Inactive Google redirect & .exe file bad image pop-ups


sunday972

I am having strange pop-ups, for example "ms.paint.exe - Bad Image: The application or DLL C:\WINDOWS\system32\napipsec32.dll is not a valid Windows image. Please check this against your installation diskette," whenever I open any program, as well as getting Google redirects whenever I search a link using Google Chrome. This occurred after I did a System Restore after deleting the "Sigma Tel Audio" by accident on a Dell Vostro 1000 Notebook Laptop, as this malware began appearing.

[All Logs have been posted in the following order - MBAM, GMER, DDS, & ATTACHMENT] :)
 
First Scan Log MBAM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7026

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/5/2011 8:51:21 AM
mbam-log-2011-07-05 (08-51-21).txt

Scan type: Quick scan
Objects scanned: 178958
Time elapsed: 1 hour(s), 46 minute(s), 59 second(s)

Memory Processes Infected: 7
Memory Modules Infected: 2
Registry Keys Infected: 15
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 114

Memory Processes Infected:
c:\WINDOWS\system32\rassapi32.exe (Trojan.Tracur.SGen) -> 1900 -> Unloaded process successfully.
c:\WINDOWS\system32\tcpmonui32.exe (Trojan.Tracur.SGen) -> 196 -> Unloaded process successfully.
c:\WINDOWS\system32\6F.tmp (Trojan.Tracur.SGen) -> 216 -> Unloaded process successfully.
c:\WINDOWS\system32\6F.tmp (Trojan.Tracur.SGen) -> 2412 -> Unloaded process successfully.
c:\documents and settings\ducmelavang1\application data\SysWin\lsass.exe (Trojan.Tracur.SGen) -> 1992 -> Unloaded process successfully.
c:\WINDOWS\spmsgwow.exe (Trojan.Tracur.SGen) -> 2396 -> Unloaded process successfully.
c:\WINDOWS\Ftehea.exe (Trojan.FraudPack.Gen) -> 3948 -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\napipsec32.dll (Trojan.Tracur.XGen) -> Delete on reboot.
c:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.XGen) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr32 (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{021B3F33-F1B7-438F-BB69-284DD7D2080b} (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{021B3F33-F1B7-438F-BB69-284DD7D2080B} (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{021B3F33-F1B7-438F-BB69-284DD7D2080B} (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6B9EAB5A-1226-4D3A-8200-60A905B32161} (PUP.WebEnhancements) -> Not selected for removal.
HKEY_CLASSES_ROOT\TypeLib\{A1BC6BEA-778D-48A0-A58B-1D0B425E1BDE} (PUP.WebEnhancements) -> Not selected for removal.
HKEY_CLASSES_ROOT\Interface\{D090529F-4CB3-4952-859D-9889416405D5} (PUP.WebEnhancements) -> Not selected for removal.
HKEY_CLASSES_ROOT\facerange.StockBar.1 (PUP.WebEnhancements) -> Not selected for removal.
HKEY_CLASSES_ROOT\facerange.StockBar (PUP.WebEnhancements) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B9EAB5A-1226-4D3A-8200-60A905B32161} (PUP.WebEnhancements) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6B9EAB5A-1226-4D3A-8200-60A905B32161} (PUP.WebEnhancements) -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebEnhancements_1 (PUP.WebEnhancements) -> Not selected for removal.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TLNTSVR32 (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Tracur.SGen) -> Value: RTHDBPL -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spmsgwow.exe (Trojan.Tracur.SGen) -> Value: spmsgwow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SQ4DY0FH7F (Trojan.FraudPack.Gen) -> Value: SQ4DY0FH7F -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIY5DFZ5LO (Trojan.FraudPack.Gen) -> Value: DIY5DFZ5LO -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.XGen) -> Bad: (C:\WINDOWS\system32\napipsec32.dll) Good: () -> Quarantined and deleted successfully.

Folders Infected:
c:\WINDOWS\system32\SysWoW32 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\program files\webenhancements (PUP.WebEnhancements) -> Not selected for removal.
c:\documents and settings\ducmelavang1\application data\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\rassapi32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\napipsec32.dll (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tcpmonui32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6F.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.XGen) -> Delete on reboot.
c:\documents and settings\ducmelavang1\application data\SysWin\lsass.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\WINDOWS\spmsgwow.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\Documents and Settings\DucMeLaVang1\Local Settings\Temp\Frr.exe (Trojan.FraudPack.Gen) -> Delete on reboot.
c:\WINDOWS\Ftehea.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\program files\webenhancements\webenhancements.dll (PUP.WebEnhancements) -> Not selected for removal.
c:\WINDOWS\system32\mydocs32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\napipsec32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mtxparhd32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\1A8.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\271.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\2BB.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\documents and settings\ducmelavang1\local settings\Temp\Frq.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\30.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\51.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\02000000258e316d1347c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\02000000258e316d1347o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\02000000258e316d1347p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\02000000258e316d1347s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000258e316d1347c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000258e316d1347o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000258e316d1347p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000258e316d1347s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gnuhashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v12.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v0 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v1 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v10 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v11 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v12 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v13 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v14 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v15 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v2 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v3 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v4 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v5 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v6 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v7 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v8 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\@u1927150542v9 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v1 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v1.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v10 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v10.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v11 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v11.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v2 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v2.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v3 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v3.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v8 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v8.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v9 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v9.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu220396494v0 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu220396494v0.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu220396494v1 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu220396494v1.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu220396494v2 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu220396494v2.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu220396494v3 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu220396494v3.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v0 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v1 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v10 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v11 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v12 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v13 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v14 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v2 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v3 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v4 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v5 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v6 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v7 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v8 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v9 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu220396494v4 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu220396494v4.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu220396494v5 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu220396494v5.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu220396494v6 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu220396494v6.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu220396494v7 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu220396494v7.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v0 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v12 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v13 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v13.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v14 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v14.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v15 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v15.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v4 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v4.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v5 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v5.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v6 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v6.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v7 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\mu1927150542v7.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\wu1927150542v0.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SysWoW32\_u1927150542v15 (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\program files\webenhancements\webenhancements.xpi (PUP.WebEnhancements) -> Not selected for removal.
c:\program files\webenhancements\uninst.exe (PUP.WebEnhancements) -> Not selected for removal.
c:\program files\webenhancements\webenhancements.crx (PUP.WebEnhancements) -> Not selected for removal.
c:\program files\webenhancements\webenhancements.safariextz (PUP.WebEnhancements) -> Not selected for removal.
 
Latest MBAM Scan Log

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7044

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/7/2011 3:44:15 PM
mbam-log-2011-07-07 (15-44-15).txt

Scan type: Quick scan
Objects scanned: 181047
Time elapsed: 12 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\DIY5DFZ5LO (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIY5DFZ5LO (Trojan.FakeAlert.SA) -> Value: DIY5DFZ5LO -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Ftehea.exe (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
 
GMER log

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-07-07 18:40:27
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HM121HI rev.LZ100-11
Running: y7e3kd9x.exe; Driver: C:\DOCUME~1\DUCMEL~1\LOCALS~1\Temp\awtyapoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
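The "Bad Image" dialog and the MBAM entry for AppInit_DLLs above are the same symptom: a DLL listed under AppInit_DLLs is loaded into every new process that loads user32.dll, so once the file is quarantined every program start fails to load it. The triage helper below is an added example (not from the thread, MBAM, or DDS) that reads MBAM "Files Infected" lines and DDS "Pseudo HJT Report" lines and flags AppInit_DLLs and BHO registrations that still point at a quarantined or missing DLL; the log text is constructed for the example, modelled on the entries posted in this thread.

```python
"""Cross-check DDS BHO / AppInit_DLLs entries against MBAM removal results.

Added example, not code from the thread or from the MBAM/DDS tools.
The sample logs below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed MBAM excerpt (paths modelled on the thread's first scan log).
MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.XGen) -> Bad: (C:\WINDOWS\system32\napipsec32.dll) Good: () -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\napipsec32.dll (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.XGen) -> Delete on reboot.
"""

# Constructed DDS "Pseudo HJT Report" excerpt taken after the MBAM run.
DDS_LOG = r"""
BHO: {021b3f33-f1b7-438f-bb69-284dd7d2080b} - c:\windows\system32\atipdlxx32.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
AppInit_DLLs: c:\windows\system32\napipsec32.dll
"""

# "<path> (<detection>) -> <action>" lines in the MBAM Files Infected section.
MBAM_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<det>[^)]+)\) -> (?P<action>.+)$")
# "BHO: [<name>: ]{<clsid>} - <dll path | No File>" lines from DDS.
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<value>.+)$")


def norm(path: str) -> str:
    """Windows paths are case-insensitive; compare them lower-cased."""
    return path.strip().lower()


def removed_files(mbam_text: str) -> set[str]:
    """Paths MBAM reports as quarantined/deleted or scheduled for deletion on reboot."""
    gone = set()
    for line in mbam_text.splitlines():
        m = MBAM_FILE_RE.match(line.strip())
        if m and ("deleted" in m["action"].lower() or "delete on reboot" in m["action"].lower()):
            gone.add(norm(m["path"]))
    return gone


@dataclass(frozen=True)
class Finding:
    kind: str    # "AppInit_DLLs" or "BHO"
    path: str    # DLL path, or the CLSID when the DLL is missing
    reason: str


def triage(dds_text: str, gone: set[str]) -> list[Finding]:
    """Flag load points that still reference a removed or missing DLL."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs may hold several comma-separated entries.
            for dll in (norm(p) for p in m["value"].split(",")):
                if not dll:
                    continue
                if dll in gone:
                    reason = ("AppInit_DLLs still names a quarantined DLL; every new process "
                              "that loads user32.dll will fail to load it (Bad Image dialog)")
                else:
                    reason = ("non-empty AppInit_DLLs injects this DLL into every process; "
                              "verify the file and its publisher")
                findings.append(Finding("AppInit_DLLs", dll, reason))
            continue
        m = BHO_RE.match(line)
        if m:
            target = norm(m["target"])
            if target == "no file":
                findings.append(Finding("BHO", m["clsid"].lower(),
                                        "CLSID is registered as a BHO but its DLL is missing (orphaned entry)"))
            elif target in gone:
                findings.append(Finding("BHO", target,
                                        "BHO DLL was quarantined but its CLSID registration remains"))
    return findings


if __name__ == "__main__":
    for f in triage(DDS_LOG, removed_files(MBAM_LOG)):
        print(f"[{f.kind}] {f.path}: {f.reason}")
```

The AppInit_DLLs finding is the one that explains the pop-ups: clearing that registry value (or letting the removal tool do so) stops the loader from looking for the deleted DLL, while the orphaned BHO CLSIDs are cleanup items rather than active threats.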
 
Welcome to TechSpot! I'll help with the redirect problem.

My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs, except those I give you.
  • Please let me know if there is any change in the system.
If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
Please follow the additional steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

You do not need to run Malwarebytes again. And I only need logs for the current scans, unless I specifically request an older log.

Regarding this:
c:\program files\webenhancements\webenhancements.xpi (PUP.WebEnhancements) -> Not selected for removal.
c:\program files\webenhancements\uninst.exe (PUP.WebEnhancements) -> Not selected for removal.
c:\program files\webenhancements\webenhancements.crx (PUP.WebEnhancements) -> Not selected for removal.
c:\program files\webenhancements\webenhancements.safariextz (PUP.WebEnhancements) -> Not selected for removal.
Did you download each of these for Firefox or other browser? Did you intentionally not check for removal?
==================================
 
DDS & ATTACHMENT log

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by DucMeLaVang1 at 19:00:47 on 2011-07-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1313 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Documents and Settings\DucMeLaVang1\My Documents\My Music\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=435&affiliate_id=&channel=rjacs&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110624&user_guid=B9D274B9D81A47C198479BA86D91E41D&machine_id=54a235e916238eafc680cafc65332329&browser=IE&os=win&os_version=5.1-x86-SP3
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
BHO: {021b3f33-f1b7-438f-bb69-284dd7d2080b} - c:\windows\system32\atipdlxx32.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
BHO: {70C6E9DE-F30E-4A40-8A6F-9572C2328320} - No File
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\documents and settings\ducmelavang1\my documents\my music\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\documents and settings\ducmelavang1\my documents\my music\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\ducmelavang1\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [limewire plus+] "c:\program files\limewire plus+\limewire.exe" -h
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221506534368
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\napipsec32.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-5 366640]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R2 Toolbar Updater Service;Toolbar Updater Service;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-3-24 199904]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-5 22712]
S3 apf001;apf001;c:\windows\system32\apf001.sys [2011-4-25 10872]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-5 39984]
S3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101018.002\NAVENG.sys [2010-11-5 86064]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101018.002\NAVEX15.sys [2010-11-5 1371184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
=============== Created Last 30 ================
.
2011-07-06 00:12:49 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2011-07-06 00:12:49 405504 ----a-w- c:\windows\stsystra.exe
2011-07-06 00:12:49 1601536 ----a-w- c:\windows\system32\stlang.dll
2011-07-05 23:57:36 -------- d-----w- c:\documents and settings\ducmelavang1\local settings\application data\Help
2011-07-05 20:27:56 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-05 20:27:50 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-05 14:55:57 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-05 14:55:57 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-05 14:55:30 -------- d-----w- c:\program files\common files\Akamai
2011-07-05 14:55:24 -------- d-----w- c:\documents and settings\ducmelavang1\local settings\application data\PMB Files
2011-07-05 14:55:24 -------- d-----w- c:\documents and settings\all users\application data\PMB Files
2011-07-05 14:55:23 -------- d-----w- c:\program files\StartNow Toolbar
2011-07-05 14:55:17 -------- d-----w- c:\program files\SigmaTel
2011-07-05 14:23:38 -------- d-----w- c:\program files\DriverFinder
2011-07-05 14:23:12 -------- d-----w- c:\documents and settings\ducmelavang1\application data\DriverFinder
2011-07-05 14:20:43 -------- d-----w- c:\program files\Software Informer
2011-07-05 14:20:43 -------- d-----w- c:\documents and settings\ducmelavang1\application data\Software Informer
2011-07-05 11:55:46 -------- d-----w- c:\documents and settings\ducmelavang1\application data\Malwarebytes
2011-07-05 11:54:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-05 05:56:07 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-05 02:05:15 -------- d-----w- c:\windows\system32\NtmsData
2011-07-05 00:21:08 145408 --sha-r- c:\windows\system32\msswchxf.dll
2011-07-03 18:48:15 -------- d-----w- c:\windows\system32\1509816429
2011-07-03 18:47:58 -------- d-----w- c:\windows\system32\1592885943
2011-06-25 16:52:41 213504 ----a-w- c:\windows\system32\mtxparhd32.exe
2011-06-25 04:56:38 -------- d-----w- c:\program files\common files\xing shared
2011-06-25 04:52:40 -------- d-----w- c:\program files\ClickCoupon
2011-06-24 23:56:32 -------- d-----w- c:\program files\Object
2011-06-23 08:54:01 213504 ----a-w- c:\windows\system32\mydocs32.exe
2011-06-23 04:56:42 -------- d-----w- c:\windows\system32\924857355
2011-06-23 04:53:06 0 ---ha-w- c:\documents and settings\ducmelavang1\nyqsdjspie.tmp
2011-06-23 04:52:41 203776 --sh--w- c:\windows\system32\unrar.exe
2011-06-23 04:52:41 -------- d-----w- c:\windows\system32\448120563
2011-06-23 04:52:39 -------- d-sh--w- c:\windows\system32\FE9BB8E90C5A2CB441A11D3379094FBF
2011-06-23 04:52:16 256512 ----a-w- c:\windows\system32\napipsec32.dll
2011-06-23 04:52:16 1416192 ----a-w- c:\windows\system32\tcpmonui32.exe
2011-06-23 04:52:15 213504 ----a-w- c:\windows\system32\napipsec32.exe
2011-06-23 04:48:51 -------- d-----w- c:\documents and settings\ducmelavang1\local settings\application data\Apple
2011-06-23 04:47:55 -------- d-----w- c:\documents and settings\ducmelavang1\local settings\application data\Apple Computer
2011-06-23 01:02:01 -------- d-----w- c:\documents and settings\ducmelavang1\application data\FrostWire
2011-06-23 00:57:15 -------- d-----w- c:\documents and settings\ducmelavang1\local settings\application data\OpenCandy
2011-06-23 00:57:13 -------- d-----w- c:\documents and settings\ducmelavang1\application data\OpenCandy
2011-06-20 06:09:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-18 18:33:39 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-06-18 18:33:39 215920 ----a-w- c:\windows\system32\muweb.dll
2011-06-18 18:33:39 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-06-16 12:37:11 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-11 10:10:34 -------- d-----w- c:\documents and settings\ducmelavang1\application data\MSNInstaller
.
==================== Find3M ====================
.
2011-06-25 04:56:11 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-06-25 04:56:10 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-06-20 06:09:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-12 05:00:01 7219986245 ----a-w- c:\windows\system32\cdmcache.dll
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51:57 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51:57 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01:21 389120 ----a-w- c:\windows\system32\html.iec
2011-04-25 06:12:19 12920 ----a-w- c:\windows\system32\apl001.sys
2011-04-25 06:12:19 10872 ----a-w- c:\windows\system32\apf001.sys
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 19:01:05.89 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/15/2008 2:16:40 PM
System Uptime: 7/7/2011 3:47:03 PM (4 hours ago)
.
Motherboard: Dell Inc. | | 0WY383
Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-57 | Socket M2/S1G1 | 1899/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 112 GiB total, 90.298 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1395 WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000B1028&REV_01\4&232B014&0&0030
Manufacturer: Broadcom
Name: Dell Wireless 1395 WLAN Mini-Card
PNP Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000B1028&REV_01\4&232B014&0&0030
Service: BCM43XX
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_022A1028&REV_02\4&B216F0A&0&00A4
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_022A1028&REV_02\4&B216F0A&0&00A4
Service: bcm4sbxp
.
==== System Restore Points ===================
.
RP1: 7/4/2011 8:06:14 PM - System Checkpoint
RP2: 7/5/2011 12:03:33 AM - Removed Apple Software Update
RP3: 7/5/2011 12:08:57 AM - Removed SigmaTel Audio
RP4: 7/5/2011 9:54:30 AM - Restore Operation
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.0.1)
Adobe Shockwave Player 11.5
Akamai NetSession Interface
AMD Processor Driver
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Bandisoft MPEG-1 Decoder
Broadcom 440x 10/100 Integrated Controller
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Dell Wireless WLAN Card
DivX Setup
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
Java Auto Updater
Java(TM) 6 Update 26
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft_VC90_CRT_x86
Nero OEM
Pando Media Booster
PowerDVD
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
StartNow Toolbar 2.0
Symantec AntiVirus Client
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
WebFldrs XP
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
7/7/2011 4:30:12 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
7/6/2011 6:05:22 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00225F156D1C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/5/2011 9:58:45 AM, error: Service Control Manager [7023] - The WMI Performance Adapter service terminated with the following error: Unspecified error
7/5/2011 9:57:59 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 00225F156D1C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/5/2011 8:54:06 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
7/5/2011 8:50:58 AM, error: Service Control Manager [7034] - The Telnet service terminated unexpectedly. It has done this 1 time(s).
7/5/2011 7:33:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/5/2011 7:32:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
7/5/2011 7:32:53 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/5/2011 7:32:53 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/5/2011 7:32:53 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/5/2011 7:32:53 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/5/2011 7:32:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/4/2011 8:45:13 PM, error: Service Control Manager [7034] - The Toolbar Updater Service service terminated unexpectedly. It has done this 1 time(s).
6/30/2011 9:44:24 PM, error: Dhcp [1002] - The IP address lease 192.168.1.103 for the Network Card with network address 00225F156D1C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
 
=====================================
Regarding this:

Did you download each of these for Firefox or other browser? Did you intentionally not check for removal?
==================================


I have only downloaded those to Google Chrome. I do not use any other browsers at this time. This was my first time using the MBAM program and I did not intentionally not check for removal; I scrolled the first time and figured it was all checked and cleared it. And then I redid it again just in case I missed any & also cleared those too. I appreciate your assistance ^^ !
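The DDS timeline above can be triaged mechanically as well as by eye. The following is an added example (not part of this thread, of DDS or of MBAM) that parses file-creation lines copied from that log and flags the things a helper looks for: hidden/system attributes, opaque directory names under system32, and the burst of files dropped together at 2011-06-23 04:52 that includes napipsec32.dll. The burst window and the name heuristics are assumptions chosen for this log, not DDS settings.

```python
import re
from datetime import datetime

# Constructed sample: timeline lines copied verbatim from the DDS attach log
# above (only the system32 lines are used; user-profile lines are left out).
SAMPLE_LOG = r"""
2011-07-05 00:21:08 145408 --sha-r- c:\windows\system32\msswchxf.dll
2011-07-03 18:48:15 -------- d-----w- c:\windows\system32\1509816429
2011-06-25 16:52:41 213504 ----a-w- c:\windows\system32\mtxparhd32.exe
2011-06-23 04:52:41 203776 --sh--w- c:\windows\system32\unrar.exe
2011-06-23 04:52:39 -------- d-sh--w- c:\windows\system32\FE9BB8E90C5A2CB441A11D3379094FBF
2011-06-23 04:52:16 256512 ----a-w- c:\windows\system32\napipsec32.dll
2011-06-23 04:52:16 1416192 ----a-w- c:\windows\system32\tcpmonui32.exe
2011-06-23 04:52:15 213504 ----a-w- c:\windows\system32\napipsec32.exe
2011-06-20 06:09:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-18 18:33:39 274288 ----a-w- c:\windows\system32\mucltui.dll
"""

# One DDS timeline line: "<date> <time> <size or -------->" <8-char attrs> <path>".
# Attribute letters as DDS prints them: d=directory, c=compressed, s=system,
# h=hidden, a=archive, r/w=read-only/writable.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-{8})\s+([a-z-]{8})\s+(.+?)\s*$"
)
# Assumed heuristic: directory names made only of digits or of 32 hex digits,
# as seen under system32 in this log, are not something Windows creates itself.
OPAQUE_NAME_RE = re.compile(r"^(?:\d{6,}|[0-9A-Fa-f]{32})$")


def parse_dds_timeline(text):
    """Turn DDS 'Files Created' lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "size": None if size.startswith("-") else int(size),
            "attrs": attrs,
            "path": path,
            "is_dir": attrs[0] == "d",
            "hidden": "h" in attrs,
            "system": "s" in attrs,
        })
    return entries


def flag_entry(entry):
    """Per-entry reasons for a second look; an empty list means nothing stood out."""
    reasons = []
    name = entry["path"].rsplit("\\", 1)[-1]
    in_system32 = "\\system32\\" in entry["path"].lower()
    if entry["hidden"] or entry["system"]:
        reasons.append("hidden/system attribute")
    if in_system32 and entry["is_dir"] and OPAQUE_NAME_RE.match(name):
        reasons.append("opaque directory name under system32")
    return reasons


def drop_clusters(entries, window_seconds=60, min_size=3):
    """Group entries whose creation times sit within window_seconds of the
    previous one. Several new system32 binaries landing in one short window is
    the footprint of a dropper run, not of normal use or of Windows Update."""
    ordered = sorted(entries, key=lambda e: e["time"])
    clusters, current = [], []
    for e in ordered:
        if current and (e["time"] - current[-1]["time"]).total_seconds() > window_seconds:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def triage(text):
    """Map each suspicious path to the list of reasons it was flagged."""
    entries = parse_dds_timeline(text)
    findings = {}
    for e in entries:
        reasons = flag_entry(e)
        if reasons:
            findings[e["path"]] = reasons
    for cluster in drop_clusters(entries):
        span = f"{cluster[0]['time']:%Y-%m-%d %H:%M:%S}..{cluster[-1]['time']:%H:%M:%S}"
        for e in cluster:
            findings.setdefault(e["path"], []).append(
                f"created in burst of {len(cluster)} at {span}")
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(path, "->", "; ".join(reasons))
```

Note that mtxparhd32.exe, which MBAM later names as malware, is not caught by these heuristics: attribute and timing checks narrow the list for a human, they do not replace the scanner.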
 
Please review:
My Guidelines: please read and follow:

* Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
* Read my instructions carefully. If you don't understand or have a problem, ask me.
* If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
* Follow the order of the tasks I give you. Order is crucial in cleaning process.
* File sharing programs should be uninstalled or disabled during the cleaning process.
* Observe these:
[o] Don't use any other cleaning programs or scans while I'm helping you.
[o] Don't use a Registry cleaner or make any changes in the Registry.
[o] Don't download and install new programs- except those I give you.
* Please let me know if there is any change in the system.

If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
Your last reply: 17 Hours Ago
sunday972


I will get back to you as soon as I can.
 
Sorry for the delay. I spent extra time with my family over the holiday weekend, so am catching up on my threads now.

Even after all the malware removals in Mbam, the system is still heavily infected with malware. We will attempt to remove the entries, but you will have to remove the following>>Vuze Remote Toolbar and LimeWire. Neither is showing in the installed programs list, but both are running. I can remove some entries after you run Combofix, but I'd like you to see if either or both are in Add/Remove Programs. IF they are, please uninstall them.

Then right click on Start> Explore> My Computer> Double click on Local Drive(C)> Programs> look for program folders for both Vuze and LimeWire> do a right click> Delete on each. Exit Windows explorer.
==============================================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=================================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the download link to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
 
Let's check on that 'bad image' entry:
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    napipsec32.*
    napipsec.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
c:\windows\system32\napipsec32.dll
.
 
ComboFix Log

ComboFix 11-07-09.02 - DucMeLaVang1 07/09/2011 13:04:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1113 [GMT -5:00]
Running from: c:\documents and settings\DucMeLaVang1\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\DucMeLaVang1\WINDOWS
c:\documents and settings\Guest\Application Data\AdVantage
c:\documents and settings\Guest\Application Data\advantage\AdVantage.exe
c:\windows\system32\$winnt$.inf
c:\windows\system32\_000013_.tmp.dll
c:\windows\system32\1509816429
c:\windows\system32\1509816429\frt0.rar
c:\windows\system32\1509816429\frt0.rar.ver
c:\windows\system32\1509816429\frt1.rar
c:\windows\system32\1509816429\frt1.rar.ver
c:\windows\system32\1509816429\frt2.rar
c:\windows\system32\1509816429\frt2.rar.ver
c:\windows\system32\1509816429\frt3.rar
c:\windows\system32\1509816429\frt3.rar.ver
c:\windows\system32\1509816429\frt4.rar
c:\windows\system32\1509816429\frt4.rar.ver
c:\windows\system32\1509816429\frt5.rar
c:\windows\system32\1509816429\frt5.rar.ver
c:\windows\system32\1509816429\frt6.rar
c:\windows\system32\1509816429\frt6.rar.ver
c:\windows\system32\1509816429\frt7.rar
c:\windows\system32\1509816429\frt7.rar.ver
c:\windows\system32\1592885943
c:\windows\system32\448120563
c:\windows\system32\448120563\new.i0.kwd
c:\windows\system32\448120563\new.i1.kwd
c:\windows\system32\448120563\new.i10.kwd
c:\windows\system32\448120563\new.i11.kwd
c:\windows\system32\448120563\new.i12.kwd
c:\windows\system32\448120563\new.i13.kwd
c:\windows\system32\448120563\new.i14.kwd
c:\windows\system32\448120563\new.i15.kwd
c:\windows\system32\448120563\new.i2.kwd
c:\windows\system32\448120563\new.i3.kwd
c:\windows\system32\448120563\new.i4.kwd
c:\windows\system32\448120563\new.i5.kwd
c:\windows\system32\448120563\new.i6.kwd
c:\windows\system32\448120563\new.i7.kwd
c:\windows\system32\448120563\new.i8.kwd
c:\windows\system32\448120563\new.i9.kwd
c:\windows\system32\924857355
c:\windows\system32\924857355\frt0.rar
c:\windows\system32\924857355\frt0.rar.ver
c:\windows\system32\924857355\frt1.rar
c:\windows\system32\924857355\frt1.rar.ver
c:\windows\system32\924857355\frt10.rar
c:\windows\system32\924857355\frt10.rar.ver
c:\windows\system32\924857355\frt11.rar
c:\windows\system32\924857355\frt11.rar.ver
c:\windows\system32\924857355\frt12.rar
c:\windows\system32\924857355\frt12.rar.ver
c:\windows\system32\924857355\frt13.rar
c:\windows\system32\924857355\frt13.rar.ver
c:\windows\system32\924857355\frt14.rar
c:\windows\system32\924857355\frt14.rar.ver
c:\windows\system32\924857355\frt15.rar
c:\windows\system32\924857355\frt15.rar.ver
c:\windows\system32\924857355\frt2.rar
c:\windows\system32\924857355\frt2.rar.ver
c:\windows\system32\924857355\frt3.rar
c:\windows\system32\924857355\frt3.rar.ver
c:\windows\system32\924857355\frt4.rar
c:\windows\system32\924857355\frt4.rar.ver
c:\windows\system32\924857355\frt5.rar
c:\windows\system32\924857355\frt5.rar.ver
c:\windows\system32\924857355\frt6.rar
c:\windows\system32\924857355\frt6.rar.ver
c:\windows\system32\924857355\frt7.rar
c:\windows\system32\924857355\frt7.rar.ver
c:\windows\system32\924857355\frt8.rar
c:\windows\system32\924857355\frt8.rar.ver
c:\windows\system32\924857355\frt9.rar
c:\windows\system32\924857355\frt9.rar.ver
c:\windows\vb.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
.
.
2011-07-06 00:12 . 2007-05-10 15:23 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2011-07-06 00:12 . 2007-05-10 15:22 405504 ----a-w- c:\windows\stsystra.exe
2011-07-06 00:12 . 2007-04-10 22:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2011-07-05 23:57 . 2011-07-05 23:57 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Help
2011-07-05 05:56 . 2011-07-05 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-05 02:05 . 2011-07-05 02:05 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
2011-07-05 02:05 . 2011-07-05 02:05 -------- d-----w- c:\windows\system32\NtmsData
2011-07-05 00:21 . 2011-07-05 00:21 145408 --sha-r- c:\windows\system32\msswchxf.dll
2011-06-25 16:52 . 2011-06-25 16:52 213504 ----a-w- c:\windows\system32\mtxparhd32.exe
2011-06-25 04:56 . 2011-06-25 04:56 -------- d-----w- c:\program files\Common Files\xing shared
2011-06-25 04:56 . 2011-06-25 04:56 -------- d-----w- c:\program files\Real
2011-06-24 23:56 . 2011-06-25 00:21 -------- d-----w- c:\program files\Object
2011-06-23 08:54 . 2011-06-23 08:54 213504 ----a-w- c:\windows\system32\mydocs32.exe
2011-06-23 05:07 . 2011-06-23 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2011-06-23 04:53 . 2011-06-23 04:53 0 ---ha-w- c:\documents and settings\DucMeLaVang1\nyqsdjspie.tmp
2011-06-23 04:52 . 2011-06-23 04:52 203776 --sh--w- c:\windows\system32\unrar.exe
2011-06-23 04:52 . 2011-07-05 05:50 -------- d-sh--w- c:\windows\system32\FE9BB8E90C5A2CB441A11D3379094FBF
2011-06-23 04:52 . 2011-06-23 04:52 -------- d-----w- c:\documents and settings\DucMeLaVang1\Application Data\Apple Computer
2011-06-23 04:52 . 2011-06-23 04:52 256512 ----a-w- c:\windows\system32\napipsec32.dll
2011-06-23 04:52 . 2011-06-23 04:52 1416192 ----a-w- c:\windows\system32\tcpmonui32.exe
2011-06-23 04:52 . 2011-06-23 04:52 213504 ----a-w- c:\windows\system32\napipsec32.exe
2011-06-23 04:48 . 2011-06-23 04:48 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Apple
2011-06-23 04:47 . 2011-06-23 04:47 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Apple Computer
2011-06-23 00:57 . 2011-06-23 05:15 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\OpenCandy
2011-06-22 03:59 . 2011-06-22 03:59 -------- d-----w- c:\documents and settings\Guest\Application Data\DivX
2011-06-20 06:09 . 2011-06-20 06:09 -------- d-----w- c:\program files\Common Files\Java
2011-06-20 06:09 . 2011-06-20 06:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-18 18:33 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-06-18 18:33 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-06-16 12:37 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-11 10:10 . 2011-06-11 10:10 -------- d-----w- c:\documents and settings\DucMeLaVang1\Application Data\MSNInstaller
2011-06-11 08:20 . 2011-06-11 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-25 04:56 . 2003-02-21 09:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-06-25 04:56 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-06-20 06:09 . 2011-05-07 18:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-02 15:31 . 2008-09-15 19:10 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 10:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2004-08-04 10:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2004-08-04 10:00 389120 ----a-w- c:\windows\system32\html.iec
2011-04-25 06:12 . 2011-04-25 06:12 12920 ----a-w- c:\windows\system32\apl001.sys
2011-04-25 06:12 . 2011-04-25 06:12 10872 ----a-w- c:\windows\system32\apf001.sys
2011-04-21 13:37 . 2004-08-04 10:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-06-25 273544]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\napipsec32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\UniServer\\usr\\local\\apache2\\bin\\Apache.exe"=
"c:\\UniServer\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58600:TCP"= 58600:TCP:pando Media Booster
"58600:UDP"= 58600:UDP:pando Media Booster
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/5/2011 3:27 PM 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/5/2011 3:27 PM 22712]
S3 apf001;apf001;c:\windows\system32\apf001.sys [4/25/2011 1:12 AM 10872]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/5/2011 3:27 PM 39984]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IDSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1958367476-682003330-1005Core.job
- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-17 00:26]
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1958367476-682003330-1005UA.job
- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-17 00:26]
.
2011-07-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1958367476-682003330-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-07-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1958367476-682003330-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=435&affiliate_id=&channel=rjacs&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110624&user_guid=B9D274B9D81A47C198479BA86D91E41D&machine_id=54a235e916238eafc680cafc65332329&browser=IE&os=win&os_version=5.1-x86-SP3
mStart Page = hxxp://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{021B3F33-F1B7-438F-BB69-284DD7D2080b} - c:\windows\system32\atipdlxx32.dll
BHO-{ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\Vuze_Remote\prxtbVuze.dll
Toolbar-{ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\Vuze_Remote\prxtbVuze.dll
HKCU-Run-limewire plus+ - c:\program files\Limewire Plus+\limewire.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-09 13:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\05\04\0c\10\08\06?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-07-09 13:11:25
ComboFix-quarantined-files.txt 2011-07-09 18:11
.
Pre-Run: 96,801,333,248 bytes free
Post-Run: 101,304,414,208 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 79189BF18551F70F1BDF670813701D26
 
ESETScan log

C:\Documents and Settings\DucMeLaVang1\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\kciobbhbdbagfdjakadageiinmcklpkd\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Guest\Application Data\advantage\AdVantage.exe.vir a variant of Win32/Kunhitta.A trojan
C:\System Volume Information\_restore{75D9072C-A095-49C6-BDCC-0473088235DE}\RP1\A0003055.exe a variant of Win32/Kryptik.PVN trojan
C:\System Volume Information\_restore{75D9072C-A095-49C6-BDCC-0473088235DE}\RP3\A0004207.exe a variant of Win32/Kryptik.PVN trojan
C:\System Volume Information\_restore{75D9072C-A095-49C6-BDCC-0473088235DE}\RP5\A0008589.exe a variant of Win32/Kunhitta.A trojan
C:\WINDOWS\system32\FE9BB8E90C5A2CB441A11D3379094FBF\b\binm1 a variant of Win32/Kryptik.PVN trojan
C:\WINDOWS\system32\FE9BB8E90C5A2CB441A11D3379094FBF\b\bint1 Win32/TrojanDownloader.Tracur.B trojan
 
Here's the SystemLook log for Bad Image

SystemLook 04.09.10 by jpshortstuff
Log created at 14:33 on 09/07/2011 by DucMeLaVang1
Administrator - Elevation successful

========== filefind ==========

Searching for "napipsec32.*"
C:\WINDOWS\system32\napipsec32.dll --a---- 256512 bytes [04:52 23/06/2011] [04:52 23/06/2011] 7BEFA69C56C084C4CDD5807F17B235E2
C:\WINDOWS\system32\napipsec32.exe --a---- 213504 bytes [04:52 23/06/2011] [04:52 23/06/2011] 9562EFE2D6A77BBB515666D933DD746B

Searching for "napipsec.*"
C:\WINDOWS\ServicePackFiles\i386\napipsec.dll -----c- 30208 bytes [00:12 14/04/2008] [00:12 14/04/2008] 87906187B3AF89582380D156DA601F68
C:\WINDOWS\system32\napipsec.dll -----c- 30208 bytes [00:12 14/04/2008] [00:12 14/04/2008] 87906187B3AF89582380D156DA601F68
C:\WINDOWS\system32\dllcache\napipsec.dll --a--c- 30208 bytes [00:12 14/04/2008] [00:12 14/04/2008] 87906187B3AF89582380D156DA601F68

-= EOF =-
 
Logs Completed & Removing Limewire/Vuze Toolbar

The right click on Start> Explore> My Computer> Double click on Local Drive(C)> Programs> look for program folders for both Vuze and LimeWire> do a right click> Delete on each. Exit Windows explorer.

I have successfully completed the steps and produced the logs from ComboFix, ESETScan, and SystemLook. I had a slight problem with the Limewire and Vuze Toolbar: I was not able to find them in Add/Remove Programs or in Windows Explorer. However, I did find some "leftover" files inside Windows Explorer under Local Drive (C) > Documents and Settings > Application Data (instead of Program Files) & deleted those Vuze Toolbar and Limewire folders prior to starting ComboFix. I am checking whether those were the ones you wanted deleted.

Update on the Laptop Status: It is running fairly fast; however, the "bad image .exe" is still happening every time I log on after restarting the laptop, as well as when opening any program or a new window in Chrome. The good news is that the redirection in Google Chrome is completely gone and it works normally. ^^
 
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\system32\mtxparhd32.exe
c:\documents and settings\ducmelavang1\nyqsdjspie.tmp
c:\windows\system32\msswchxf.dll
c:\windows\system32\mydocs32.exe
c:\windows\system32\unrar.exe
c:\windows\system32\apl001.sys
c:\windows\system32\apf001.sys
Folder::
c:\program files\StartNow Toolbar
c:\windows\system32\FE9BB8E90C5A2CB441A11D3379094FBF
c:\program files\common files\xing shared
c:\program files\Object
c:\windows\system32\924857355
c:\windows\system32\448120563
c:\windows\system32\1509816429
c:\windows\system32\1592885943
c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\OpenCandy
DDS::
uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=4 35&affiliate_id=&channel=rjacs&toolbar_id=200&toolbar_version=2.0&install_c ountry=US&install_date=20110624&user_guid=B9D274B9D81A47C198479BA86D91E41D& machine_id=54a235e916238eafc680cafc65332329&browser=IE&os=win&os_version=5. 1-x86-SP3
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
BHO: {70C6E9DE-F30E-4A40-8A6F-9572C2328320} - No File
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
uRun: [limewire plus+] "c:\program files\limewire plus+\limewire.exe" -h
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]

Driver::
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it in your next reply.
====================
Please download OTMoveIt by Old Timer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Documents and Settings\DucMeLaVang1\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\kciobbhbdbagfdjakadageiinmcklpkd\contentscript.js 
    C:\WINDOWS\system32\FE9BB8E90C5A2CB441A11D3379094FBF\b\binm1 
    C:\WINDOWS\system32\FE9BB8E90C5A2CB441A11D3379094FBF\b\bint1 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
Please run this Security Check

Download Security Check by screen317 from HERE or HERE.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
ComboFix Log

ComboFix 11-07-09.03 - DucMeLaVang1 07/09/2011 21:24:34.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1394 [GMT -5:00]
Running from: c:\documents and settings\DucMeLaVang1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DucMeLaVang1\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\ducmelavang1\nyqsdjspie.tmp"
"c:\windows\system32\apf001.sys"
"c:\windows\system32\apl001.sys"
"c:\windows\system32\msswchxf.dll"
"c:\windows\system32\mtxparhd32.exe"
"c:\windows\system32\mydocs32.exe"
"c:\windows\system32\unrar.exe"
.
.
((((((((((((((((((((((((( Files Created from 2011-06-10 to 2011-07-10 )))))))))))))))))))))))))))))))
.
.
2011-07-09 18:32 . 2011-07-09 18:32 -------- d-----w- c:\program files\ESET
2011-07-06 00:12 . 2007-05-10 15:23 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2011-07-06 00:12 . 2007-05-10 15:22 405504 ----a-w- c:\windows\stsystra.exe
2011-07-06 00:12 . 2007-04-10 22:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2011-07-05 23:57 . 2011-07-05 23:57 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Help
2011-07-05 05:56 . 2011-07-05 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-05 02:05 . 2011-07-05 02:05 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
2011-07-05 02:05 . 2011-07-05 02:05 -------- d-----w- c:\windows\system32\NtmsData
2011-06-22 03:59 . 2011-06-22 03:59 -------- d-----w- c:\documents and settings\Guest\Application Data\DivX
2011-06-20 06:09 . 2011-06-20 06:09 -------- d-----w- c:\program files\Common Files\Java
2011-06-20 06:09 . 2011-06-20 06:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-18 18:33 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-06-18 18:33 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-06-16 12:37 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-11 10:10 . 2011-06-11 10:10 -------- d-----w- c:\documents and settings\DucMeLaVang1\Application Data\MSNInstaller
2011-06-11 08:20 . 2011-06-11 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-25 04:56 . 2003-02-21 09:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-06-25 04:56 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-06-20 06:09 . 2011-05-07 18:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-02 15:31 . 2008-09-15 19:10 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 10:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2004-08-04 10:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2004-08-04 10:00 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 10:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-06-25 273544]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\napipsec32.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\UniServer\\usr\\local\\apache2\\bin\\Apache.exe"=
"c:\\UniServer\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58600:TCP"= 58600:TCP:pando Media Booster
"58600:UDP"= 58600:UDP:pando Media Booster
"1099:TCP"= 1099:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/5/2011 3:27 PM 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/5/2011 3:27 PM 22712]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1958367476-682003330-1005Core.job
- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-17 00:26]
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1958367476-682003330-1005UA.job
- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-17 00:26]
.
2011-07-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1958367476-682003330-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-07-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1958367476-682003330-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-09 21:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2452)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-07-09 21:29:14
ComboFix-quarantined-files.txt 2011-07-10 02:29
ComboFix2.txt 2011-07-10 02:08
ComboFix3.txt 2011-07-09 18:11
.
Pre-Run: 101,084,344,320 bytes free
Post-Run: 101,069,377,536 bytes free
.
- - End Of File - - EF743381C5B49E19BFC47441D8696035
 
for some reason...

My MBAM icon seems to have disappeared from the bottom right corner of the laptop screen, by the timer, after disabling them and activating ComboFix. Is there a way to fix this, to enable it before moving on to the next step?

I will provide the OTMoveit & Security Check Soon
 
OTMoveit3 log

All processes killed
Error: Unable to interpret < > in the current context!
========== FILES ==========
C:\Documents and Settings\DucMeLaVang1\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\kciobbhbdbagfdjakadageiinmcklpkd\contentscript.js moved successfully.
File/Folder C:\WINDOWS\system32\FE9BB8E90C5A2CB441A11D3379094FBF\b\binm1 not found.
File/Folder C:\WINDOWS\system32\FE9BB8E90C5A2CB441A11D3379094FBF\b\bint1 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56466 bytes

User: DucMeLaVang1
->Temp folder emptied: 1695 bytes
->Temporary Internet Files folder emptied: 141530 bytes
->Java cache emptied: 1395106 bytes
->Google Chrome cache emptied: 44267765 bytes
->Flash cache emptied: 47801 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Flash cache emptied: 148030 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: User

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 698897 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 47.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 07092011_221617

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_63c.dat not found!

Registry entries deleted on Reboot...
 
Security Check

I tried running Security Check twice; the pop-up kept popping up drastically, and it only loaded up to "Prepared Finish" but no log came up. I am also still missing my MBAM icon in the Taskbar, in the bottom right corner of the laptop by the timer.
 
Please run this Security Check instead:

Download eSec-Info2.zip and save it to your Desktop.
You will need to extract the file.
  • Right click on the zipped folder> click on Extract All...
  • Click on Next in the 'Extraction Wizard' window that opens
  • Click on Next in the next window that appears
  • Click on Finish in the final window
  • Double click on the folder Sec-info2.vbs to run it
  • When completed, a text file named Sec-Info.txt is created in the same folder
  • Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.
========================================
Regarding Mbam icon: Is this for the scan you downloaded on 7/5? It may be set to show only when active: Do a right click on an empty area of the Notification Area> Click on 'Customize Notification Area'> Find the Mbam icon and set to 'Always Show'.

But be advised that I will have you uninstall this tool when we finish. Unless you purchase the program, it will outdate while sitting on the hard drive.
=====================================
Some of your problems may be due to this:
2011-06-23 05:15 > c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\OpenCandy
OpenCandy is a company that produces an advertising software module. When a user installs an application that has the OpenCandy library, there is an option to install additional software that it recommends.

Privacy concerns have been raised about OpenCandy. OpenCandy has attracted criticism because of [3]. Past versions [4] of OpenCandy were considered adware by Microsoft Sec as they 'may send user-specific information ... without obtaining adequate user consent'.
=================================
Glad you found Vuze and LimeWire- kudos to you for overriding my incorrect path!

Windows users can disable the software by adding this entry to their hosts file to block the domain api.opencandy.com, effectively disabling the software from transmitting information back to its servers:
 
Sec Info

I tried the notification settings to allow the MBAM icon to "always show", yet it still doesn't show. However, it does seem like it's running under Task Manager. I even tried removing and reinstalling MBAM, but nothing changed and the icon is still missing. I'm just hoping there would be another way of disabling it if it's required in the next few scans that you will provide me ^^ & since MBAM will be removed later anyhow, I don't mind that either. I just thought it might be a problem, not knowing how to disable it during certain scans since it doesn't appear in the system tray or notification area.

& Yes, I did dl it on July 5, 2011 and not the full version of MBAM.


(Below is the Sec Info Log) :


Script run: 7/10/2011 2:48:31 PM

~~~~~~~~~~~~~~~~~~~~~~~~

The Windows Firewall is enabled.

~~~~~~~~~~~~~~~~~~~~~~~~

The Security Center Anti-Virus Alerts are enabled.
The Security Center Firewall Alerts are enabled.

~~~~~~~~~~~~~~~~~~~~~~~~

Number of Restore Points found: 5

~~~~~~~~~~~~~~~~~~~~~~~~
 
Don't worry about the tray icon. You don't need it and the program will be removed.

Are you still getting 'bad image' notices? Has the redirect been resolved? Is there any other malware related problem?
 
Okay, I need you to be very specific about the 'bad image':

1. What are you trying to do when the message comes up?
2. What is the exact message?
3. Note the time on the computer clock when you get the 'bad image' error. Write it down. I will have you check the Event Viewer for related Errors at the same time. Events are time-coded.
The system was heavily infected when we started. It is possible that the malware could have corrupted some files. Two entries in particular:
Memory Modules Infected:
c:\WINDOWS\system32\napipsec32.dll (Trojan.Tracur.XGen) -> Delete on reboot.
c:\WINDOWS\system32\atipdlxx32.dll (Trojan.Tracur.XGen) -> Delete on reboot.

are of concern because they got into the memory.

The second process atipdlxx32.dll is a Trojan.Downloader of Chinese origin, and both of the infected processes got into the memory.

About a Memory Resident:
Memory Processes Infected:
Memory-resident programs are those that can be placed in, and remain in, an affected system's main memory space after execution. Memory residency enables a piece of malware to be readily available whenever needed, ensuring that the malware is easily accessible or can monitor every event on an affected system. This is a malware's way of controlling every activity on an affected system when a condition is satisfied.

First, the malware has to be executed. Once done, to assure it is executed at every system startup, it can put links to itself where the system initializes or pre-configures the OS. These are places or configuration files that are accessed by an Operating System upon startup. It does this by modifying or adding to Registry entries for processes such as autoexec.bat or config.sys, processes always used in basic startup schemes.

Usually this is by way of a backdoor.bot which is installed; although it shows as 'removed' or 'unloaded', when you reboot it will be back, so finding the offensive entry and removing it becomes more difficult.
Source: Symantec
=================================================
I'd like you to run Malwarebytes again, but changing to Full Scan as follows:
Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

When scan has finished, you will see this image:
scan-finished.jpg

  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At the end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
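What the two findings discussed in this thread look like in a defender's triage script: the populated AppInit_DLLs value and AntiVirusOverride flag from the ComboFix 'Reg Loading Points' section, and the napipsec32.dll / napipsec32.exe pair that the SystemLook 'filefind' log shows sitting beside the genuine napipsec.dll (the lookalike-naming that the memory-resident and autostart explanation above is about). This is an added example written for this page; it is not code from the thread, from ComboFix, SystemLook or Malwarebytes, and it does not reproduce their logic. The two sample texts are copied from the logs posted earlier, the regular expressions are my own reading of those two log formats, and the trailing-digit name check and the hash-agreement check across system32 / dllcache / ServicePackFiles copies are generic heuristics that go beyond the single case on this page.

```python
"""Triage of the persistence and lookalike-file findings in this thread's logs.
Added example, not code from the thread or from ComboFix/SystemLook/Malwarebytes;
the regexes are my own reading of those log formats and the checks are heuristics."""
import re
from collections import defaultdict

# Sample input, copied from the ComboFix 'Reg Loading Points' section posted above.
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\napipsec32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""
# Sample input, copied from the SystemLook 'filefind' output posted above.
FILEFIND_SAMPLE = r"""
Searching for "napipsec32.*"
C:\WINDOWS\system32\napipsec32.dll --a---- 256512 bytes [04:52 23/06/2011] [04:52 23/06/2011] 7BEFA69C56C084C4CDD5807F17B235E2
C:\WINDOWS\system32\napipsec32.exe --a---- 213504 bytes [04:52 23/06/2011] [04:52 23/06/2011] 9562EFE2D6A77BBB515666D933DD746B

Searching for "napipsec.*"
C:\WINDOWS\ServicePackFiles\i386\napipsec.dll -----c- 30208 bytes [00:12 14/04/2008] [00:12 14/04/2008] 87906187B3AF89582380D156DA601F68
C:\WINDOWS\system32\napipsec.dll -----c- 30208 bytes [00:12 14/04/2008] [00:12 14/04/2008] 87906187B3AF89582380D156DA601F68
C:\WINDOWS\system32\dllcache\napipsec.dll --a--c- 30208 bytes [00:12 14/04/2008] [00:12 14/04/2008] 87906187B3AF89582380D156DA601F68
"""

REG_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
FILEFIND_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes'
    r'\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$')

def parse_reg_points(text):
    """Return (key, name, value) triples; '[...]' lines set the current key."""
    entries, key = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = REG_VAL_RE.match(line)
        if m and key:
            entries.append((key, m.group('name'), m.group('value').strip()))
    return entries

def triage_registry(entries):
    """Flag a populated AppInit_DLLs value and Security Center override flags."""
    findings = []
    for key, name, value in entries:
        k, n = key.lower(), name.lower()
        # AppInit_DLLs is mapped into every process that loads user32.dll; once the
        # DLL is quarantined or damaged, every program launch shows 'Bad Image'.
        if k.endswith(r'\windows nt\currentversion\windows') and n == 'appinit_dlls' and value:
            findings.append(f'AppInit_DLLs is populated: {value}')
        # AntiVirusOverride / FirewallOverride = 1 silence the Security Center alerts.
        if k.endswith(r'\security center') and n in ('antivirusoverride', 'firewalloverride') \
                and value.lower().endswith('00000001'):
            findings.append(f'{name}=1 in Security Center: protection alerts are suppressed')
    return findings

def parse_filefind(text):
    """Return one dict per filefind hit with path, size, md5, name and stem."""
    files = []
    for m in filter(None, (FILEFIND_RE.match(ln.strip()) for ln in text.splitlines())):
        d = m.groupdict()
        d['size'] = int(d['size'])
        d['name'] = d['path'].rsplit('\\', 1)[-1].lower()
        stem, sep, _ = d['name'].rpartition('.')
        d['stem'] = stem if sep else d['name']
        files.append(d)
    return files

def triage_files(files):
    """Flag names that mimic another listed name by adding trailing digits, and
    copies of one file name whose MD5 hashes disagree."""
    findings = []
    by_stem, hashes_by_name = defaultdict(list), defaultdict(set)
    for f in files:
        by_stem[f['stem']].append(f)
        hashes_by_name[f['name']].add(f['md5'].upper())
    for stem, group in by_stem.items():
        base = re.sub(r'\d+$', '', stem)
        if base != stem and base in by_stem:  # e.g. napipsec32.* beside napipsec.*
            findings.extend(f"{f['path']} ({f['size']} bytes, md5 {f['md5']}) mimics {base}.*"
                            for f in group)
    # On XP the dllcache and ServicePackFiles copies are the reference; a system32
    # copy whose hash differs from them has been replaced.
    findings.extend(f'{name}: {len(h)} different hashes across its copies'
                    for name, h in hashes_by_name.items() if len(h) > 1)
    return findings

def run():
    """Both triage passes over the embedded samples: {'registry': [...], 'files': [...]}."""
    return {'registry': triage_registry(parse_reg_points(REG_SAMPLE)),
            'files': triage_files(parse_filefind(FILEFIND_SAMPLE))}

if __name__ == '__main__':
    for section, items in run().items():
        print(section, *items, sep='\n  - ')
```

Run as-is it reports two registry findings and two lookalike files; the hash-agreement pass stays quiet here because all three napipsec.dll copies share one MD5, which is the expected state for a Windows File Protection-covered file. The same script pointed at a full ComboFix log and a wider SystemLook search would surface any system32 file whose hash no longer matches its dllcache copy.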
 