TechSpot

Google redirect & .exe file bad image pop-ups

Inactive
By sunday972
Jul 7, 2011
  1. I am having strange pop-ups, for example "ms.paint.exe - Bad Image: The application or DLL C:\WINDOWS\system32\napipsec32.dll is not a valid Windows image. Please check this against your installation diskette," whenever I open any program, as well as Google redirects whenever I search for a link using Google Chrome. This occurred after I did a System Restore after deleting "SigmaTel Audio" by accident on a Dell Vostro 1000 notebook laptop, which is when this malware began appearing.

    [All Logs have been posted in the following order - MBAM, GMER, DDS, & ATTACHMENT] :)
     
  2. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19

    First Scan Log MBAM

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 7026

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    7/5/2011 8:51:21 AM
    mbam-log-2011-07-05 (08-51-21).txt

    Scan type: Quick scan
    Objects scanned: 178958
    Time elapsed: 1 hour(s), 46 minute(s), 59 second(s)

    Memory Processes Infected: 7
    Memory Modules Infected: 2
    Registry Keys Infected: 15
    Registry Values Infected: 4
    Registry Data Items Infected: 1
    Folders Infected: 3
    Files Infected: 114

    Memory Processes Infected:
    c:\WINDOWS\system32\rassapi32.exe (Trojan.Tracur.SGen) -> 1900 -> Unloaded process successfully.
    c:\WINDOWS\system32\tcpmonui32.exe (Trojan.Tracur.SGen) -> 196 -> Unloaded process successfully.
    c:\WINDOWS\system32\6F.tmp (Trojan.Tracur.SGen) -> 216 -> Unloaded process successfully.
    c:\WINDOWS\system32\6F.tmp (Trojan.Tracur.SGen) -> 2412 -> Unloaded process successfully.
    c:\documents and settings\ducmelavang1\application data\SysWin\lsass.exe (Trojan.Tracur.SGen) -> 1992 -> Unloaded process successfully.
    c:\WINDOWS\spmsgwow.exe (Trojan.Tracur.SGen) -> 2396 -> Unloaded process successfully.
    c:\WINDOWS\Ftehea.exe (Trojan.FraudPack.Gen) -> 3948 -> Unloaded process successfully.

    Memory Modules Infected:
    c:\WINDOWS\system32\napipsec32.dll (Trojan.Tracur.XGen) -> Delete on reboot.
    c:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.XGen) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr32 (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{021B3F33-F1B7-438F-BB69-284DD7D2080b} (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{021B3F33-F1B7-438F-BB69-284DD7D2080B} (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{021B3F33-F1B7-438F-BB69-284DD7D2080B} (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{6B9EAB5A-1226-4D3A-8200-60A905B32161} (PUP.WebEnhancements) -> Not selected for removal.
    HKEY_CLASSES_ROOT\TypeLib\{A1BC6BEA-778D-48A0-A58B-1D0B425E1BDE} (PUP.WebEnhancements) -> Not selected for removal.
    HKEY_CLASSES_ROOT\Interface\{D090529F-4CB3-4952-859D-9889416405D5} (PUP.WebEnhancements) -> Not selected for removal.
    HKEY_CLASSES_ROOT\facerange.StockBar.1 (PUP.WebEnhancements) -> Not selected for removal.
    HKEY_CLASSES_ROOT\facerange.StockBar (PUP.WebEnhancements) -> Not selected for removal.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B9EAB5A-1226-4D3A-8200-60A905B32161} (PUP.WebEnhancements) -> Not selected for removal.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6B9EAB5A-1226-4D3A-8200-60A905B32161} (PUP.WebEnhancements) -> Not selected for removal.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebEnhancements_1 (PUP.WebEnhancements) -> Not selected for removal.
    HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TLNTSVR32 (Trojan.Tracur) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Tracur.SGen) -> Value: RTHDBPL -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spmsgwow.exe (Trojan.Tracur.SGen) -> Value: spmsgwow.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SQ4DY0FH7F (Trojan.FraudPack.Gen) -> Value: SQ4DY0FH7F -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIY5DFZ5LO (Trojan.FraudPack.Gen) -> Value: DIY5DFZ5LO -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.XGen) -> Bad: (C:\WINDOWS\system32\napipsec32.dll) Good: () -> Quarantined and deleted successfully.

    Folders Infected:
    c:\WINDOWS\system32\SysWoW32 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\program files\webenhancements (PUP.WebEnhancements) -> Not selected for removal.
    c:\documents and settings\ducmelavang1\application data\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    c:\WINDOWS\system32\rassapi32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\napipsec32.dll (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\tcpmonui32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\6F.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.XGen) -> Delete on reboot.
    c:\documents and settings\ducmelavang1\application data\SysWin\lsass.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\WINDOWS\spmsgwow.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\Documents and Settings\DucMeLaVang1\Local Settings\Temp\Frr.exe (Trojan.FraudPack.Gen) -> Delete on reboot.
    c:\WINDOWS\Ftehea.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
    c:\program files\webenhancements\webenhancements.dll (PUP.WebEnhancements) -> Not selected for removal.
    c:\WINDOWS\system32\mydocs32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\napipsec32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\mtxparhd32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\1A8.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\271.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\2BB.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\documents and settings\ducmelavang1\local settings\Temp\Frq.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
    c:\WINDOWS\Temp\30.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\WINDOWS\Temp\51.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
    c:\documents and settings\localservice\application data\02000000258e316d1347c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\localservice\application data\02000000258e316d1347o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\localservice\application data\02000000258e316d1347p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\localservice\application data\02000000258e316d1347s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\02000000258e316d1347c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\02000000258e316d1347o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\02000000258e316d1347p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\02000000258e316d1347s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\gnuhashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v12.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v0 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v1 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v10 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v11 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v12 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v13 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v14 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v15 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v2 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v3 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v4 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v5 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v6 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v7 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v8 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\@u1927150542v9 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v1 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v1.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v10 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v10.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v11 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v11.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v2 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v2.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v3 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v3.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v8 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v8.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v9 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v9.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu220396494v0 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu220396494v0.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu220396494v1 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu220396494v1.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu220396494v2 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu220396494v2.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu220396494v3 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu220396494v3.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v0 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v1 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v10 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v11 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v12 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v13 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v14 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v2 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v3 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v4 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v5 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v6 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v7 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v8 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v9 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu220396494v4 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu220396494v4.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu220396494v5 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu220396494v5.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu220396494v6 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu220396494v6.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu220396494v7 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu220396494v7.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v0 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v12 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v13 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v13.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v14 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v14.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v15 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v15.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v4 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v4.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v5 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v5.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v6 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v6.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v7 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\mu1927150542v7.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\wu1927150542v0.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\SysWoW32\_u1927150542v15 (Trojan.Tracur) -> Quarantined and deleted successfully.
    c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
    c:\program files\webenhancements\webenhancements.xpi (PUP.WebEnhancements) -> Not selected for removal.
    c:\program files\webenhancements\uninst.exe (PUP.WebEnhancements) -> Not selected for removal.
    c:\program files\webenhancements\webenhancements.crx (PUP.WebEnhancements) -> Not selected for removal.
    c:\program files\webenhancements\webenhancements.safariextz (PUP.WebEnhancements) -> Not selected for removal.
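A log-triage helper for MBAM output in the format posted above. It is an added example, not code from this thread or from Malwarebytes; the sample lines are constructed from a few lines of the log above, and the persistence-marker table is my own heuristic.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) scan-log text.

Each detection line has the shape "<object> (<threat>) -> [<detail> ->] <action>."
The parser pulls those apart; triage() then surfaces what a log reviewer reads
first: items left unremoved, items pending "Delete on reboot", and the
persistence mechanisms (Run keys, AppInit_DLLs, BHOs, scheduled tasks) used.
"""
import re
from collections import Counter, defaultdict
from typing import List, NamedTuple, Optional

# Constructed sample in the shape of the log above (a few of its lines, not all).
SAMPLE_LOG = r"""
Memory Modules Infected:
c:\WINDOWS\system32\napipsec32.dll (Trojan.Tracur.XGen) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{021B3F33-F1B7-438F-BB69-284DD7D2080B} (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\facerange.StockBar (PUP.WebEnhancements) -> Not selected for removal.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spmsgwow.exe (Trojan.Tracur.SGen) -> Value: spmsgwow.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.XGen) -> Bad: (C:\WINDOWS\system32\napipsec32.dll) Good: () -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\program files\webenhancements\webenhancements.dll (PUP.WebEnhancements) -> Not selected for removal.
"""

# One detection line: object, threat name in parentheses, then " -> " segments.
_LINE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[\w.]+)\) -> (?P<rest>.+?)\.?$")

# (lower-cased marker in the object path, label): my own heuristics, not MBAM's.
_PERSISTENCE = (
    ("appinit_dlls", "AppInit_DLLs"),
    ("browser helper objects", "BHO"),
    ("\\currentversion\\run\\", "Run key"),
    ("\\policies\\explorer\\run\\", "Run key"),
    ("\\tasks\\", "Scheduled task"),
)


class Detection(NamedTuple):
    obj: str
    threat: str
    action: str
    detail: Optional[str]  # e.g. "Value: spmsgwow.exe" or "Bad: (...) Good: ()"

    @property
    def family(self) -> str:
        """Collapse variant suffixes: Trojan.Tracur.XGen -> Trojan.Tracur."""
        return ".".join(self.threat.split(".")[:2])

    @property
    def persistence(self) -> Optional[str]:
        """Label the persistence mechanism this object represents, if any."""
        path = self.obj.lower()
        return next((label for marker, label in _PERSISTENCE if marker in path), None)


def parse_mbam_log(text: str) -> List[Detection]:
    """One Detection per matching line; section headers and blanks are skipped."""
    found = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        segments = m.group("rest").split(" -> ")  # last segment is the action
        detail = " -> ".join(segments[:-1]) or None
        found.append(Detection(m.group("obj"), m.group("threat"), segments[-1], detail))
    return found


def triage(detections: List[Detection]) -> dict:
    """Group detections the way a reviewer reads the log."""
    persistence = defaultdict(list)
    for d in detections:
        if d.persistence:
            persistence[d.persistence].append(d)
    return {
        "by_family": Counter(d.family for d in detections),
        "not_removed": [d for d in detections if d.action == "Not selected for removal"],
        "pending_reboot": [d for d in detections if d.action == "Delete on reboot"],
        "persistence": dict(persistence),
    }


def report(summary: dict) -> str:
    """Plain-text summary suitable for pasting back into a reply."""
    lines = [f"{fam}: {n}" for fam, n in summary["by_family"].most_common()]
    for label, items in summary["persistence"].items():
        lines += [f"[{label}] {d.obj}" + (f"  {d.detail}" if d.detail else "") for d in items]
    lines += [f"PENDING REBOOT: {d.obj}" for d in summary["pending_reboot"]]
    lines += [f"NOT REMOVED (confirm intent): {d.obj}" for d in summary["not_removed"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_mbam_log(SAMPLE_LOG))))
```

Run against a full pasted log, the "NOT REMOVED" lines are exactly the items a helper would ask the poster about, and "PENDING REBOOT" shows which modules were still loaded when the scan ran.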
     
  3. sunday972

    Latest MBAM Scan Log

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 7044

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    7/7/2011 3:44:15 PM
    mbam-log-2011-07-07 (15-44-15).txt

    Scan type: Quick scan
    Objects scanned: 181047
    Time elapsed: 12 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\DIY5DFZ5LO (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIY5DFZ5LO (Trojan.FakeAlert.SA) -> Value: DIY5DFZ5LO -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\Ftehea.exe (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
     
  4. sunday972

    GMER log

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-07-07 18:40:27
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HM121HI rev.LZ100-11
    Running: y7e3kd9x.exe; Driver: C:\DOCUME~1\DUCMEL~1\LOCALS~1\Temp\awtyapoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help with the redirect problem.

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    Please follow the additional steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    You do not need to run Malwarebytes again. And I only need logs for the current scans, unless I specifically request an older log.

    Regarding this:
    Did you download each of these for Firefox or other browser? Did you intentionally not check for removal?
    ==================================
     
  6. sunday972

    DDS & ATTACHMENT log

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 7.0.5730.13
    Run by DucMeLaVang1 at 19:00:47 on 2011-07-07
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1313 [GMT -5:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Documents and Settings\DucMeLaVang1\My Documents\My Music\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Real\RealPlayer\update\realsched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=435&affiliate_id=&channel=rjacs&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110624&user_guid=B9D274B9D81A47C198479BA86D91E41D&machine_id=54a235e916238eafc680cafc65332329&browser=IE&os=win&os_version=5.1-x86-SP3
    mDefault_Page_URL = hxxp://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com
    BHO: {021b3f33-f1b7-438f-bb69-284dd7d2080b} - c:\windows\system32\atipdlxx32.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
    BHO: {70C6E9DE-F30E-4A40-8A6F-9572C2328320} - No File
    BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\documents and settings\ducmelavang1\my documents\my music\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\documents and settings\ducmelavang1\my documents\my music\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
    TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\ducmelavang1\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [limewire plus+] "c:\program files\limewire plus+\limewire.exe" -h
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
    mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221506534368
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    AppInit_DLLs: c:\windows\system32\napipsec32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-5 366640]
    R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
    R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
    R2 Toolbar Updater Service;Toolbar Updater Service;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-3-24 199904]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-5 22712]
    S3 apf001;apf001;c:\windows\system32\apf001.sys [2011-4-25 10872]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-5 39984]
    S3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
    S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101018.002\NAVENG.sys [2010-11-5 86064]
    S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101018.002\NAVEX15.sys [2010-11-5 1371184]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    .
    =============== Created Last 30 ================
    .
    2011-07-06 00:12:49 4952064 ----a-w- c:\windows\system32\stacgui.cpl
    2011-07-06 00:12:49 405504 ----a-w- c:\windows\stsystra.exe
    2011-07-06 00:12:49 1601536 ----a-w- c:\windows\system32\stlang.dll
    2011-07-05 23:57:36 -------- d-----w- c:\documents and settings\ducmelavang1\local settings\application data\Help
    2011-07-05 20:27:56 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-05 20:27:50 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-05 14:55:57 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-07-05 14:55:57 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-07-05 14:55:30 -------- d-----w- c:\program files\common files\Akamai
    2011-07-05 14:55:24 -------- d-----w- c:\documents and settings\ducmelavang1\local settings\application data\PMB Files
    2011-07-05 14:55:24 -------- d-----w- c:\documents and settings\all users\application data\PMB Files
    2011-07-05 14:55:23 -------- d-----w- c:\program files\StartNow Toolbar
    2011-07-05 14:55:17 -------- d-----w- c:\program files\SigmaTel
    2011-07-05 14:23:38 -------- d-----w- c:\program files\DriverFinder
    2011-07-05 14:23:12 -------- d-----w- c:\documents and settings\ducmelavang1\application data\DriverFinder
    2011-07-05 14:20:43 -------- d-----w- c:\program files\Software Informer
    2011-07-05 14:20:43 -------- d-----w- c:\documents and settings\ducmelavang1\application data\Software Informer
    2011-07-05 11:55:46 -------- d-----w- c:\documents and settings\ducmelavang1\application data\Malwarebytes
    2011-07-05 11:54:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-05 05:56:07 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-07-05 02:05:15 -------- d-----w- c:\windows\system32\NtmsData
    2011-07-05 00:21:08 145408 --sha-r- c:\windows\system32\msswchxf.dll
    2011-07-03 18:48:15 -------- d-----w- c:\windows\system32\1509816429
    2011-07-03 18:47:58 -------- d-----w- c:\windows\system32\1592885943
    2011-06-25 16:52:41 213504 ----a-w- c:\windows\system32\mtxparhd32.exe
    2011-06-25 04:56:38 -------- d-----w- c:\program files\common files\xing shared
    2011-06-25 04:52:40 -------- d-----w- c:\program files\ClickCoupon
    2011-06-24 23:56:32 -------- d-----w- c:\program files\Object
    2011-06-23 08:54:01 213504 ----a-w- c:\windows\system32\mydocs32.exe
    2011-06-23 04:56:42 -------- d-----w- c:\windows\system32\924857355
    2011-06-23 04:53:06 0 ---ha-w- c:\documents and settings\ducmelavang1\nyqsdjspie.tmp
    2011-06-23 04:52:41 203776 --sh--w- c:\windows\system32\unrar.exe
    2011-06-23 04:52:41 -------- d-----w- c:\windows\system32\448120563
    2011-06-23 04:52:39 -------- d-sh--w- c:\windows\system32\FE9BB8E90C5A2CB441A11D3379094FBF
    2011-06-23 04:52:16 256512 ----a-w- c:\windows\system32\napipsec32.dll
    2011-06-23 04:52:16 1416192 ----a-w- c:\windows\system32\tcpmonui32.exe
    2011-06-23 04:52:15 213504 ----a-w- c:\windows\system32\napipsec32.exe
    2011-06-23 04:48:51 -------- d-----w- c:\documents and settings\ducmelavang1\local settings\application data\Apple
    2011-06-23 04:47:55 -------- d-----w- c:\documents and settings\ducmelavang1\local settings\application data\Apple Computer
    2011-06-23 01:02:01 -------- d-----w- c:\documents and settings\ducmelavang1\application data\FrostWire
    2011-06-23 00:57:15 -------- d-----w- c:\documents and settings\ducmelavang1\local settings\application data\OpenCandy
    2011-06-23 00:57:13 -------- d-----w- c:\documents and settings\ducmelavang1\application data\OpenCandy
    2011-06-20 06:09:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-18 18:33:39 274288 ----a-w- c:\windows\system32\mucltui.dll
    2011-06-18 18:33:39 215920 ----a-w- c:\windows\system32\muweb.dll
    2011-06-18 18:33:39 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2011-06-16 12:37:11 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2011-06-11 10:10:34 -------- d-----w- c:\documents and settings\ducmelavang1\application data\MSNInstaller
    .
    ==================== Find3M ====================
    .
    2011-06-25 04:56:11 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-06-25 04:56:10 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-06-20 06:09:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-12 05:00:01 7219986245 ----a-w- c:\windows\system32\cdmcache.dll
    2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 15:51:58 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 15:51:57 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-04-25 15:51:57 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2011-04-25 15:51:57 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-04-25 12:01:21 389120 ----a-w- c:\windows\system32\html.iec
    2011-04-25 06:12:19 12920 ----a-w- c:\windows\system32\apl001.sys
    2011-04-25 06:12:19 10872 ----a-w- c:\windows\system32\apf001.sys
    2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    .
    ============= FINISH: 19:01:05.89 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/15/2008 2:16:40 PM
    System Uptime: 7/7/2011 3:47:03 PM (4 hours ago)
    .
    Motherboard: Dell Inc. | | 0WY383
    Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-57 | Socket M2/S1G1 | 1899/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 112 GiB total, 90.298 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Dell Wireless 1395 WLAN Mini-Card
    Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000B1028&REV_01\4&232B014&0&0030
    Manufacturer: Broadcom
    Name: Dell Wireless 1395 WLAN Mini-Card
    PNP Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000B1028&REV_01\4&232B014&0&0030
    Service: BCM43XX
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom 440x 10/100 Integrated Controller
    Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_022A1028&REV_02\4&B216F0A&0&00A4
    Manufacturer: Broadcom
    Name: Broadcom 440x 10/100 Integrated Controller
    PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_022A1028&REV_02\4&B216F0A&0&00A4
    Service: bcm4sbxp
    .
    ==== System Restore Points ===================
    .
    RP1: 7/4/2011 8:06:14 PM - System Checkpoint
    RP2: 7/5/2011 12:03:33 AM - Removed Apple Software Update
    RP3: 7/5/2011 12:08:57 AM - Removed SigmaTel Audio
    RP4: 7/5/2011 9:54:30 AM - Restore Operation
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader X (10.0.1)
    Adobe Shockwave Player 11.5
    Akamai NetSession Interface
    AMD Processor Driver
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    Bandisoft MPEG-1 Decoder
    Broadcom 440x 10/100 Integrated Controller
    Compatibility Pack for the 2007 Office system
    Conexant HDA D330 MDC V.92 Modem
    Dell Wireless WLAN Card
    DivX Setup
    Google Chrome
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB981793)
    Java Auto Updater
    Java(TM) 6 Update 26
    LiveUpdate 1.80 (Symantec Corporation)
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office XP Professional with FrontPage
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft_VC90_CRT_x86
    Nero OEM
    Pando Media Booster
    PowerDVD
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB2482017)
    Security Update for Windows Internet Explorer 7 (KB2497640)
    Security Update for Windows Internet Explorer 7 (KB2530548)
    Security Update for Windows Internet Explorer 7 (KB2544521)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SigmaTel Audio
    StartNow Toolbar 2.0
    Symantec AntiVirus Client
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    WebFldrs XP
    Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/7/2011 4:30:12 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    7/6/2011 6:05:22 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00225F156D1C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    7/5/2011 9:58:45 AM, error: Service Control Manager [7023] - The WMI Performance Adapter service terminated with the following error: Unspecified error
    7/5/2011 9:57:59 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 00225F156D1C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    7/5/2011 8:54:06 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    7/5/2011 8:50:58 AM, error: Service Control Manager [7034] - The Telnet service terminated unexpectedly. It has done this 1 time(s).
    7/5/2011 7:33:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    7/5/2011 7:32:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    7/5/2011 7:32:53 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    7/5/2011 7:32:53 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/5/2011 7:32:53 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/5/2011 7:32:53 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    7/5/2011 7:32:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/4/2011 8:45:13 PM, error: Service Control Manager [7034] - The Toolbar Updater Service service terminated unexpectedly. It has done this 1 time(s).
    6/30/2011 9:44:24 PM, error: Dhcp [1002] - The IP address lease 192.168.1.103 for the Network Card with network address 00225F156D1C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
     
  7. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19


    I have only downloaded those to Google Chrome. I do not use any other browsers at this time. This was my first time using the MBAM program, and I did not intentionally leave anything unchecked for removal; I scrolled the first time, figured it was all checked, and cleared it. Then I ran it again just in case I had missed any, and cleared those too. I appreciate your assistance ^^!
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please review:
    Your last reply: 17 hours ago
    sunday972


    I will get back to you as soon as I can.
     
  9. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19

    Sorry ^^

    Ah! Sorry for the inconvenience & okay. :)
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry for the delay. I spent extra time with my family over the holiday weekend, so I am catching up on my threads now.

    Even after all the malware removals in MBAM, the system is still heavily infected with malware. We will attempt to remove the entries, but you will have to remove the following: Vuze Remote Toolbar and LimeWire. Neither is showing in the installed programs list, but both are running. I can remove some entries after you run ComboFix, but I'd like you to see if either or both are in Add/Remove Programs. If they are, please uninstall them.

    Then right-click on Start > Explore > My Computer > double-click on Local Drive (C:) > Programs > look for program folders for both Vuze and LimeWire > right-click > Delete on each. Exit Windows Explorer.
    ==============================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming this.
    • Click on Yes to continue scanning for malware.
    • If ComboFix asks you to update the program, allow it.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double-click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and will open in a text window. Please paste the contents of C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =================================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the download button to download the ESET Smart Installer. Save it to your desktop.
      [o] Double-click the installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Let's check on that 'bad image' entry:
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      napipsec32.*
      napipsec.*
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    c:\windows\system32\napipsec32.dll
    .
     
     
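    Why every program launch throws that "Bad Image" dialog: the ComboFix log in the next reply shows `"AppInit_DLLs"=c:\windows\system32\napipsec32.dll` under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows. On Windows XP, user32.dll loads every DLL named in that value into each process that links user32, so once the listed DLL is missing, truncated or otherwise no longer a valid PE image, each GUI program started afterwards produces exactly the "not a valid Windows image" message the original poster quoted. The script below is an added example, not code from this thread or from the DDS, ComboFix or SystemLook authors. It parses DDS "Created" lines and ComboFix "Reg Loading Points" lines (the sample input is copied from the logs posted in this thread) and applies the heuristics a responder uses when eyeballing such logs: hidden/system attributes on brand-new system32 files, opaque numeric or hash-named directories, executables that share an exact byte size (the 213504-byte trio mtxparhd32.exe, mydocs32.exe and napipsec32.exe), files dropped within a one-minute burst, a non-empty AppInit_DLLs value, and AntiVirusOverride=1 in Security Center. The regexes, the 60-second window, the three-file burst threshold and the output format are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: lines copied from the DDS "Created" section posted earlier in this thread.
SAMPLE_DDS = r"""
2011-07-05 00:21:08 145408 --sha-r- c:\windows\system32\msswchxf.dll
2011-07-03 18:48:15 -------- d-----w- c:\windows\system32\1509816429
2011-06-25 16:52:41 213504 ----a-w- c:\windows\system32\mtxparhd32.exe
2011-06-23 08:54:01 213504 ----a-w- c:\windows\system32\mydocs32.exe
2011-06-23 04:52:41 203776 --sh--w- c:\windows\system32\unrar.exe
2011-06-23 04:52:39 -------- d-sh--w- c:\windows\system32\FE9BB8E90C5A2CB441A11D3379094FBF
2011-06-23 04:52:16 256512 ----a-w- c:\windows\system32\napipsec32.dll
2011-06-23 04:52:16 1416192 ----a-w- c:\windows\system32\tcpmonui32.exe
2011-06-23 04:52:15 213504 ----a-w- c:\windows\system32\napipsec32.exe
2011-06-20 06:09:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
"""
# Sample input: lines copied from the ComboFix "Reg Loading Points" section in the next reply.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\napipsec32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

# Assumed DDS line layout: date time size-or-dashes eight-char-attributes path
DDS_LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+|-+)\s+"
                      r"(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
PE_EXT = (".exe", ".dll", ".sys", ".cpl")


def parse_dds(text):
    """Turn DDS 'Created' lines into dicts; anything that does not match is skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if m:
            entries.append({"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                            "size": int(m.group("size")) if m.group("size").isdigit() else None,
                            "attrs": m.group("attrs"), "path": m.group("path").lower()})
    return entries


def triage_files(entries, burst_window=timedelta(seconds=60), min_burst=3):
    """Map each suspicious system32 path to the reasons it was flagged."""
    findings, by_size = defaultdict(list), defaultdict(list)
    sys32 = sorted((e for e in entries if "\\windows\\system32\\" in e["path"]), key=lambda e: e["ts"])
    for e in sys32:
        name = e["path"].rsplit("\\", 1)[-1]
        if "h" in e["attrs"] or "s" in e["attrs"]:   # fresh hidden/system files: classic dropper tell
            findings[e["path"]].append("hidden/system attribute set")
        if e["attrs"].startswith("d") and (name.isdigit() or re.fullmatch(r"[0-9a-f]{32}", name)):
            findings[e["path"]].append("opaque numeric/hash directory name")
        if e["size"] and name.endswith(PE_EXT):
            by_size[e["size"]].append(e["path"])
    # Several new executables of exactly the same byte size usually carry one payload under different names.
    for size, paths in by_size.items():
        for p in (paths if len(paths) > 1 else []):
            findings[p].append(f"same size ({size} bytes) as {len(paths) - 1} other new executable(s)")
    # Files written inside one short window were dropped by the same installer run.
    for e in sys32:
        burst = [o["path"] for o in sys32 if e["ts"] <= o["ts"] <= e["ts"] + burst_window]
        for p in (burst if len(burst) >= min_burst else []):
            if "created in a burst" not in findings[p]:
                findings[p].append("created in a burst")
    return dict(findings)


def triage_registry(text):
    """Flag the two loading-point values behind this thread's symptoms."""
    findings, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        mk, mv = REG_KEY.match(line), REG_VALUE.match(line)
        if mk:
            key = mk.group("key").lower()
        elif mv and key:
            name, data = mv.group("name"), mv.group("data").strip()
            if name.lower() == "appinit_dlls" and key.endswith("\\windows nt\\currentversion\\windows") and data:
                findings.append({"value": name, "data": data,
                                 "why": "loaded by user32.dll into every GUI process; missing/corrupt -> Bad Image"})
            elif name.lower() == "antivirusoverride" and data.lower() == "dword:00000001":
                findings.append({"value": name, "data": data, "why": "Security Center AV warnings suppressed"})
    return findings


def triage(dds_text, reg_text):
    return {"files": triage_files(parse_dds(dds_text)), "registry": triage_registry(reg_text)}


if __name__ == "__main__":
    report = triage(SAMPLE_DDS, SAMPLE_REG)
    for path, reasons in sorted(report["files"].items()):
        print(path + "\n    - " + "\n    - ".join(reasons))
    for r in report["registry"]:
        print(f"REG {r['value']}={r['data']}\n    - {r['why']}")
```

    Run it as-is to triage the embedded sample, or feed it the full text of your own DDS.txt and ComboFix.txt; on this thread's logs it leaves javacpl.cpl alone and surfaces the 04:52 drop burst, the three same-size executables and the AppInit_DLLs entry that SystemLook's `:filefind napipsec32.*` is meant to confirm on disk. Treat the output as a list of files to look at, not as a verdict: a legitimate installer can also write several files in one minute, so the same-size and attribute checks are what separate a dropper from an update.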
  12. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19

    ComboFix Log

    ComboFix 11-07-09.02 - DucMeLaVang1 07/09/2011 13:04:11.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1113 [GMT -5:00]
    Running from: c:\documents and settings\DucMeLaVang1\Desktop\ComboFix.exe
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\DucMeLaVang1\WINDOWS
    c:\documents and settings\Guest\Application Data\AdVantage
    c:\documents and settings\Guest\Application Data\advantage\AdVantage.exe
    c:\windows\system32\$winnt$.inf
    c:\windows\system32\_000013_.tmp.dll
    c:\windows\system32\1509816429
    c:\windows\system32\1509816429\frt0.rar
    c:\windows\system32\1509816429\frt0.rar.ver
    c:\windows\system32\1509816429\frt1.rar
    c:\windows\system32\1509816429\frt1.rar.ver
    c:\windows\system32\1509816429\frt2.rar
    c:\windows\system32\1509816429\frt2.rar.ver
    c:\windows\system32\1509816429\frt3.rar
    c:\windows\system32\1509816429\frt3.rar.ver
    c:\windows\system32\1509816429\frt4.rar
    c:\windows\system32\1509816429\frt4.rar.ver
    c:\windows\system32\1509816429\frt5.rar
    c:\windows\system32\1509816429\frt5.rar.ver
    c:\windows\system32\1509816429\frt6.rar
    c:\windows\system32\1509816429\frt6.rar.ver
    c:\windows\system32\1509816429\frt7.rar
    c:\windows\system32\1509816429\frt7.rar.ver
    c:\windows\system32\1592885943
    c:\windows\system32\448120563
    c:\windows\system32\448120563\new.i0.kwd
    c:\windows\system32\448120563\new.i1.kwd
    c:\windows\system32\448120563\new.i10.kwd
    c:\windows\system32\448120563\new.i11.kwd
    c:\windows\system32\448120563\new.i12.kwd
    c:\windows\system32\448120563\new.i13.kwd
    c:\windows\system32\448120563\new.i14.kwd
    c:\windows\system32\448120563\new.i15.kwd
    c:\windows\system32\448120563\new.i2.kwd
    c:\windows\system32\448120563\new.i3.kwd
    c:\windows\system32\448120563\new.i4.kwd
    c:\windows\system32\448120563\new.i5.kwd
    c:\windows\system32\448120563\new.i6.kwd
    c:\windows\system32\448120563\new.i7.kwd
    c:\windows\system32\448120563\new.i8.kwd
    c:\windows\system32\448120563\new.i9.kwd
    c:\windows\system32\924857355
    c:\windows\system32\924857355\frt0.rar
    c:\windows\system32\924857355\frt0.rar.ver
    c:\windows\system32\924857355\frt1.rar
    c:\windows\system32\924857355\frt1.rar.ver
    c:\windows\system32\924857355\frt10.rar
    c:\windows\system32\924857355\frt10.rar.ver
    c:\windows\system32\924857355\frt11.rar
    c:\windows\system32\924857355\frt11.rar.ver
    c:\windows\system32\924857355\frt12.rar
    c:\windows\system32\924857355\frt12.rar.ver
    c:\windows\system32\924857355\frt13.rar
    c:\windows\system32\924857355\frt13.rar.ver
    c:\windows\system32\924857355\frt14.rar
    c:\windows\system32\924857355\frt14.rar.ver
    c:\windows\system32\924857355\frt15.rar
    c:\windows\system32\924857355\frt15.rar.ver
    c:\windows\system32\924857355\frt2.rar
    c:\windows\system32\924857355\frt2.rar.ver
    c:\windows\system32\924857355\frt3.rar
    c:\windows\system32\924857355\frt3.rar.ver
    c:\windows\system32\924857355\frt4.rar
    c:\windows\system32\924857355\frt4.rar.ver
    c:\windows\system32\924857355\frt5.rar
    c:\windows\system32\924857355\frt5.rar.ver
    c:\windows\system32\924857355\frt6.rar
    c:\windows\system32\924857355\frt6.rar.ver
    c:\windows\system32\924857355\frt7.rar
    c:\windows\system32\924857355\frt7.rar.ver
    c:\windows\system32\924857355\frt8.rar
    c:\windows\system32\924857355\frt8.rar.ver
    c:\windows\system32\924857355\frt9.rar
    c:\windows\system32\924857355\frt9.rar.ver
    c:\windows\vb.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-06 00:12 . 2007-05-10 15:23 4952064 ----a-w- c:\windows\system32\stacgui.cpl
    2011-07-06 00:12 . 2007-05-10 15:22 405504 ----a-w- c:\windows\stsystra.exe
    2011-07-06 00:12 . 2007-04-10 22:02 1601536 ----a-w- c:\windows\system32\stlang.dll
    2011-07-05 23:57 . 2011-07-05 23:57 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Help
    2011-07-05 05:56 . 2011-07-05 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-07-05 02:05 . 2011-07-05 02:05 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
    2011-07-05 02:05 . 2011-07-05 02:05 -------- d-----w- c:\windows\system32\NtmsData
    2011-07-05 00:21 . 2011-07-05 00:21 145408 --sha-r- c:\windows\system32\msswchxf.dll
    2011-06-25 16:52 . 2011-06-25 16:52 213504 ----a-w- c:\windows\system32\mtxparhd32.exe
    2011-06-25 04:56 . 2011-06-25 04:56 -------- d-----w- c:\program files\Common Files\xing shared
    2011-06-25 04:56 . 2011-06-25 04:56 -------- d-----w- c:\program files\Real
    2011-06-24 23:56 . 2011-06-25 00:21 -------- d-----w- c:\program files\Object
    2011-06-23 08:54 . 2011-06-23 08:54 213504 ----a-w- c:\windows\system32\mydocs32.exe
    2011-06-23 05:07 . 2011-06-23 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2011-06-23 04:53 . 2011-06-23 04:53 0 ---ha-w- c:\documents and settings\DucMeLaVang1\nyqsdjspie.tmp
    2011-06-23 04:52 . 2011-06-23 04:52 203776 --sh--w- c:\windows\system32\unrar.exe
    2011-06-23 04:52 . 2011-07-05 05:50 -------- d-sh--w- c:\windows\system32\FE9BB8E90C5A2CB441A11D3379094FBF
    2011-06-23 04:52 . 2011-06-23 04:52 -------- d-----w- c:\documents and settings\DucMeLaVang1\Application Data\Apple Computer
    2011-06-23 04:52 . 2011-06-23 04:52 256512 ----a-w- c:\windows\system32\napipsec32.dll
    2011-06-23 04:52 . 2011-06-23 04:52 1416192 ----a-w- c:\windows\system32\tcpmonui32.exe
    2011-06-23 04:52 . 2011-06-23 04:52 213504 ----a-w- c:\windows\system32\napipsec32.exe
    2011-06-23 04:48 . 2011-06-23 04:48 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Apple
    2011-06-23 04:47 . 2011-06-23 04:47 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Apple Computer
    2011-06-23 00:57 . 2011-06-23 05:15 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\OpenCandy
    2011-06-22 03:59 . 2011-06-22 03:59 -------- d-----w- c:\documents and settings\Guest\Application Data\DivX
    2011-06-20 06:09 . 2011-06-20 06:09 -------- d-----w- c:\program files\Common Files\Java
    2011-06-20 06:09 . 2011-06-20 06:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-18 18:33 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2011-06-18 18:33 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2011-06-16 12:37 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2011-06-11 10:10 . 2011-06-11 10:10 -------- d-----w- c:\documents and settings\DucMeLaVang1\Application Data\MSNInstaller
    2011-06-11 08:20 . 2011-06-11 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-25 04:56 . 2003-02-21 09:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-06-25 04:56 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-06-20 06:09 . 2011-05-07 18:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-02 15:31 . 2008-09-15 19:10 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2004-08-04 10:00 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19 . 2004-08-04 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 15:51 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 15:51 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-04-25 15:51 . 2004-08-04 10:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2011-04-25 15:51 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-04-25 12:01 . 2004-08-04 10:00 389120 ----a-w- c:\windows\system32\html.iec
    2011-04-25 06:12 . 2011-04-25 06:12 12920 ----a-w- c:\windows\system32\apl001.sys
    2011-04-25 06:12 . 2011-04-25 06:12 10872 ----a-w- c:\windows\system32\apf001.sys
    2011-04-21 13:37 . 2004-08-04 10:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-06-25 273544]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\napipsec32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\UniServer\\usr\\local\\apache2\\bin\\Apache.exe"=
    "c:\\UniServer\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58600:TCP"= 58600:TCP:pando Media Booster
    "58600:UDP"= 58600:UDP:pando Media Booster
    .
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/5/2011 3:27 PM 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/5/2011 3:27 PM 22712]
    S3 apf001;apf001;c:\windows\system32\apf001.sys [4/25/2011 1:12 AM 10872]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/5/2011 3:27 PM 39984]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - IDSVC
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1958367476-682003330-1005Core.job
    - c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-17 00:26]
    .
    2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1958367476-682003330-1005UA.job
    - c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-17 00:26]
    .
    2011-07-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1958367476-682003330-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
    .
    2011-07-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1958367476-682003330-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=435&affiliate_id=&channel=rjacs&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110624&user_guid=B9D274B9D81A47C198479BA86D91E41D&machine_id=54a235e916238eafc680cafc65332329&browser=IE&os=win&os_version=5.1-x86-SP3
    mStart Page = hxxp://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{021B3F33-F1B7-438F-BB69-284DD7D2080b} - c:\windows\system32\atipdlxx32.dll
    BHO-{ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\Vuze_Remote\prxtbVuze.dll
    Toolbar-{ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\Vuze_Remote\prxtbVuze.dll
    HKCU-Run-limewire plus+ - c:\program files\Limewire Plus+\limewire.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-09 13:09
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    "value"="?\05\04\0c\10\08\06?"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(660)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2011-07-09 13:11:25
    ComboFix-quarantined-files.txt 2011-07-09 18:11
    .
    Pre-Run: 96,801,333,248 bytes free
    Post-Run: 101,304,414,208 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
    .
    - - End Of File - - 79189BF18551F70F1BDF670813701D26
     
  13. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19

    ESETScan log

    C:\Documents and Settings\DucMeLaVang1\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\kciobbhbdbagfdjakadageiinmcklpkd\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\Guest\Application Data\advantage\AdVantage.exe.vir a variant of Win32/Kunhitta.A trojan
    C:\System Volume Information\_restore{75D9072C-A095-49C6-BDCC-0473088235DE}\RP1\A0003055.exe a variant of Win32/Kryptik.PVN trojan
    C:\System Volume Information\_restore{75D9072C-A095-49C6-BDCC-0473088235DE}\RP3\A0004207.exe a variant of Win32/Kryptik.PVN trojan
    C:\System Volume Information\_restore{75D9072C-A095-49C6-BDCC-0473088235DE}\RP5\A0008589.exe a variant of Win32/Kunhitta.A trojan
    C:\WINDOWS\system32\FE9BB8E90C5A2CB441A11D3379094FBF\b\binm1 a variant of Win32/Kryptik.PVN trojan
    C:\WINDOWS\system32\FE9BB8E90C5A2CB441A11D3379094FBF\b\bint1 Win32/TrojanDownloader.Tracur.B trojan
     
  14. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19

    Here's the SystemLook log for Bad Image

    SystemLook 04.09.10 by jpshortstuff
    Log created at 14:33 on 09/07/2011 by DucMeLaVang1
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "napipsec32.*"
    C:\WINDOWS\system32\napipsec32.dll --a---- 256512 bytes [04:52 23/06/2011] [04:52 23/06/2011] 7BEFA69C56C084C4CDD5807F17B235E2
    C:\WINDOWS\system32\napipsec32.exe --a---- 213504 bytes [04:52 23/06/2011] [04:52 23/06/2011] 9562EFE2D6A77BBB515666D933DD746B

    Searching for "napipsec.*"
    C:\WINDOWS\ServicePackFiles\i386\napipsec.dll -----c- 30208 bytes [00:12 14/04/2008] [00:12 14/04/2008] 87906187B3AF89582380D156DA601F68
    C:\WINDOWS\system32\napipsec.dll -----c- 30208 bytes [00:12 14/04/2008] [00:12 14/04/2008] 87906187B3AF89582380D156DA601F68
    C:\WINDOWS\system32\dllcache\napipsec.dll --a--c- 30208 bytes [00:12 14/04/2008] [00:12 14/04/2008] 87906187B3AF89582380D156DA601F68

    -= EOF =-
     
  15. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19

    Logs Completed & Removing Limewire/Vuze Toolbar

I have successfully completed the steps and produced the logs from ComboFix, ESETScan, and SystemLook. I had a slight problem with the Limewire and Vuze Toolbar: I was not able to find them in Add/Remove Programs or in Windows Explorer. However, I did find some "leftover" files in Windows Explorer under Local Drive (C) > Documents and Settings > Application Data (instead of Program Files) and deleted those Vuze Toolbar and Limewire folders prior to starting ComboFix. I am checking whether those were the ones you wanted deleted.

Update on the laptop status: it is running fairly fast; however, the "bad image .exe" is still happening every time I log on after restarting the laptop, as well as when opening any program or a new window in Chrome. The good news is that the redirection in Google Chrome is completely gone and it works normally. ^^
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\mtxparhd32.exe
    c:\documents and settings\ducmelavang1\nyqsdjspie.tmp
    c:\windows\system32\msswchxf.dll
    c:\windows\system32\mydocs32.exe
    c:\windows\system32\unrar.exe
    c:\windows\system32\apl001.sys
    c:\windows\system32\apf001.sys
    Folder::
    c:\program files\StartNow Toolbar
    c:\windows\system32\FE9BB8E90C5A2CB441A11D3379094FBF
    c:\program files\common files\xing shared
    c:\program files\Object
    c:\windows\system32\924857355
    c:\windows\system32\448120563
    c:\windows\system32\1509816429
    c:\windows\system32\1592885943
    c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\OpenCandy
    DDS::
    uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=4 35&affiliate_id=&channel=rjacs&toolbar_id=200&toolbar_version=2.0&install_c ountry=US&install_date=20110624&user_guid=B9D274B9D81A47C198479BA86D91E41D& machine_id=54a235e916238eafc680cafc65332329&browser=IE&os=win&os_version=5. 1-x86-SP3
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
    BHO: {70C6E9DE-F30E-4A40-8A6F-9572C2328320} - No File
    BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
    TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
    uRun: [limewire plus+] "c:\program files\limewire plus+\limewire.exe" -h
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
    
    Driver::
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
Please download OTMoveIt by Old Timer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      	
      :Files 
      C:\Documents and Settings\DucMeLaVang1\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\kciobbhbdbagfdjakadageiinmcklpkd\contentscript.js 
      C:\WINDOWS\system32\FE9BB8E90C5A2CB441A11D3379094FBF\b\binm1 
      C:\WINDOWS\system32\FE9BB8E90C5A2CB441A11D3379094FBF\b\bint1 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =====================================
    Please run this Security Check

Download Security Check by screen317 from HERE or HERE.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
     
  17. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19

    ComboFix Log

    ComboFix 11-07-09.03 - DucMeLaVang1 07/09/2011 21:24:34.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1394 [GMT -5:00]
    Running from: c:\documents and settings\DucMeLaVang1\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\DucMeLaVang1\Desktop\CFScript.txt
    .
    FILE ::
    "c:\documents and settings\ducmelavang1\nyqsdjspie.tmp"
    "c:\windows\system32\apf001.sys"
    "c:\windows\system32\apl001.sys"
    "c:\windows\system32\msswchxf.dll"
    "c:\windows\system32\mtxparhd32.exe"
    "c:\windows\system32\mydocs32.exe"
    "c:\windows\system32\unrar.exe"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-10 to 2011-07-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-09 18:32 . 2011-07-09 18:32 -------- d-----w- c:\program files\ESET
    2011-07-06 00:12 . 2007-05-10 15:23 4952064 ----a-w- c:\windows\system32\stacgui.cpl
    2011-07-06 00:12 . 2007-05-10 15:22 405504 ----a-w- c:\windows\stsystra.exe
    2011-07-06 00:12 . 2007-04-10 22:02 1601536 ----a-w- c:\windows\system32\stlang.dll
    2011-07-05 23:57 . 2011-07-05 23:57 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Help
    2011-07-05 05:56 . 2011-07-05 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-07-05 02:05 . 2011-07-05 02:05 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
    2011-07-05 02:05 . 2011-07-05 02:05 -------- d-----w- c:\windows\system32\NtmsData
    2011-06-22 03:59 . 2011-06-22 03:59 -------- d-----w- c:\documents and settings\Guest\Application Data\DivX
    2011-06-20 06:09 . 2011-06-20 06:09 -------- d-----w- c:\program files\Common Files\Java
    2011-06-20 06:09 . 2011-06-20 06:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-18 18:33 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2011-06-18 18:33 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2011-06-16 12:37 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2011-06-11 10:10 . 2011-06-11 10:10 -------- d-----w- c:\documents and settings\DucMeLaVang1\Application Data\MSNInstaller
    2011-06-11 08:20 . 2011-06-11 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-25 04:56 . 2003-02-21 09:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-06-25 04:56 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-06-20 06:09 . 2011-05-07 18:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-02 15:31 . 2008-09-15 19:10 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2004-08-04 10:00 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19 . 2004-08-04 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 15:51 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 15:51 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-04-25 15:51 . 2004-08-04 10:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2011-04-25 15:51 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-04-25 12:01 . 2004-08-04 10:00 389120 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2004-08-04 10:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-06-25 273544]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\napipsec32.dll
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\UniServer\\usr\\local\\apache2\\bin\\Apache.exe"=
    "c:\\UniServer\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58600:TCP"= 58600:TCP:pando Media Booster
    "58600:UDP"= 58600:UDP:pando Media Booster
    "1099:TCP"= 1099:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    .
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/5/2011 3:27 PM 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/5/2011 3:27 PM 22712]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1958367476-682003330-1005Core.job
    - c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-17 00:26]
    .
    2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1958367476-682003330-1005UA.job
    - c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-17 00:26]
    .
    2011-07-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1958367476-682003330-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
    .
    2011-07-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1958367476-682003330-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-09 21:28
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(660)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(2452)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2011-07-09 21:29:14
    ComboFix-quarantined-files.txt 2011-07-10 02:29
    ComboFix2.txt 2011-07-10 02:08
    ComboFix3.txt 2011-07-09 18:11
    .
    Pre-Run: 101,084,344,320 bytes free
    Post-Run: 101,069,377,536 bytes free
    .
    - - End Of File - - EF743381C5B49E19BFC47441D8696035
     
  18. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19

    for some reason...

My MBAM icon seems to have disappeared from the bottom right corner of the laptop screen by the clock after disabling it and running ComboFix. Is there a way to fix this, to enable it before moving on to the next step?

I will provide the OTMoveIt and Security Check logs soon.
     
  19. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19

    OTMoveit3 log

    All processes killed
    Error: Unable to interpret < > in the current context!
    ========== FILES ==========
    C:\Documents and Settings\DucMeLaVang1\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\kciobbhbdbagfdjakadageiinmcklpkd\contentscript.js moved successfully.
    File/Folder C:\WINDOWS\system32\FE9BB8E90C5A2CB441A11D3379094FBF\b\binm1 not found.
    File/Folder C:\WINDOWS\system32\FE9BB8E90C5A2CB441A11D3379094FBF\b\bint1 not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56466 bytes

    User: DucMeLaVang1
    ->Temp folder emptied: 1695 bytes
    ->Temporary Internet Files folder emptied: 141530 bytes
    ->Java cache emptied: 1395106 bytes
    ->Google Chrome cache emptied: 44267765 bytes
    ->Flash cache emptied: 47801 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->Flash cache emptied: 148030 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: User

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2195181 bytes
    %systemroot%\System32 .tmp files removed: 698897 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16867 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 47.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 07092011_221617

    Files moved on Reboot...
    File C:\WINDOWS\temp\Perflib_Perfdata_63c.dat not found!

    Registry entries deleted on Reboot...
     
  20. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19

    Security Check

I tried running Security Check twice; the pop-up kept appearing repeatedly, and it only loaded up to "Prepared Finish" but no log came up. I am also still missing my MBAM icon in the taskbar at the bottom right corner of the laptop by the clock.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this Security Check instead:

    Download eSec-Info2.zip and save it to your Desktop.
    You will need to extract the file.
    • Right click on the zipped folder> click on Extract All...
• Click on Next in the 'Extraction Wizard' window that opens
• Click on Next in the next window that appears
• Click on Finish in the final window
• Double click on the file Sec-info2.vbs to run it
• When completed, a text file named Sec-Info.txt is created in the same folder
    • Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.
    ========================================
Regarding the Mbam icon: Is this for the scan you downloaded on 7/5? It may be set to show only when active: Do a right click on an empty area of the Notification Area> Click on 'Customize Notification Area'> Find the Mbam icon and set it to 'Always Show'.

    But be advised that I will have you uninstall this tool when we finish. Unless you purchase the program, it will outdate while sitting on the hard drive.
    =====================================
    Some of your problems may be due to this:
    2011-06-23 05:15 > c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\OpenCandy
    OpenCandy is a company that produces an advertising software module. When a user installs an application that has the OpenCandy library, there is an option to install additional software that it recommends.

Privacy concerns have been raised about OpenCandy. It has attracted criticism because past versions of OpenCandy were considered adware by Microsoft Sec as they 'may send user-specific information ... without obtaining adequate user consent'.
    =================================
Glad you found Vuze and LimeWire; kudos to you for overriding my incorrect path!

    Windows users can disable the software by adding this entry to their hosts file to block the domain api.opencandy.com, effectively disabling the software from transmitting information back to its servers:
     
  22. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19

    Sec Info

I tried the notification setting to make the MBAM icon "always show", yet it still doesn't show. However, it does seem like it's running under Task Manager. I even tried adding/removing and reinstalling MBAM, but nothing changed and the icon is still missing. I'm just hoping there is another way of disabling it if it's required in the next few scans you will take me through ^^ and since MBAM will be removed later anyhow, I don't mind that either. I just thought it might be a problem, not knowing how to disable it during certain scans since it doesn't appear in the system tray or notification area.

& Yes, I did download it on July 5, 2011, and not the full version of MBAM.


    (Below is the Sec Info Log) :


    Script run: 7/10/2011 2:48:31 PM

    ~~~~~~~~~~~~~~~~~~~~~~~~

    The Windows Firewall is enabled.

    ~~~~~~~~~~~~~~~~~~~~~~~~

    The Security Center Anti-Virus Alerts are enabled.
    The Security Center Firewall Alerts are enabled.

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Number of Restore Points found: 5

    ~~~~~~~~~~~~~~~~~~~~~~~~
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Don't worry about the tray icon. You don't need it and the program will be removed.

Are you still getting 'bad image' notices? Has the redirect been resolved? Is there any other malware-related problem?
     
  24. sunday972

    sunday972 TS Rookie Topic Starter Posts: 19

    The redirect has been resolved, however, the bad image notices are still happening.
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, I need you to be very specific about the 'bad image':

    1. What are you trying to do when the message comes up?
    2. What is the exact message?
3. Note the time on the computer clock when you get the 'bad image' error. Write it down. I will have you check the Event Viewer for a related Error at the same time. Events are time-coded.
    The system was heavily infected when we started. It is possible that the malware could have corrupted some files. Two entries in particular:
    Memory Modules Infected:
    c:\WINDOWS\system32\napipsec32.dll (Trojan.Tracur.XGen) -> Delete on reboot.
    c:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.XGen) -> Delete on reboot.

    are of concern because they got into the memory.

The second process atipdlxx32.dll is a Trojan.Downloader of Chinese origin, and both of the infected processes got into the memory.

    About a Memory Resident:
    Memory Processes Infected:
    Memory-resident programs are those that can be placed in, and remain in, an affected system's main memory space after execution. Memory residency enables a piece of malware to be readily available whenever needed, ensuring that the malware is easily accessible or can monitor every event on an affected system. This is a malware's way of controlling every activity on an affected system when a condition is satisfied.

    First, the malware has to be executed. Once done, to assure it is executed in every system startup, it can put links to itself where the system initializes or pre-configures the OS. These are places or configuration files where it is accessed by an Operating System upon startup. By modifying or adding to Registry entries for processes such as the autoexec.bat or config.sys, processes always used in basic startup schemes.

Usually by way of a backdoor.bot which is installed; although showing 'removed' or 'unloaded', when you reboot it will be back, so finding the offensive entry and removing it becomes more difficult.
Source: Symantec
    =================================================
    I'd like you to run Malwarebytes again, but changing to Full Scan as follows:
Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

    When scan has finished, you will see this image:
[image: Malwarebytes scan-finished dialog]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
• At the end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
     
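The ComboFix logs posted earlier in this thread list `"AppInit_DLLs"=c:\windows\system32\napipsec32.dll` under the Reg Loading Points section, and that is the same DLL named in the "Bad Image" pop-up from the first post. Anything in AppInit_DLLs is mapped into every process that loads user32.dll, so once the file is removed or left as a non-PE stub, every program launch trips the loader and shows the dialog. The script below is an added example, not ComboFix's, Malwarebytes' or the helper's own code: it parses the Reg Loading Points section of a ComboFix log (a constructed, trimmed copy of the one in this thread) and flags AppInit_DLLs entries, Run entries whose target is absent, and an `AntiVirusOverride` value that silences Security Center warnings. The set of files "present on disk" is a constructed inventory used so the example runs offline; on a real machine it would be replaced by an `os.path.exists` check.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the "Reg Loading Points" section from
# the ComboFix log posted in this thread (raw string, so backslashes are literal).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\napipsec32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
------- Supplementary Scan -------
"""

# Constructed inventory of files present on disk (lower-cased full paths). The
# AppInit DLL is deliberately absent, as it would be after the cleanup steps.
PRESENT_FILES = {
    r"c:\windows\system32\wltray.exe",
    r"c:\program files\malwarebytes' anti-malware\mbamgui.exe",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


@dataclass
class Finding:
    kind: str       # "AppInit_DLLs", "Run" or "SecurityCenter"
    key: str
    name: str
    target: str     # file path, or the raw value for non-path data
    severity: str   # "high", "medium" or "info"
    reason: str


def extract_target(value: str) -> str:
    r"""Return the file path part of a ComboFix value line, or the raw value.

    Quoted form: "c:\path\app.exe" [2007-10-10 2183168]
    Bare form:   c:\path\lib.dll
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    # Strip ComboFix's trailing " [date size]" annotation when present.
    return value.split(" [", 1)[0]


def parse_loading_points(log_text: str):
    """Yield (key, name, value) triples from the Reg Loading Points section."""
    in_section = False
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-------"):      # start of the next ComboFix section
            break
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            yield current_key, m.group("name"), m.group("value")


def triage(log_text: str, present_files: set) -> list:
    """Classify each loading point; missing autostart targets are escalated."""
    findings = []
    for key, name, value in parse_loading_points(log_text):
        key_l = key.lower()
        target = extract_target(value)
        present = target.lower() in present_files
        if name.lower() == "appinit_dlls" and target:
            reason = ("mapped into every process that loads user32.dll; a missing "
                      "or non-PE file here yields a Bad Image dialog at each launch")
            if not present:
                reason += " (file not present on disk)"
            findings.append(Finding("AppInit_DLLs", key, name, target, "high", reason))
        elif key_l.endswith("\\run"):
            sev = "info" if present else "medium"
            reason = "autostart target present" if present else "autostart target missing"
            findings.append(Finding("Run", key, name, target, sev, reason))
        elif key_l.endswith("security center") and name.lower() == "antivirusoverride":
            if value.strip().lower() == "dword:00000001":
                findings.append(Finding("SecurityCenter", key, name, value.strip(), "medium",
                                        "Security Center anti-virus alerts are suppressed"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, PRESENT_FILES):
        print(f"[{f.severity:6}] {f.kind:14} {f.name} -> {f.target}: {f.reason}")
```

Run it as-is to see the napipsec32.dll entry surface as the single high-severity finding; the CFScript in post 16 clears `AntiVirusOverride` for exactly the reason the medium-severity line states, but note that it does not touch the AppInit_DLLs value, which is why that check is worth keeping in any post-cleanup review.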
Topic Status:
Not open for further replies.