TechSpot

[A] Help I have a malware virus

By blazer5217
Jan 16, 2012
  1. BRONI,

    I have a malware virus and have followed your 5 step process. Here are the logs. Can you please help?

    My Error Messages:
    1. Hard Drive Clusters are partiality damaged.
    2. Ram storage is critically low
    3. Windows OS can not detect free storage space
    4. Critical Hard Drive damage perform system scan

    I followed all your steps and here are the logs you requested.

    mbam

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.16.01

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 8.0.7601.17514
    Richard :: RICHARD-PC [administrator]

    Protection: Enabled

    1/16/2012 3:43:34 PM
    mbam-log-2012-01-16 (15-43-34).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 167257
    Time elapsed: 5 minute(s), 46 second(s)

    Memory Processes Detected: 1
    C:\ProgramData\Uwrw4Km7OaDAvt.exe (Rogue.FakeAlert) -> 3020 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)
     
  2. blazer5217

    blazer5217 TS Rookie Topic Starter

    mbam log

    Database version: v2012.01.16.01

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 8.0.7601.17514
    Richard :: RICHARD-PC [administrator]

    Protection: Enabled

    1/16/2012 3:43:34 PM
    mbam-log-2012-01-16 (15-43-34).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 167257
    Time elapsed: 5 minute(s), 46 second(s)

    Memory Processes Detected: 1
    C:\ProgramData\Uwrw4Km7OaDAvt.exe (Rogue.FakeAlert) -> 3020 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\ProgramData\Uwrw4Km7OaDAvt.exe (Rogue.FakeAlert) -> Delete on reboot.

    (end)
     
  3. blazer5217

    blazer5217 TS Rookie Topic Starter

    dds log

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24
    Run by Richard at 15:41:40 on 2012-01-16
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2038.978 [GMT -7:00]
    .
    AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
    C:\Windows\System32\alg.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Real\RealPlayer\Update\realsched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\ProgramData\jEGCsSWIMfSR.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\ProgramData\Uwrw4Km7OaDAvt.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3059010
    uSearch Bar = Preserve
    uURLSearchHooks: Vgrabber Toolbar: {b2ed7faf-72a0-46d1-9d9d-602226f5cb9f} - c:\program files\vgrabber\prxtbVgra.dll
    mURLSearchHooks: Vgrabber Toolbar: {b2ed7faf-72a0-46d1-9d9d-602226f5cb9f} - c:\program files\vgrabber\prxtbVgra.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Vgrabber Toolbar: {b2ed7faf-72a0-46d1-9d9d-602226f5cb9f} - c:\program files\vgrabber\prxtbVgra.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Vgrabber Toolbar: {b2ed7faf-72a0-46d1-9d9d-602226f5cb9f} - c:\program files\vgrabber\prxtbVgra.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [Facebook Update] "c:\users\richard\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
    uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [jEGCsSWIMfSR.exe] c:\programdata\jEGCsSWIMfSR.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    StartupFolder: c:\users\richard\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    TCP: Interfaces\{00B717E8-023D-4A14-BDCA-01DFE6F8F883} : DhcpNameServer = 192.168.42.129
    TCP: Interfaces\{AB5CA5A9-01F7-44B4-8690-426221FA9EE1} : DhcpNameServer = 192.168.0.1 205.171.3.25
    TCP: Interfaces\{AB5CA5A9-01F7-44B4-8690-426221FA9EE1}\055534B46594255535 : NameServer = 192.168.1.1
    TCP: Interfaces\{AB5CA5A9-01F7-44B4-8690-426221FA9EE1}\055534B46594255535 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{AB5CA5A9-01F7-44B4-8690-426221FA9EE1}\140707C65626565637 : DhcpNameServer = 10.128.128.128
    TCP: Interfaces\{AB5CA5A9-01F7-44B4-8690-426221FA9EE1}\157756374775966496 : DhcpNameServer = 192.168.9.1 64.134.255.2 64.134.255.10
    TCP: Interfaces\{AB5CA5A9-01F7-44B4-8690-426221FA9EE1}\2596467656679656774556C6 : NameServer = 192.168.0.1,205.171.3.25
    TCP: Interfaces\{AB5CA5A9-01F7-44B4-8690-426221FA9EE1}\2596467656679656774556C6 : DhcpNameServer = 4.2.2.1 4.2.2.2
    TCP: Interfaces\{AB5CA5A9-01F7-44B4-8690-426221FA9EE1}\D496B65602751627460294E66696E6964796 : DhcpNameServer = 209.150.200.10 66.213.224.2
    TCP: Interfaces\{AB5CA5A9-01F7-44B4-8690-426221FA9EE1}\E4544574541425 : NameServer = 192.168.1.1
    TCP: Interfaces\{AB5CA5A9-01F7-44B4-8690-426221FA9EE1}\E4544574541425 : DhcpNameServer = 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\richard\appdata\roaming\mozilla\firefox\profiles\ndegllfq.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3059010&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3059010&SearchSource=13
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
    FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\users\richard\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.BabylonToolbar_i.id - a4a1ff75000000000000001f3a1ea795
    FF - user.js: extensions.BabylonToolbar_i.hardId - a4a1ff75000000000000001f3a1ea795
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15337
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.170:47:29
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=108844
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-2-17 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-17 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-17 66616]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-3 652872]
    R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2011-4-26 223088]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-17 20464]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-19 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-19 136176]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2011-4-4 20480]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-21 52224]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-2-17 1343400]
    .
    =============== Created Last 30 ================
    .
    2012-01-16 22:14:09 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{6ab3c6b9-32f1-43f3-a3e7-f1bec42b41e2}\offreg.dll
    2012-01-16 22:11:36 358656 ------w- c:\programdata\Uwrw4Km7OaDAvt.exe
    2012-01-16 20:50:17 455424 ---ha-w- c:\programdata\jEGCsSWIMfSR.exe
    2012-01-16 01:58:44 -------- d-----w- c:\program files\v-Grabber
    2012-01-16 01:58:25 -------- d-----w- c:\program files\Conduit
    2012-01-16 01:58:21 -------- d--h--w- c:\users\richard\appdata\local\Conduit
    2012-01-16 01:58:20 -------- d-----w- c:\program files\Vgrabber
    2012-01-16 01:46:37 -------- d--h--w- c:\users\richard\appdata\local\The Weather Channel
    2012-01-15 23:55:59 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-15 23:55:59 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-15 23:55:59 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-15 23:55:59 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-15 23:55:59 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-15 23:55:58 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-15 23:55:58 22528 ----a-w- c:\windows\system32\lsass.exe
    2012-01-15 23:55:58 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-15 23:55:58 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-15 23:55:58 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-15 14:31:42 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{6ab3c6b9-32f1-43f3-a3e7-f1bec42b41e2}\mpengine.dll
    2012-01-11 16:30:40 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-11 16:30:37 67072 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 16:30:28 514560 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-11 16:30:28 1328128 ----a-w- c:\windows\system32\quartz.dll
    2012-01-10 09:41:54 57344 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\ZIMFPRNT.DLL
    2012-01-10 09:41:35 53248 ----a-w- c:\windows\system32\ZTAG.DLL
    2012-01-10 09:41:35 106496 ----a-w- c:\windows\system32\ZSPOOL.DLL
    2012-01-10 09:41:34 61440 ----a-w- c:\windows\system32\ZIMF.DLL
    2012-01-10 09:41:34 430080 ----a-w- c:\windows\system32\ZSHP1018.EXE
    2012-01-10 09:41:34 102400 ----a-w- c:\windows\system32\ZLhp1018.DLL
    2011-12-29 07:47:39 -------- d--h--w- c:\programdata\Tarma Installer
    2011-12-29 07:47:26 -------- d--h--w- c:\users\richard\appdata\local\Babylon
    2011-12-29 07:47:25 -------- d--h--w- c:\users\richard\appdata\roaming\Babylon
    2011-12-29 07:47:25 -------- d--h--w- c:\programdata\Babylon
    .
    ==================== Find3M ====================
    .
    2012-01-15 14:51:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-10 22:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-07 22:51:21 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-12-03 03:18:08 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-20 19:18:47 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-11-20 19:18:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-11-05 04:35:00 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-11-05 04:26:03 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-05 02:48:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-10-26 04:47:40 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-26 04:47:40 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-26 04:28:12 38912 ----a-w- c:\windows\system32\csrsrv.dll
    .
    ============= FINISH: 15:42:18.85 ===============
     
  4. blazer5217

    blazer5217 TS Rookie Topic Starter

    Log Attachments

    Sorry, here is the log attachment!!!!
     


  5. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================================================

    Please pay attention to forum rules.
    All logs have to be pasted, not attached.

    I still need Attach.txt part of DDS and GMER log PASTED.
     
  6. blazer5217

    blazer5217 TS Rookie Topic Starter

    Too many characters

    I tried to post GMER but there were too many characters! Sorry, any other suggestion?


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/17/2011 10:13:39 PM
    System Uptime: 1/16/2012 3:10:26 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0KU184
    Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 2001/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 74 GiB total, 47.029 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {50dd5230-ba8a-11d1-bf5d-0000f805f530}
    Description: Microsoft Usbccid Smartcard Reader (O2 Micro OZ776/777)
    Device ID: USB\VID_0B97&PID_7772\6&36CD5118&0&2
    Manufacturer: Microsoft
    Name: Microsoft Usbccid Smartcard Reader (O2 Micro OZ776/777)
    PNP Device ID: USB\VID_0B97&PID_7772\6&36CD5118&0&2
    Service: WUDFRd
    .
    ==== System Restore Points ===================
    .
    RP146: 1/4/2012 5:05:02 PM - Windows Update
    RP147: 1/11/2012 9:29:53 AM - Windows Update
    RP148: 1/12/2012 10:03:07 AM - Windows Update
    RP149: 1/16/2012 3:00:20 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    32 Bit HP CIO Components Installer
    4500_G510af_Help
    4500G510af
    4500G510af_Software_Min
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.0.1)
    Avira AntiVir Personal - Free Antivirus
    BufferChm
    CCleaner
     
  7. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start the scan.
    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==========================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
Topic Status:
Not open for further replies.
