Wham. Virus hit last night, ertfor.b? 8-steps included

By tylerd
Sep 10, 2010
  1. AVG detected a serious hit as I was downloading a file using the ABC torrent client. It quickly unloaded a multitude of infected files into my system (Sony VAIO laptop, Windows 7 Premium).

    Symptoms:
    Slow running, error messages on startup (duch.dll and another DLL; I should have screenshotted them), slow boot-up, System Restore inaccessible, Windows Explorer randomly malfunctions and has to restart.

    First I uninstalled AVG Free, as the virus would cause the program to endlessly pop up with warnings, making any usage of the computer slow and futile. I downloaded Microsoft Security Essentials and updated it. It detected ertfor.b and removed it. Still the symptoms remained, so I did a Google search for ertfor.b, found your forum and started the 8 steps.

    Ran TFC and restarted. 17,000 MB cleared.

    Downloaded, updated and ran a full system scan with Malwarebytes.

    ----------------------------------------------------------------------------------------
    first full scan:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4586

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    10/09/2010 10:03:07 AM
    mbam-log-2010-09-10 (10-03-07).txt

    Scan type: Quick scan
    Objects scanned: 136073
    Time elapsed: 5 minute(s), 39 second(s)

    Memory Processes Infected: 10
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 27
    Registry Data Items Infected: 1
    Folders Infected: 1
    Files Infected: 12

    Memory Processes Infected:
    C:\Windows\nvsvc32.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\Windows\cmd.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\Windows\user.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\Windows\spoolsv.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\Windows\csrss.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\Windows\setup.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\Windows\win16.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\Windows\drweb.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\Windows\taskmgr.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\Windows\win.exe (Trojan.Downloader) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF196$ (Adware.StreetAds) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqz (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqz (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mque (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mque (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquuf (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquuf (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqyc (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqyc (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquvc (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquvc (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqvpc (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqvpc (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqsc (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqsc (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqurb (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqurb (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqva (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqva (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uledeweciqusol (Trojan.Agent.U) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvtdhfngre (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvtdhfngre (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Windows\$ntUninstallmtf196$ (Adware.StreetAds) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Windows\nvsvc32.exe (Trojan.Downloader) -> Delete on reboot.
    C:\Windows\cmd.exe (Trojan.Downloader) -> Delete on reboot.
    C:\Windows\user.exe (Trojan.Downloader) -> Delete on reboot.
    C:\Windows\spoolsv.exe (Trojan.Downloader) -> Delete on reboot.
    C:\Windows\csrss.exe (Trojan.Downloader) -> Delete on reboot.
    C:\Windows\setup.exe (Trojan.Downloader) -> Delete on reboot.
    C:\Windows\win16.exe (Trojan.Downloader) -> Delete on reboot.
    C:\Windows\drweb.exe (Trojan.Downloader) -> Delete on reboot.
    C:\Windows\taskmgr.exe (Trojan.Downloader) -> Delete on reboot.
    C:\Windows\win.exe (Trojan.Downloader) -> Delete on reboot.
    C:\Windows\$ntUninstallmtf196$\apUninstall.exe (Adware.StreetAds) -> Quarantined and deleted successfully.
    C:\Users\tyler\AppData\Local\Temp\skaioejiesfjoee.tmp (Malware.Trace) -> Quarantined and deleted successfully.

    ---------------------------------------------------------------------------------------------

    Second Full Scan:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4586

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    10/09/2010 12:22:55 PM
    mbam-log-2010-09-10 (12-22-55).txt

    Scan type: Full scan (C:\|E:\|G:\|)
    Objects scanned: 262892
    Time elapsed: 41 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\tyler\AppData\Local\Mozilla\Firefox\Profiles\il97otd1.default\Cache\64321B95d01 (Rogue.Installer) -> No action taken.
    C:\Users\tyler\Downloads\setupxv.exe (Rogue.Installer) -> No action taken.
    C:\Windows\Tasks\RegClean Scheduled Scan.job (Rogue.RegClean) -> No action taken.

    ----------------------------------------------------------------------------------

    These infected registry entries and files can't seem to be removed even after restart.

    There are two startup processes that I do not recognize and have disabled, to hopefully prevent further downloading or hijacking:
    Lvtdhfngmtd and Lvtdhfngotd

    After doing another quick scan to confirm the infection is still here, I tried another deletion and ran DDS. I can include the logs if you need them.

    Since MBAM removed the majority of the infection I do not get messages on startup. System recover still says it requires 'administrator privileges' to run (which I am); there is a general slowness, and Windows Explorer still crashes spontaneously (once it happened as the infected registry entry was detected by MBAM).
    I have deleted all internet temp files and am not accessing any accounts for fear they may be hijacked.
    I hope you can help. I'm sorry I don't have the log from the first Microsoft scan, but hopefully this info is enough to get to the bottom of things.


    Thank you!
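The first MBAM log above is the main evidence in the thread: copies of csrss.exe, spoolsv.exe, taskmgr.exe and cmd.exe sitting directly under C:\Windows instead of System32, the same Run-key value names planted under both HKCU and HKLM, and policy values (DisableRegistryTools, NoFolderOptions) that lock the user out of regedit and Folder Options. As an added example that is not part of the original post, the Python below pulls exactly those indicators out of a log in this format. SAMPLE_LOG is a constructed excerpt written in the thread's log format, the SYSTEM32_ONLY list is an assumption of mine, and the triage heuristics are mine, not Malwarebytes' own logic.

```python
"""Triage a Malwarebytes 1.x scan log for the indicators that decide whether
a scan-and-clean is enough: system-binary names planted outside System32,
Run-key values mirrored in both hives, Explorer/System policy lockdowns,
and detections the scanner could not remove yet.  Added example, not code
from the thread; SAMPLE_LOG is a constructed excerpt modelled on the first
MBAM log in the post."""
import re
from collections import defaultdict

# Constructed excerpt (entries written in the thread's log format).
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\Windows\csrss.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\spoolsv.exe (Trojan.Downloader) -> Unloaded process successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\csrss.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\nvsvc32.exe (Trojan.Downloader) -> Delete on reboot.
C:\Users\tyler\Downloads\setupxv.exe (Rogue.Installer) -> No action taken.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# item (family) -> action; the action may itself contain "->" (Bad/Good lines).
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Assumption: core Windows binaries that live only under System32 on a clean
# install.  The same name directly under C:\Windows is a planted copy.
SYSTEM32_ONLY = {
    "csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "svchost.exe", "spoolsv.exe", "taskmgr.exe", "cmd.exe",
}
BOTH_HIVES = {"HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"}


def parse_entries(log_text):
    """Yield (section, item, family, action) for each detection line."""
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            yield section, m.group("item"), m.group("family"), m.group("action")


def triage(log_text):
    """Return the four indicator lists to check before trusting a clean rescan."""
    masquerades, policies, pending = set(), set(), []
    run_values = defaultdict(set)  # value name -> hives it appeared under
    for section, item, family, action in parse_entries(log_text):
        if "successfully" not in action:   # "Delete on reboot." / "No action taken."
            pending.append(item)
        low = item.lower()
        if low.startswith("hkey_"):
            hive, _, path = item.partition("\\")
            name = path.rsplit("\\", 1)[-1]
            if "\\currentversion\\run\\" in low:
                run_values[name].add(hive)
            if "\\policies\\" in low:       # Explorer/System lockdown values
                policies.add(name)
        elif ":\\" in low:
            directory, _, base = low.rpartition("\\")
            if base in SYSTEM32_ONLY and not directory.endswith("\\system32"):
                masquerades.add(item)
    return {
        "masquerades": sorted(masquerades),
        "run_values_both_hives": sorted(n for n, h in run_values.items() if BOTH_HIVES <= h),
        "policy_restrictions": sorted(policies),
        "pending": pending,
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for entry in items:
            print(f"  {entry}")
```

To use it on a real log, read a saved mbam-log-*.txt into a string and pass it to triage(). The "pending" list is the one to re-check after the reboot: "Delete on reboot" and "No action taken" entries are exactly what came back in the second scan above, and a masquerading csrss.exe or spoolsv.exe that survives a reboot means the cleanup has to continue before any account is used from that machine.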
  2. Broni

    Broni Malware Annihilator Posts: 45,188   +242

  3. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    Thank you for the response

    Here are the DDS logs. I am running 64-bit, so I can't run GMER?

    This is the latest MBAM log:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4586

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    10/09/2010 1:53:32 PM
    mbam-log-2010-09-10 (13-53-32).txt

    Scan type: Quick scan
    Objects scanned: 134765
    Time elapsed: 3 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    I don't see any current AV program running. What happened?

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ======================================================================

    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):

      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.

      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.
  5. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    Ah, I uninstalled AVG and installed Microsoft Security Essentials. I probably did the scan between those two points in time, which explains the lack of antivirus showing in the log.

    I rebooted after SUPERAntiSpyware and did an MBAM scan; the infected registry entry is clean! No viruses or malware.
    However, as I was writing this, Windows Explorer quit again. Maybe I should enable the unknown startup tasks I disabled? I can't find any information about them online. Any suggestions?

    Here are the logs as requested.


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Home Premium Edition
    Windows Information: (build 7600), 64-bit
    Base Board Manufacturer: Sony Corporation
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: Sony Corporation
    System Product Name: VPCEB11FD
    Logical Drives Mask: 0x00000074

    Kernel Drivers (total 188):
    0x02E66000 \SystemRoot\system32\ntoskrnl.exe
    0x02E1D000 \SystemRoot\system32\hal.dll
    0x00BAC000 \SystemRoot\system32\kdcom.dll
    0x00C01000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x00C45000 \SystemRoot\system32\PSHED.dll
    0x00C59000 \SystemRoot\system32\CLFS.SYS
    0x00CB7000 \SystemRoot\system32\CI.dll
    0x00E76000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x00F1A000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x00F29000 \SystemRoot\system32\drivers\ACPI.sys
    0x00F80000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x00F89000 \SystemRoot\system32\drivers\msisadrv.sys
    0x00F93000 \SystemRoot\system32\drivers\pci.sys
    0x00FC6000 \SystemRoot\system32\drivers\vdrvroot.sys
    0x00FD3000 \SystemRoot\System32\drivers\partmgr.sys
    0x00FE8000 \SystemRoot\system32\drivers\compbatt.sys
    0x00FF1000 \SystemRoot\system32\drivers\BATTC.SYS
    0x00E00000 \SystemRoot\system32\drivers\volmgr.sys
    0x00E15000 \SystemRoot\System32\drivers\volmgrx.sys
    0x00D77000 \SystemRoot\System32\drivers\mountmgr.sys
    0x010A8000 \SystemRoot\system32\drivers\iaStor.sys
    0x012B0000 \SystemRoot\system32\drivers\amdxata.sys
    0x012BB000 \SystemRoot\system32\drivers\fltmgr.sys
    0x01307000 \SystemRoot\system32\drivers\fileinfo.sys
    0x0131B000 \SystemRoot\System32\Drivers\PxHlpa64.sys
    0x01435000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x01327000 \SystemRoot\System32\Drivers\msrpc.sys
    0x015D8000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x01385000 \SystemRoot\System32\Drivers\cng.sys
    0x01400000 \SystemRoot\System32\drivers\pcw.sys
    0x01411000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x016EF000 \SystemRoot\system32\drivers\ndis.sys
    0x01600000 \SystemRoot\system32\drivers\NETIO.SYS
    0x01660000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x01802000 \SystemRoot\System32\drivers\tcpip.sys
    0x0168B000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x01000000 \SystemRoot\system32\drivers\volsnap.sys
    0x016D5000 \SystemRoot\System32\Drivers\spldr.sys
    0x0104C000 \SystemRoot\System32\drivers\rdyboost.sys
    0x016DD000 \SystemRoot\System32\Drivers\mup.sys
    0x017E1000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x00D91000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x017EA000 \SystemRoot\system32\drivers\disk.sys
    0x00DCB000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x03CA8000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x03CD2000 \SystemRoot\System32\Drivers\Null.SYS
    0x03CDB000 \SystemRoot\System32\Drivers\Beep.SYS
    0x03CE2000 \SystemRoot\System32\drivers\vga.sys
    0x03CF0000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x03D15000 \SystemRoot\System32\drivers\watchdog.sys
    0x03D25000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x03D2E000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x03D37000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x03D40000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x03D4B000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x03D5C000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x03D7A000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x03D87000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x03A00000 \SystemRoot\system32\drivers\afd.sys
    0x03DCC000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x03DD5000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x01086000 \SystemRoot\system32\DRIVERS\vwififlt.sys
    0x02CEF000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x02CFE000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x02D19000 \SystemRoot\system32\drivers\termdd.sys
    0x02D2D000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x02D7E000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x02D8A000 \SystemRoot\system32\drivers\mssmbios.sys
    0x02D95000 \SystemRoot\System32\drivers\discache.sys
    0x02DA4000 \SystemRoot\System32\Drivers\dfsc.sys
    0x02DC2000 \SystemRoot\system32\drivers\blbdrive.sys
    0x02DD3000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x04888000 \SystemRoot\system32\DRIVERS\igdkmd64.sys
    0x04266000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x0435A000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x043A0000 \SystemRoot\system32\drivers\HECIx64.sys
    0x043B1000 \SystemRoot\system32\drivers\usbehci.sys
    0x04200000 \SystemRoot\system32\drivers\USBPORT.SYS
    0x043C2000 \SystemRoot\system32\drivers\HDAudBus.sys
    0x0442E000 \SystemRoot\system32\DRIVERS\athrx.sys
    0x045AB000 \SystemRoot\system32\DRIVERS\vwifibus.sys
    0x045B8000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0x045D8000 \SystemRoot\system32\drivers\rimssne64.sys
    0x04400000 \SystemRoot\system32\drivers\risdsne64.sys
    0x04800000 \SystemRoot\system32\DRIVERS\yk62x64.sys
    0x04865000 \SystemRoot\system32\drivers\i8042prt.sys
    0x04418000 \SystemRoot\system32\drivers\kbdclass.sys
    0x02C00000 \SystemRoot\system32\drivers\Apfiltr.sys
    0x043E6000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x04427000 \SystemRoot\system32\drivers\SFEP.sys
    0x04256000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x02C44000 \SystemRoot\system32\drivers\Impcd.sys
    0x02C6A000 \SystemRoot\system32\drivers\intelppm.sys
    0x045F8000 \SystemRoot\system32\drivers\CmBatt.sys
    0x02C80000 \SystemRoot\system32\drivers\CompositeBus.sys
    0x02C90000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x02CA6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x04FF3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x05015000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x05044000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x0505F000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x05080000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x0509A000 \SystemRoot\system32\drivers\swenum.sys
    0x0509C000 \SystemRoot\system32\drivers\ks.sys
    0x050DF000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x050F1000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x0514B000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x05C9A000 \SystemRoot\system32\drivers\RTKVHD64.sys
    0x05EB5000 \SystemRoot\system32\drivers\portcls.sys
    0x05EF2000 \SystemRoot\system32\drivers\drmk.sys
    0x05F14000 \SystemRoot\system32\drivers\ksthunk.sys
    0x05F1A000 \SystemRoot\system32\DRIVERS\IntcDAud.sys
    0x05F5B000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x05F78000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x05F7A000 \SystemRoot\System32\Drivers\usbvideo.sys
    0x05FA8000 \SystemRoot\system32\DRIVERS\ArcSoftKsUFilter.sys
    0x00010000 \SystemRoot\System32\win32k.sys
    0x05FB2000 \SystemRoot\System32\drivers\Dxapi.sys
    0x05FBE000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x03A8A000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0x05FCC000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x05FDF000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x05C00000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x05C19000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x05C22000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x05C2F000 \SystemRoot\system32\DRIVERS\nvnnio.sys
    0x05C58000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x00550000 \SystemRoot\System32\TSDDD.dll
    0x00790000 \SystemRoot\System32\cdd.dll
    0x05C66000 \SystemRoot\system32\drivers\luafv.sys
    0x05160000 \SystemRoot\system32\drivers\WudfPf.sys
    0x05181000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x05196000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x05FED000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x02CCA000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x02842000 \SystemRoot\system32\drivers\HTTP.sys
    0x0290A000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x02928000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x02940000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x0296D000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x029BB000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x03EEB000 \SystemRoot\system32\drivers\peauth.sys
    0x03F91000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x03F9C000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x03FC9000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x03E00000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x078B8000 \SystemRoot\System32\DRIVERS\srv.sys
    0x0794E000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
    0x77740000 \Windows\System32\ntdll.dll
    0x477F0000 \Windows\System32\smss.exe
    0xFFA60000 \Windows\System32\apisetschema.dll
    0xFF480000 \Windows\System32\autochk.exe
    0xFF970000 \Windows\System32\advapi32.dll
    0xFF790000 \Windows\System32\setupapi.dll
    0xFF740000 \Windows\System32\Wldap32.dll
    0xFF6A0000 \Windows\System32\clbcatq.dll
    0xFF680000 \Windows\System32\imagehlp.dll
    0xFF670000 \Windows\System32\lpk.dll
    0xFF540000 \Windows\System32\rpcrt4.dll
    0xFF4F0000 \Windows\System32\ws2_32.dll
    0xFF480000 \Windows\System32\autochk.exe
    0xFF3B0000 \Windows\System32\usp10.dll
    0xFF3A0000 \Windows\System32\nsi.dll
    0xFF380000 \Windows\System32\sechost.dll
    0xFF270000 \Windows\System32\msctf.dll
    0xFF0F0000 \Windows\System32\urlmon.dll
    0xFEEE0000 \Windows\System32\ole32.dll
    0x77620000 \Windows\System32\kernel32.dll
    0xFEE00000 \Windows\System32\oleaut32.dll
    0x77910000 \Windows\System32\normaliz.dll
    0xFED60000 \Windows\System32\comdlg32.dll
    0x77900000 \Windows\System32\psapi.dll
    0xFECC0000 \Windows\System32\msvcrt.dll
    0xFEC90000 \Windows\System32\imm32.dll
    0xFEB60000 \Windows\System32\wininet.dll
    0xFDDD0000 \Windows\System32\shell32.dll
    0x77520000 \Windows\System32\user32.dll
    0xFDB70000 \Windows\System32\iertutil.dll
    0xFDAF0000 \Windows\System32\difxapi.dll
    0xFDA70000 \Windows\System32\shlwapi.dll
    0xFDA30000 \Windows\System32\wintrust.dll
    0xFD9F0000 \Windows\System32\cfgmgr32.dll
    0xFD9D0000 \Windows\System32\devobj.dll
    0xFD860000 \Windows\System32\crypt32.dll
    0xFD7C0000 \Windows\System32\comctl32.dll
    0xFD750000 \Windows\System32\KernelBase.dll
    0xFD740000 \Windows\System32\msasn1.dll
    0x778F0000 \Windows\SysWOW64\normaliz.dll

    Processes (total 79):
    0 System Idle Process
    4 System
    308 C:\Windows\System32\smss.exe
    484 csrss.exe
    544 C:\Windows\System32\wininit.exe
    568 csrss.exe
    600 C:\Windows\System32\services.exe
    628 C:\Windows\System32\lsass.exe
    636 C:\Windows\System32\lsm.exe
    740 C:\Windows\System32\svchost.exe
    820 C:\Windows\System32\svchost.exe
    880 C:\Windows\System32\svchost.exe
    912 C:\Windows\System32\svchost.exe
    952 C:\Windows\System32\svchost.exe
    336 C:\Windows\System32\svchost.exe
    380 C:\Windows\System32\svchost.exe
    1052 C:\Windows\System32\winlogon.exe
    1176 C:\Windows\System32\spoolsv.exe
    1204 C:\Windows\System32\svchost.exe
    1380 C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    1428 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    1540 C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
    1576 C:\Windows\System32\svchost.exe
    1716 C:\Windows\System32\taskhost.exe
    1752 C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
    1796 C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
    1816 C:\Windows\System32\dwm.exe
    1848 C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    1900 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    1952 C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    2020 dllhost.exe
    1868 C:\Windows\System32\taskeng.exe
    1412 C:\Program Files\Sony\VAIO Care\VAIOCareService.exe
    2088 C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
    2132 C:\Windows\System32\igfxtray.exe
    2164 C:\Windows\System32\hkcmd.exe
    2176 C:\Windows\System32\igfxpers.exe
    2232 C:\Windows\System32\igfxsrvc.exe
    2256 C:\Program Files\Apoint\Apoint.exe
    2340 C:\Program Files\Apoint\ApMsgFwd.exe
    2424 C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    2616 C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
    2648 C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    2688 C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
    2696 C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
    2752 C:\Program Files (x86)\Sony\SmartWi Connection Utility\CCP.exe
    2780 C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
    2844 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    2932 C:\Program Files\Apoint\Apvfb.exe
    2940 C:\Program Files\Apoint\ApntEx.exe
    2956 C:\Windows\System32\conhost.exe
    2984 C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe
    1308 C:\Program Files (x86)\Sony\SmartWi Connection Utility\ThirdPartyAppMgr.exe
    2600 C:\Program Files (x86)\Sony\SmartWi Connection Utility\PowerManager.exe
    3116 C:\Program Files\Sony\VAIO Power Management\SPMService.exe
    3356 WmiPrvSE.exe
    3516 WUDFHost.exe
    3708 C:\Windows\System32\SearchIndexer.exe
    4072 C:\Program Files\Windows Media Player\wmpnetwk.exe
    3488 C:\Windows\System32\svchost.exe
    4112 C:\Windows\System32\svchost.exe
    5024 C:\Program Files\Java\jre6\bin\jusched.exe
    5048 C:\Program Files\Sony\VAIO Care\VCsystray.exe
    4436 C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    2584 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    4956 C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
    4004 C:\Windows\System32\svchost.exe
    4508 C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    4840 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    3872 C:\Program Files\iPod\bin\iPodService.exe
    4892 C:\Program Files (x86)\iTunes\iTunesHelper.exe
    4172 C:\Program Files\Java\jre6\bin\jucheck.exe
    4356 C:\Windows\explorer.exe
    4056 C:\Windows\System32\audiodg.exe
    1660 C:\Windows\System32\SearchProtocolHost.exe
    3884 C:\Windows\System32\SearchFilterHost.exe
    1676 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    1328 C:\Users\tyler\Downloads\MBRCheck.exe
    2904 C:\Windows\System32\conhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`37e00000 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGHM320II, Rev: 2AC101C4

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


    Done!

    ================================================================
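MBRCheck's last lines above are the useful ones: it hashes the MBR of PhysicalDrive0, reports whether it recognises the code, and shows the byte offset at which C: starts. As an added example that is not part of the post or of MBRCheck itself, the Python below parses a 512-byte MBR, checks the 0x55AA signature, hashes the boot code, and maps partition entries to byte offsets so a reported volume offset can be cross-checked. The MBR is constructed (its single partition is placed at offset 0x237E00000 to match the report above), the known-good allowlist is hypothetical, and which bytes MBRCheck itself hashes is not stated on the page, so the code exposes both a boot-code hash and a whole-sector hash.

```python
"""Parse and hash a 512-byte MBR the way an MBR integrity check such as
MBRCheck's report does: confirm the 0x55AA signature, hash the boot code,
and map partition entries to byte offsets so the offset a tool reports for
a volume can be cross-checked.  Added example, not MBRCheck's code; the MBR
bytes are constructed and the known-good allowlist is hypothetical."""
import hashlib
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr():
    """Constructed MBR: filler boot code, one bootable NTFS partition (type
    0x07) whose start LBA puts it at byte offset 0x237E00000, the offset the
    thread's MBRCheck report shows for C:, and a valid boot signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (440 - 7)
    disk_signature = struct.pack("<I", 0xDEADBEEF)
    reserved = b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        18608128, 1000000)
    table = entry + b"\x00" * (16 * 3)   # three unused entries
    return boot_code + disk_signature + reserved + table + b"\x55\xaa"


def read_mbr(path):
    """Read the first sector of a disk or image (needs admin on a live disk)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(mbr):
    """Validate the sector and return hashes, disk signature and partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:                       # empty slot
            continue
        partitions.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                           "start_lba": lba, "sectors": count,
                           "byte_offset": lba * SECTOR})
    return {
        "boot_code_sha1": hashlib.sha1(mbr[:440]).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(mbr).hexdigest().upper(),
        "disk_signature": struct.unpack("<I", mbr[440:444])[0],
        "partitions": partitions,
    }


def classify(info, known_good):
    """'known-good' if the boot-code hash is on the allowlist, else 'unknown'."""
    return "known-good" if info["boot_code_sha1"] in known_good else "unknown"


def volume_offset_matches(info, byte_offset):
    """True when some partition starts at the offset a tool reported for a volume."""
    return any(p["byte_offset"] == byte_offset for p in info["partitions"])


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    known_good = {info["boot_code_sha1"]}    # hypothetical allowlist
    print("boot code SHA1:", info["boot_code_sha1"], classify(info, known_good))
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X} at 0x{p['byte_offset']:X}")
    print("C: offset matches:", volume_offset_matches(info, 0x237E00000))
```

On a live Windows disk, call read_mbr(r"\\.\PhysicalDrive0") from an elevated prompt and compare the hash with one taken from a known-clean machine of the same Windows build. A hash that is not on your allowlist is a reason to dump the sector for analysis, not proof of a bootkit; a hash that matches a clean reference, as the report above indicates for this laptop, rules the MBR out and points the investigation back at the user-mode persistence in the MBAM log.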
  6. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/12/2010 at 02:08 AM

    Application Version : 4.42.1000

    Core Rules Database Version : 5491
    Trace Rules Database Version: 3303

    Scan type : Complete Scan
    Total Scan Time : 01:06:53

    Memory items scanned : 328
    Memory threats detected : 0
    Registry items scanned : 13820
    Registry threats detected : 1
    File items scanned : 133933
    File threats detected : 55

    Malware.Trace
    (x86) HKU\S-1-5-21-114913183-1313831441-2921357569-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER#NOFOLDEROPTIONS

    Adware.Tracking Cookie

    Thank you!
  7. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  8. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    done and done, files attached.
    Couldn't copy and paste text, over character limit.

  9. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    What happened to AVG?

    ======================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
      O18:[b]64bit:[/b] - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
      O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O20:[b]64bit:[/b] - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
      O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O33 - MountPoints2\{463a5b5c-2568-11df-b5ac-0024bebcdabf}\Shell - "" = AutoRun
      O33 - MountPoints2\{463a5b5c-2568-11df-b5ac-0024bebcdabf}\Shell\AutoRun\command - "" = D:\WD SmartWare.exe -- File not found
      [2010/09/10 11:18:38 | 000,000,000 | ---D | C] -- C:\Users\tyler\AppData\Roaming\RegClean
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =======================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
  10. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    I uninstalled AVG in favor of Microsoft Security Essentials, good choice?

    ====================================================================

    All processes killed
    ========== OTL ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{828030A1-22C1-4009-854F-8E305202313F}\ not found.
    File {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\ not found.
    File {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-itss\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A9007C0-4076-11D3-8789-0000F8105754}\ not found.
    File {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{828030A1-22C1-4009-854F-8E305202313F}\ not found.
    File {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype4com\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}\ not found.
    File {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C514A3-1EFB-4856-9F99-10D7BE1653C0}\ not found.
    File {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found not found.
    64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui\ deleted successfully.
    C:\Windows\SysNative\igfxdev.dll moved successfully.
    64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{463a5b5c-2568-11df-b5ac-0024bebcdabf}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{463a5b5c-2568-11df-b5ac-0024bebcdabf}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{463a5b5c-2568-11df-b5ac-0024bebcdabf}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{463a5b5c-2568-11df-b5ac-0024bebcdabf}\ not found.
    File D:\WD SmartWare.exe not found.
    C:\Users\tyler\AppData\Roaming\RegClean\Log folder moved successfully.
    C:\Users\tyler\AppData\Roaming\RegClean folder moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    User: tyler
    ->Temp folder emptied: 119157 bytes
    ->Temporary Internet Files folder emptied: 45755668 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 72797958 bytes
    ->Flash cache emptied: 1747 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 45734 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
    RecycleBin emptied: 142057135 bytes

    Total Files Cleaned = 249.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: tyler
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.12.0 log created on 09132010_103710

    Files\Folders moved on Reboot...
    C:\Users\tyler\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...
  11. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    Results of screen317's Security Check version 0.99.5
    Windows 7 (UAC is disabled!)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 21
    Adobe Flash Player 10.0.32.18
    Adobe Reader 9.1.2
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````
  12. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    Monday, September 13, 2010
    Operating system: Microsoft (build 7600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, September 13, 2010 11:32:59
    Records in database: 4213809
    Scan settings
    scan using the following database extended
    Scan archives yes
    Scan e-mail databases yes
    Scan area My Computer
    C:\
    E:\
    F:\
    G:\
    Scan statistics
    Objects scanned 139507
    Threats found 0
    Infected objects found 0
    Suspicious objects found 0
    Scan duration 01:58:49

    No threats found. Scanned area is clean.
    Selected area has been scanned.
  13. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
    On this page: make sure you have both boxes UN-checked AND (important!) click on the Decline button.

    ========================================================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all the tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how is your computer doing.
     
  14. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    BTW, I prefer MSE over AVG :)
  15. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    Before resetting the restore point I was thinking of enabling the two startup processes I disabled when the virus hit.
    Lvtdhfngmtd
    and
    Lvtdhfngotd

    I am free of malware, but Windows Explorer still randomly crashes; maybe this could be the issue? Any thoughts?

    thank you for your help this far.
  16. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    What would those be for??

    What exactly happens and what are you doing, when it happens?
  17. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    I have no idea what the processes are for, Google search says nothing either...

    It crashes sometimes when Firefox is open, sometimes when I'm browsing files. I've come back to see the error message (Windows Explorer is not responding) over top of my screen saver.
    It seems really spontaneous.
  18. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    Do you see those processes right now in Task Manager?
    They're surely not legit.
  19. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    Nope, not running in Task Manager.
    Also Windows Explorer seems to quit halfway through the Malwarebytes quick scan. It's done that consistently a few times.

    But the good news is Malwarebytes and SUPERAntiSpyware say I'm clean. Thank you for your help!!!! :D

    I still don't have access to System Restore. It says I'm not an administrator, even though I am. That's probably a Microsoft OS issue though
  20. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    You scared me for a moment...LOL

    Regarding system restore...
    Please, re-run #1 from my reply #13 and post resulting log.
  21. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    User: tyler
    ->Temp folder emptied: 107955194 bytes
    ->Temporary Internet Files folder emptied: 13021140 bytes
    ->Java cache emptied: 135240 bytes
    ->FireFox cache emptied: 91581863 bytes
    ->Flash cache emptied: 2023 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1822070 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
    RecycleBin emptied: 44229956 bytes

    Total Files Cleaned = 247.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: tyler
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Error creating restore point.

    OTL by OldTimer - Version 3.2.12.0 log created on 09142010_191508

    Files\Folders moved on Reboot...
    C:\Users\tyler\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...
  22. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    Yeah, we have:
    Open Windows Explorer.
    Go Tools>Folder options>View tab
    UN-check "Hide protected operating system files".
    Click OK.
    Restart Windows Explorer.
    In C drive you'll see System Volume Information folder.
    Right click on it, click "Properties", then "Security" tab.
    Make sure, you have full control of it, meaning all checkmarks are in:

    Report on findings.
  23. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    hmm everything is checked except for "special permissions"
  24. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    What is the exact message, you're getting and at what exact point?
  25. tylerd

    tylerd Newcomer, in training Topic Starter Posts: 16

    Control Panel > Recovery
    The button labeled (Open System Restore) is faded and unusable. There is a message box above it that says "Some settings are managed by your system administrator. Why can't I change some settings?" and it goes on to explain in a help document that computers in a network or group, or that are managed by an admin, may not have access to certain features.
    I am not connected to a network or group. My user status is set to admin...

    Go Windows...
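A read-only check, added here as an example and not part of the thread, that audits the policy values the logs in posts 6 and 9 flagged (NoFolderOptions under the user's Policies\Explorer key, NoActiveDesktop and NoActiveDesktopChanges under HKLM) and the standard System Restore policy values (DisableSR and DisableConfig; the thread does not name them, and it is an assumption here that they are what greys out "Open System Restore" with the admin-managed notice in post 25). It only reports; it changes nothing.

```powershell
# Added example, not from the thread. Audits malware-style policy restrictions
# that the scan logs in this thread flagged, plus the System Restore policy values.
# Read-only: reports the state of each value and never writes to the registry.

# Each entry: registry path, value name, and why a non-zero value matters here.
$Checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoFolderOptions'
       Why  = 'Hides Folder Options (flagged by SUPERAntiSpyware as Malware.Trace)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoActiveDesktop'
       Why  = 'Removed by the OTL fix (O6 line)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoActiveDesktopChanges'
       Why  = 'Removed by the OTL fix (O6 line)' },
    # Assumption, not named in the thread: the standard System Restore policy
    # values that produce the "managed by your system administrator" notice.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Name = 'DisableSR'
       Why  = 'Disables System Restore entirely' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Name = 'DisableConfig'
       Why  = 'Blocks the System Restore configuration UI' }
)

function Get-PolicyRestriction {
    param([hashtable]$Check)
    # A missing key or value is normal on a clean machine; treat it as "not set"
    # rather than as an error.
    $value = $null
    if (Test-Path -Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.($Check.Name) }
    }
    if ($null -eq $value)  { $state = 'not set' }
    elseif ($value -ne 0)  { $state = 'RESTRICTED' }
    else                   { $state = 'present (0, inactive)' }
    # New-Object PSObject keeps this runnable on the PowerShell 2.0 that shipped with Windows 7.
    New-Object PSObject -Property @{
        Name  = $Check.Name
        State = $state
        Value = $value
        Path  = $Check.Path
        Why   = $Check.Why
    }
}

$results = $Checks | ForEach-Object { Get-PolicyRestriction -Check $_ }
$results | Format-Table Name, State, Value, Path -AutoSize

# Summarise only the values that are actually enforcing a restriction.
$restricted = $results | Where-Object { $_.State -eq 'RESTRICTED' }
if ($restricted) {
    Write-Host "`nActive restrictions:"
    $restricted | ForEach-Object {
        Write-Host (" - {0} = {1}: {2}" -f $_.Name, $_.Value, $_.Why)
    }
} else {
    Write-Host "`nNo policy restrictions from this list are active."
}
```

Run it as the affected user so the HKCU check reads that user's profile; the HKLM values are readable without elevation.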