
System Fix and DDS Rootkit bundle


This topic is locked
18 replies to this topic

#1 dopefish2112

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:42 AM

Posted 28 November 2011 - 11:58 PM

So it was my birthday a few days ago and someone was kind enough to give me this nice shiny virus. Thanks! However I have decided that I can't accept such a fine gift and need help finding a new home for it. OK, all jokes aside, this virus combo is being a real bleep and I can't get rid of it. I screwed around and got Rkill to run, however I can tell that whatever processes it kills seems to be causing some bit of malicious code to open more processes. No matter how many times I run Rkill it keeps finding things to close. I do get some improvement in the system when I run it, like access to the task manager, however every time I boot the system and System Fix pops up again, I run Rkill and all my taskbar settings are reset and all files are set to hidden again. Ok, so ran Rkill with that level of success. Reinstalled the DSS tool a few times and eventually it removed 5 items. Then ran Malwarebytes, full scan, every hard drive. It keeps coming up with 2 last bits of malware that I have to reboot to remove according to the log. When I reboot, bam, System Fix comes up and the process starts all over. I have heard a rumor that the code may have flashed itself into my BIOS and is being loaded from there upon boot up. Here is my log. Running Win7 64 so only post and attached logs.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
Run by Chandler at 20:43:34 on 2011-11-28
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.867 [GMT -8:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
H:\Windows\system32\wininit.exe
H:\Windows\system32\lsm.exe
H:\Windows\system32\svchost.exe -k DcomLaunch
H:\Windows\system32\svchost.exe -k RPCSS
H:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
H:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
H:\Windows\system32\svchost.exe -k netsvcs
H:\Windows\system32\svchost.exe -k LocalService
H:\Windows\system32\svchost.exe -k NetworkService
H:\Windows\System32\spoolsv.exe
H:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
H:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
H:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
H:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe
H:\Windows\system32\conhost.exe
H:\Windows\system32\taskhost.exe
H:\Windows\system32\Dwm.exe
H:\Windows\system32\svchost.exe -k imgsvc
H:\Program Files\DivX\DivX Update\DivXUpdate.exe
H:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
H:\Program Files\Common Files\Java\Java Update\jusched.exe
H:\Program Files\AIM\aim.exe
H:\Windows\system32\SearchIndexer.exe
H:\Windows\System32\spool\drivers\w32x86\3\E_FATIEQA.EXE
H:\Windows\System32\spool\drivers\w32x86\3\E_FATIEFA.EXE
H:\Program Files\Windows Media Player\wmpnetwk.exe
H:\Windows\system32\SearchProtocolHost.exe
H:\Windows\System32\svchost.exe -k LocalServicePeerNet
H:\Windows\System32\svchost.exe -k secsvcs
H:\Windows\system32\wuauclt.exe
H:\Program Files\Common Files\Java\Java Update\jucheck.exe
H:\Windows\explorer.exe
H:\Windows\system32\notepad.exe
H:\Windows\helppane.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Mozilla Firefox\plugin-container.exe
H:\Windows\explorer.exe
H:\Windows\system32\SearchFilterHost.exe
H:\Windows\system32\conhost.exe
H:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\program files\vuze_remote\tbVuze.dll
mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\program files\vuze_remote\tbVuze.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - h:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - h:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\program files\vuze_remote\tbVuze.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - h:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - h:\program files\vuze_remote\tbVuze.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Aim] "h:\program files\aim\aim.exe" /d locale=en-US
uRun: [EPSON WorkForce 500 Series] h:\windows\system32\spool\drivers\w32x86\3\e_fatieqa.exe /fu "h:\windows\temp\E_SD809.tmp" /EF "HKCU"
uRun: [EPSON Stylus NX200 Series] h:\windows\system32\spool\drivers\w32x86\3\e_fatiefa.exe /fu "h:\windows\temp\E_SDF39.tmp" /EF "HKCU"
uRun: [PeerGuardian] h:\program files\peerguardian2\pg2.exe
uRun: [Pando Media Booster] h:\program files\pando networks\media booster\PMB.exe
mRun: [DivXUpdate] "h:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "h:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "h:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "h:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "h:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [dSPEfJqNGav.exe] h:\programdata\dSPEfJqNGav.exe
StartupFolder: h:\users\chandler\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - h:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Google Sidewiki... - h:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CE7E9319-FC3C-43A4-863A-52EEFD8A1386} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CE7E9319-FC3C-43A4-863A-52EEFD8A1386}\C696E6B6379737 : DhcpNameServer = 192.168.1.1
.
================= FIREFOX ===================
.
FF - ProfilePath - h:\users\chandler\appdata\roaming\mozilla\firefox\profiles\e5sa3l73.default\
FF - plugin: h:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: h:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: h:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: h:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: h:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: h:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: h:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: h:\program files\pando networks\media booster\npPandoWebPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R2 RosettaStoneLtdController;RosettaStoneLtdController;h:\program files\rosettastoneltdservices\RosettaStoneLtdController.exe [2008-9-16 352312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;h:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
.
=============== Created Last 30 ================
.
2011-11-28 08:26:23 353024 ---ha-w- h:\programdata\CkDtVto0FJ89Ue.exe
2011-11-28 05:21:12 22216 ---ha-w- h:\windows\system32\drivers\mbam.sys
2011-11-28 05:21:12 -------- d--h--w- h:\program files\Malwarebytes' Anti-Malware
2011-11-28 04:40:51 -------- d--h--w- h:\windows\PIF
2011-11-28 02:20:57 -------- d--h--w- h:\users\chandler\appdata\roaming\Malwarebytes
2011-11-28 02:20:52 -------- d--h--w- h:\programdata\Malwarebytes
2011-11-28 02:11:43 445184 ---ha-w- h:\programdata\dSPEfJqNGav.exe
2011-11-16 01:00:25 2106216 ---ha-w- h:\program files\mozilla firefox\D3DCompiler_43.dll
2011-11-16 01:00:25 1998168 ---ha-w- h:\program files\mozilla firefox\d3dx9_43.dll
2011-11-11 06:25:33 -------- d--h--w- h:\users\chandler\appdata\local\Skyrim
2011-11-11 06:25:22 74072 ---ha-w- h:\windows\system32\XAPOFX1_4.dll
2011-11-11 06:25:22 528216 ---ha-w- h:\windows\system32\XAudio2_6.dll
2011-11-11 06:25:21 238936 ---ha-w- h:\windows\system32\xactengine3_6.dll
2011-11-11 06:25:21 22360 ---ha-w- h:\windows\system32\X3DAudio1_7.dll
2011-11-11 06:25:17 452440 ---ha-w- h:\windows\system32\d3dx10_40.dll
2011-11-11 06:25:17 2036576 ---ha-w- h:\windows\system32\D3DCompiler_40.dll
2011-11-11 06:25:16 4379984 ---ha-w- h:\windows\system32\D3DX9_40.dll
.
==================== Find3M ====================
.
2011-11-05 00:37:32 414368 ---ha-w- h:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 20:44:03.47 ===============
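As an added example (not part of this thread and not code from the DDS tool), here is a small Python triage script for the "Pseudo HJT Report" and "Created Last 30" sections of a DDS log like the one above. It flags what a responder would look at first: a startup entry whose executable lives in ProgramData under a random-looking name, the UAC policy values set to 0, and recently created executables in drop folders. The sample lines are copied from the log above; the folder list and the name heuristic are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the DDS log posted above, with a few
# legitimate entries kept so the filter has something to ignore.
SAMPLE_DDS = r"""
uRun: [Aim] "h:\program files\aim\aim.exe" /d locale=en-US
uRun: [PeerGuardian] h:\program files\peerguardian2\pg2.exe
mRun: [DivXUpdate] "h:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "h:\program files\quicktime\QTTask.exe" -atboottime
mRun: [dSPEfJqNGav.exe] h:\programdata\dSPEfJqNGav.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
2011-11-28 08:26:23 353024 ---ha-w- h:\programdata\CkDtVto0FJ89Ue.exe
2011-11-28 05:21:12 22216 ---ha-w- h:\windows\system32\drivers\mbam.sys
2011-11-28 02:11:43 445184 ---ha-w- h:\programdata\dSPEfJqNGav.exe
2011-11-16 01:00:25 2106216 ---ha-w- h:\program files\mozilla firefox\D3DCompiler_43.dll
"""

# User-writable drop folders where no installer places a startup executable
# (heuristic chosen for this example, not a DDS rule).
SUSPECT_DIRS = ("\\programdata\\", "\\windows\\temp\\", "\\appdata\\local\\temp\\")

# UAC policy values as DDS prints them. Windows 7 defaults are EnableLUA=1,
# ConsentPromptBehaviorAdmin=5 and PromptOnSecureDesktop=1; 0 disables each.
WEAK_UAC = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}

RUN_RE = re.compile(r"^([um])Run: \[([^\]]+)\]\s+(.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+) \(0x[0-9a-fA-F]+\)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(\d+|-+)\s+(\S+)\s+(.+)$")


def image_path(command: str) -> str:
    """Return the executable path of a Run value: the quoted part, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Heuristic: many upper/lower-case flips in the base name (dSPEfJqNGav has 6)."""
    stem = name.rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return len(stem) >= 8 and flips >= 4


def in_suspect_dir(path: str) -> bool:
    return any(d in path.lower() for d in SUSPECT_DIRS)


def triage(dds_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for autorun, UAC-policy and created-file lines."""
    findings: List[Tuple[str, str]] = []
    for line in dds_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            path = image_path(command)
            base = path.rsplit("\\", 1)[-1]
            if in_suspect_dir(path) or looks_random(base):
                findings.append(("autorun", f"{hive}Run [{name}] -> {path}"))
            continue
        m = POLICY_RE.match(line)
        if m and WEAK_UAC.get(m.group(1)) == m.group(2):
            findings.append(("uac", f"{m.group(1)} = {m.group(2)}"))
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group(3)
            if path.lower().endswith(".exe") and in_suspect_dir(path):
                findings.append(("dropped", path))
    return findings


def sample_findings() -> List[Tuple[str, str]]:
    return triage(SAMPLE_DDS)


if __name__ == "__main__":
    for category, detail in sample_findings():
        print(f"[{category:7}] {detail}")
```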

#2 dopefish2112

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:42 AM

Posted 29 November 2011 - 12:21 AM

Saw that you don't want attached logs. Here is the other log.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume3
Install Date: 1/17/2010 2:37:44 PM
System Uptime: 11/28/2011 8:09:47 PM (0 hours ago)
.
Motherboard: ECS | | GF7050VT-M
Processor: Intel® Core™2 Duo CPU E4500 @ 2.20GHz | CPU 1 | 2203/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 60 GiB total, 50.092 GiB free.
D: is FIXED (NTFS) - 178 GiB total, 15.811 GiB free.
E: is FIXED (NTFS) - 8 GiB total, 7.912 GiB free.
F: is CDROM (UDF)
G: is FIXED (NTFS) - 203 GiB total, 116.018 GiB free.
H: is FIXED (NTFS) - 203 GiB total, 96.926 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP126: 10/9/2011 10:32:22 PM - Scheduled Checkpoint
RP127: 10/17/2011 12:00:04 AM - Scheduled Checkpoint
RP128: 10/21/2011 10:52:55 PM - Installed Ventrilo Client
RP129: 10/29/2011 12:00:03 AM - Scheduled Checkpoint
RP130: 11/5/2011 3:32:47 PM - Scheduled Checkpoint
RP132: 11/5/2011 7:35:10 PM - Removed Oblivion
RP135: 11/5/2011 7:38:18 PM - Installed Oblivion
RP136: 11/5/2011 7:38:18 PM - Installed DirectX 9.0
RP138: 11/10/2011 10:24:24 PM - Installed DirectX
RP139: 11/18/2011 12:12:32 AM - Scheduled Checkpoint
RP140: 11/27/2011 2:41:48 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.4.6
AIM 7
Apple Application Support
Apple Software Update
AVG 2011
BioShock
BitTorrent
DivX Setup
Download Updater (AOL LLC)
Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.12.00.803
EPSON Scan
EPSON Stylus NX200 Series Printer Uninstall
EPSON WorkForce 500 Series Printer Uninstall
Fallout 3
Google Toolbar for Internet Explorer
Icewind Dale
Icewind Dale - Heart of Winter
Icewind Dale II
ImgBurn
Java Auto Updater
Java™ 6 Update 20
Java™ 6 Update 22
Java™ 6 Update 26
League of Legends
Magic Workstation 0.94f
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Client Profile
Microsoft Games for Windows - LIVE Redistributable
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 8.0 (x86 en-US)
Norton Security Scan
Oblivion - BTmod 2.20
Oblivion mod manager 1.1.12
OCTGN
OpenOffice.org 3.3
Operation Optimization v1.1.1
Pando Media Booster
PeerGuardian 2.0
QuickTime
Rosetta Stone Ltd Services
Rosetta Stone Version 3
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Unofficial Oblivion Patch v3.2.0
VC80CRTRedist - 8.0.50727.4053
Ventrilo Client
VTF Explorer 1.3
VTF Shell Extensions 1.0.6.1
VTFEdit 1.2.5
Vuze
Vuze_Remote Toolbar
Windows Media Player Firefox Plugin
WinRAR archiver
Xvid 1.2.1 final uninstall
.
==== Event Viewer Messages From Past Week ========
.
11/28/2011 8:21:38 PM, Error: Service Control Manager [7034] - The EPSON V5 Service4(01) service terminated unexpectedly. It has done this 1 time(s).
11/28/2011 8:21:38 PM, Error: Service Control Manager [7034] - The EPSON V3 Service4(01) service terminated unexpectedly. It has done this 1 time(s).
11/28/2011 8:10:23 PM, Error: Service Control Manager [7000] - The pgfilter service failed to start due to the following error: The system cannot find the file specified.
11/28/2011 12:44:15 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x00000003, 0x86948030, 0x8694819c, 0x82e28ac0). A dump was saved in: H:\Windows\MEMORY.DMP. Report Id: 112811-17160-01.
11/27/2011 9:19:21 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
11/27/2011 8:53:37 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
11/27/2011 8:53:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
11/27/2011 8:53:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/27/2011 8:53:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
11/27/2011 8:53:28 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
11/27/2011 8:45:05 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr sptd Wanarpv6
11/27/2011 8:44:47 PM, Error: sptd [4] - Driver detected an internal error in its data structures for .
11/27/2011 6:37:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
11/27/2011 6:37:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
11/27/2011 10:31:02 PM, Error: Service Control Manager [7023] - The Peer Name Resolution Protocol service terminated with the following error: Access is denied.
11/27/2011 10:31:02 PM, Error: Service Control Manager [7001] - The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: Access is denied.
11/27/2011 10:31:02 PM, Error: Microsoft-Windows-PNRPSvc [102] - The Peer Name Resolution Protocol cloud did not start because the creation of the default identity failed with error code: 0x80070005.
11/27/2011 10:28:25 PM, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service.
11/27/2011 10:11:58 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
.
==== End Of File ===========================

#3 SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:04:42 AM

Posted 29 November 2011 - 12:54 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Please download UnHide.exe by Grinler.

It will unhide folders/files that were set to be hidden by the infection you had.



NEXT:




Back-Up Registry
First, we need to backup your registry:
Please go to Start > Run
Paste in the following line:

regedit /e c:\registrybackup.reg

Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.


NEXT:



Running OTM

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Processes
    :Services
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dSPEfJqNGav.exe"=-
    :Files
    h:\programdata\CkDtVto0FJ89Ue.exe
    h:\programdata\dSPEfJqNGav.exe
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [EMPTYFLASH]
    [resethosts]
    [createrestorepoint]
    
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


NEXT:



Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning



NEXT:



OTS Scan
Download OTS to your Desktop
  • Double-click on OTS.exe to start the program. Make sure you close all other programs.
  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here as an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.


NEXT:



What issues are you currently experiencing with your computer?

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#4 dopefish2112

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:42 AM

Posted 29 November 2011 - 01:27 AM

OTM results:

========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dSPEfJqNGav.exe deleted successfully.
========== FILES ==========
h:\programdata\CkDtVto0FJ89Ue.exe moved successfully.
h:\programdata\dSPEfJqNGav.exe moved successfully.
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?processed file: H:\Windows\system32\drivers\etc\hosts
H:\Users\Chandler\Downloads\cmd.bat deleted successfully.
H:\Users\Chandler\Downloads\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
H:\Users\Chandler\Downloads\cmd.bat deleted successfully.
H:\Users\Chandler\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Chandler
->Flash cache emptied: 149331 bytes

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb

H:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


OTM by OldTimer - Version 3.1.19.0 log created on 11282011_222039


Starting GMER now, will post when done.

#5 SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:04:42 AM

Posted 29 November 2011 - 01:45 AM

:thumbsup:



#6 dopefish2112

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:42 AM

Posted 29 November 2011 - 08:45 AM

GMER Log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-29 05:39:12
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 ST3500320AS rev.SD15
Running: gmer.exe; Driver: H:\Users\Chandler\AppData\Local\Temp\ffrdypog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C878C9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82CA74F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text PCIIDEX.SYS!AtaPortEtwTraceLog + D7 8973AE49 2 Bytes [14, E1] {ADC AL, 0xe1}
.text PCIIDEX.SYS!AtaPortEtwTraceLog + DA 8973AE4C 1 Byte [85]
.text PCIIDEX.SYS!AtaPortEtwTraceLog + 1BA 8973AF2C 2 Bytes [14, E1] {ADC AL, 0xe1}
.text PCIIDEX.SYS!AtaPortEtwTraceLog + 1BD 8973AF2F 1 Byte [85]
.text PCIIDEX.SYS!AtaPortEtwTraceLog + 201 8973AF73 2 Bytes [14, E1] {ADC AL, 0xe1}
.text ...
.text PCIIDEX.SYS!AtaPortGetScatterGatherList + 203 8973B1E3 2 Bytes [14, E1] {ADC AL, 0xe1}
.text PCIIDEX.SYS!AtaPortGetScatterGatherList + 206 8973B1E6 1 Byte [85]
.text PCIIDEX.SYS!AtaPortGetScatterGatherList + 31F 8973B2FF 2 Bytes [14, E1] {ADC AL, 0xe1}
.text PCIIDEX.SYS!AtaPortGetScatterGatherList + 322 8973B302 1 Byte [85]
.text PCIIDEX.SYS!AtaPortGetScatterGatherList + 3E9 8973B3C9 2 Bytes [14, E1] {ADC AL, 0xe1}
.text ...
.text ataport.SYS!DllInitialize 897670C5 4 Bytes JMP 856DE1FC
.text ataport.SYS!DllInitialize 897681A6 4 Bytes JMP 85842DDC
.text ataport.SYS!DllInitialize 89768444 4 Bytes JMP 85842DDC
.text ataport.SYS!AtaPortEtwTraceLog + D7 8976B6E1 4 Bytes JMP 85842DDC
.text ataport.SYS!AtaPortEtwTraceLog + 1BA 8976B7C4 4 Bytes JMP 85842DDC
.text ataport.SYS!AtaPortEtwTraceLog + 201 8976B80B 4 Bytes JMP 85842DDC
.text ataport.SYS!AtaPortGetScatterGatherList + 203 8976BB0D 4 Bytes JMP 85842DDC
.text ataport.SYS!AtaPortGetScatterGatherList + 31F 8976BC29 4 Bytes JMP 85842DDC
.text ataport.SYS!AtaPortGetScatterGatherList + 3E9 8976BCF3 4 Bytes JMP 85842DDC
.text ataport.SYS!AtaPortGetScatterGatherList + 431 8976BD3B 4 Bytes JMP 85842DDC
.text ataport.SYS!AtaPortGetScatterGatherList + 57A 8976BE84 4 Bytes JMP 85842DDC
.text ...
.text ataport.SYS!AtaPortInitialize + 8B5 8976CD93 4 Bytes JMP 85842DDC
.text ataport.SYS!AtaPortInitialize + 3AF7 8976FFD5 4 Bytes JMP 85842DDC
.text ataport.SYS!AtaPortInitialize + 40D0 897705AE 4 Bytes JMP 85842DDC
.text ataport.SYS!AtaPortInitialize + 4249 89770727 4 Bytes JMP 85842DDC
.text ataport.SYS!AtaPortInitialize + 49B6 89770E94 4 Bytes JMP 856DE1FC
.text CLASSPNP.SYS!ClassReleaseRemoveLock + 3286 89E562AC 4 Bytes JMP 8579DC9C
.text CLASSPNP.SYS!ClassReleaseRemoveLock + 3317 89E5633D 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassCompleteRequest + D 89E56494 4 Bytes JMP 85674C0C
.text CLASSPNP.SYS!ClassCompleteRequest + 119 89E565A0 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassCompleteRequest + 72B 89E56BB2 4 Bytes JMP 85821114
.text CLASSPNP.SYS!ClassSendSrbSynchronous + 1EA 89E57364 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassIoComplete + 2D4 89E57892 4 Bytes JMP 85821114
.text CLASSPNP.SYS!ClassDeviceControl + 2DE 89E58288 4 Bytes JMP 85674C0C
.text CLASSPNP.SYS!ClassDeviceControl + 72B 89E586D5 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassDeviceControl + CAE 89E58C58 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassSendIrpSynchronous + 3A 89E591E6 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassReadDriveCapacity + 6BC 89E5A716 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassReadDriveCapacity + 74E 89E5A7A8 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassSpinDownPowerHandler + 498 89E5AD81 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassSpinDownPowerHandler + 89D 89E5B186 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassSpinDownPowerHandler + 9A2 89E5B28B 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassSpinDownPowerHandler + EE9 89E5B7D2 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassSpinDownPowerHandler + 13CE 89E5BCB7 4 Bytes JMP 861018C4
.text ...
.text CLASSPNP.SYS!ClassNotifyFailurePredicted + F38 89E5D411 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassInternalIoControl + 87 89E5DAED 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassInternalIoControl + 175 89E5DBDB 4 Bytes JMP 85821114
.text CLASSPNP.SYS!ClassReleaseChildLock + 1B5 89E5DE2E 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassGetDriverExtension + 110 89E5E050 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassGetDriverExtension + 1D4 89E5E114 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassSendStartUnit + CC 89E5E47E 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassSendSrbAsynchronous + 143 89E5FB6B 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassWmiFireEvent + 276 89E5FDF6 4 Bytes JMP 85674C0C
.text CLASSPNP.SYS!ClassIoCompleteAssociated + 29B 89E617C4 4 Bytes JMP 85821114
.text CLASSPNP.SYS!ClassDebugPrint + 1327 89E62BFA 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassDebugPrint + 13BD 89E62C90 4 Bytes JMP 861018C4
.text CLASSPNP.SYS!ClassDebugPrint + 141F 89E62CF2 4 Bytes JMP 85674C0C
.text CLASSPNP.SYS!ClassDebugPrint + 14C3 89E62D96 4 Bytes JMP 85674C0C
.text CLASSPNP.SYS!ClassDebugPrint + 152F 89E62E02 4 Bytes JMP 85674C0C
.text ...
? system32\drivers\98491165.sys The system cannot find the path specified. !
? H:\Users\Chandler\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text H:\Program Files\Mozilla Firefox\firefox.exe[640] ntdll.dll!LdrLoadDll 7703F5B5 5 Bytes JMP 5A442EC0 H:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000044 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\89306002 \Device\KLMD14092011_206080 98491165.sys

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers@AliveServerCount 1
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\02B3FCF9-5C88-4238-B98C-4B659B3AA2D6@Alive 0

---- EOF - GMER 1.0.15 ----

Starting OTS scan. Then off to work. Back in 10 hours.

#7 dopefish2112


Posted 29 November 2011 - 08:30 PM


OTS logfile created on: 11/29/2011 5:48:03 AM - Run 1

OTS by OldTimer - Version 3.1.46.0     Folder = H:\Users\Chandler\Downloads

 Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy


2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 78.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]


%SystemDrive% = H: | %SystemRoot% = H:\Windows | %ProgramFiles% = H:\Program Files

Drive C: | 60.00 Gb Total Space | 49.97 Gb Free Space | 83.28% Space Free | Partition Type: NTFS

Drive D: | 178.31 Gb Total Space | 15.81 Gb Free Space | 8.87% Space Free | Partition Type: NTFS

Drive E: | 7.99 Gb Total Space | 7.91 Gb Free Space | 99.03% Space Free | Partition Type: NTFS

Drive F: | 4.16 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Drive G: | 202.88 Gb Total Space | 116.02 Gb Free Space | 57.19% Space Free | Partition Type: NTFS

Drive H: | 202.88 Gb Total Space | 96.93 Gb Free Space | 47.78% Space Free | Partition Type: NTFS

I: Drive not present or media not loaded


Computer Name: MRROBOTO

Current User Name: Chandler

Logged in as Administrator.


Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days


[Processes - Safe List]

ots.exe -> H:\Users\Chandler\Downloads\OTS.exe -> [2011/11/29 05:43:08 | 000,646,144 | ---- | M] (OldTimer Tools)

conhost.exe -> H:\Windows\System32\conhost.exe -> [2011/07/15 20:31:12 | 000,271,360 | ---- | M] (Microsoft Corporation)

jucheck.exe -> H:\Program Files\Common Files\Java\Java Update\jucheck.exe -> [2011/04/08 11:59:52 | 000,507,624 | ---- | M] (Sun Microsystems, Inc.)

explorer.exe -> H:\Windows\explorer.exe -> [2011/02/25 21:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation)

divxupdate.exe -> H:\Program Files\DivX\DivX Update\DivXUpdate.exe -> [2010/09/16 12:04:06 | 001,164,584 | ---- | M] ()

taskhost.exe -> H:\Windows\System32\taskhost.exe -> [2009/07/13 17:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation)

rosettastoneltdcontroller.exe -> H:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe -> [2008/09/16 10:02:42 | 000,352,312 | ---- | M] (Rosetta Stone Ltd.)

rosettastoneltdserver.exe -> H:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe -> [2008/09/16 10:02:42 | 000,013,368 | ---- | M] (Rosetta Stone Ltd.)

e_fatieqa.exe -> H:\Windows\System32\spool\drivers\w32x86\3\E_FATIEQA.EXE -> [2008/02/22 05:00:00 | 000,188,928 | ---- | M] (SEIKO EPSON CORPORATION)

e_fatiefa.exe -> H:\Windows\System32\spool\drivers\w32x86\3\E_FATIEFA.EXE -> [2007/12/13 06:00:00 | 000,188,928 | ---- | M] (SEIKO EPSON CORPORATION)


[Modules - No Company Name]

divxupdatecheck.dll -> H:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll -> [2010/09/16 12:04:50 | 000,095,528 | ---- | M] ()

divxupdate.exe -> H:\Program Files\DivX\DivX Update\DivXUpdate.exe -> [2010/09/16 12:04:06 | 001,164,584 | ---- | M] ()

rarext.dll -> H:\Program Files\WinRAR\RarExt.dll -> [2010/03/15 10:28:22 | 000,141,824 | ---- | M] ()


[Win32 Services - Safe List]

(FLEXnet Licensing Service) FLEXnet Licensing Service [On_Demand | Stopped] -> H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> [2011/08/10 15:25:23 | 000,655,624 | ---- | M] (Acresso Software Inc.)

(Steam Client Service) Steam Client Service [On_Demand | Stopped] -> H:\Program Files\Common Files\Steam\SteamService.exe -> [2011/06/03 17:00:14 | 000,403,240 | ---- | M] (Valve Corporation)

(SensrSvc) Adaptive Brightness [On_Demand | Stopped] -> H:\Windows\System32\sensrsvc.dll -> [2009/07/13 17:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation)

(PeerDistSvc) BranchCache [On_Demand | Stopped] -> H:\Windows\System32\PeerDistSvc.dll -> [2009/07/13 17:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation)

(WinDefend) Windows Defender [Auto | Running] -> H:\Program Files\Windows Defender\MpSvc.dll -> [2009/07/13 17:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation)

(RosettaStoneLtdController) RosettaStoneLtdController [Auto | Running] -> H:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe -> [2008/09/16 10:02:42 | 000,352,312 | ---- | M] (Rosetta Stone Ltd.)

(EPSON_EB_RPCV4_01) EPSON V5 Service4(01) [Auto | Stopped] -> H:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE -> [2007/12/17 04:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION)

(EPSON_PM_RPCV4_01) EPSON V3 Service4(01) [Auto | Stopped] -> H:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE -> [2007/01/11 04:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION)


[Driver Services - Safe List]

(vmbus) Virtual Machine Bus [Kernel | On_Demand | Stopped] -> H:\Windows\system32\DRIVERS\vmbus.sys -> [2009/07/13 17:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation)

(storflt) Disk Virtual Machine Bus Acceleration Filter Driver [Kernel | Boot | Running] -> H:\Windows\system32\DRIVERS\vmstorfl.sys -> [2009/07/13 17:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation)

(storvsc) storvsc [Kernel | On_Demand | Stopped] -> H:\Windows\system32\DRIVERS\storvsc.sys -> [2009/07/13 17:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation)

(s3cap) s3cap [Kernel | On_Demand | Stopped] -> H:\Windows\system32\DRIVERS\vms3cap.sys -> [2009/07/13 15:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation)

(VMBusHID) VMBusHID [Kernel | On_Demand | Stopped] -> H:\Windows\system32\DRIVERS\VMBusHID.sys -> [2009/07/13 15:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation)

(NVENETFD) NVIDIA nForce Networking Controller Driver [Kernel | On_Demand | Running] -> H:\Windows\System32\drivers\nvm62x32.sys -> [2009/07/13 14:02:52 | 000,347,264 | ---- | M] (NVIDIA Corporation)

(nvlddmkm) nvlddmkm [Kernel | On_Demand | Running] -> H:\Windows\System32\drivers\nvlddmkm.sys -> [2009/06/10 13:19:48 | 009,853,248 | ---- | M] (NVIDIA Corporation)

(MRV6X32P) Vista 32-bits Native WiFi Driver [Kernel | On_Demand | Running] -> H:\Windows\System32\drivers\MRVW13B.sys -> [2007/05/03 08:11:14 | 000,256,000 | ---- | M] (Marvell Semiconductor, Inc)


[Registry - Safe List]

< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 

HKEY_LOCAL_MACHINE\: URLSearchHooks\\"{ba14329e-9550-4989-b3f2-9732e92d17cc}" [HKLM] -> H:\Program Files\Vuze_Remote\tbVuze.dll [Vuze Remote Toolbar] -> [2010/05/20 14:35:42 | 002,675,296 | ---- | M] (Conduit Ltd.)

< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 

HKEY_CURRENT_USER\: Main\\"Start Page" -> about:blank -> 

HKEY_CURRENT_USER\: Main\\"Start Page Redirect Cache" -> http://www.msn.com/ -> 

HKEY_CURRENT_USER\: Main\\"Start Page Redirect Cache AcceptLangs" -> en-us -> 

HKEY_CURRENT_USER\: Main\\"Start Page Redirect Cache_TIMESTAMP" -> 20 D9 D9 49 7B 63 CB 01  [binary data] -> 

HKEY_CURRENT_USER\: URLSearchHooks\\"{ba14329e-9550-4989-b3f2-9732e92d17cc}" [HKLM] -> H:\Program Files\Vuze_Remote\tbVuze.dll [Vuze Remote Toolbar] -> [2010/05/20 14:35:42 | 002,675,296 | ---- | M] (Conduit Ltd.)

HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 

< FireFox Settings [Prefs.js] > -> H:\Users\Chandler\AppData\Roaming\Mozilla\FireFox\Profiles\e5sa3l73.default\prefs.js -> 

< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla

HKLM\software\mozilla\Firefox\Extensions ->  -> 

HKLM\software\mozilla\Mozilla Firefox 8.0\extensions ->  -> 

HKLM\software\mozilla\Mozilla Firefox 8.0\extensions\\Components -> H:\Program Files\Mozilla Firefox\components [H:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2011/11/15 17:00:26 | 000,000,000 | ---D | M]

HKLM\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins -> H:\Program Files\Mozilla Firefox\plugins [H:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2011/11/10 23:17:39 | 000,000,000 | ---D | M]

< FireFox Extensions [User Folders] > -> 

  -> H:\Users\Chandler\AppData\Roaming\Mozilla\Extensions -> [2011/11/15 16:59:12 | 000,000,000 | ---D | M]

< FireFox Extensions [Program Folders] > -> 

  -> H:\Program Files\Mozilla Firefox\extensions -> [2011/11/15 17:00:26 | 000,000,000 | ---D | M]

< HOSTS File > ([2011/11/28 22:21:03 | 000,000,098 | ---- | M] - 2 lines) -> H:\Windows\System32\drivers\etc\Hosts -> 

Reset Hosts

127.0.0.1       localhost

::1       localhost

< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> H:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll [Google Toolbar Notifier BHO] -> [2010/01/22 12:19:35 | 000,764,912 | ---- | M] (Google Inc.)

{ba14329e-9550-4989-b3f2-9732e92d17cc} [HKLM] -> H:\Program Files\Vuze_Remote\tbVuze.dll [Vuze Remote Toolbar] -> [2010/05/20 14:35:42 | 002,675,296 | ---- | M] (Conduit Ltd.)

< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 

"{ba14329e-9550-4989-b3f2-9732e92d17cc}" [HKLM] -> H:\Program Files\Vuze_Remote\tbVuze.dll [Vuze Remote Toolbar] -> [2010/05/20 14:35:42 | 002,675,296 | ---- | M] (Conduit Ltd.)

< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 

WebBrowser\\"{BA14329E-9550-4989-B3F2-9732E92D17CC}" [HKLM] -> H:\Program Files\Vuze_Remote\tbVuze.dll [Vuze Remote Toolbar] -> [2010/05/20 14:35:42 | 002,675,296 | ---- | M] (Conduit Ltd.)

WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found

< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

"DivXUpdate" -> H:\Program Files\DivX\DivX Update\DivXUpdate.exe ["H:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW] -> [2010/09/16 12:04:06 | 001,164,584 | ---- | M] ()

< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 

"Aim" -> H:\Program Files\AIM\aim.exe ["H:\Program Files\AIM\aim.exe" /d locale=en-US] -> [2009/12/01 09:38:47 | 003,951,976 | ---- | M] (AOL LLC)

"EPSON Stylus NX200 Series" -> H:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIEFA.EXE [H:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEFA.EXE /FU "H:\Windows\TEMP\E_SDF39.tmp" /EF "HKCU"] -> [2007/12/13 06:00:00 | 000,188,928 | ---- | M] (SEIKO EPSON CORPORATION)

"EPSON WorkForce 500 Series" -> H:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIEQA.EXE [H:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEQA.EXE /FU "H:\Windows\TEMP\E_SD809.tmp" /EF "HKCU"] -> [2008/02/22 05:00:00 | 000,188,928 | ---- | M] (SEIKO EPSON CORPORATION)

"Pando Media Booster" -> H:\Program Files\Pando Networks\Media Booster\PMB.exe [H:\Program Files\Pando Networks\Media Booster\PMB.exe] -> [2011/08/31 21:53:11 | 003,077,528 | ---- | M] ()

"PeerGuardian" -> H:\Program Files\PeerGuardian2\pg2.exe [H:\Program Files\PeerGuardian2\pg2.exe] -> [2007/06/02 14:59:08 | 001,457,152 | ---- | M] (Phoenix Labs)

< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Recovery

\Recovery\\"NoReopenLastSession" ->  [1] -> File not found

< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 

< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

\\"ConsentPromptBehaviorAdmin" ->  [0] -> File not found

\\"ConsentPromptBehaviorUser" ->  [3] -> File not found

\\"EnableLUA" ->  [0] -> File not found

\\"PromptOnSecureDesktop" ->  [0] -> File not found

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats

< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 

< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 

< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 

Google Sidewiki... -> H:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll [res://H:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html] -> [2010/01/22 12:19:32 | 000,648,192 | ---- | M] (Google Inc.)

< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 

< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

"" -> http://

< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 

< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 

< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 

< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 

< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 

{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab [Java Plug-in 1.6.0_26] -> 

{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 

{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab [Java Plug-in 1.6.0_22] -> 

{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab [Java Plug-in 1.6.0_26] -> 

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab [Java Plug-in 1.6.0_26] -> 

{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] -> 

{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} [HKLM] -> http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab [PopCapLoader Object] -> 

{E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [Reg Error: Key error.] -> 

< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 

DhcpNameServer -> 192.168.1.1 -> 

< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 

{CE7E9319-FC3C-43A4-863A-52EEFD8A1386}\\DhcpNameServer -> 192.168.1.1   (NETGEAR WG311v3 54Mbps Wireless PCI Adapter) -> 

< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 

*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 

explorer.exe -> H:\Windows\explorer.exe -> [2011/02/25 21:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation)

*MultiFile Done* -> -> 

*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 

H:\Windows\system32\userinit.exe -> H:\Windows\System32\userinit.exe -> [2009/07/13 17:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation)

*MultiFile Done* -> -> 

*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 

SystemPropertiesPerformance.exe -> H:\Windows\System32\SystemPropertiesPerformance.exe -> [2009/07/13 17:14:42 | 000,081,920 | ---- | M] (Microsoft Corporation)

/pagefile ->  -> File not found

*MultiFile Done* -> -> 

< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad -> 

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" [HKLM] -> Reg Error: Key error. [WebCheck] -> File not found

< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 

< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->

"AutoRun" -> 1 -> 

"DisplayName" -> CD-ROM Driver -> 

"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found

< Drives with AutoRun files > ->  -> 

C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2009/09/26 02:01:00 | 000,000,000 | ---- | M] ()

D:\AUTOEXEC.BAT [] -> D:\AUTOEXEC.BAT [ NTFS ] -> [2006/01/24 16:12:09 | 000,000,000 | ---- | M] ()

F:\autorun.inf [[autorun] | open=OblivionLauncher.exe | icon=Oblivion.ico | ] -> F:\autorun.inf [ UDF ] -> [2005/11/21 09:26:21 | 000,000,057 | R--- | M] ()

H:\autoexec.bat [REM Dummy file for NTVDM | ] -> H:\autoexec.bat [ NTFS ] -> [2009/06/10 13:42:20 | 000,000,024 | ---- | M] ()

< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 

\{35dce62e-03b7-11df-ba78-806e6f6e6963}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{35dce62e-03b7-11df-ba78-806e6f6e6963}\shell

\{35dce62e-03b7-11df-ba78-806e6f6e6963}\shell\\"" ->  [AutoRun] -> File not found

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{35dce62e-03b7-11df-ba78-806e6f6e6963}\shell\AutoRun\command

\{35dce62e-03b7-11df-ba78-806e6f6e6963}\shell\AutoRun\command\\"" -> F:\OblivionLauncher.exe [F:\OblivionLauncher.exe] -> [2006/04/06 09:25:44 | 001,662,976 | R--- | M] (Bethesda Softworks)

< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 

comfile [open] -> "%1" %* -> 

exefile [open] -> "%1" %* -> 

< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 

.com [@ = comfile] -> "%1" %* -> 

.exe [@ = exefile] -> "%1" %* -> 


[Files/Folders - Created Within 30 Days]

 _OTM -> H:\_OTM -> [2011/11/28 22:20:39 | 000,000,000 | ---D | C]

 DAEMON Tools Lite -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAEMON Tools Lite -> [2011/11/28 22:19:02 | 000,000,000 | ---D | C]

 dds.scr -> H:\Users\Chandler\Desktop\dds.scr -> [2011/11/28 20:42:08 | 000,607,260 | R--- | C] (Swearware)

 Malwarebytes' Anti-Malware -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware -> [2011/11/27 21:21:15 | 000,000,000 | ---D | C]

 mbam.sys -> H:\Windows\System32\drivers\mbam.sys -> [2011/11/27 21:21:12 | 000,022,216 | ---- | C] (Malwarebytes Corporation)

 Malwarebytes' Anti-Malware -> H:\Program Files\Malwarebytes' Anti-Malware -> [2011/11/27 21:21:12 | 000,000,000 | ---D | C]

 123com123.com.exe -> H:\Users\Chandler\Desktop\123com123.com.exe -> [2011/11/27 20:43:09 | 001,566,512 | ---- | C] (Kaspersky Lab ZAO)

 PIF -> H:\Windows\PIF -> [2011/11/27 20:40:51 | 000,000,000 | ---D | C]

 Malwarebytes -> H:\Users\Chandler\AppData\Roaming\Malwarebytes -> [2011/11/27 18:20:57 | 000,000,000 | ---D | C]

 Malwarebytes -> H:\ProgramData\Malwarebytes -> [2011/11/27 18:20:52 | 000,000,000 | ---D | C]

 System Fix -> H:\Users\Chandler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix -> [2011/11/27 18:14:14 | 000,000,000 | ---D | C]

 Firefox Setup 8.0.exe -> H:\Users\Chandler\Desktop\Firefox Setup 8.0.exe -> [2011/11/13 16:01:26 | 014,753,912 | ---- | C] (Mozilla)

 Skyrim -> H:\Users\Chandler\AppData\Local\Skyrim -> [2011/11/10 22:25:33 | 000,000,000 | ---D | C]

 XAudio2_6.dll -> H:\Windows\System32\XAudio2_6.dll -> [2011/11/10 22:25:22 | 000,528,216 | ---- | C] (Microsoft Corporation)

 XAPOFX1_4.dll -> H:\Windows\System32\XAPOFX1_4.dll -> [2011/11/10 22:25:22 | 000,074,072 | ---- | C] (Microsoft Corporation)

 xactengine3_6.dll -> H:\Windows\System32\xactengine3_6.dll -> [2011/11/10 22:25:21 | 000,238,936 | ---- | C] (Microsoft Corporation)

 X3DAudio1_7.dll -> H:\Windows\System32\X3DAudio1_7.dll -> [2011/11/10 22:25:21 | 000,022,360 | ---- | C] (Microsoft Corporation)

 D3DCompiler_40.dll -> H:\Windows\System32\D3DCompiler_40.dll -> [2011/11/10 22:25:17 | 002,036,576 | ---- | C] (Microsoft Corporation)

 d3dx10_40.dll -> H:\Windows\System32\d3dx10_40.dll -> [2011/11/10 22:25:17 | 000,452,440 | ---- | C] (Microsoft Corporation)

 D3DX9_40.dll -> H:\Windows\System32\D3DX9_40.dll -> [2011/11/10 22:25:16 | 004,379,984 | ---- | C] (Microsoft Corporation)

 NVIDIA -> H:\ProgramData\NVIDIA -> [2011/11/05 19:35:56 | 000,000,000 | ---D | C]


[Files/Folders - Modified Within 30 Days]

 Hosts -> H:\Windows\System32\drivers\etc\Hosts -> [2011/11/28 22:21:03 | 000,000,098 | ---- | M] ()

 Attach.rar -> H:\Users\Chandler\Desktop\Attach.rar -> [2011/11/28 20:45:58 | 000,002,722 | ---- | M] ()

 dds.scr -> H:\Users\Chandler\Desktop\dds.scr -> [2011/11/28 20:42:08 | 000,607,260 | R--- | M] (Swearware)

 perfh009.dat -> H:\Windows\System32\perfh009.dat -> [2011/11/28 20:16:27 | 000,644,922 | ---- | M] ()

 perfc009.dat -> H:\Windows\System32\perfc009.dat -> [2011/11/28 20:16:27 | 000,114,360 | ---- | M] ()

 7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 -> H:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 -> [2011/11/28 20:15:06 | 000,010,016 | ---- | M] ()

 7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 -> H:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 -> [2011/11/28 20:15:06 | 000,010,016 | ---- | M] ()

 CkDtVto0FJ89Ue -> H:\ProgramData\CkDtVto0FJ89Ue -> [2011/11/28 20:12:37 | 000,000,464 | ---- | M] ()

 ~CkDtVto0FJ89Ue -> H:\ProgramData\~CkDtVto0FJ89Ue -> [2011/11/28 20:11:00 | 000,000,320 | ---- | M] ()

 ~CkDtVto0FJ89Uer -> H:\ProgramData\~CkDtVto0FJ89Uer -> [2011/11/28 20:10:59 | 000,000,224 | ---- | M] ()

 bootstat.dat -> H:\Windows\bootstat.dat -> [2011/11/28 20:10:02 | 000,067,584 | --S- | M] ()

 hiberfil.sys -> H:\hiberfil.sys -> [2011/11/28 20:09:56 | 1610,014,720 | -HS- | M] ()

 MEMORY.DMP -> H:\Windows\MEMORY.DMP -> [2011/11/28 00:44:09 | 207,179,248 | ---- | M] ()

 unhide.exe -> H:\Users\Chandler\Desktop\unhide.exe -> [2011/11/27 22:36:17 | 000,684,297 | ---- | M] ()

 AmfvFyF2poMjvu -> H:\ProgramData\AmfvFyF2poMjvu -> [2011/11/27 22:15:16 | 000,000,408 | ---- | M] ()

 ~AmfvFyF2poMjvu -> H:\ProgramData\~AmfvFyF2poMjvu -> [2011/11/27 22:15:08 | 000,000,320 | ---- | M] ()

 ~AmfvFyF2poMjvur -> H:\ProgramData\~AmfvFyF2poMjvur -> [2011/11/27 22:15:08 | 000,000,224 | ---- | M] ()

 Malwarebytes' Anti-Malware.lnk -> H:\Users\Chandler\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk -> [2011/11/27 21:21:15 | 000,001,059 | ---- | M] ()

 iExplore(2).exe -> H:\Users\Chandler\Desktop\iExplore(2).exe -> [2011/11/27 20:15:59 | 001,008,114 | ---- | M] ()

 Malwarebytes' Anti-Malware.lnk -> H:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk -> [2011/11/27 18:20:52 | 000,001,035 | ---- | M] ()

 RUFGUMQeGIjzMq -> H:\ProgramData\RUFGUMQeGIjzMq -> [2011/11/27 18:15:05 | 000,000,424 | ---- | M] ()

 ~RUFGUMQeGIjzMq -> H:\ProgramData\~RUFGUMQeGIjzMq -> [2011/11/27 18:14:15 | 000,000,320 | ---- | M] ()

 ~RUFGUMQeGIjzMqr -> H:\ProgramData\~RUFGUMQeGIjzMqr -> [2011/11/27 18:14:15 | 000,000,224 | ---- | M] ()

 System Fix.lnk -> H:\Users\Chandler\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk -> [2011/11/27 18:14:14 | 000,000,677 | ---- | M] ()

 System Fix.lnk -> H:\Users\Chandler\Desktop\System Fix.lnk -> [2011/11/27 18:14:14 | 000,000,653 | ---- | M] ()

 123com123.com.exe -> H:\Users\Chandler\Desktop\123com123.com.exe -> [2011/11/24 12:33:42 | 001,566,512 | ---- | M] (Kaspersky Lab ZAO)

 Norton Security Scan for Chandler.job -> H:\Windows\tasks\Norton Security Scan for Chandler.job -> [2011/11/21 18:47:56 | 000,000,480 | ---- | M] ()

 Mozilla Firefox.lnk -> H:\Users\Public\Desktop\Mozilla Firefox.lnk -> [2011/11/15 17:00:26 | 000,001,060 | ---- | M] ()

 Firefox Setup 8.0.exe -> H:\Users\Chandler\Desktop\Firefox Setup 8.0.exe -> [2011/11/13 16:01:38 | 014,753,912 | ---- | M] (Mozilla)

 BlendSettings.ini -> H:\Windows\BlendSettings.ini -> [2011/11/11 02:31:56 | 000,000,023 | ---- | M] ()

 FlashPlayerCPLApp.cpl -> H:\Windows\System32\FlashPlayerCPLApp.cpl -> [2011/11/04 16:37:32 | 000,414,368 | ---- | M] (Adobe Systems Incorporated)

 660 H:\Users\Chandler\AppData\Local\Temp\*.tmp files -> H:\Users\Chandler\AppData\Local\Temp\*.tmp -> 

 1 H:\Users\Chandler\AppData\Local\Temp\is-T6D3I.tmp\_isetup\*.tmp files -> H:\Users\Chandler\AppData\Local\Temp\is-T6D3I.tmp\_isetup\*.tmp -> 

 1 H:\Users\Chandler\AppData\Local\Temp\is-RLCUS.tmp\_isetup\*.tmp files -> H:\Users\Chandler\AppData\Local\Temp\is-RLCUS.tmp\_isetup\*.tmp -> 

 1 H:\Users\Chandler\AppData\Local\Temp\is-QQJC2.tmp\_isetup\*.tmp files -> H:\Users\Chandler\AppData\Local\Temp\is-QQJC2.tmp\_isetup\*.tmp -> 

 1 H:\Users\Chandler\AppData\Local\Temp\is-FSNPT.tmp\_isetup\*.tmp files -> H:\Users\Chandler\AppData\Local\Temp\is-FSNPT.tmp\_isetup\*.tmp -> 


[Files - No Company Name]

 gmer.exe -> H:\Users\Chandler\Desktop\gmer.exe -> [2011/11/28 22:28:46 | 000,302,592 | ---- | C] ()

 Attach.rar -> H:\Users\Chandler\Desktop\Attach.rar -> [2011/11/28 20:45:58 | 000,002,722 | ---- | C] ()

 ~CkDtVto0FJ89Ue -> H:\ProgramData\~CkDtVto0FJ89Ue -> [2011/11/28 00:26:33 | 000,000,320 | ---- | C] ()

 ~CkDtVto0FJ89Uer -> H:\ProgramData\~CkDtVto0FJ89Uer -> [2011/11/28 00:26:33 | 000,000,224 | ---- | C] ()

 CkDtVto0FJ89Ue -> H:\ProgramData\CkDtVto0FJ89Ue -> [2011/11/28 00:26:29 | 000,000,464 | ---- | C] ()

 Adobe Reader 9.lnk -> H:\Users\Public\Desktop\Adobe Reader 9.lnk -> [2011/11/27 22:42:11 | 000,001,948 | ---- | C] ()

 AIM.lnk -> H:\Users\Public\Desktop\AIM.lnk -> [2011/11/27 22:42:11 | 000,001,865 | ---- | C] ()

 QuickTime Player.lnk -> H:\Users\Public\Desktop\QuickTime Player.lnk -> [2011/11/27 22:42:11 | 000,001,779 | ---- | C] ()

 Vuze.lnk -> H:\Users\Public\Desktop\Vuze.lnk -> [2011/11/27 22:42:11 | 000,001,762 | ---- | C] ()

 Norton Security Scan.lnk -> H:\Users\Public\Desktop\Norton Security Scan.lnk -> [2011/11/27 22:42:11 | 000,001,274 | ---- | C] ()

 OpenOffice.org 3.3.lnk -> H:\Users\Public\Desktop\OpenOffice.org 3.3.lnk -> [2011/11/27 22:42:11 | 000,001,078 | ---- | C] ()

 Mozilla Firefox.lnk -> H:\Users\Public\Desktop\Mozilla Firefox.lnk -> [2011/11/27 22:42:11 | 000,001,060 | ---- | C] ()

 DivX Plus Player.lnk -> H:\Users\Public\Desktop\DivX Plus Player.lnk -> [2011/11/27 22:42:11 | 000,001,050 | ---- | C] ()

 EPSON Scan.lnk -> H:\Users\Public\Desktop\EPSON Scan.lnk -> [2011/11/27 22:42:11 | 000,000,938 | ---- | C] ()

 Play League of Legends.lnk -> H:\Users\Public\Desktop\Play League of Legends.lnk -> [2011/11/27 22:42:11 | 000,000,649 | ---- | C] ()

 Ventrilo.lnk -> H:\Users\Public\Desktop\Ventrilo.lnk -> [2011/11/27 22:42:11 | 000,000,586 | ---- | C] ()

 Apple Software Update.lnk -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk -> [2011/11/27 22:42:10 | 000,002,519 | ---- | C] ()

 Adobe Reader 9.lnk -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk -> [2011/11/27 22:42:10 | 000,002,441 | ---- | C] ()

 Vuze.lnk -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vuze.lnk -> [2011/11/27 22:42:10 | 000,001,762 | ---- | C] ()

 Windows Anytime Upgrade.lnk -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk -> [2011/11/27 22:42:10 | 000,001,352 | ---- | C] ()

 Mozilla Firefox.lnk -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> [2011/11/27 22:42:10 | 000,001,072 | ---- | C] ()

 BitTorrent.lnk -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitTorrent.lnk -> [2011/11/27 22:42:10 | 000,000,703 | ---- | C] ()

 unhide.exe -> H:\Users\Chandler\Desktop\unhide.exe -> [2011/11/27 22:36:17 | 000,684,297 | ---- | C] ()

 ~AmfvFyF2poMjvu -> H:\ProgramData\~AmfvFyF2poMjvu -> [2011/11/27 22:15:08 | 000,000,320 | ---- | C] ()

 ~AmfvFyF2poMjvur -> H:\ProgramData\~AmfvFyF2poMjvur -> [2011/11/27 22:15:08 | 000,000,224 | ---- | C] ()

 AmfvFyF2poMjvu -> H:\ProgramData\AmfvFyF2poMjvu -> [2011/11/27 22:15:04 | 000,000,408 | ---- | C] ()

 Malwarebytes' Anti-Malware.lnk -> H:\Users\Chandler\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk -> [2011/11/27 21:21:15 | 000,001,059 | ---- | C] ()

 Malwarebytes' Anti-Malware.lnk -> H:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk -> [2011/11/27 21:21:15 | 000,001,035 | ---- | C] ()

 iExplore(2).exe -> H:\Users\Chandler\Desktop\iExplore(2).exe -> [2011/11/27 20:15:58 | 001,008,114 | ---- | C] ()

 Windows Media Player.lnk -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk -> [2011/11/27 18:31:58 | 000,001,515 | ---- | C] ()

 Media Center.lnk -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk -> [2011/11/27 18:31:58 | 000,001,345 | ---- | C] ()

 Sidebar.lnk -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk -> [2011/11/27 18:31:58 | 000,001,330 | ---- | C] ()

 Windows DVD Maker.lnk -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk -> [2011/11/27 18:31:58 | 000,001,326 | ---- | C] ()

 XPS Viewer.lnk -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk -> [2011/11/27 18:31:58 | 000,001,246 | ---- | C] ()

 Windows Fax and Scan.lnk -> H:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk -> [2011/11/27 18:31:58 | 000,001,210 | ---- | C] ()

 Internet Explorer (64-bit).lnk -> H:\Users\Chandler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk -> [2011/11/27 18:31:56 | 000,001,409 | ---- | C] ()

 ~RUFGUMQeGIjzMq -> H:\ProgramData\~RUFGUMQeGIjzMq -> [2011/11/27 18:14:15 | 000,000,320 | ---- | C] ()

 ~RUFGUMQeGIjzMqr -> H:\ProgramData\~RUFGUMQeGIjzMqr -> [2011/11/27 18:14:15 | 000,000,224 | ---- | C] ()

 System Fix.lnk -> H:\Users\Chandler\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk -> [2011/11/27 18:14:14 | 000,000,677 | ---- | C] ()

 System Fix.lnk -> H:\Users\Chandler\Desktop\System Fix.lnk -> [2011/11/27 18:14:14 | 000,000,653 | ---- | C] ()

 RUFGUMQeGIjzMq -> H:\ProgramData\RUFGUMQeGIjzMq -> [2011/11/27 18:14:10 | 000,000,424 | ---- | C] ()

 BlendSettings.ini -> H:\Windows\BlendSettings.ini -> [2011/11/05 19:34:09 | 000,000,023 | ---- | C] ()

 {789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini -> H:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini -> [2011/10/21 21:53:10 | 000,000,248 | ---- | C] ()

 mlfcache.dat -> H:\Windows\System32\mlfcache.dat -> [2011/10/15 20:31:13 | 000,121,448 | ---- | C] ()

 EPPICPrinterDB.dat -> H:\Windows\System32\EPPICPrinterDB.dat -> [2011/02/20 12:18:48 | 000,073,220 | ---- | C] ()

 EPPICPattern131.dat -> H:\Windows\System32\EPPICPattern131.dat -> [2011/02/20 12:18:48 | 000,031,053 | ---- | C] ()

 EPPICPattern1.dat -> H:\Windows\System32\EPPICPattern1.dat -> [2011/02/20 12:18:48 | 000,029,114 | ---- | C] ()

 EPPICPattern121.dat -> H:\Windows\System32\EPPICPattern121.dat -> [2011/02/20 12:18:48 | 000,027,417 | ---- | C] ()

 EPPICPattern3.dat -> H:\Windows\System32\EPPICPattern3.dat -> [2011/02/20 12:18:48 | 000,021,021 | ---- | C] ()

 EPPICPattern5.dat -> H:\Windows\System32\EPPICPattern5.dat -> [2011/02/20 12:18:48 | 000,015,670 | ---- | C] ()

 EPPICPattern2.dat -> H:\Windows\System32\EPPICPattern2.dat -> [2011/02/20 12:18:48 | 000,013,280 | ---- | C] ()

 EPPICPattern4.dat -> H:\Windows\System32\EPPICPattern4.dat -> [2011/02/20 12:18:48 | 000,010,673 | ---- | C] ()

 EPPICPattern6.dat -> H:\Windows\System32\EPPICPattern6.dat -> [2011/02/20 12:18:48 | 000,004,943 | ---- | C] ()

 EPPICPresetData_PT.dat -> H:\Windows\System32\EPPICPresetData_PT.dat -> [2011/02/20 12:18:48 | 000,001,140 | ---- | C] ()

 EPPICPresetData_BP.dat -> H:\Windows\System32\EPPICPresetData_BP.dat -> [2011/02/20 12:18:48 | 000,001,140 | ---- | C] ()

 EPPICPresetData_ES.dat -> H:\Windows\System32\EPPICPresetData_ES.dat -> [2011/02/20 12:18:48 | 000,001,137 | ---- | C] ()

 EPPICPresetData_FR.dat -> H:\Windows\System32\EPPICPresetData_FR.dat -> [2011/02/20 12:18:48 | 000,001,130 | ---- | C] ()

 EPPICPresetData_CF.dat -> H:\Windows\System32\EPPICPresetData_CF.dat -> [2011/02/20 12:18:48 | 000,001,130 | ---- | C] ()

 EPPICPresetData_EN.dat -> H:\Windows\System32\EPPICPresetData_EN.dat -> [2011/02/20 12:18:48 | 000,001,104 | ---- | C] ()

 PICSDK.ini -> H:\Windows\System32\PICSDK.ini -> [2011/02/20 12:18:48 | 000,000,097 | ---- | C] ()

 xvidcore.dll -> H:\Windows\System32\xvidcore.dll -> [2010/07/16 21:48:00 | 000,815,104 | ---- | C] ()

 xvidvfw.dll -> H:\Windows\System32\xvidvfw.dll -> [2010/07/16 21:48:00 | 000,180,224 | ---- | C] ()

 fusioncache.dat -> H:\Users\Chandler\AppData\Local\fusioncache.dat -> [2010/07/10 19:57:38 | 000,000,096 | ---- | C] ()

 bootstat.dat -> H:\Windows\bootstat.dat -> [2009/07/13 20:57:37 | 000,067,584 | --S- | C] ()

 FNTCACHE.DAT -> H:\Windows\System32\FNTCACHE.DAT -> [2009/07/13 20:33:53 | 000,293,224 | ---- | C] ()

 perfh009.dat -> H:\Windows\System32\perfh009.dat -> [2009/07/13 18:05:48 | 000,644,922 | ---- | C] ()

 perfi009.dat -> H:\Windows\System32\perfi009.dat -> [2009/07/13 18:05:48 | 000,291,294 | ---- | C] ()

 perfc009.dat -> H:\Windows\System32\perfc009.dat -> [2009/07/13 18:05:48 | 000,114,360 | ---- | C] ()

 perfd009.dat -> H:\Windows\System32\perfd009.dat -> [2009/07/13 18:05:48 | 000,031,548 | ---- | C] ()

 NOISE.DAT -> H:\Windows\System32\NOISE.DAT -> [2009/07/13 18:05:05 | 000,000,741 | ---- | C] ()

 dssec.dat -> H:\Windows\System32\dssec.dat -> [2009/07/13 18:04:11 | 000,215,943 | ---- | C] ()

 PrintBrmUi.exe -> H:\Windows\System32\PrintBrmUi.exe -> [2009/07/13 16:19:49 | 000,066,048 | ---- | C] ()

 mib.bin -> H:\Windows\mib.bin -> [2009/07/13 15:55:01 | 000,043,131 | ---- | C] ()

 BthpanContextHandler.dll -> H:\Windows\System32\BthpanContextHandler.dll -> [2009/07/13 15:51:43 | 000,073,728 | ---- | C] ()

 BWContextHandler.dll -> H:\Windows\System32\BWContextHandler.dll -> [2009/07/13 15:42:10 | 000,064,000 | ---- | C] ()

 mlang.dat -> H:\Windows\System32\mlang.dat -> [2009/06/10 13:26:10 | 000,673,088 | ---- | C] ()

 VTFLib.dll -> H:\Windows\System32\VTFLib.dll -> [2008/04/13 15:34:54 | 000,585,728 | ---- | C] ()

 xlive.dll.cat -> H:\Windows\System32\xlive.dll.cat -> [2007/11/26 20:56:28 | 000,151,415 | ---- | C] ()

< End of report >



#8 dopefish2112 (Topic Starter, Members, 11 posts)

Posted 29 November 2011 - 08:35 PM

OK so my symptoms are as such

1) When I boot my system, the system fix virus comes up with a fake scan telling me that I need to buy software to fix problems that aren't there.

2) All my files are changed to hidden files

3) I am locked out of the task manager

4) My windows explorer preferences are changed

5) My taskbar preferences are changed.

#9 SweetTech (Agent ST, Members, 13,421 posts)

Posted 30 November 2011 - 12:53 AM

Hi!

You're still infected. When you ran Unhide.exe, did it happen to unhide any of the files that were previously hidden by the infection?

Running OTS Fix
Start OTS. Copy/Paste the information inside the codebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab [Java Plug-in 1.6.0_26]
YN -> {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20]
YN -> {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab [Java Plug-in 1.6.0_22]
YN -> {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab [Java Plug-in 1.6.0_26]
YN -> {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab [Java Plug-in 1.6.0_26]
YN -> {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [Reg Error: Key error.]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" [HKLM] -> Reg Error: Key error. [WebCheck]
[Files/Folders - Modified Within 30 Days]
NY ->  CkDtVto0FJ89Ue -> H:\ProgramData\CkDtVto0FJ89Ue
NY ->  ~CkDtVto0FJ89Ue -> H:\ProgramData\~CkDtVto0FJ89Ue
NY ->  ~CkDtVto0FJ89Uer -> H:\ProgramData\~CkDtVto0FJ89Uer
NY ->  AmfvFyF2poMjvu -> H:\ProgramData\AmfvFyF2poMjvu
NY ->  ~AmfvFyF2poMjvu -> H:\ProgramData\~AmfvFyF2poMjvu
NY ->  ~AmfvFyF2poMjvur -> H:\ProgramData\~AmfvFyF2poMjvur
NY ->  RUFGUMQeGIjzMq -> H:\ProgramData\RUFGUMQeGIjzMq
NY ->  ~RUFGUMQeGIjzMq -> H:\ProgramData\~RUFGUMQeGIjzMq
NY ->  ~RUFGUMQeGIjzMqr -> H:\ProgramData\~RUFGUMQeGIjzMqr
NY ->  System Fix.lnk -> H:\Users\Chandler\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
NY ->  System Fix.lnk -> H:\Users\Chandler\Desktop\System Fix.lnk
[Files - No Company Name]
NY ->  ~CkDtVto0FJ89Ue -> H:\ProgramData\~CkDtVto0FJ89Ue
NY ->  ~CkDtVto0FJ89Uer -> H:\ProgramData\~CkDtVto0FJ89Uer
NY ->  CkDtVto0FJ89Ue -> H:\ProgramData\CkDtVto0FJ89Ue
NY ->  ~AmfvFyF2poMjvu -> H:\ProgramData\~AmfvFyF2poMjvu
NY ->  ~AmfvFyF2poMjvur -> H:\ProgramData\~AmfvFyF2poMjvur
NY ->  AmfvFyF2poMjvu -> H:\ProgramData\AmfvFyF2poMjvu
NY ->  ~RUFGUMQeGIjzMq -> H:\ProgramData\~RUFGUMQeGIjzMq
NY ->  ~RUFGUMQeGIjzMqr -> H:\ProgramData\~RUFGUMQeGIjzMqr
NY ->  System Fix.lnk -> H:\Users\Chandler\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
NY ->  System Fix.lnk -> H:\Users\Chandler\Desktop\System Fix.lnk
NY ->  RUFGUMQeGIjzMq -> H:\ProgramData\RUFGUMQeGIjzMq
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTS will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.


NEXT:



Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#10 dopefish2112 (Topic Starter, Members, 11 posts)

Posted 30 November 2011 - 01:43 AM

OK so unhide did return the hidden files and folders. I ran the OTS fix and it seems to have fixed the problem. However, after reboot it did not produce a log file.

I then ran combo fix. Here is the log:

ComboFix 11-11-29.04 - Chandler 11/29/2011 22:30:30.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1316 [GMT -8:00]
Running from: h:\users\Chandler\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
h:\users\Chandler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
h:\users\Chandler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\System Fix.lnk
h:\users\Chandler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
h:\windows\Downloaded Program Files\popcaploader.dll
h:\windows\Downloaded Program Files\popcaploader.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-30 )))))))))))))))))))))))))))))))
.
.
2011-11-30 06:37 . 2011-11-30 06:37 -------- d-----w- h:\users\Default\AppData\Local\temp
2011-11-30 06:23 . 2011-11-30 06:23 -------- d-----w- H:\_OTS
2011-11-30 04:30 . 2011-11-30 04:30 -------- d-----w- h:\users\UpdatusUser
2011-11-30 04:30 . 2011-10-15 08:53 6350144 ----a-w- h:\windows\system32\nvcpl.dll
2011-11-30 04:30 . 2011-10-15 08:53 602432 ----a-w- h:\windows\system32\easyupdatusapiu.dll
2011-11-30 04:30 . 2011-10-15 08:53 3840320 ----a-w- h:\windows\system32\nvsvc.dll
2011-11-30 04:30 . 2011-10-15 08:53 203072 ----a-w- h:\windows\system32\nvmctray.dll
2011-11-30 04:30 . 2011-10-15 08:53 123712 ----a-w- h:\windows\system32\nvshext.dll
2011-11-30 04:30 . 2011-10-15 08:53 1136448 ----a-w- h:\windows\system32\nvvsvc.exe
2011-11-30 04:30 . 2011-11-30 04:30 -------- d-----w- h:\programdata\NVIDIA Corporation
2011-11-30 04:29 . 2011-10-15 08:53 919872 ----a-w- h:\windows\system32\nvdispco32.dll
2011-11-30 04:29 . 2011-10-15 08:53 877376 ----a-w- h:\windows\system32\nvgenco32.dll
2011-11-30 04:29 . 2011-10-15 08:53 61248 ----a-w- h:\windows\system32\OpenCL.dll
2011-11-30 04:29 . 2011-10-15 08:53 5578560 ----a-w- h:\windows\system32\nvcuda.dll
2011-11-30 04:29 . 2011-10-15 08:53 2458432 ----a-w- h:\windows\system32\nvapi.dll
2011-11-30 04:29 . 2011-10-15 08:53 2401088 ----a-w- h:\windows\system32\nvcuvid.dll
2011-11-30 04:29 . 2011-10-15 08:53 2099520 ----a-w- h:\windows\system32\nvcuvenc.dll
2011-11-30 04:29 . 2011-10-15 08:53 18871616 ----a-w- h:\windows\system32\nvoglv32.dll
2011-11-30 04:29 . 2011-10-15 08:53 17248576 ----a-w- h:\windows\system32\nvcompiler.dll
2011-11-30 04:29 . 2011-10-15 08:53 10327360 ----a-w- h:\windows\system32\drivers\nvlddmkm.sys
2011-11-30 04:29 . 2011-11-30 04:31 -------- d-----w- h:\program files\NVIDIA Corporation
2011-11-30 04:16 . 2011-11-30 04:16 -------- d-----w- h:\program files\SystemRequirementsLab
2011-11-30 04:16 . 2011-11-30 04:16 -------- d-----w- h:\users\Chandler\AppData\Roaming\SystemRequirementsLab
2011-11-29 06:20 . 2011-11-29 06:20 -------- d-----w- H:\_OTM
2011-11-28 05:21 . 2011-11-28 05:21 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2011-11-28 05:21 . 2011-09-01 01:00 22216 ----a-w- h:\windows\system32\drivers\mbam.sys
2011-11-28 04:40 . 2011-11-28 04:40 -------- d-----w- h:\windows\PIF
2011-11-28 02:20 . 2011-11-28 02:20 -------- d-----w- h:\users\Chandler\AppData\Roaming\Malwarebytes
2011-11-28 02:20 . 2011-11-28 02:20 -------- d-----w- h:\programdata\Malwarebytes
2011-11-16 01:00 . 2011-11-05 03:21 2106216 ----a-w- h:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-11-16 01:00 . 2011-11-05 03:21 1998168 ----a-w- h:\program files\Mozilla Firefox\d3dx9_43.dll
2011-11-11 06:25 . 2011-11-11 06:25 -------- d-----w- h:\users\Chandler\AppData\Local\Skyrim
2011-11-11 06:25 . 2010-02-04 18:01 74072 ----a-w- h:\windows\system32\XAPOFX1_4.dll
2011-11-11 06:25 . 2010-02-04 18:01 528216 ----a-w- h:\windows\system32\XAudio2_6.dll
2011-11-11 06:25 . 2010-02-04 18:01 238936 ----a-w- h:\windows\system32\xactengine3_6.dll
2011-11-11 06:25 . 2010-02-04 18:01 22360 ----a-w- h:\windows\system32\X3DAudio1_7.dll
2011-11-11 06:25 . 2008-10-15 14:22 452440 ----a-w- h:\windows\system32\d3dx10_40.dll
2011-11-11 06:25 . 2008-10-15 14:22 2036576 ----a-w- h:\windows\system32\D3DCompiler_40.dll
2011-11-11 06:25 . 2008-10-15 14:22 4379984 ----a-w- h:\windows\system32\D3DX9_40.dll
2011-11-06 03:35 . 2011-11-30 06:25 -------- d-----w- h:\programdata\NVIDIA
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-05 00:37 . 2011-08-11 06:03 414368 ----a-w- h:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-15 08:54 . 2011-10-15 08:54 321856 ----a-w- h:\windows\system32\nvStreaming.exe
2011-10-15 08:53 . 2009-07-13 22:09 7041856 ----a-w- h:\windows\system32\nvwgf2um.dll
2011-10-15 08:53 . 2009-06-10 21:19 13205312 ----a-w- h:\windows\system32\nvd3dum.dll
2011-11-05 06:53 . 2011-11-16 00:59 134104 ----a-w- h:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\program files\Vuze_Remote\tbVuze.dll" [2010-05-20 2675296]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2010-05-20 22:35 2675296 ----a-w- h:\program files\Vuze_Remote\tbVuze.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "h:\program files\Vuze_Remote\tbVuze.dll" [2010-05-20 2675296]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "h:\program files\Vuze_Remote\tbVuze.dll" [2010-05-20 2675296]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="h:\program files\AIM\aim.exe" [2009-12-01 3951976]
"PeerGuardian"="h:\program files\PeerGuardian2\pg2.exe" [2007-06-02 1457152]
"Pando Media Booster"="h:\program files\Pando Networks\Media Booster\PMB.exe" [2011-09-01 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DivXUpdate"="h:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"SunJavaUpdateSched"="h:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"QuickTime Task"="h:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="h:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
h:\users\Chandler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - h:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 nvUpdatusService;NVIDIA Update Service Daemon;h:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 RosettaStoneLtdController;RosettaStoneLtdController;h:\program files\RosettaStoneLtdServices\RosettaStoneLtdController.exe [2008-09-16 352312]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;h:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-30 h:\windows\Tasks\Norton Security Scan for Chandler.job
- h:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-09-30 17:06]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Google Sidewiki... - h:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - h:\users\Chandler\AppData\Roaming\Mozilla\Firefox\Profiles\e5sa3l73.default\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-06388813.sys
SafeBoot-34599139.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3383455678-3866618119-4233008107-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:6d,d3,f6,6a,a5,f6,78,18,5a,10,03,e7,60,a0,14,28,d8,d7,5e,00,2f,f8,71,
5e,62,09,60,9f,ea,e7,64,03,0b,60,cb,e7,2b,3c,c2,a8,11,00,83,30,b5,88,11,2e,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-11-29 22:38:49
ComboFix-quarantined-files.txt 2011-11-30 06:38
.
Pre-Run: 104,013,864,960 bytes free
Post-Run: 104,965,406,720 bytes free
.
- - End Of File - - 4A7059B7B8F73B0FDD38304DDFAA689A

#11 SweetTech (Agent ST, Members, 13,421 posts)

Posted 30 November 2011 - 02:07 AM

Hi!

Let's see what these scans find, and see where we stand then.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



#12 dopefish2112 (Topic Starter, Members, 11 posts)

Posted 30 November 2011 - 02:22 AM

Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8276

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/29/2011 11:17:09 PM
mbam-log-2011-11-29 (23-17-09).txt

Scan type: Quick scan
Objects scanned: 170356
Time elapsed: 2 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 SweetTech (Agent ST, Members, 13,421 posts)

Posted 30 November 2011 - 03:52 AM

:thumbsup:



#14 dopefish2112 (Topic Starter, Members, 11 posts)

Posted 30 November 2011 - 08:29 PM

ESET Log:

D:\Installs\registryfix.exe a variant of Win32/Adware.ErrorClean application
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\2376d581-2a36a2d2 multiple threats
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\6e2dba0f-13a06443 multiple threats
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\d50c015-2e24c003 Java/Agent.BV trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\70f0f65a-734529f3 multiple threats
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\2f31845f-6b77074e Java/Agent.BV trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\68b74c9f-1b0cd05b probably a variant of Java/Agent.BR trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-3aa43713 Java/TrojanDownloader.Agent.NBL trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\6b4d836b-1092a1de Java/Agent.BV trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\640c67b5-27ebb9ba Java/TrojanDownloader.Agent.NBM trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\469f7ebd-5b3c4ded a variant of Java/Agent.BR trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-766b115b Java/TrojanDownloader.Agent.NBK trojan
H:\_OTM\MovedFiles\11282011_222039\h_programdata\CkDtVto0FJ89Ue.exe Win32/Adware.HDDRescue.AB application
H:\_OTM\MovedFiles\11282011_222039\h_programdata\dSPEfJqNGav.exe a variant of Win32/Kryptik.WEN trojan


Security Check Log:

Results of screen317's Security Check version 0.99.28
Windows 7 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG 2011
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 26
Java™ 6 Update 20
Java™ 6 Update 22
Java version out of date!
Adobe Flash Player 11.0.1.152
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (8.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbam.exe
``````````End of Log````````````

#15 SweetTech (Agent ST, Members, 13,421 posts)

Posted 01 December 2011 - 01:54 AM

Hi!

These threat(s) below are currently in Quarantine/System Restore and shall be removed when we clean up our tools later on.

H:\_OTM\MovedFiles\11282011_222039\h_programdata\CkDtVto0FJ89Ue.exe Win32/Adware.HDDRescue.AB application
H:\_OTM\MovedFiles\11282011_222039\h_programdata\dSPEfJqNGav.exe a variant of Win32/Kryptik.WEN trojan


These threat(s) below will be removed very shortly:

D:\Installs\registryfix.exe a variant of Win32/Adware.ErrorClean application
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\2376d581-2a36a2d2 multiple threats
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\6e2dba0f-13a06443 multiple threats
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\d50c015-2e24c003 Java/Agent.BV trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\70f0f65a-734529f3 multiple threats
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\2f31845f-6b77074e Java/Agent.BV trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\68b74c9f-1b0cd05b probably a variant of Java/Agent.BR trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-3aa43713 Java/TrojanDownloader.Agent.NBL trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\6b4d836b-1092a1de Java/Agent.BV trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\640c67b5-27ebb9ba Java/TrojanDownloader.Agent.NBM trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\469f7ebd-5b3c4ded a variant of Java/Agent.BR trojan
H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-766b115b Java/TrojanDownloader.Agent.NBK trojan


____________________________________________________

From the looks of your SecurityCheck log, I can see that we have some outdated programs that need to be updated.

Let's address those programs that need updating now!

Java Outdated

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform:
    • 32-bit Select: Windows x86 Offline.
    • 64-bit Select: Windows x64.
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


NEXT



Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws, so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here< Foxit Reader has fewer add-ons therefore loads more quickly.



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    
    :Reg
    
    :Files
    D:\Installs\registryfix.exe
    H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\2376d581-2a36a2d2
    H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\6e2dba0f-13a06443
    H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\d50c015-2e24c003
    H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\70f0f65a-734529f3
    H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\2f31845f-6b77074e
    H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\68b74c9f-1b0cd05b
    H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-3aa43713
    H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\6b4d836b-1092a1de
    H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\640c67b5-27ebb9ba
    H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\469f7ebd-5b3c4ded
    H:\Users\Chandler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-766b115b
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.


    netsvcs
    drivers32
    hklm\software\clients\startmenuinternet|command /rs
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



What outstanding issues (if any) are you still experiencing with your computer?

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
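The steps in the post above (remove every old Java version, update Adobe Reader, clean the Java Deployment cache entries ESET flagged, and have OTL read the Windows Update keys) are all done by hand through the GUI and OTL. As an added example that is not part of this thread, of OTL, or of the helper's instructions, the PowerShell script below performs the read-only half of that work: it inventories the matching Add/Remove Programs entries, lists every blob in the Java Deployment cache with its SHA-256, and reads the same two Windows Update registry keys the OTL custom scan queries. It assumes Windows Vista/7 or later with PowerShell 2.0+, run from an elevated prompt; the users root is derived from the current profile (so it lands on H:\Users on a machine like the one in this thread) and can be overridden with the `-UsersRoot` parameter, which is this example's own name. Nothing is deleted; the removal itself stays with the uninstaller and the OTL fix.

```powershell
# Added example, not part of the BleepingComputer thread or of OTL.
# Read-only inventory mirroring the post's manual steps:
#   (a) installed Java / Adobe Reader versions that need removing,
#   (b) contents of the Java Deployment cache (hashed, for cross-checking the scanner),
#   (c) the Windows Update policy and last-success keys the OTL custom scan reads.
# Assumes Windows Vista/7+, PowerShell 2.0+, elevated prompt. Nothing is deleted.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 32-bit apps on x64
)

function Get-InstalledProducts {
    # Returns Add/Remove Programs entries whose DisplayName matches any pattern.
    param([string[]]$NamePatterns = @('Java*', 'J2SE*', 'Adobe Reader*'))
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in (Get-ChildItem $key)) {
            $p = Get-ItemProperty $sub.PSPath
            $match = $NamePatterns | Where-Object { $p.DisplayName -like $_ }
            if (-not $match) { continue }
            New-Object PSObject -Property @{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                Publisher       = $p.Publisher
                UninstallString = $p.UninstallString
            }
        }
    }
}

function Get-FileSha256([string]$Path) {
    # SHA-256 via .NET so this also works on PowerShell 2.0 (no Get-FileHash there).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

function Get-JavaCacheEntries {
    # Lists cached applet/JAR blobs for every profile under the users root.
    # The cache lives in <profile>\AppData\LocalLow\Sun\Java\Deployment\cache.
    # -UsersRoot is this example's own parameter; the default follows the current
    # profile's parent folder rather than hard-coding C:\Users.
    param([string]$UsersRoot = (Split-Path $env:USERPROFILE -Parent))
    foreach ($userDir in (Get-ChildItem $UsersRoot -ErrorAction SilentlyContinue)) {
        $cache = Join-Path $userDir.FullName 'AppData\LocalLow\Sun\Java\Deployment\cache'
        if (-not (Test-Path $cache)) { continue }
        Get-ChildItem $cache -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -ne '.idx' } |   # .idx files are the cache index; the blobs have no extension
            ForEach-Object {
                New-Object PSObject -Property @{
                    FullName      = $_.FullName
                    Length        = $_.Length
                    LastWriteTime = $_.LastWriteTime
                    Sha256        = Get-FileSha256 $_.FullName
                }
            }
    }
}

function Get-WindowsUpdateState {
    # The same two keys the OTL custom scan in the post reads.
    $au   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $last = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        AUPolicyPresent = [bool]$au
        NoAutoUpdate    = $(if ($au)   { $au.NoAutoUpdate }    else { $null })   # 1 = automatic updates disabled by policy
        AUOptions       = $(if ($au)   { $au.AUOptions }       else { $null })   # 2..4 = notify / download / fully automatic
        LastSuccessTime = $(if ($last) { $last.LastSuccessTime } else { $null })
    }
}

# Usage: run all three inventories and print them.
Get-InstalledProducts  | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
Get-JavaCacheEntries   | Format-Table LastWriteTime, Length, Sha256, FullName -AutoSize
Get-WindowsUpdateState | Format-List
```

Run it before and after the Java reinstall: the first table should be empty of every JRE/J2SE entry except the new Version 7 build, the cache listing should be empty once OTL's fix has moved the flagged files, and a missing `AU` policy key together with a recent `LastSuccessTime` means Windows Update has not been turned off by the infection.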




