Computer infected by google redirect virus.


This topic is locked
18 replies to this topic

#1 True_Computer_Rookie (Members, 11 posts)

Posted 14 August 2011 - 06:41 AM

Hi admins, I did not use firewalls or anti-virus programs for gaming purposes, and so I think my computer was infected when I tried to go online streaming and clicked into some random sites. Since yesterday, whenever I search for anything on Google, it takes me to some totally different sites.

I tried to solve this problem by following the steps in other topics, and probably this made things worse, as my situation may not be the same.

After trying to use some programs like TDC, ComboFix, SDFix and Malwarebytes, I found that sometimes when I try to run an anti-malware program it shuts down automatically, and when I try to open it again it says 'Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.' This happens with HiJackThis as well, so I cannot produce a log with it at the moment. What procedures can I take to clean up my computer, please?

Edited by True_Computer_Rookie, 14 August 2011 - 09:28 AM.



#2 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,917 posts, Romania)

Posted 19 August 2011 - 04:21 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


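As an added example, not part of any post in this thread and not a BleepingComputer or DDS tool: a small Python triage script for the kind of DDS log Elise asks for. It splits the log on the `===` section banners and applies a few of the checks a helper makes by eye when reading one: a running executable whose path carries a second colon (an NTFS alternate data stream, which lets code hide inside another file), an executable sitting directly under C:\WINDOWS instead of a subfolder, BHO entries that end in "No File" (a registration whose DLL is gone), every Trusted Zone entry (sites IE runs with relaxed security), and a DHCP-assigned DNS server outside the RFC 1918 ranges. The sample log lines, the `WINDIR_ALLOWLIST` set and the assumption that a home router hands out a private DNS address are all constructed for this example; the output is a list for a human to review, not a verdict.

```python
import ipaddress
import re

# Constructed sample in the layout DDS emits (section banners, "." separators).
# These lines are made up for the example; they are not the log posted in this thread.
SAMPLE_DDS = """\
============== Running Processes ===============
.
C:\\WINDOWS\\886306369:3188272331.exe
C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java Plug-In SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\\program files\\java\\jre6\\bin\\jp2ssv.dll
Trusted Zone: streaming.example\\list1
TCP: Interfaces\\{C4A3B53E-0FCC-49A1-B183-3942EFE9A7BD} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\\{0A1B2C3D-0000-1111-2222-333344445555} : DhcpNameServer = 203.0.113.9
.
============= SERVICES / DRIVERS ===============
.
"""

BANNER = re.compile(r"^=+\s*(.+?)\s*=+$")
EXE_PATH = re.compile(r"^([A-Za-z]:\\.*?\.exe)(?:\s|$)", re.IGNORECASE)
DNS_LINE = re.compile(r"DhcpNameServer\s*=\s*([\d.]+)")

# Assumption for this example: the only executable expected directly in
# %WINDIR% on an XP box of this kind. Anything else at that depth gets a look.
WINDIR_ALLOWLIST = {"explorer.exe"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sections(text):
    """Split a DDS log into {section name: [lines]} using its === banners."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def is_rfc1918(ip):
    """True when the address is in one of the private (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def triage(text):
    """Return a list of (category, line) findings; a human still makes the call."""
    sections = parse_sections(text)
    findings = []

    for line in sections.get("Running Processes", []):
        m = EXE_PATH.match(line)
        if not m:
            continue
        path = m.group(1)
        # A second colon after the drive letter means an NTFS alternate data
        # stream: "C:\WINDOWS\<host>:<stream>.exe" runs code hidden on a file.
        if ":" in path[2:]:
            findings.append(("ads_executable", line))
        parts = path.lower().split("\\")
        # Executable sitting directly under C:\WINDOWS rather than a subfolder.
        if parts[:2] == ["c:", "windows"] and len(parts) == 3 \
                and parts[2] not in WINDIR_ALLOWLIST:
            findings.append(("exe_in_windows_root", line))

    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("BHO:") and line.endswith("- No File"):
            # Registered browser helper whose DLL is gone: an orphan entry.
            findings.append(("orphaned_bho", line))
        elif line.startswith("Trusted Zone:"):
            # Sites in IE's Trusted zone get relaxed security; review each one.
            findings.append(("trusted_zone", line))
        else:
            d = DNS_LINE.search(line)
            # Assumption: a home router hands out a private DNS address, so a
            # public one on a DHCP interface is worth checking for hijacking.
            if d and not is_rfc1918(d.group(1)):
                findings.append(("public_dns", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_DDS):
        print(f"{category:22} {line}")
```

Run it against a real DDS.txt by reading the file into `triage()` instead of `SAMPLE_DDS`; every hit is a line to look at, and the two process checks can fire on the same line, which is exactly the case worth reading first.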


#3 True_Computer_Rookie, Topic Starter (Members, 11 posts)

Posted 19 August 2011 - 01:42 PM

Thank you very much for helping.

Here is the log produced (DDS.txt):

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by robert at 19:28:40 on 2011-08-19
Microsoft Windows XP Professional 5.1.2600.3.950.852.1033.18.1023.467 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\886306369:3188272331.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\conime.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: ThunderAtOnce Class: {01443aec-0fd1-40fd-9c87-e93d1494c233} - c:\program files\thunder network\thunder\comdlls\TDAtOnce_Now.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: 迅雷下载支持: {889d2feb-5411-4565-8998-1dd2c5261283} - c:\program files\thunder network\thunder\bho\XunleiBHO7.1.4.2104.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Foxy ?U﹐u - c:\program files\foxy\Foxy.exe/download.htm
IE: Foxy ∑jíM - c:\program files\foxy\Foxy.exe/search.htm
IE: Foxy 下載 - c:\program files\foxy\Foxy.exe/download.htm
IE: Foxy 搜尋 - c:\program files\foxy\Foxy.exe/search.htm
IE: 使用迅雷下载 - c:\program files\thunder network\thunder\bho\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\thunder network\thunder\bho\GetAllUrl.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: mswsock.dll
Trusted Zone: 111222.cn\list1
Trusted Zone: pps.tv\kan
Trusted Zone: pps.tv\list1
Trusted Zone: pps.tv\tvguide
Trusted Zone: pps.tv\vodguide
Trusted Zone: ppstream.com\list1
Trusted Zone: ppstream.com\notice
Trusted Zone: ppstream.com\xml1
Trusted Zone: ppstream.com\xml2
Trusted Zone: ppstream.com\xml3
Trusted Zone: ppstream.net\list1
Trusted Zone: ppstv.com\list1
Trusted Zone: ppstv.net\list1
Trusted Zone: security_PPStream.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: Interfaces\{C4A3B53E-0FCC-49A1-B183-3942EFE9A7BD} : DhcpNameServer = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: schannel.dll, digest.dll
mASetup: {FC88681F-4735-4f2f-9514-C21BAC737CF8} - rundll32.exe advpack.dll,LaunchINFSection MU.inf,MUWeb.Install
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\robert\application data\mozilla\firefox\profiles\3lq90t99.default\
FF - plugin: c:\documents and settings\robert\application data\mozilla\firefox\profiles\3lq90t99.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\documents and settings\robert\application data\mozilla\firefox\profiles\3lq90t99.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\program files\common files\thunder network\kankan\npDapCtrlFirefox.2.0.5901.12.(831).dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBFPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\windows media player\np-mswmp.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2011-5-13 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2011-5-13 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2011-5-13 13616]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-14 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-14 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-7-21 2151640]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-4-15 146312]
S3 BTMCOM;Bluetooth Serial Port;c:\windows\system32\drivers\btmcom.sys --> c:\windows\system32\drivers\btmcom.sys [?]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2011-8-12 25088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 XLDoctor Services;XLDoctor Services;c:\program files\thunder network\thunder\program\DctSer.exe [2011-8-10 38704]
.
=============== Created Last 30 ================
.
2011-08-15 03:11:56 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-08-14 22:18:55 -------- d-----w- c:\program files\Tansee iPod Transfer
2011-08-14 15:31:22 388096 ----a-r- c:\documents and settings\robert\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-14 15:31:19 -------- d-----w- c:\program files\Trend Micro
2011-08-14 14:52:30 -------- d-----w- c:\documents and settings\robert\application data\BitDefender
2011-08-14 14:50:15 -------- d-----w- c:\program files\BitDefender
2011-08-14 14:50:15 -------- d-----w- c:\documents and settings\all users\application data\BitDefender
2011-08-14 14:46:36 -------- d-----w- c:\program files\common files\BitDefender
2011-08-14 14:30:07 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-14 14:25:58 -------- d-----w- c:\program files\Lavasoft
2011-08-14 13:48:56 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-14 13:48:56 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-14 13:40:38 709968 ----a-w- c:\windows\is-2KHTK.exe
2011-08-14 12:50:20 69632 ------w- c:\windows\system32\bcm41.tmp
2011-08-14 12:50:20 176128 ------w- c:\windows\system32\bcm42.tmp
2011-08-14 12:50:05 -------- d-----w- C:\SWSetup
2011-08-14 11:12:27 -------- d-s---w- C:\ComboFix
2011-08-14 01:56:05 -------- d-sha-r- C:\cmdcons
2011-08-14 01:54:52 98816 ----a-w- c:\windows\sed.exe
2011-08-14 01:54:52 518144 ----a-w- c:\windows\SWREG.exe
2011-08-14 01:54:52 256000 ----a-w- c:\windows\PEV.exe
2011-08-14 01:54:52 208896 ----a-w- c:\windows\MBR.exe
2011-08-14 01:45:04 -------- d-----w- c:\windows\system32\wbem\snmp
2011-08-14 01:45:03 -------- d-----w- c:\windows\system32\xircom
2011-08-14 01:39:35 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2011-08-14 01:37:58 -------- d-----w- c:\windows\ERUNT
2011-08-14 01:37:24 -------- d-----w- C:\SDFix
2011-08-14 01:25:13 -------- d--h--w- c:\windows\PIF
2011-08-13 23:23:05 -------- d-----w- c:\documents and settings\robert\application data\Malwarebytes
2011-08-13 23:23:00 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-13 23:22:59 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-13 23:22:56 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-13 23:22:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-13 21:01:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-13 21:01:14 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-08-13 20:51:53 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-08-13 20:51:44 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-08-13 15:08:57 -------- d-----w- c:\documents and settings\robert\local settings\application data\LogiShrd
2011-08-13 15:07:40 6756632 ----a-w- c:\windows\system32\drivers\lvuvc.sys
2011-08-13 15:07:40 539160 ----a-w- c:\windows\system32\LVUI2RC.dll
2011-08-13 15:07:40 539160 ----a-w- c:\windows\system32\LVUI2.dll
2011-08-13 15:07:40 416280 ----a-w- c:\windows\system32\lvcodec2.dll
2011-08-13 15:07:40 199192 ----a-w- c:\windows\system32\lvci12101110.dll
2011-08-13 15:07:31 34068 ----a-w- c:\windows\system32\Repository.reg
2011-08-13 15:07:30 266008 ----a-w- c:\windows\system32\drivers\lvrs.sys
2011-08-13 15:07:04 23832 ----a-w- c:\windows\system32\drivers\lvuvcflt.sys
2011-08-13 00:29:34 -------- d-----w- c:\documents and settings\all users\application data\Electronic Arts
2011-08-13 00:29:34 -------- d-----w- c:\documents and settings\all users\application data\EA Core
2011-08-13 00:13:12 -------- d-----w- c:\documents and settings\robert\local settings\application data\WMTools Downloaded Files
2011-08-12 23:33:21 608448 ----a-w- c:\windows\system32\comctl32.ocx
2011-08-12 23:33:11 -------- d-----w- c:\program files\Total Video Converter
2011-08-12 21:06:54 1671168 ----a-w- c:\windows\system32\W29MLRES.DLL
2011-08-12 21:05:27 74496 ----a-w- c:\windows\system32\drivers\Rtlnicxp.sys
2011-08-12 21:05:24 -------- d-----w- c:\windows\OPTIONS
2011-08-12 21:02:24 69632 ------w- c:\windows\system32\bcmwlD2K.EXE
2011-08-12 21:02:24 176128 ------w- c:\windows\system32\bcmwlu00.EXE
2011-08-12 21:02:21 376320 ------w- c:\windows\system32\drivers\BCMWL5.SYS
2011-08-12 20:42:18 -------- d-----w- c:\program files\EA SPORTS
2011-08-12 20:39:51 -------- d-----w- c:\documents and settings\all users\application data\Solidshield
2011-08-12 20:29:19 -------- d-----w- C:\cabs
2011-08-12 19:47:58 -------- d-----w- c:\program files\SystemRequirementsLab
2011-08-12 19:44:26 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
2011-08-12 01:39:11 -------- d-----w- c:\documents and settings\robert\application data\PPStream
2011-08-12 01:39:00 -------- d-----w- c:\program files\PPStream
2011-08-11 23:07:49 -------- d-----w- c:\documents and settings\robert\application data\Dropbox
2011-08-11 23:04:22 -------- d-----w- c:\documents and settings\robert\application data\TeamViewer
2011-08-11 23:03:41 25088 ----a-w- c:\windows\system32\drivers\teamviewervpn.sys
2011-08-11 23:03:32 -------- d-----w- c:\program files\TeamViewer
2011-08-11 11:46:36 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2011-08-11 11:46:31 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2011-08-11 11:46:28 16384 ----a-w- c:\windows\system32\ipsink.ax
2011-08-11 11:46:28 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2011-08-11 11:46:26 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2011-08-11 11:46:22 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2011-08-11 11:46:14 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2011-08-11 11:46:10 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2011-08-11 11:45:58 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2011-08-11 11:45:49 91136 ----a-w- c:\windows\system32\kswdmcap.ax
2011-08-11 11:45:49 61952 ----a-w- c:\windows\system32\kstvtune.ax
2011-08-11 11:45:49 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2011-08-11 11:45:49 43008 ----a-w- c:\windows\system32\ksxbar.ax
2011-08-11 11:45:49 28672 ----a-w- c:\windows\system32\vidcap.ax
2011-08-11 11:45:49 20992 ----a-w- c:\windows\system32\dshowext.ax
2011-08-11 11:45:49 121984 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2011-08-10 20:36:49 -------- d-----w- c:\program files\Veetle
2011-08-10 17:45:04 45056 ------w- c:\windows\system32\KmRemove.exe
2011-08-10 17:45:03 -------- d-----w- c:\program files\HP Wireless Keyboard
2011-08-10 17:44:49 6060 ----a-w- c:\windows\system32\SetupKey.exe
2011-08-10 17:44:49 4504 ----a-w- c:\windows\system32\Coinstal.dll
2011-08-10 17:43:26 221184 ----a-w- c:\windows\system32\UCI32M22.dll
2011-08-10 17:43:25 989312 ----a-w- c:\windows\system32\drivers\HSF_DPV.sys
2011-08-10 17:36:43 -------- d-----w- c:\program files\Uniblue
2011-08-10 17:36:43 -------- d-----w- c:\documents and settings\robert\application data\Uniblue
2011-08-10 17:36:43 -------- d-----w- c:\documents and settings\all users\application data\DriverScanner
2011-08-10 17:35:07 -------- dc-h--w- c:\documents and settings\all users\application data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2011-08-10 14:05:00 -------- d-----w- c:\program files\Gamania
2011-08-09 23:43:28 -------- d-----w- c:\documents and settings\all users\application data\TSLOG
2011-08-09 23:43:11 -------- d-----w- c:\documents and settings\all users\application data\Xunlei
2011-08-09 23:38:51 -------- d-----w- c:\documents and settings\robert\local settings\application data\Thunder Network
2011-08-09 23:12:09 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-09 23:11:54 105984 ------w- c:\windows\system32\dllcache\url.dll
2011-08-09 23:10:49 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-09 22:59:06 599552 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-08-09 22:58:41 178176 ------w- c:\windows\system32\dllcache\wintrust.dll
2011-08-09 18:29:57 14744 ----a-w- c:\documents and settings\robert\application data\microsoft\identitycrl\production\ppcrlconfig.dll
2011-08-09 18:09:36 -------- d-----w- c:\windows\system32\LogFiles
2011-08-09 17:20:36 -------- d-----w- c:\documents and settings\robert\application data\Lionhead Studios
2011-08-09 17:16:39 -------- d-----w- c:\windows\system32\appmgmt
2011-08-09 16:44:18 -------- d-----w- c:\program files\Microsoft Games
2011-08-09 11:42:31 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-08-09 11:34:23 -------- d-----w- c:\windows\pss
2011-08-08 20:31:48 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-08-08 20:31:48 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-08-08 20:31:47 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-08-08 20:04:20 -------- d-----w- c:\documents and settings\all users\Real
2011-08-08 20:04:13 163256 ----a-w- c:\program files\windows media player\np-mswmp.dll
2011-08-08 20:03:59 79664 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll
2011-08-08 20:03:47 -------- d-----w- c:\program files\common files\Thunder Network
2011-08-08 20:03:39 -------- d-----w- c:\documents and settings\all users\application data\Thunder Network
2011-08-08 20:03:17 -------- d-----w- c:\program files\Thunder Network
2011-08-08 20:01:42 -------- d-----w- c:\documents and settings\robert\application data\Foxy
2011-08-08 20:01:29 -------- d-----w- c:\documents and settings\robert\application data\Baidu
2011-08-08 20:00:59 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-08-08 18:29:55 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-08 18:29:52 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-08 18:29:52 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-08 18:29:52 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-08-08 18:29:52 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-08 18:29:52 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-08 18:29:52 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-08 18:29:52 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-08 18:29:52 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-08-08 18:29:52 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-08 18:14:52 -------- d-----w- c:\program files\Foxy
2011-08-08 15:38:21 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-08-08 15:36:45 -------- d-----w- c:\documents and settings\robert\application data\DAEMON Tools Lite
2011-08-08 15:36:40 -------- d-----w- c:\documents and settings\all users\application data\DAEMON Tools Lite
2011-08-08 15:35:20 -------- d-----w- c:\documents and settings\robert\local settings\application data\Apple
2011-08-08 15:33:13 -------- d-----w- c:\documents and settings\robert\local settings\application data\Apple Computer
2011-08-08 15:31:28 -------- d-----w- c:\program files\The KMPlayer
2011-08-08 15:31:06 -------- d-----w- c:\program files\SopCast
2011-08-08 15:30:19 -------- d-----w- c:\program files\iRotate
2011-08-08 15:30:10 -------- d-----w- c:\program files\FlashGet
2011-08-08 15:21:38 -------- d-----w- c:\documents and settings\robert\local settings\application data\Mozilla
2011-08-08 15:12:49 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-08-08 15:12:37 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-08-08 15:12:29 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-08-08 15:12:13 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-08-08 15:12:06 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-07-29 09:15:29 -------- d-----w- c:\documents and settings\robert\Tracing
2011-07-29 09:12:46 -------- d-----w- c:\program files\Microsoft
2011-07-29 09:12:24 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-07-29 09:08:56 -------- d-----w- c:\program files\common files\Windows Live
2011-07-29 09:07:07 -------- d-----w- c:\program files\CONEXANT
2011-07-29 09:05:27 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2011-07-29 09:05:24 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2011-07-29 09:05:21 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2011-07-29 09:05:19 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2011-07-29 09:05:16 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2011-07-29 09:05:13 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2011-07-29 09:05:11 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2011-07-29 09:05:09 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2011-07-29 09:05:07 7552 ----a-w- c:\windows\system32\drivers\MSKSSRV.sys
2011-07-29 09:05:05 -------- d-----w- c:\documents and settings\robert\local settings\application data\PCHealth
2011-07-29 09:05:04 4992 ----a-w- c:\windows\system32\drivers\MSPQM.sys
2011-07-29 09:05:02 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
2011-07-29 09:03:44 -------- d-sh--w- c:\documents and settings\robert\PrivacIE
2011-07-28 23:07:48 -------- d-----w- C:\94c0082d62e007b1aef62a9a9c
2011-07-28 23:06:49 -------- d-----w- c:\windows\ie8updates
2011-07-28 23:03:49 -------- d-----w- c:\documents and settings\robert\local settings\application data\ATI
2011-07-28 23:02:24 0 ----a-w- c:\windows\ativpsrm.bin
2011-07-28 22:52:42 -------- d-----w- c:\documents and settings\robert\application data\Intel
2011-07-28 22:52:22 2216064 ----a-r- c:\windows\system32\drivers\w29n51.sys
2011-07-28 22:52:18 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2011-07-28 22:52:18 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2011-07-28 22:51:51 -------- d-----w- c:\program files\common files\Intel
2011-07-28 22:46:39 53248 ----a-w- c:\windows\system32\CSVer.dll
2011-07-28 22:44:56 -------- d-----w- C:\Intel
2011-07-28 22:42:12 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-07-28 22:42:10 27136 ----a-w- c:\windows\system32\drivers\risdptsk.sys
2011-07-28 22:42:00 692224 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2011-07-28 22:42:00 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2011-07-28 22:42:00 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2011-07-28 22:42:00 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2011-07-28 22:42:00 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2011-07-28 22:42:00 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2011-07-28 22:41:59 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2011-07-28 22:41:40 307456 ----a-w- c:\windows\system32\drivers\rixdptsk.sys
2011-07-28 22:41:40 16480 ----a-w- c:\windows\system32\rixdicon.dll
2011-07-28 22:41:37 90112 ----a-w- c:\windows\system32\snymsico.dll
2011-07-28 22:41:37 51328 ----a-w- c:\windows\system32\drivers\rimsptsk.sys
2011-07-28 22:41:34 114688 ----a-w- c:\windows\system32\RicohMediadriverVer.dll
2011-07-28 22:33:23 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2011-07-28 22:33:23 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2011-07-28 22:33:23 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
2011-07-28 22:33:23 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2011-07-28 22:33:23 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2011-07-28 22:33:22 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2011-07-28 22:33:22 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2011-07-28 22:33:22 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2011-07-28 22:33:13 593920 ------w- c:\windows\system32\ati2sgag.exe
2011-07-28 22:32:50 -------- d-----w- c:\program files\ATI Technologies
2011-07-28 22:24:38 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-07-28 22:24:38 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-07-28 22:24:38 225280 ------w- c:\program files\common files\installshield\iscript\iscript.dll
2011-07-28 22:24:38 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2011-07-28 22:24:38 176128 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-07-28 22:24:13 -------- d-----w- C:\ATI
2011-07-28 22:14:56 -------- d-----w- c:\windows\ATK0100
2011-07-28 20:54:03 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2011-07-28 20:54:03 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2011-07-28 20:54:01 551936 ------w- c:\windows\system32\dllcache\oleaut32.dll
2011-07-28 20:54:00 151552 ------w- c:\windows\system32\dllcache\schannel.dll
2011-07-28 20:53:58 1858944 ------w- c:\windows\system32\dllcache\win32k.sys
2011-07-28 20:52:42 138496 ------w- c:\windows\system32\dllcache\afd.sys
2011-07-28 20:49:58 692736 ------w- c:\windows\system32\dllcache\inetcomm.dll
2011-07-28 20:49:43 758784 ------w- c:\windows\system32\dllcache\vgx.dll
2011-07-28 18:02:29 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-28 18:01:18 26488 ----a-w- c:\windows\system32\spupdsvc.exe
.
==================== Find3M ====================
.
2011-08-14 16:59:32 146312 ----a-w- c:\windows\system32\drivers\bdfm.sys
2011-08-08 20:01:16 443448 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-07-28 17:47:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:33:49 919552 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:33:49 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:33:49 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:19:29 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 19:33:48.21 ===============


And this is another log (Attach.txt):

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 28/7/2011 18:49:08
System Uptime: 19/8/2011 19:20:15 (0 hours ago)
.
Motherboard: Hewlett-Packard | | 30AF
Processor: Intel® Pentium® M processor 1.86GHz | Socket 478 | 1862/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 19 GiB total, 2.623 GiB free.
D: is CDROM (CDFS)
E: is FIXED (FAT32) - 233 GiB total, 20.785 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: USB Device
Device ID: USB\VID_0B05&PID_1712\0194E8-5B-0002
Manufacturer:
Name: USB Device
PNP Device ID: USB\VID_0B05&PID_1712\0194E8-5B-0002
Service:
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless 2200BG Network Connection
Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_12F6103C&REV_05\4&F971712&0&28F0
Manufacturer: Intel Corporation
Name: Intel® PRO/Wireless 2200BG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_12F6103C&REV_05\4&F971712&0&28F0
Service: w29n51
.
==== System Restore Points ===================
.
RP85: 17/8/2011 18:48:55 - System Checkpoint
RP86: 19/8/2011 17:11:59 - System Checkpoint
.
==== Installed Programs ======================
.
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
ATI - 璃迠婥妗蚚最唗
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
ATI 控制台
ATK0100 ACPI UTILITY
beanfun!
BitDefender Free Edition 2009
Broadcom 802.11 Wireless LAN Adapter
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
DAEMON Tools Lite
Dropbox
EA Installer
Fable III
FIFA MANAGER 11
FlashGet 1.9.4.1063
Foxy v1.9.9
HDAUDIO Soft Data Fax Modem with SmartCP
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB938759)
Hotfix for Windows XP (KB971276-v3)
Hotfix for Windows XP (KB976002-v5)
HP Wireless Keyboard Driver V1.7 (2.0.W-127AU MUL)
Intel PROSet Wireless
Intel® PROSet/Wireless WiFi Software
iRotate
Java Auto Updater
Java™ 6 Update 26
Logitech Vid HD
Logitech Webcam Software
Logitech Webcam Software Driver Package
mabinogi
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft AppLocale
Microsoft Choice Guard
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Windows Application Compatibility Database
Mozilla Firefox 6.0 (x86 zh-TW)
MSVCRT
NVIDIA Drivers
Octoshape add-in for Adobe Flash Player
PPStream V2.7.0.1132 Final
REALTEK Gigabit and Fast Ethernet NIC Driver
RICOH Media Driver
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB978601)
Segoe UI
Skins
SopCast 3.0.3
SoundMAX
Spybot - Search & Destroy
System Requirements Lab
The KMPlayer (remove only)
Total Video Converter 3.50
Uniblue DriverScanner 2009
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2541763)
Update for Windows XP (KB961503)
Veetle TV
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live Upload Tool
Windows Live Writer
WinRAR 壓縮工具
Yahoo! Detect
千千靜聽 5.6Beta3
迅雷7
迅雷看看播放器
.
==== Event Viewer Messages From Past Week ========
.
19/8/2011 18:21:55, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.100 with the system having network hardware address 7C:C5:37:87:04:98. Network operations on this system may be disrupted as a result.
19/8/2011 14:20:53, error: Dhcp [1002] - The IP address lease 192.168.0.102 for the Network Card with network address 00156030154C has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
18/8/2011 13:27:43, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
18/8/2011 13:27:04, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
18/8/2011 13:25:35, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: Access is denied.
18/8/2011 13:25:35, error: Service Control Manager [7000] - The BitDefender Virus Shield service failed to start due to the following error: Access is denied.
17/8/2011 23:05:14, error: Service Control Manager [7034] - The Intel® PROSet/Wireless WiFi Service service terminated unexpectedly. It has done this 1 time(s).
17/8/2011 23:04:55, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
17/8/2011 23:04:49, error: Service Control Manager [7034] - The BitDefender Desktop Update Service service terminated unexpectedly. It has done this 1 time(s).
17/8/2011 23:04:44, error: Service Control Manager [7034] - The Intel® PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
17/8/2011 23:04:43, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
16/8/2011 3:11:14, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
16/8/2011 23:08:19, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
15/8/2011 23:11:59, error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
15/8/2011 17:53:19, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
15/8/2011 17:53:12, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
15/8/2011 17:53:10, error: Service Control Manager [7034] - The Intel® PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================

After running DDS, I am going to install iTunes; will it affect the log report? If so, do I need to run the program again, please?

Thanks again for helping me! :lol:

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,917 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:14 AM

Posted 19 August 2011 - 02:21 PM

Please refrain from installing iTunes or any other application (if you already did, leave it like it is now). You have a serious rootkit infection, part of which removes permissions on files, which can cause different errors.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 True_Computer_Rookie

True_Computer_Rookie
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:14 AM

Posted 19 August 2011 - 09:01 PM

I am currently out of my home town, and so I have decided to reformat my computer when I go back, but before that can happen I would need to use this computer for the remaining time, so could you please still help me?

I tried to run ComboFix; it started to run, with a window with a black background and green text, and then shut down automatically. When I tried to open it again, it showed that sentence: 'windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.'

Fortunately, as soon as I knew my computer was infected, I stopped using it for online purchasing or anything of this sort.

Please advise me with further directions.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,917 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:14 AM

Posted 20 August 2011 - 03:20 AM

Try to run the following. If it doesn't run the first time, do not try to run it again, as you'll get Access Denied there as well.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise




#7 True_Computer_Rookie

True_Computer_Rookie
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:14 AM

Posted 20 August 2011 - 04:32 AM

I tried to run it and it worked initially, but after some twenty seconds, when the scan was still going on, the scan window shut down like ComboFix did. Then I renamed the file as you told me to; it had the same result.

As I can see, any types of scan seem to be blocked automatically when I try to run them...

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,917 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:14 AM

Posted 20 August 2011 - 04:47 AM

Hi again, let's restore a few file permissions first.


We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

regards, Elise




#9 True_Computer_Rookie

True_Computer_Rookie
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:14 AM

Posted 20 August 2011 - 10:54 AM

Bravo! Finally a log can be produced; it is as follows:


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


..
Failed to open \\?\c:\\ComboFix\pev.cfxxe: Access is denied.



Failed to open \\?\c:\\ComboFix\PV.cfxxe: Access is denied.


.

...

...
Failed to open \\?\c:\\Documents and Settings\robert\Desktop\4jbqz2i7.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\robert\Desktop\ComboFix.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\robert\Desktop\tbvf.com: Access is denied.



Failed to open \\?\c:\\Documents and Settings\robert\Desktop\wjrsb8l3.exe: Access is denied.




...

.
Failed to open \\?\c:\\Program Files\BitDefender\BitDefender 2009\uiscan.exe: Access is denied.



Failed to open \\?\c:\\Program Files\BitDefender\BitDefender 2009\vsserv.exe: Access is denied.


..

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\Program Files\Lavasoft\Ad-Aware\AAWService.exe: Access is denied.


.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.


.

...

.
Failed to open \\?\c:\\Program Files\Trend Micro\HiJackThis\HiJackThis.exe: Access is denied.


..

...


Failed to open \\?\c:\\WINDOWS\$NtUninstallKB27965$: Access is denied.


..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790


Failed to open \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini: Access is denied.


\\?\c:\\WINDOWS\assembly\GAC_MSIL\CCC\2.0.0.0__90ba9c70f846762e: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_CCC_90ba9c70f846762e_2.0.0.0_x-ww_c7ed2bb0
Substitute Name: C:\WINDOWS\WinSxS\MSIL_CCC_90ba9c70f846762e_2.0.0.0_x-ww_c7ed2bb0

\\?\c:\\WINDOWS\assembly\GAC_MSIL\CLI\2.0.0.0__90ba9c70f846762e: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_CLI_90ba9c70f846762e_2.0.0.0_x-ww_42656733
Substitute Name: C:\WINDOWS\WinSxS\MSIL_CLI_90ba9c70f846762e_2.0.0.0_x-ww_42656733

.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

\\?\c:\\WINDOWS\assembly\GAC_MSIL\LOG\2.0.3343.28329__90ba9c70f846762e: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_LOG_90ba9c70f846762e_2.0.3343.28329_x-ww_2d908276
Substitute Name: C:\WINDOWS\WinSxS\MSIL_LOG_90ba9c70f846762e_2.0.3343.28329_x-ww_2d908276

\\?\c:\\WINDOWS\assembly\GAC_MSIL\MOM\2.0.0.0__90ba9c70f846762e: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_MOM_90ba9c70f846762e_2.0.0.0_x-ww_a60193a8
Substitute Name: C:\WINDOWS\WinSxS\MSIL_MOM_90ba9c70f846762e_2.0.0.0_x-ww_a60193a8



...

...\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492



...

...

...

..

Thank you for taking time to help me again!

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,917 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:14 AM

Posted 20 August 2011 - 11:20 AM

Hi again, please restart your computer in safe mode, and do the following fix. Immediately afterwards, click Start > Run, type combofix /killall and press enter.

Please download GrantPerms.zip and save it to your desktop.
Unzip the file and, depending on the system, run GrantPerms.exe or GrantPerms64.exe.
Copy and paste the following in the edit box:

c:\ComboFix\pev.cfxxe
c:\ComboFix\PV.cfxxe
c:\Documents and Settings\robert\Desktop\4jbqz2i7.exe
c:\Documents and Settings\robert\Desktop\ComboFix.exe
c:\Documents and Settings\robert\Desktop\tbvf.com
c:\Documents and Settings\robert\Desktop\wjrsb8l3.exe
c:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
c:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
c:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

regards, Elise


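As an added example (not code from this thread, nor from the Junction or GrantPerms tools), the following Python script does mechanically what was done by hand between the two posts above: it pulls the access-denied executables out of a "junction -s" log into the list GrantPerms expects, then reads a Perms.txt back to confirm that BUILTIN\Users regained read/execute on each one. The Junction excerpt is taken from the log posted above; the Perms.txt sample is constructed, with a still-denied mbam.exe entry to show the case where the unlock did not take.

```python
import re
from typing import Dict, List, Tuple

# Junction reports each path it could not open as "Failed to open <path>: <reason>."
FAILED_RE = re.compile(r"^Failed to open (?P<path>.+?): (?P<reason>.+?)\.?$")
# One GrantPerms DACL entry, e.g. "BUILTIN\Users READ/EXECUTE ALLOW (NI)".
ACE_RE = re.compile(r"^(?P<trustee>.+?) (?P<rights>[A-Z/]+) (?P<kind>ALLOW|DENY)(?: \([A-Z,]+\))?$")
# Only the locked tool executables are listed; "System Volume Information" and similar are denied by design.
UNLOCK_EXTENSIONS = (".exe", ".com", ".cfxxe")
Ace = Tuple[str, str, str]  # (trustee, rights, ALLOW|DENY)


def normalize_path(raw: str) -> str:
    """Drop the \\?\ extended-length prefix and the doubled root backslash Junction prints."""
    if raw.startswith("\\\\?\\"):
        raw = raw[4:]
    return re.sub(r"^([A-Za-z]:)\\+", r"\1\\", raw)


def unlock_list(junction_log: str) -> List[str]:
    """Return the access-denied executables from a 'junction -s' log in GrantPerms input form."""
    paths: List[str] = []
    for line in junction_log.splitlines():
        m = FAILED_RE.match(line.strip().lstrip("."))  # leading dots are Junction's progress marks
        if not m or m.group("reason") != "Access is denied":
            continue  # e.g. pagefile.sys is merely in use, not a permission problem
        path = normalize_path(m.group("path"))
        if path.lower().endswith(UNLOCK_EXTENSIONS):
            paths.append(path)
    return paths


def parse_perms(perms_txt: str) -> Dict[str, List[Ace]]:
    """Map each path in a GrantPerms Perms.txt to its DACL entries."""
    entries: Dict[str, List[Ace]] = {}
    current = None
    for line in perms_txt.splitlines():
        line = line.strip()
        if line.startswith("\\\\?\\"):  # a path line starts a new block
            current = normalize_path(line)
            entries[current] = []
        elif current is not None and (m := ACE_RE.match(line)):
            entries[current].append((m.group("trustee"), m.group("rights"), m.group("kind")))
    return entries


def still_locked(perms: Dict[str, List[Ace]], paths: List[str]) -> List[str]:
    """Unlock-list paths not yet confirmed usable: absent from Perms.txt, denied, or not readable."""
    def usable(aces: List[Ace]) -> bool:
        # a DENY entry for Users/Everyone wins over any ALLOW; otherwise Users needs read/execute
        return (not any(t in ("BUILTIN\\Users", "Everyone") and k == "DENY" for t, _, k in aces)
                and any(t == "BUILTIN\\Users" and k == "ALLOW" and r in ("READ/EXECUTE", "FULL")
                        for t, r, k in aces))
    return [p for p in paths if not usable(perms.get(p, []))]


# Excerpt of the Junction log posted above, as the tool prints it.
JUNCTION_LOG = r"""
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
Failed to open \\?\c:\\ComboFix\pev.cfxxe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\robert\Desktop\ComboFix.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\robert\Desktop\tbvf.com: Access is denied.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
Failed to open \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini: Access is denied.
"""
# Constructed Perms.txt: pev.cfxxe unlocked as in the posted output; mbam.exe still carries a DENY entry.
PERMS_TXT = r"""
\\?\c:\ComboFix\pev.cfxxe
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
BUILTIN\Users FULL DENY (NI)
"""

if __name__ == "__main__":
    to_unlock = unlock_list(JUNCTION_LOG)
    print("\n".join(to_unlock))  # paste this into the GrantPerms edit box
    print("still locked:", still_locked(parse_perms(PERMS_TXT), to_unlock))
```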


#11 True_Computer_Rookie

True_Computer_Rookie
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:14 AM

Posted 20 August 2011 - 11:31 AM

GrantPerms by Farbar
Ran by Administrator at 2011-08-20 17:28:43

===============================================
\\?\c:\ComboFix\pev.cfxxe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\ComboFix\PV.cfxxe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\robert\Desktop\4jbqz2i7.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\robert\Desktop\ComboFix.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\robert\Desktop\tbvf.com

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\robert\Desktop\wjrsb8l3.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\BitDefender\BitDefender 2009\uiscan.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,917 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:14 AM

Posted 20 August 2011 - 11:50 AM

Please run combofix now as instructed in my last post.

regards, Elise




#13 True_Computer_Rookie

True_Computer_Rookie
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:14 AM

Posted 20 August 2011 - 11:58 AM

I have run that in safe mode after unlocking those programs, and I am not quite sure if it ran successfully, as the window closed when the green status bar was up to about 3/4. After the restart, the computer became slower, but some of the anti-virus programs started to run again.

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,917 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:14 AM

Posted 20 August 2011 - 12:09 PM

Please rename combofix to random.exe (right click > rename). Try to run it again. If it doesn't run, rerun the GrantPerms script, this will restore the file access.

regards, Elise




#15 True_Computer_Rookie

True_Computer_Rookie
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:14 AM

Posted 20 August 2011 - 01:33 PM

The same thing happens again and again. I entered safe mode, renamed ComboFix and tried to run it; when the green status bar went up to about 50%, it stopped working and got restricted again.



