirectShow and VFW video and audio decoding/encoding/processing filter" "" "c:\program files\k-lite codec pack\ffdshow\ffdshow.ax"
+ "ffdshow DXVA Video Decoder" "DirectShow and VFW video and audio decoding/encoding/processing filter" "" "c:\program files\k-lite codec pack\ffdshow\ffdshow.ax"
+ "ffdshow raw video filter" "DirectShow and VFW video and audio decoding/encoding/processing filter" "" "c:\program files\k-lite codec pack\ffdshow\ffdshow.ax"
+ "ffdshow subtitles filter" "DirectShow and VFW video and audio decoding/encoding/processing filter" "" "c:\program files\k-lite codec pack\ffdshow\ffdshow.ax"
+ "ffdshow Video Decoder" "DirectShow and VFW video and audio decoding/encoding/processing filter" "" "c:\program files\k-lite codec pack\ffdshow\ffdshow.ax"
+ "Frame Eater" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "Haali Matroska Muxer" "Haali Media Splitter" "" "c:\program files\k-lite codec pack\filters\haali\splitter.ax"
+ "Haali Media Splitter" "Haali Media Splitter" "" "c:\program files\k-lite codec pack\filters\haali\splitter.ax"
+ "Haali Media Splitter (AR)" "Haali Media Splitter" "" "c:\program files\k-lite codec pack\filters\haali\splitter.ax"
+ "Haali Simple Media Splitter" "Haali Media Splitter" "" "c:\program files\k-lite codec pack\filters\haali\splitter.ax"
+ "Haali Video Renderer" "" "" "c:\program files\k-lite codec pack\filters\haali\dxr.dll"
+ "Haali Video Sink" "Haali Media Splitter" "" "c:\program files\k-lite codec pack\filters\haali\splitter.ax"
+ "IndeoŽ audio software" "IndeoŽ audio software" "Intel Corporation" "c:\windows\system32\iac25_32.ax"
+ "IndeoŽ video 5.10 Compression Filter" "Intel IndeoŽ video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll"
+ "IndeoŽ video 5.10 Decompression Filter" "Intel IndeoŽ video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll"
+ "madFlac Decoder" "DirectShow FLAC Decoder" "www.madshi.net" "c:\program files\k-lite codec pack\filters\madflac.ax"
+ "madFlac Source" "DirectShow FLAC Decoder" "www.madshi.net" "c:\program files\k-lite codec pack\filters\madflac.ax"
+ "MONOGRAM AMR Decoder" "AMR Filter Pack" "MONOGRAM Multimedia, s.r.o." "c:\program files\k-lite codec pack\filters\mmamr.ax"
+ "MONOGRAM AMR Encoder" "AMR Filter Pack" "MONOGRAM Multimedia, s.r.o." "c:\program files\k-lite codec pack\filters\mmamr.ax"
+ "MONOGRAM AMR Mux" "AMR Filter Pack" "MONOGRAM Multimedia, s.r.o." "c:\program files\k-lite codec pack\filters\mmamr.ax"
+ "MONOGRAM AMR Splitter" "AMR Filter Pack" "MONOGRAM Multimedia, s.r.o." "c:\program files\k-lite codec pack\filters\mmamr.ax"
+ "MPC - FLV Source (Gabest)" "FLV Splitter" "MPC-HC Team" "c:\program files\k-lite codec pack\filters\flvsplitter.ax"
+ "MPC - FLV Splitter (Gabest)" "FLV Splitter" "MPC-HC Team" "c:\program files\k-lite codec pack\filters\flvsplitter.ax"
+ "MPC - MP4 Source" "MP4 Splitter" "MPC-HC Team" "c:\program files\k-lite codec pack\filters\mp4splitter.ax"
+ "MPC - MP4 Splitter" "MP4 Splitter" "MPC-HC Team" "c:\program files\k-lite codec pack\filters\mp4splitter.ax"
+ "MPC - Mpeg Source (Gabest)" "Mpeg Splitter" "MPC-HC Team" "c:\program files\k-lite codec pack\filters\mpegsplitter.ax"
+ "MPC - Mpeg Splitter (Gabest)" "Mpeg Splitter" "MPC-HC Team" "c:\program files\k-lite codec pack\filters\mpegsplitter.ax"
+ "MPC - MPEG4 Video Source" "MP4 Splitter" "MPC-HC Team" "c:\program files\k-lite codec pack\filters\mp4splitter.ax"
+ "MPC - MPEG4 Video Splitter" "MP4 Splitter" "MPC-HC Team" "c:\program files\k-lite codec pack\filters\mp4splitter.ax"
+ "MPC - RealAudio Decoder" "RealMedia Splitter" "MPC-HC Team" "c:\program files\k-lite codec pack\real\realmediasplitter.ax"
+ "MPC - RealMedia Source" "RealMedia Splitter" "MPC-HC Team" "c:\program files\k-lite codec pack\real\realmediasplitter.ax"
+ "MPC - RealMedia Splitter" "RealMedia Splitter" "MPC-HC Team" "c:\program files\k-lite codec pack\real\realmediasplitter.ax"
+ "MPC - RealVideo Decoder" "RealMedia Splitter" "MPC-HC Team" "c:\program files\k-lite codec pack\real\realmediasplitter.ax"
+ "MPEG Layer-3 Decoder" "MPEG Layer-3 Audio Decoder" "Fraunhofer Institut Integrierte Schaltungen IIS" "c:\windows\system32\l3codecx.ax"
+ "Record Queue" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "ShotDetect" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "Stetch" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WavPack Audio Decoder" "WavPack Audio DirectShow Decoder" "-" "c:\program files\k-lite codec pack\filters\wavpackdsdecoder.ax"
+ "WavPack Audio Splitter" "WavPack Audio DirectShow Splitter" "-" "c:\program files\k-lite codec pack\filters\wavpackdssplitter.ax"
+ "WebM VP8 Decoder Filter" "WebM VP8 Decoder Filter" "Google" "c:\program files\k-lite codec pack\filters\vp8decoder.dll"
+ "WIA Stream Snapshot Filter" "WIA Stream Snapshot Filter" "MyCompanyName" "c:\windows\system32\wiasf.ax"
+ "WM VIH2 Fix" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Audio Analyzer" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Black Frame Generator" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT DirectX Transform Wrapper" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT DV Extract Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT FormatConversion" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Import Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Interlacer" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Log Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT MuxDeMux Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Sample Info Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Screen capture Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Switch Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Virtual Renderer" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Virtual Source" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Volume" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "" "" ""
+ "AtiExtEvent" "ATI External Event Utility DLL Module" "ATI Technologies Inc." "c:\windows\system32\ati2evxx.dll"
+ "temsvw32" "" "" "c:\windows\system32\temsvw32.dll"
+ "termfsvses" "" "" "c:\windows\system32\temsvw32.dll"
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" "" "" ""
+ "PCL hpz3l5ha" "LanguageMonitor" "Hewlett-Packard Company" "c:\windows\system32\hpz3l5ha.dll"
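The text export cryptodan asked for (File > Save, file type Text) has a simple shape that is visible in the log above: a quoted location header such as `"Task Scheduler" "" "" ""`, followed by `+ `-prefixed entries whose four quoted fields are name, description, publisher and image path. As an added example that is not part of this thread and not Sysinternals code, the Python script below parses that format and applies a few triage heuristics a responder would use while reading such a log: entries whose target is missing, executables living under the Fonts directory, anything launched from a temp directory, undescribed and unsigned binaries in logon or service locations, and publisher strings with stray whitespace. The sample input is a handful of lines copied verbatim from the posted export; the heuristic list and the `PRIVILEGED_LOCATIONS` set are this example's own assumptions, and a hit means "verify this file and its signature", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied verbatim from the Autoruns
# text export posted above (location header lines, then "+ " entry lines).
SAMPLE_EXPORT = r'''"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "SUPERAntiSpyware" "SUPERAntiSpyware Application" "SUPERAntiSpyware.com" "c:\documents and settings\owner\local settings\temp\sas_selfextract\program.com"
"Task Scheduler" "" "" ""
+ "At1.job" "" "" "File not found: C:\WINDOWS\Fonts\p3l80.com"
+ "MP Scheduled Scan.job" "Microsoft Malware Protection Command Line Utility" "Microsoft Corporation" "c:\program files\microsoft security client\antimalware\mpcmdrun.exe"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "TermServices" "Manages and control Remote. If this service is stopped, Remote Assistance will be unavailable." "Intel Corporation " "c:\windows\system32\terdsw32.dll"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "" "" ""
+ "AtiExtEvent" "ATI External Event Utility DLL Module" "ATI Technologies Inc." "c:\windows\system32\ati2evxx.dll"
+ "temsvw32" "" "" "c:\windows\system32\temsvw32.dll"
'''

# Each record is a run of double-quoted fields separated by spaces.
FIELD_RE = re.compile(r'"([^"]*)"')

# Autostart locations where an undescribed, publisher-less binary deserves a second
# look because it runs at logon or as a service. Assumed list chosen for this example.
PRIVILEGED_LOCATIONS = (r"winlogon\notify", r"currentcontrolset\services", "task scheduler")


@dataclass
class Entry:
    location: str      # header the entry sits under (registry key or "Task Scheduler")
    name: str
    description: str
    publisher: str
    image_path: str


def parse_autoruns_text(text):
    """Parse the Autoruns 'Save as Text' export into Entry records."""
    entries = []
    location = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_entry = line.startswith("+ ")
        fields = FIELD_RE.findall(line[2:] if is_entry else line)
        if len(fields) < 4:
            continue  # not a well-formed record; skip rather than guess
        if not is_entry:
            location = fields[0]  # a header line names the autostart location
            continue
        name, description, publisher, image_path = fields[:4]
        entries.append(Entry(location, name, description, publisher, image_path))
    return entries


def triage(entries):
    """Return [(entry, [reasons])] for entries worth a human's attention.

    Review heuristics only: a hit means 'verify the file and its signature'.
    """
    findings = []
    for e in entries:
        reasons = []
        path = e.image_path.lower()
        missing = path.startswith("file not found:")
        if missing:
            reasons.append("target missing (orphaned entry)")
        if re.search(r"\\fonts\\[^\\]+\.(com|exe|dll|scr)$", path):
            reasons.append("executable in Fonts directory")
        if "\\temp\\" in path:
            reasons.append("runs from a temp directory")
        in_privileged = any(loc in e.location.lower() for loc in PRIVILEGED_LOCATIONS)
        if in_privileged and not missing and not e.publisher.strip() and not e.description.strip():
            reasons.append("no publisher/description in a privileged autostart location")
        if e.publisher and e.publisher != e.publisher.strip():
            reasons.append("publisher string has stray whitespace; verify the signature")
        if reasons:
            findings.append((e, reasons))
    return findings


def group_missing_targets(findings):
    """Count orphaned entries per target, so dozens of At*.job tasks that all point
    at the same missing file collapse into one line."""
    counts = {}
    for e, reasons in findings:
        if "target missing (orphaned entry)" in reasons:
            target = e.image_path.split(":", 1)[1].strip()
            counts[target] = counts.get(target, 0) + 1
    return counts


if __name__ == "__main__":
    for e, reasons in triage(parse_autoruns_text(SAMPLE_EXPORT)):
        print(f"{e.location} :: {e.name} -> {e.image_path}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the full export above, `group_missing_targets` reports the 35 `At*.job` tasks as a single target, and the Winlogon Notify entries without a publisher or description are listed for signature verification alongside the legitimate, vendor-signed neighbours that the heuristics leave alone.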

#12 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:03:49 PM

Posted 13 August 2011 - 02:24 PM

Please follow the instructions in the Malware Removal and Log Section Preparation Guide.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

Most importantly please be patient till you get a reply to your topic.

#13 Catimmiptwax

Catimmiptwax
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 13 August 2011 - 03:10 PM

http://www.bleepingcomputer.com/forums/topic414261.html

Above is the link to the new thread in the other forum.

Thank you for your assistance :) And I will try to be patient.. ;)

#14 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,062 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:49 AM

Posted 13 August 2011 - 03:15 PM

Hello,

Now for the hard and frustrating part: waiting.

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.
