Performance issues,unexplained loss of disk space&strange files,virus?

Inactive
By beccap
Jan 8, 2011
Topic Status:
Not open for further replies.
  1. i have had problems with freezing and having to unplug the computer to get it to turn off at times.i also can't figure out what's using up all my available disk space, but I did find probably hundreds of files in my windowa and systems32 folders with names like 26133viruszb59 and 3z19hacktool359.ocx and 3z96thief2435.dll. could these be causing the problems? I went through all the 8steps and have the logs for all the steps.but im so retarded im not sure if im supposed to post them here or wait for someone to answer then post it in a reply to them. Can anyone tell me what to do here? Thank you so much for your help.
  2. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Welcome aboard [​IMG]

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Reopened.....
  4. beccap

    beccap Newcomer, in training Topic Starter

    reopened topic

    Hello Broni. Thank you for helping me get back on track. I now have one more stupid question. I don't know how to post the logs. I assumed I could just copy and paste it into this reply but it's not letting me do that. Is there another way I should do it? If so, can you give me detailed instructions on how to do this. Thank you.
  5. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Explain, please.
  6. beccap

    beccap Newcomer, in training Topic Starter

    I right-click on the log, located on my desktop,then I clock on copy. then I go to the reply box and right-click and the option to paste is not highlighted as an option. I can't click on it at all. So I'm assuming it's just that I don't know how to do this correctly.What am I doing wrong here? Thanks
  7. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    You have to open a log in a Notepad, select all text, then copy and paste.
  8. beccap

    beccap Newcomer, in training Topic Starter

    gmer log

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-08 20:33:58
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380011A rev.3.08
    Running: cq3b8xc9.exe; Driver: C:\DOCUME~1\becca\LOCALS~1\Temp\uwliraoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT spgg.sys ZwEnumerateKey [0xF74FCDA4]
    SSDT spgg.sys ZwEnumerateValueKey [0xF74FD132]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort2 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort3 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\apuv6avw \Device\Scsi\apuv6avw1Port4Path0Target0Lun0 8A226500
    Device \Driver\apuv6avw \Device\Scsi\apuv6avw1 8A226500
    Device \FileSystem\Ntfs \Ntfs 8A30B1F8

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \FileSystem\Fastfat \Fat 89DB91F8

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----
  9. beccap

    beccap Newcomer, in training Topic Starter

    DDS log

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by becca at 20:51:48.73 on Sat 01/08/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.1070 [GMT -7:00]

    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\becca\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/ig
    uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60179
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    mSearchAssistant =
    mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60179
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    mURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PDFHelperBHO Class: {1ad61d5b-58a3-4592-9b34-dc84688ff805} - c:\program files\pdf suite\PDFIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    IE: Crawler Search - tbr:iemenu
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
    IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {B7B1D292-6383-4743-8793-9609BFABF36F} - {E751277C-C09B-448E-B5C9-95AB1B3E9FD2} - c:\program files\pdf suite\IEPDFExt.dll
    Trusted Zone: scouting.org\www
    Trusted Zone: youtube.com\www
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1245270930781
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-9 135664]
    S3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\a302.sys [2003-3-13 11319]
    S3 DIGIRPS;Digi PortServer Driver;c:\windows\system32\drivers\digirlpt.sys [2009-5-25 42432]

    =============== Created Last 30 ================

    2011-01-09 02:52:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-09 02:52:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-09 02:52:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-09 00:32:46 -------- d-----w- c:\program files\VideoLAN
    2010-12-22 23:53:40 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
    2010-12-22 23:53:19 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
    2010-12-22 23:53:19 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
    2010-12-22 23:53:19 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
    2010-12-22 23:53:19 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
    2010-12-22 23:53:18 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
    2010-12-22 23:53:17 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
    2010-12-22 23:53:17 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
    2010-12-22 23:51:09 78864 ----a-w- c:\windows\system32\drivers\LMouKE.Sys
    2010-12-22 23:51:09 62992 ----a-w- c:\windows\system32\drivers\L8042mou.Sys
    2010-12-22 23:51:08 20496 ----a-w- c:\windows\system32\drivers\L8042Kbd.sys
    2010-12-22 23:51:07 34576 ----a-w- c:\windows\system32\drivers\LHidFilt.Sys
    2010-12-22 23:51:07 33296 ----a-w- c:\windows\system32\drivers\LMouFilt.Sys
    2010-12-22 23:51:07 1419024 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
    2010-12-22 23:51:07 101136 ----a-w- c:\windows\KHALMNPR.Exe
    2010-12-22 23:35:41 -------- dc----w- C:\39654623a0771ac1acf9
    2010-12-16 21:45:18 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 15:15:34 -------- d-----w- c:\docume~1\becca\locals~1\applic~1\Yahoo!

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-08-11 08:04:14 1364522 ----a-w- c:\program files\wrar393.exe
    2010-08-11 02:03:02 260384 -c--a-w- c:\program files\daemontools4.35.6.exe
    2010-05-21 03:49:04 2131808 ----a-w- c:\program files\avg_free_stb_all_9_114_cnet.exe

    ============= FINISH: 20:52:31.18 ===============
  10. beccap

    beccap Newcomer, in training Topic Starter

    attach

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/11/2008 7:08:42 AM
    System Uptime: 1/8/2011 8:28:43 PM (0 hours ago)

    Motherboard: Hewlett-Packard | | 085Ch
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | XU1 PROCESSOR | 2992/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 4.998 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom NetXtreme Gigabit Ethernet for hp
    Device ID: PCI\VEN_14E4&DEV_1696&SUBSYS_12BC103C&REV_03\4&3A321F38&0&10F0
    Manufacturer: Broadcom
    Name: Broadcom NetXtreme Gigabit Ethernet for hp
    PNP Device ID: PCI\VEN_14E4&DEV_1696&SUBSYS_12BC103C&REV_03\4&3A321F38&0&10F0
    Service: b57w2k

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: PS/2 Compatible Mouse
    Device ID: ACPI\PNP0F13\4&369939D9&0
    Manufacturer: Logitech
    Name: PS/2 Compatible Mouse
    PNP Device ID: ACPI\PNP0F13\4&369939D9&0
    Service: i8042prt

    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
    Description: PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&369939D9&0
    Manufacturer: Logitech
    Name: PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&369939D9&0
    Service: i8042prt

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 9.3.3
    AVG 2011
    Broadcom Management Programs
    CDDRV_Installer
    CyberSky
    DAEMON Tools Toolbar
    Dassault Systemes Software Prerequisites x86
    DivX Web Player
    Facebook Plug-In
    Gimp 2.6.2 Debug
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2443685)
    InstallIQ Updater
    Intel(R) Extreme Graphics 2 Driver
    InterVideo WinDVD
    Java 2 Runtime Environment, SE v1.4.2_01
    Java(TM) 6 Update 15
    KhalSetup
    LightScribe 1.4.124.1
    Logitech Desktop Messenger
    Logitech SetPoint
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Move Media Player
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    muvee Plugin 1.0
    QuickTime
    Rosetta Stone Version 3
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923789)
    Software Setup
    Sonic Activation Module
    SoundMAX
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2467659)
    VC80CRTRedist - 8.0.50727.762
    VLC media player 1.1.5
    WebFldrs XP
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Resource Kit Tools - SubInAcl.exe
    Windows XP Service Pack 3
    Yahoo! Anti-Spy
    Yahoo! BrowserPlus 2.9.8
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    1/8/2011 7:49:39 PM, error: Service Control Manager [7034] - The SoundMAX Agent Service service terminated unexpectedly. It has done this 1 time(s).
    1/8/2011 7:49:39 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
    1/8/2011 7:49:39 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    1/8/2011 10:02:15 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    1/8/2011 10:02:09 AM, error: Service Control Manager [7001] - The Windows Service Pack Installer update service service depends on the Security Accounts Manager service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    1/8/2011 10:02:09 AM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    1/8/2011 10:01:36 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    ==== End Of File ===========================
  11. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Malwarebytes log is missing.
  12. beccap

    beccap Newcomer, in training Topic Starter

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5485

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/8/2011 8:01:46 PM
    mbam-log-2011-01-08 (20-01-46).txt

    Scan type: Quick scan
    Objects scanned: 134610
    Time elapsed: 5 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 12
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100EB1FD-D03E-47FD-81F3-EE91287F9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEBF} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEBF} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEC0} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEC0} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{8BCB5337-EC01-4E38-840C-A964F174255B} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BCB5337-EC01-4E38-840C-A964F174255B} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\SoftSafeness (Rogue.SoftSafeness) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  13. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.