Malware/Virus infection (7-step logs included): hidden all my files

Resolved
By BigChief014
May 25, 2011
Topic Status:
Not open for further replies.
  1. Heya! I'm currently using Windows Vista 32-bit.
    Something happened to my system two nights ago where my program windows (inc. Firefox) reverted to the Windows 95 style for a short time. Then my computer automatically restarted, and when it rebooted all of my files and folders were gone! However, my desktop background remained unchanged.

    I did a system restore, and many of my files and folders came back, but the majority were still gone. Turns out they were randomly made hidden. Around this time my Firefox browser occasionally opens new tabs by itself or redirects Google searches, so I suspect malware is the problem.

    I ran the following in this order: Avira Virus Scan, MalwareBytes, GMER, and DDS. All logs are pasted below. Please help! Thanks in advance. =)


    AVIRA SCAN:
    Avira AntiVir Personal
    Report file date: Tuesday, 24 May 2011 20:24

    Scanning for 2757234 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows Vista
    Windows version : (Service Pack 1) [6.0.6001]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : ONUR-PC

    Version information:
    BUILD.DAT : 10.0.0.648 31823 Bytes 1/04/2011 18:36:00
    AVSCAN.EXE : 10.0.4.2 442024 Bytes 1/04/2011 07:07:43
    AVSCAN.DLL : 10.0.3.0 46440 Bytes 1/04/2011 07:07:57
    LUKE.DLL : 10.0.3.2 104296 Bytes 1/04/2011 07:07:53
    LUKERES.DLL : 10.0.0.1 12648 Bytes 10/02/2010 14:40:49
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 6/11/2009 00:05:36
    VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 06:15:47
    VBASE002.VDF : 7.11.3.0 1950720 Bytes 9/02/2011 06:15:47
    VBASE003.VDF : 7.11.5.225 1980416 Bytes 7/04/2011 10:12:21
    VBASE004.VDF : 7.11.5.226 2048 Bytes 7/04/2011 10:12:21
    VBASE005.VDF : 7.11.5.227 2048 Bytes 7/04/2011 10:12:22
    VBASE006.VDF : 7.11.5.228 2048 Bytes 7/04/2011 10:12:22
    VBASE007.VDF : 7.11.5.229 2048 Bytes 7/04/2011 10:12:23
    VBASE008.VDF : 7.11.5.230 2048 Bytes 7/04/2011 10:12:23
    VBASE009.VDF : 7.11.5.231 2048 Bytes 7/04/2011 10:12:24
    VBASE010.VDF : 7.11.5.232 2048 Bytes 7/04/2011 10:12:24
    VBASE011.VDF : 7.11.5.233 2048 Bytes 7/04/2011 10:12:25
    VBASE012.VDF : 7.11.5.234 2048 Bytes 7/04/2011 10:12:25
    VBASE013.VDF : 7.11.6.28 158208 Bytes 11/04/2011 10:12:28
    VBASE014.VDF : 7.11.6.74 116224 Bytes 13/04/2011 10:12:30
    VBASE015.VDF : 7.11.6.113 137728 Bytes 14/04/2011 10:12:32
    VBASE016.VDF : 7.11.6.150 146944 Bytes 18/04/2011 10:12:34
    VBASE017.VDF : 7.11.6.192 138240 Bytes 20/04/2011 10:12:36
    VBASE018.VDF : 7.11.6.237 156160 Bytes 22/04/2011 10:12:38
    VBASE019.VDF : 7.11.7.45 427520 Bytes 27/04/2011 10:12:42
    VBASE020.VDF : 7.11.7.64 192000 Bytes 28/04/2011 10:12:49
    VBASE021.VDF : 7.11.7.97 182272 Bytes 2/05/2011 10:12:52
    VBASE022.VDF : 7.11.7.127 467968 Bytes 4/05/2011 10:12:58
    VBASE023.VDF : 7.11.7.183 185856 Bytes 9/05/2011 10:13:02
    VBASE024.VDF : 7.11.7.218 133120 Bytes 11/05/2011 10:13:04
    VBASE025.VDF : 7.11.7.234 139776 Bytes 11/05/2011 10:13:06
    VBASE026.VDF : 7.11.8.16 147456 Bytes 13/05/2011 10:13:09
    VBASE027.VDF : 7.11.8.46 169472 Bytes 17/05/2011 10:13:11
    VBASE028.VDF : 7.11.8.109 181760 Bytes 24/05/2011 10:13:14
    VBASE029.VDF : 7.11.8.110 2048 Bytes 24/05/2011 10:13:15
    VBASE030.VDF : 7.11.8.111 2048 Bytes 24/05/2011 10:13:15
    VBASE031.VDF : 7.11.8.115 22016 Bytes 24/05/2011 10:13:16
    Engineversion : 8.2.4.242
    AEVDF.DLL : 8.1.2.1 106868 Bytes 28/03/2011 06:15:27
    AESCRIPT.DLL : 8.1.3.64 1606011 Bytes 24/05/2011 10:13:54
    AESCN.DLL : 8.1.7.2 127349 Bytes 28/03/2011 06:15:27
    AESBX.DLL : 8.1.3.2 254324 Bytes 28/03/2011 06:15:26
    AERDL.DLL : 8.1.9.9 639347 Bytes 25/03/2011 02:21:38
    AEPACK.DLL : 8.2.6.8 557430 Bytes 24/05/2011 10:13:46
    AEOFFICE.DLL : 8.1.1.22 205178 Bytes 24/05/2011 10:13:43
    AEHEUR.DLL : 8.1.2.119 3481976 Bytes 24/05/2011 10:13:42
    AEHELP.DLL : 8.1.17.2 246135 Bytes 24/05/2011 10:13:25
    AEGEN.DLL : 8.1.5.6 401780 Bytes 24/05/2011 10:13:23
    AEEMU.DLL : 8.1.3.0 393589 Bytes 28/03/2011 06:15:19
    AECORE.DLL : 8.1.20.5 196983 Bytes 24/05/2011 10:13:21
    AEBB.DLL : 8.1.1.0 53618 Bytes 28/03/2011 06:15:19
    AVWINLL.DLL : 10.0.0.0 19304 Bytes 28/03/2011 06:15:31
    AVPREF.DLL : 10.0.0.0 44904 Bytes 1/04/2011 07:07:42
    AVREP.DLL : 10.0.0.10 174120 Bytes 24/05/2011 10:13:56
    AVREG.DLL : 10.0.3.2 53096 Bytes 1/04/2011 07:07:42
    AVSCPLR.DLL : 10.0.4.2 84840 Bytes 1/04/2011 07:07:43
    AVARKT.DLL : 10.0.22.6 231784 Bytes 1/04/2011 07:07:38
    AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/04/2011 07:07:41
    SQLITE3.DLL : 3.6.19.0 355688 Bytes 17/06/2010 05:27:22
    AVSMTP.DLL : 10.0.0.17 63848 Bytes 28/03/2011 06:15:30
    NETNT.DLL : 10.0.0.0 11624 Bytes 28/03/2011 06:15:39
    RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/04/2011 07:07:58
    RCTEXT.DLL : 10.0.58.0 97128 Bytes 28/03/2011 06:15:52

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:, E:,
    Process scan........................: on
    Extended process scan...............: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium

    Start of the scan: Tuesday, 24 May 2011 20:24

    Starting search for hidden objects.

    The scan of running processes will be started
    Scan process 'wmiprvse.exe' - '44' Module(s) have been scanned
    Scan process 'STARFI~1.SCR' - '25' Module(s) have been scanned
    Scan process 'avscan.exe' - '88' Module(s) have been scanned
    Scan process 'avcenter.exe' - '91' Module(s) have been scanned
    Scan process 'avgnt.exe' - '55' Module(s) have been scanned
    Scan process 'sched.exe' - '61' Module(s) have been scanned
    Scan process 'avshadow.exe' - '38' Module(s) have been scanned
    Scan process 'avguard.exe' - '72' Module(s) have been scanned
    Scan process 'svchost.exe' - '35' Module(s) have been scanned
    Scan process 'vssvc.exe' - '60' Module(s) have been scanned
    Scan process 'mcupdmgr.exe' - '82' Module(s) have been scanned
    Scan process 'svchost.exe' - '161' Module(s) have been scanned
    Scan process 'WinMail.exe' - '89' Module(s) have been scanned
    Scan process 'sprtsvc.exe' - '71' Module(s) have been scanned
    Scan process 'iPodService.exe' - '36' Module(s) have been scanned
    Scan process 'wmpnetwk.exe' - '79' Module(s) have been scanned
    Scan process 'McSvHost.exe' - '153' Module(s) have been scanned
    Scan process 'mfefire.exe' - '34' Module(s) have been scanned
    Scan process 'mcshield.exe' - '73' Module(s) have been scanned
    Scan process 'RUNDLL32.EXE' - '38' Module(s) have been scanned
    Scan process 'SearchIndexer.exe' - '89' Module(s) have been scanned
    Scan process 'svchost.exe' - '38' Module(s) have been scanned
    Scan process 'svchost.exe' - '50' Module(s) have been scanned
    Scan process 'SeaPort.exe' - '69' Module(s) have been scanned
    Scan process 'svchost.exe' - '47' Module(s) have been scanned
    Scan process 'mfevtps.exe' - '40' Module(s) have been scanned
    Scan process 'IAANTMon.exe' - '41' Module(s) have been scanned
    Scan process 'BtStackServer.exe' - '78' Module(s) have been scanned
    Scan process 'ehmsas.exe' - '26' Module(s) have been scanned
    Scan process 'Apntex.exe' - '27' Module(s) have been scanned
    Scan process 'HidFind.exe' - '29' Module(s) have been scanned
    Scan process 'ApMsgFwd.exe' - '29' Module(s) have been scanned
    Scan process 'DellDock.exe' - '89' Module(s) have been scanned
    Scan process 'BTTray.exe' - '68' Module(s) have been scanned
    Scan process 'wmpnscfg.exe' - '35' Module(s) have been scanned
    Scan process 'ehtray.exe' - '31' Module(s) have been scanned
    Scan process 'sprtcmd.exe' - '69' Module(s) have been scanned
    Scan process 'mcagent.exe' - '115' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '75' Module(s) have been scanned
    Scan process 'rundll32.exe' - '39' Module(s) have been scanned
    Scan process 'PDVDDXSrv.exe' - '45' Module(s) have been scanned
    Scan process 'IAAnotif.exe' - '43' Module(s) have been scanned
    Scan process 'quickset.exe' - '83' Module(s) have been scanned
    Scan process 'WLTRAY.EXE' - '67' Module(s) have been scanned
    Scan process 'sttray.exe' - '46' Module(s) have been scanned
    Scan process 'Apoint.exe' - '37' Module(s) have been scanned
    Scan process 'hnm_svc.exe' - '118' Module(s) have been scanned
    Scan process 'btwdins.exe' - '31' Module(s) have been scanned
    Scan process 'svchost.exe' - '47' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '38' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '167' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '52' Module(s) have been scanned
    Scan process 'aestsrv.exe' - '21' Module(s) have been scanned
    Scan process 'Dwm.exe' - '44' Module(s) have been scanned
    Scan process 'svchost.exe' - '64' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '89' Module(s) have been scanned
    Scan process 'bcmwltry.exe' - '78' Module(s) have been scanned
    Scan process 'WLTRYSVC.EXE' - '24' Module(s) have been scanned
    Scan process 'svchost.exe' - '100' Module(s) have been scanned
    Scan process 'Ati2evxx.exe' - '41' Module(s) have been scanned
    Scan process 'DockLogin.exe' - '28' Module(s) have been scanned
    Scan process 'svchost.exe' - '87' Module(s) have been scanned
    Scan process 'SLsvc.exe' - '29' Module(s) have been scanned
    Scan process 'svchost.exe' - '44' Module(s) have been scanned
    Scan process 'CTAudSvc.exe' - '31' Module(s) have been scanned
    Scan process 'STacSV.exe' - '41' Module(s) have been scanned
    Scan process 'svchost.exe' - '120' Module(s) have been scanned
    Scan process 'svchost.exe' - '80' Module(s) have been scanned
    Scan process 'Ati2evxx.exe' - '35' Module(s) have been scanned
    Scan process 'svchost.exe' - '42' Module(s) have been scanned
    Scan process 'svchost.exe' - '47' Module(s) have been scanned
    Scan process 'lsm.exe' - '31' Module(s) have been scanned
    Scan process 'lsass.exe' - '69' Module(s) have been scanned
    Scan process 'services.exe' - '41' Module(s) have been scanned
    Scan process 'winlogon.exe' - '39' Module(s) have been scanned
    Scan process 'csrss.exe' - '14' Module(s) have been scanned
    Scan process 'wininit.exe' - '35' Module(s) have been scanned
    Scan process 'csrss.exe' - '14' Module(s) have been scanned
    Scan process 'smss.exe' - '2' Module(s) have been scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [DETECTION] Contains code of the BOO/TDss.M boot sector virus
    [NOTE] The boot sector was not written!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [DETECTION] Contains code of the BOO/TDss.M boot sector virus
    [NOTE] The boot sector was not written!
    Boot sector 'E:\'
    [DETECTION] Contains code of the BOO/TDss.M boot sector virus
    [NOTE] The boot sector was not written!

    Starting to scan executable files (registry).

    The registry was scanned ( '1817' files ).


    Starting the file scan:

    Begin scan in 'C:\' <OS>
    C:\Program Files\Mozilla Firefox\0.19789321904291302.exe
    [DETECTION] Is the TR/Fake.Rean.1948 Trojan
    C:\Users\Onur\AppData\Local\vah.exe
    [DETECTION] Is the TR/FakeAV.czvb Trojan
    C:\Users\Onur\AppData\Local\Temp\0.16296048091286697.exe
    [DETECTION] Is the TR/Dldr.Renos.twf Trojan
    C:\Users\Onur\AppData\Local\Temp\0.20220546709169274.exe
    [DETECTION] Is the TR/Dldr.Renos.twf Trojan
    C:\Users\Onur\AppData\Local\Temp\0.6835808642239324.exe
    [DETECTION] Is the TR/FakeAV.czvb Trojan
    C:\Users\Onur\AppData\Local\Temp\jar_cache1228664689912818467.tmp
    [DETECTION] Is the TR/FakeAV.czvb Trojan
    C:\Users\Onur\AppData\Local\Temp\jar_cache3488237086204442127.tmp
    [DETECTION] Is the TR/Fake.Rean.1948 Trojan
    C:\Users\Onur\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\c669a2-2a7f2e72
    [0] Archive type: ZIP
    [DETECTION] Contains recognition pattern of the JAVA/Stutter.AH Java virus
    --> vload.class
    [DETECTION] Contains recognition pattern of the JAVA/Stutter.AH Java virus
    --> vmain.class
    [DETECTION] Contains recognition pattern of the JAVA/Stutter.AG Java virus
    C:\Users\Onur\Documents\Files\Uni\1st Year\2009\Semester 1\Mind, Brain and Behaviour\Lectures\Sensation and Perception\880-001Lecture1.pdf
    [0] Archive type: PDF
    [DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
    --> pdf_img_49.avp
    [DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
    C:\Users\Onur\Documents\Files\Uni\1st Year\2009\Semester 1\Mind, Brain and Behaviour\Lectures\Sensation and Perception\880-001Lecture2.pdf
    [0] Archive type: PDF
    [DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
    --> pdf_img_0.avp
    [DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\6685d300-27140475
    [DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.A exploit
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\4d2bdafe-227fa66d
    [0] Archive type: ZIP
    [DETECTION] Contains recognition pattern of the JAVA/Exdoer.CP Java virus
    --> FAQ/Template.class
    [DETECTION] Contains recognition pattern of the JAVA/Exdoer.CP Java virus
    --> tools/Commander.class
    [DETECTION] Contains recognition pattern of the JAVA/Exdoer.CR Java virus
    --> tools/Syntax.class
    [DETECTION] Contains recognition pattern of the JAVA/Exdoer.CQ Java virus
    --> tools/XmlStandard.class
    [DETECTION] Contains recognition pattern of the JAVA/Exdoer.CO Java virus
    C:\Windows\Temp\jar_cache7677709313234663009.tmp
    [DETECTION] Is the TR/Drop.Dapato.gp Trojan
    Begin scan in 'E:\' <RECOVERY>

    Beginning disinfection:
    C:\Windows\Temp\jar_cache7677709313234663009.tmp
    [DETECTION] Is the TR/Drop.Dapato.gp Trojan
    [NOTE] The file was moved to the quarantine directory under the name '4bba6677.qua'.
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\4d2bdafe-227fa66d
    [DETECTION] Contains recognition pattern of the JAVA/Exdoer.CO Java virus
    [NOTE] The file was moved to the quarantine directory under the name '536d49d3.qua'.
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\6685d300-27140475
    [DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.A exploit
    [NOTE] The file was moved to the quarantine directory under the name '671b56b8.qua'.
    C:\Users\Onur\Documents\Files\Uni\1st Year\2009\Semester 1\Mind, Brain and Behaviour\Lectures\Sensation and Perception\880-001Lecture2.pdf
    [DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
    [NOTE] The file could not be copied to quarantine!
    [NOTE] The file does not exist!
    C:\Users\Onur\Documents\Files\Uni\1st Year\2009\Semester 1\Mind, Brain and Behaviour\Lectures\Sensation and Perception\880-001Lecture1.pdf
    [DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
    [NOTE] The file could not be copied to quarantine!
    [NOTE] The file does not exist!
    C:\Users\Onur\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\c669a2-2a7f2e72
    [DETECTION] Contains recognition pattern of the JAVA/Stutter.AG Java virus
    [NOTE] The file was moved to the quarantine directory under the name '113e6fd1.qua'.
    C:\Users\Onur\AppData\Local\Temp\jar_cache3488237086204442127.tmp
    [DETECTION] Is the TR/Fake.Rean.1948 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '6d7a2e7e.qua'.
    C:\Users\Onur\AppData\Local\Temp\jar_cache1228664689912818467.tmp
    [DETECTION] Is the TR/FakeAV.czvb Trojan
    [NOTE] The file was moved to the quarantine directory under the name '40200130.qua'.
    C:\Users\Onur\AppData\Local\Temp\0.6835808642239324.exe
    [DETECTION] Is the TR/FakeAV.czvb Trojan
    [NOTE] The file could not be copied to quarantine!
    [NOTE] The file does not exist!
    C:\Users\Onur\AppData\Local\Temp\0.20220546709169274.exe
    [DETECTION] Is the TR/Dldr.Renos.twf Trojan
    [NOTE] The file could not be copied to quarantine!
    [NOTE] The file does not exist!
    C:\Users\Onur\AppData\Local\Temp\0.16296048091286697.exe
    [DETECTION] Is the TR/Dldr.Renos.twf Trojan
    [NOTE] The file could not be copied to quarantine!
    [NOTE] The file does not exist!
    C:\Users\Onur\AppData\Local\vah.exe
    [DETECTION] Is the TR/FakeAV.czvb Trojan
    [NOTE] The file could not be copied to quarantine!
    [NOTE] The file does not exist!
    C:\Program Files\Mozilla Firefox\0.19789321904291302.exe
    [DETECTION] Is the TR/Fake.Rean.1948 Trojan
    [NOTE] The file could not be copied to quarantine!
    [NOTE] The file does not exist!


    End of the scan: Wednesday, 25 May 2011 00:39
    Used time: 2:26:52 Hour(s)

    The scan has been done completely.

    26534 Scanned directories
    568757 Files were scanned
    21 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    6 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    568739 Files not concerned
    6470 Archives were scanned
    0 Warnings
    16 Notes
    493798 Objects were scanned with rootkit scan
    0 Hidden objects were found




    MALWAREBYTES:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6654

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.19019

    25/05/2011 2:31:32 AM
    mbam-log-2011-05-25 (02-31-32).txt

    Scan type: Quick scan
    Objects scanned: 152166
    Time elapsed: 9 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{9E9DA3C5-C7F9-8051-B7C9-5649F9EA3AA3} (Trojan.ZbotR.Gen) -> Value: {9E9DA3C5-C7F9-8051-B7C9-5649F9EA3AA3} -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\Onur\AppData\Roaming\microsoft\Windows\start menu\Programs\StartUp\fulo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\Onur\AppData\Roaming\microsoft\Windows\start menu\Programs\StartUp\mijoe.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Windows\Temp\jar_cache3737238844970604673.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Windows\Temp\jar_cache646693631889566736.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.





    GMER:
    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit quick scan 2011-05-25 13:26:54
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0003
    Running: q8zhshzq.exe; Driver: C:\Users\Onur\AppData\Local\Temp\pxldapob.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- System - GMER 1.0.15 ----

    Code B13A4233 TmInitSystem

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
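As an added example (my code, not from the thread or from Avira), a small Python triage script for the Avira report format pasted above: it pairs each [DETECTION] with the outcome reported in the disinfection section, so quarantined files, paths that no longer existed, and detections Avira left untouched (here the master boot record, which it reports as "not written") come out as three separate lists. The sample report is a constructed excerpt of the log in this post.

```python
"""Triage an Avira AntiVir report: pair each [DETECTION] with its outcome."""
import re
from dataclasses import dataclass

# Constructed excerpt of the report pasted above: one MBR hit, three file hits
# (one inside a Java archive) and the disinfection section for those files.
SAMPLE_REPORT = r"""
Starting master boot sector scan:
Master boot sector HD0
[DETECTION] Contains code of the BOO/TDss.M boot sector virus
[NOTE] The boot sector was not written!
Starting the file scan:
Begin scan in 'C:\' <OS>
C:\Users\Onur\AppData\Local\vah.exe
[DETECTION] Is the TR/FakeAV.czvb Trojan
C:\Users\Onur\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\c669a2-2a7f2e72
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Stutter.AH Java virus
--> vload.class
[DETECTION] Contains recognition pattern of the JAVA/Stutter.AH Java virus
C:\Windows\Temp\jar_cache7677709313234663009.tmp
[DETECTION] Is the TR/Drop.Dapato.gp Trojan
Beginning disinfection:
C:\Windows\Temp\jar_cache7677709313234663009.tmp
[DETECTION] Is the TR/Drop.Dapato.gp Trojan
[NOTE] The file was moved to the quarantine directory under the name '4bba6677.qua'.
C:\Users\Onur\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\c669a2-2a7f2e72
[DETECTION] Contains recognition pattern of the JAVA/Stutter.AG Java virus
[NOTE] The file was moved to the quarantine directory under the name '113e6fd1.qua'.
C:\Users\Onur\AppData\Local\vah.exe
[DETECTION] Is the TR/FakeAV.czvb Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
End of the scan: Wednesday, 25 May 2011 00:39
"""

@dataclass
class Finding:
    phase: str             # "boot", "scan" or "disinfect"
    target: str            # file path or boot-sector label as Avira prints it
    signature: str = ""    # Avira signature name, e.g. TR/FakeAV.czvb
    outcome: str = "none"  # quarantined | missing | not_written | none

# Section headers that open the parts of the report we care about.
PHASES = {"Starting master boot sector scan:": "boot", "Start scanning boot sectors:": "boot",
          "Starting the file scan:": "scan", "Beginning disinfection:": "disinfect"}
# Substrings of [NOTE] lines that tell us what Avira did with the target.
NOTE_OUTCOMES = {"moved to the quarantine directory": "quarantined",
                 "does not exist": "missing", "boot sector was not written": "not_written"}
SIG_RE = re.compile(
    r"^\[DETECTION\] (?:Is the|Contains (?:code|recognition pattern) of the) (\S+)")

def parse_report(text: str) -> list[Finding]:
    """Each non-bracketed line names a target; the [DETECTION]/[NOTE] lines after it describe it."""
    findings: list[Finding] = []
    phase = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in PHASES:
            phase, current = PHASES[line], None
            continue
        if line.startswith("End of the scan:"):
            break
        if phase is None or line.startswith("Begin scan in"):
            continue
        if line.startswith("[DETECTION]"):
            m = SIG_RE.match(line)
            # First signature per target only; later ones belong to archive members ("--> ...").
            if m and current is not None and not current.signature:
                current.signature = m.group(1)
                findings.append(current)
        elif line.startswith("[NOTE]") and current is not None:
            for needle, outcome in NOTE_OUTCOMES.items():
                if needle in line:
                    current.outcome = outcome
        elif line.startswith(("[", "-->")):
            continue  # "[0] Archive type: ZIP" and archive-member lines
        else:
            current = Finding(phase, line)
    return findings

def summarize(findings: list[Finding]) -> dict:
    """Pair each boot-sector or scan-time detection with its disinfection result; anything
    neither quarantined nor already absent is 'unresolved' (where a 'not written' MBR lands)."""
    outcomes = {f.target: f.outcome for f in findings if f.phase == "disinfect"}
    summary = {"quarantined": [], "missing": [], "unresolved": []}
    for f in findings:
        if f.phase == "disinfect":
            continue
        outcome = outcomes.get(f.target, f.outcome)
        bucket = outcome if outcome in ("quarantined", "missing") else "unresolved"
        summary[bucket].append((f.target, f.signature))
    return summary

if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```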
  2. Bobbye (Helper on the Fringe)

    Please finish the steps in the thread and leave the 2 logs from DDS in your next reply. When I have the additional logs, I will have you take the next step.

    Important! One of the malware entries is from a rogue program that will "alert" you to problems, then offer to fix them on their site ($$$). It is important that you don't act on these alerts.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Note: I have deleted your duplicate thread. Please leave the logs on this thread; do not start a new one for the same problem.
  3. BigChief014 (Newcomer, in training; Topic Starter)

    Sorry, I thought I could post the remaining logs right away. Here they are.
    Edit: Just to update you, my user account is not applying changes I make to my profile picture; my Dell Dock is constantly crashing; and my Quick Launch icon in the Taskbar is permanently gone despite enabling it in Taskbar Properties. I don't mean to unload all my problems on you, but everything here happened after the problems in my previous post. If they're related, please help me fix them. Thanks Bobbye!



    DDS:
    .
    DDS (Ver_11-05-19.01) - NTFSx86
    Internet Explorer: 8.0.6001.19019
    Run by Onur at 13:23:26 on 2011-05-25
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3579.2622 [GMT 10:00]
    .
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Ati2evxx.exe
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\WLTRYSVC.EXE
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Dell\DellDock\DellDock.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\RUNDLL32.EXE
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Users\Onur\Desktop\dds.scr
    C:\Windows\system32\WSCRIPT.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [RunDLLEntry] c:\windows\system32\rundll32.exe c:\windows\system32\AmbRunE.dll,RunDLLEntry
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\onur\appdata\roaming\mozilla\firefox\profiles\ab5ixccm.default\
    FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-4-30 218688]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_f6ef8056\AEstSrv.exe [2009-9-11 81920]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-24 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-24 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-24 61960]
    R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-19 155648]
    R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-9-11 29736]
    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-9-11 144128]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-30 136176]
    S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-9-11 79360]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-9-11 79360]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-30 136176]
    S3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files\common files\creative labs shared\service\XMBLicensing.exe [2009-9-11 79360]
    .
    =============== Created Last 30 ================
    .
    2011-05-24 10:38:12 -------- d-----w- c:\users\onur\appdata\roaming\Jujeh
    2011-05-24 10:38:12 -------- d-----w- c:\users\onur\appdata\roaming\Coabas
    2011-05-24 10:22:32 -------- d-----w- c:\users\onur\appdata\roaming\Avira
    2011-05-24 10:10:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-05-24 10:10:36 -------- d-----w- c:\programdata\Avira
    2011-05-24 10:10:36 -------- d-----w- c:\program files\Avira
    2011-05-23 17:05:39 -------- d-----w- c:\users\onur\appdata\roaming\Malwarebytes
    2011-05-23 17:05:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-23 17:05:16 -------- d-----w- c:\programdata\Malwarebytes
    2011-05-23 17:05:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-23 17:05:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-22 13:05:28 0 ---ha-w- c:\users\onur\appdata\local\Fsakoca.bin
    2011-05-22 13:05:26 -------- d--h--w- c:\users\onur\appdata\local\{CDDBA3CB-4DD2-4FD3-97CB-CFFA1F097D74}
    2011-05-20 07:25:26 -------- d--h--w- c:\windows\msdownld.tmp
    2011-05-20 07:25:21 -------- d-----w- c:\windows\system32\directx
    2011-05-20 07:21:54 -------- d-----w- c:\program files\PCSX2 0.9.8
    2011-05-07 17:00:39 -------- d--h--w- c:\users\onur\appdata\local\Microsoft Games
    2011-05-07 08:28:40 -------- d-----w- c:\users\onur\appdata\local\Stardock_Corporation
    2011-05-06 14:43:17 -------- d-----w- c:\users\onur\appdata\roaming\Eclipse
    2011-05-06 14:43:12 -------- d--h--w- c:\users\onur\appdata\local\javasharedresources
    2011-05-06 14:38:32 -------- d-----w- c:\programdata\SafeNet Sentinel
    2011-05-06 14:36:19 -------- d--h--w- c:\program files\Zero G Registry
    2011-05-06 14:36:18 -------- d--h--w- c:\users\onur\InstallAnywhere
    2011-05-06 14:35:20 -------- d-----w- c:\programdata\SPSS
    2011-05-06 14:33:33 -------- d-----w- c:\program files\common files\IBM
    2011-05-06 14:32:07 -------- d-----w- c:\program files\IBM
    2011-05-06 14:31:53 205 ----a-w- c:\windows\system32\lsprst7.dll
    2011-05-06 14:31:53 1025 ----a-w- c:\windows\system32\sysprs7.dll
    2011-05-06 06:05:37 -------- d-----w- c:\program files\ATMA V
    2011-04-30 12:13:03 -------- d--h--w- c:\users\onur\appdata\roaming\Kisis
    2011-04-30 12:13:03 -------- d-----w- c:\users\onur\appdata\roaming\Ildo
    2011-04-30 06:03:10 -------- d-----w- c:\users\onur\appdata\local\SupportSoft
    2011-04-30 01:29:11 94208 ----a-w- c:\windows\DIIUnin.exe
    2011-04-30 01:29:11 2829 ----a-w- c:\windows\DIIUnin.pif
    2011-04-30 01:27:38 -------- d-----w- c:\program files\Diablo II
    2011-04-30 01:06:41 -------- d--h--w- c:\users\onur\appdata\local\Apple Computer
    2011-04-29 17:12:49 571392 ----a-w- c:\windows\system32\Flurry.scr
    2011-04-29 16:35:00 14596133 ----a-w- c:\windows\system32\Windows 7 Energy.scr
    2011-04-29 16:34:51 16440029 ----a-w- c:\windows\system32\Waterfalls HD.scr
    2011-04-29 16:30:01 14336 ----a-w- c:\windows\system32\Starfield.scr
    2011-04-29 16:21:02 -------- d-----w- c:\program files\HJSplit
    2011-04-29 16:17:31 -------- d-----w- c:\program files\WinSPC
    2011-04-29 15:35:27 -------- d-----w- c:\program files\NCH Software
    2011-04-29 15:35:25 -------- d--h--w- c:\users\onur\appdata\roaming\NCH Software
    2011-04-29 15:30:47 -------- d-----w- c:\program files\ComicRack
    2011-04-29 15:25:00 -------- d-----w- c:\program files\Audacity
    2011-04-29 15:24:36 -------- d-----w- c:\program files\G3C
    2011-04-29 15:24:19 -------- d-----w- c:\program files\Foxit Software
    2011-04-29 15:15:49 -------- d--h--w- c:\users\onur\appdata\local\Google
    2011-04-29 15:15:42 -------- d-----w- c:\program files\SpinRite
    2011-04-29 15:14:27 -------- d-----w- c:\program files\Audiosurf
    2011-04-29 15:13:17 -------- d-----w- c:\program files\BitTorrent
    2011-04-29 15:12:48 -------- d-----w- c:\users\onur\appdata\roaming\BitTorrent
    2011-04-29 15:11:01 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
    2011-04-29 15:10:54 -------- d-----w- c:\program files\DAEMON Tools Lite
    2011-04-29 15:08:58 -------- d--h--w- c:\users\onur\appdata\roaming\DAEMON Tools Lite
    2011-04-29 15:08:58 -------- d--h--w- c:\programdata\DAEMON Tools Lite
    2011-04-29 15:08:40 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-04-29 15:08:40 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-04-29 15:08:40 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-04-29 15:08:40 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-04-29 15:08:40 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-04-29 15:08:40 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-04-29 15:08:39 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
    2011-04-29 15:08:39 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
    2011-04-29 15:06:06 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-04-29 15:06:06 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2011-04-29 15:05:11 -------- d-----w- c:\program files\iPod
    2011-04-29 15:05:10 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2011-04-29 15:05:10 -------- d-----w- c:\program files\iTunes
    2011-04-29 14:56:30 -------- d--h--w- c:\users\onur\appdata\local\Apple
    2011-04-29 14:53:30 -------- d-----w- c:\program files\Guitar Pro 5
    2011-04-29 14:51:56 -------- d-----w- c:\program files\Bonjour
    2011-04-29 14:50:09 -------- d-----w- c:\program files\Happy Note
    2011-04-29 14:49:55 178176 ----a-w- c:\windows\system32\unrar.dll
    2011-04-29 14:49:50 881664 ----a-w- c:\windows\system32\xvidcore.dll
    2011-04-29 14:49:50 839680 ----a-w- c:\windows\system32\lameACM.acm
    2011-04-29 14:49:50 217088 ----a-w- c:\windows\system32\yv12vfw.dll
    2011-04-29 14:49:50 205824 ----a-w- c:\windows\system32\xvidvfw.dll
    2011-04-29 14:49:50 118784 ----a-w- c:\windows\system32\ac3acm.acm
    2011-04-29 14:49:48 85504 ----a-w- c:\windows\system32\ff_vfw.dll
    2011-04-29 14:49:46 -------- d-----w- c:\program files\K-Lite Codec Pack
    2011-04-29 14:44:52 -------- d-----w- c:\program files\Spectromancer
    2011-04-29 14:44:37 -------- d-----w- c:\program files\Power Tab Editor 1.7
    2011-04-29 14:43:52 -------- d-----w- c:\program files\ShellExView
    2011-04-29 14:43:18 -------- d-----w- c:\program files\Tetris
    2011-04-29 14:43:04 551424 ----a-w- c:\windows\TheMatrix.scr
    2011-04-29 14:43:04 -------- d-----w- c:\program files\TheMatrix Screen Saver
    2011-04-29 14:42:23 -------- d-----w- c:\program files\JDownloader
    2011-04-29 14:40:54 -------- d-----w- c:\program files\NCH Swift Sound
    2011-04-29 14:40:41 -------- d-----w- c:\program files\Tunatic
    2011-04-29 14:40:33 -------- d-----w- c:\program files\Ultimate Windows Tweaker
    2011-04-29 13:54:27 -------- d--h--w- c:\users\onur\appdata\local\Adobe
    2011-04-29 13:27:39 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
    2011-04-29 13:27:01 72704 ----a-w- c:\windows\system32\admparse.dll
    2011-04-29 13:27:00 66560 ----a-w- c:\windows\system32\tdc.ocx
    2011-04-29 13:27:00 48128 ----a-w- c:\windows\system32\mshtmler.dll
    2011-04-29 13:27:00 34816 ----a-w- c:\windows\system32\imgutil.dll
    2011-04-29 13:27:00 18944 ----a-w- c:\windows\system32\corpol.dll
    2011-04-29 13:27:00 156160 ----a-w- c:\windows\system32\msls31.dll
    2011-04-29 13:21:13 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2011-04-29 13:21:13 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2011-04-29 13:21:13 297808 ----a-w- c:\windows\system32\mscoree.dll
    2011-04-29 13:21:13 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2011-04-29 13:21:13 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2011-04-29 13:19:16 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2011-04-29 13:19:14 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2011-04-29 13:19:13 31232 ----a-w- c:\windows\system32\httpapi.dll
    2011-04-29 13:18:27 231936 ----a-w- c:\windows\system32\msshsq.dll
    2011-04-29 13:15:24 1257472 ----a-w- c:\windows\system32\msxml3.dll
    2011-04-29 13:15:03 409600 ----a-w- c:\windows\system32\odbc32.dll
    2011-04-29 13:15:02 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2011-04-29 13:15:02 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
    2011-04-29 13:15:02 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
    2011-04-29 13:15:02 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
    2011-04-29 13:15:02 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
    2011-04-29 13:14:47 104960 ----a-w- c:\windows\system32\netiohlp.dll
    2011-04-29 13:14:46 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
    2011-04-29 13:14:46 19968 ----a-w- c:\windows\system32\ARP.EXE
    2011-04-29 13:14:45 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
    2011-04-29 13:14:45 10240 ----a-w- c:\windows\system32\finger.exe
    2011-04-29 13:14:44 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
    2011-04-29 13:14:44 17920 ----a-w- c:\windows\system32\ROUTE.EXE
    2011-04-29 13:14:44 11264 ----a-w- c:\windows\system32\MRINFO.EXE
    2011-04-29 13:14:42 17920 ----a-w- c:\windows\system32\netevent.dll
    2011-04-29 13:13:33 2868224 ----a-w- c:\windows\system32\mf.dll
    2011-04-29 13:13:25 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-04-29 13:13:24 3550608 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-04-29 13:13:24 1205592 ----a-w- c:\windows\system32\ntdll.dll
    2011-04-29 13:13:16 499712 ----a-w- c:\windows\system32\kerberos.dll
    2011-04-29 13:13:16 175104 ----a-w- c:\windows\system32\wdigest.dll
    2011-04-29 13:13:15 1256448 ----a-w- c:\windows\system32\lsasrv.dll
    2011-04-29 13:13:14 9728 ----a-w- c:\windows\system32\lsass.exe
    2011-04-29 13:13:14 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2011-04-29 13:13:13 72704 ----a-w- c:\windows\system32\secur32.dll
    2011-04-29 13:12:58 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
    2011-04-29 13:12:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2011-04-29 13:12:05 1616384 ----a-w- c:\program files\windows mail\msoe.dll
    2011-04-29 13:12:01 954752 ----a-w- c:\windows\system32\mfc40.dll
    2011-04-29 13:12:01 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2011-04-29 13:10:55 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-04-29 13:09:09 71680 ----a-w- c:\windows\system32\atl.dll
    2011-04-29 13:09:05 274432 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 13:07:58 126464 ----a-w- c:\windows\system32\spoolsv.exe
    2011-04-29 13:06:56 531968 ----a-w- c:\windows\system32\comctl32.dll
    2011-04-29 12:26:03 2421760 ----a-w- c:\windows\system32\wucltux.dll
    2011-04-29 12:25:47 87552 ----a-w- c:\windows\system32\wudriver.dll
    2011-04-29 12:25:38 33792 ----a-w- c:\windows\system32\wuapp.exe
    2011-04-29 12:25:38 171608 ----a-w- c:\windows\system32\wuwebv.dll
    2011-04-29 12:12:07 -------- d-----w- c:\users\onur\appdata\local\Mozilla
    2011-04-29 12:02:41 -------- d--h--w- c:\users\onur\appdata\local\DataSafeOnline
    2011-04-29 12:02:35 -------- d--h--w- c:\users\onur\appdata\local\Broadcom
    2011-04-29 12:02:16 -------- d--h--w- c:\users\onur\appdata\local\PowerDVD DX
    2011-04-29 12:01:48 -------- d-----w- c:\users\onur\appdata\local\VirtualStore
    2011-04-29 11:55:53 -------- d-sh--we C:\Documents and Settings
    .
    ==================== Find3M ====================
    .
    2011-04-06 06:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 06:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-04-06 06:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 06:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-03-10 16:12:54 1161728 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-10 16:12:54 1136640 ----a-w- c:\windows\system32\mfc42.dll
    2011-03-03 15:00:15 738816 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-03 12:53:48 2040832 ----a-w- c:\windows\system32\win32k.sys
    2011-03-02 14:49:43 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
    .
    ============= FINISH: 13:24:19.54 ===============




    DDS Attach:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-05-19.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 11/09/2009 7:35:06 AM
    System Uptime: 25/05/2011 1:11:39 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0CJG36
    Processor: Intel(R) Core(TM)2 Duo CPU T6500 @ 2.10GHz | Microprocessor | 1200/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 283 GiB total, 138.733 GiB free.
    E: is FIXED (NTFS) - 15 GiB total, 8.08 GiB free.
    F: is CDROM ()
    W: is CDROM ()
    X: is CDROM ()
    Y: is CDROM ()
    Z: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.4
    Advanced Audio FX Engine
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATMA V 5.05
    Audacity 1.2.6
    Avira AntiVir Personal - Free Antivirus
    BitTorrent
    Bonjour
    ccc-utility
    Choice Guard
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    ComicRack v0.9.139
    Compatibility Pack for the 2007 Office system
    DAEMON Tools Lite
    Debut Video Capture Software
    Dell-eBay
    Dell Dock
    Dell Edoc Viewer
    Dell Getting Started Guide
    Dell Remote Access
    Dell Support Center (Support Software)
    Dell Touchpad
    Dell Video Chat
    Dell Webcam Central
    Dell Wireless WLAN Card Utility
    Diablo II
    Ear Training Play It By Ear HN
    Foxit PDF Editor
    G3C (remove only)
    Google Earth
    Google Update Helper
    GoToAssist 8.0.0.514
    Guitar Pro 5.0
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    IBM SPSS Statistics 19
    Intel® Matrix Storage Manager
    iTunes
    Java(TM) 6 Update 13
    JDownloader 0.9
    Junk Mail filter update
    K-Lite Codec Pack 5.5.1 (Full)
    LADSPA_plugins-win-0.4.15
    Live! Cam Avatar Creator
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Default Manager
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Works
    Mozilla Firefox 4.0.1 (x86 en-US)
    MSVCRT
    NirSoft ShellExView
    PCSX2 - Playstation 2 Emulator
    PlugY, The Survival Kit
    Power Tab Editor 1.7
    PowerDVD
    QuickSet
    QuickTime
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Sound Blaster X-Fi MB
    Spectromancer: Truth and Beauty
    TempoPerfect Metronome Software
    Tetris
    TheMatrix Screen Saver version 1.14
    Total Recorder Editor v12.1.1
    Tunatic
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    WIDCOMM Bluetooth Software 6.2.0.6600
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Player Firefox Plugin
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    25/05/2011 2:35:44 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Advanced Networking Service service to connect.
    25/05/2011 2:32:10 AM, Error: Service Control Manager [7034] - The Marvell Yukon Service service terminated unexpectedly. It has done this 1 time(s).
    25/05/2011 12:58:17 PM, Error: Service Control Manager [7034] - The McAfee Validation Trust Protection Service service terminated unexpectedly. It has done this 1 time(s).
    25/05/2011 12:57:16 PM, Error: Service Control Manager [7031] - The McAfee VirusScan Announcer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    25/05/2011 12:57:16 PM, Error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    25/05/2011 12:57:16 PM, Error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    25/05/2011 12:57:16 PM, Error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    25/05/2011 12:57:16 PM, Error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    25/05/2011 12:57:16 PM, Error: Service Control Manager [7031] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    23/05/2011 8:39:00 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Background Intelligent Transfer Service service, but this action failed with the following error: An instance of the service is already running.
    23/05/2011 8:19:30 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    23/05/2011 8:19:30 PM, Error: Service Control Manager [7022] - The Server service hung on starting.
    23/05/2011 8:19:30 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: After starting, the service hung in a start-pending state.
    23/05/2011 8:16:39 PM, Error: Service Control Manager [7023] - The Server service terminated with the following error: Not enough server storage is available to process this command.
    23/05/2011 2:21:16 PM, Error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    23/05/2011 1:22:21 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer DELIISTANBULLU that believes that it is the master browser for the domain on transport NetBT_Tcpip_{CA520E12-6A50-4CCF-927D-EC8. The master browser is stopping or an election is being forced.
    19/05/2011 8:53:28 PM, Error: netbt [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.0.100. The computer with the IP address 192.168.0.101 did not allow the name to be claimed by this computer.
    18/05/2011 9:23:03 AM, Error: Service Control Manager [7000] - The Intel(R) PRO/1000 PCI Express Network Connection Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    18/05/2011 9:23:03 AM, Error: Service Control Manager [7000] - The Intel(R) PRO/1000 NDIS 6 Adapter Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    18/05/2011 9:23:03 AM, Error: Service Control Manager [7000] - The Bluetooth Device (Personal Area Network) service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    18/05/2011 12:56:50 PM, Error: BTHUSB [17] - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
    18/05/2011 12:01:41 AM, Error: netbt [4321] - The name "DELIISTANBULLU :0" could not be registered on the interface with IP address 192.168.0.100. The computer with the IP address 192.168.0.101 did not allow the name to be claimed by this computer.
    .
    ==== End Of File ===========================
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    There are quite a few files that are outdated and others I will have to 'open' to identify. Please do the following:

    Please download MBRCheck and save to your desktop
    • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      [o] Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      [o] Found non-standard or infected MBR.
      [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Paste this log to your next message.
    ============================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [screenshot of the ComboFix message]
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ========================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =====================================
    Keep in mind that Malwarebytes removed entries for rogue programs, so messages and alerts you get most likely do not reflect a true state. We'll have to 'unhide' the files- the rogue does this to make you click on their 'fix'- which does nothing because the problem was set up by the malware.
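    The helper above says some of the listed files are outdated and others will have to be 'opened' to identify. The triage a helper does by eye on the DDS "Created Last 30" section can be written down as a script. The following is an added example, not code from the thread, from DDS, or from the helper: it parses the DDS created-file lines (date, time, size or dashes, an attribute string such as `d--h--w-`, path), then cross-checks entries under the user's AppData against the "Installed Programs" list from the DDS attach. The three rules (hidden zero-byte file in the profile, hidden GUID-named directory in the profile, profile directory whose name shares no word with any installed program) are my own review heuristics, not a verdict; they surface entries for a human to look at. The sample lines are copied from the log posted in this thread, and the installed-program subset is a constructed excerpt of that list.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# DDS "Created Last 30" layout: <date> <time> <size|--------> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


@dataclass
class Entry:
    date: str
    size: Optional[int]   # None when the size column is dashes (directories)
    attrs: str            # e.g. "d--h--w-": 'd' directory, 'h' hidden, 's' system
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def leaf(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def in_profile(self) -> bool:
        return "\\appdata\\" in self.path.lower()


def parse_created(text: str) -> list[Entry]:
    """Parse the DDS created-file lines; headers, dots and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["date"], size, m["attrs"], m["path"]))
    return entries


def _tokens(name: str) -> set[str]:
    # Words of 3+ characters, lower-cased; punctuation such as the apostrophe
    # in "Malwarebytes' Anti-Malware" is treated as a separator.
    return {t for t in re.split(r"[^a-z0-9]+", name.lower()) if len(t) >= 3}


def triage(entries: list[Entry], installed: list[str]) -> list[tuple[str, str]]:
    """Return (path, reason) pairs for profile entries a reviewer should open."""
    known = set().union(*(_tokens(p) for p in installed))
    findings = []
    for e in entries:
        if not e.in_profile:
            continue
        if e.is_hidden and not e.is_dir and e.size == 0:
            findings.append((e.path, "hidden zero-byte file in user profile"))
        elif e.is_hidden and e.is_dir and GUID_RE.match(e.leaf):
            findings.append((e.path, "hidden GUID-named directory in user profile"))
        elif e.is_dir and not (_tokens(e.leaf) & known):
            findings.append((e.path, "profile directory matches no installed program"))
    return findings


# Sample lines copied from the DDS log in this thread.
SAMPLE_CREATED = r"""
=============== Created Last 30 ================
.
2011-05-24 10:38:12 -------- d-----w- c:\users\onur\appdata\roaming\Jujeh
2011-05-24 10:38:12 -------- d-----w- c:\users\onur\appdata\roaming\Coabas
2011-05-24 10:22:32 -------- d-----w- c:\users\onur\appdata\roaming\Avira
2011-05-24 10:10:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-23 17:05:39 -------- d-----w- c:\users\onur\appdata\roaming\Malwarebytes
2011-05-22 13:05:28 0 ---ha-w- c:\users\onur\appdata\local\Fsakoca.bin
2011-05-22 13:05:26 -------- d--h--w- c:\users\onur\appdata\local\{CDDBA3CB-4DD2-4FD3-97CB-CFFA1F097D74}
2011-05-07 17:00:39 -------- d--h--w- c:\users\onur\appdata\local\Microsoft Games
2011-04-30 12:13:03 -------- d--h--w- c:\users\onur\appdata\roaming\Kisis
2011-04-30 01:06:41 -------- d--h--w- c:\users\onur\appdata\local\Apple Computer
"""

# Constructed excerpt of the thread's "Installed Programs" list.
SAMPLE_INSTALLED = [
    "Avira AntiVir Personal - Free Antivirus",
    "Malwarebytes' Anti-Malware",
    "Microsoft Silverlight",
    "Apple Application Support",
    "Google Earth",
    "DAEMON Tools Lite",
]


def run_sample() -> list[tuple[str, str]]:
    return triage(parse_created(SAMPLE_CREATED), SAMPLE_INSTALLED)


if __name__ == "__main__":
    for path, reason in run_sample():
        print(f"{reason:50} {path}")
```

Name-based matching is deliberately loose (one shared word is enough), so the output is a review list rather than a detection: legitimate directories with uncommon names will appear and must be identified by hand, which is the step the helper describes.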
  5. BigChief014

    BigChief014 Newcomer, in training Topic Starter

    Never mind, as I was waiting for a reply the problem got worse and worse and prompted me to reformat my computer. Thanks anyway.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Thanks for the update. I had to wait for my internet to come back up, then a violent storm front to get through. But I think you may have ended up at a better place.