Solved Windows -- Delayed write failed virus.. advice? (Broni please view)

LiquidPaper

Posts: 49   +0
Hello,

I just signed up to this forum to ask a question about a virus my friend's computer just got this afternoon. She opened an e-mail in her spam that was supposedly from 'USPS'. Of course, it wasn't, and when she opened the attachment it must have downloaded the virus.

Symptoms:
All of her desktop icons disappeared (except for the Internet Explorer icon).
The background disappeared (went black).
1 big pop-up showed up stating:
"Windows detected a hard disk problem"
'A potential disk failure may cause loss of files, applications, and documents stored on the hard disk. It's highly recommended to scan and slove HDD problems before continuing using this PC.'

Scan and fix (recommended) -Prevents future problems with files stored on this disk or device.
Delay scan -Your computer will be restored.
Then another 20 - 22 pop-ups showed up saying:
"Windows -- Delayed write failed"
'Failed to save all the components for the file \\system32\\000015le. The file is corrupted or unreadable error may be caused by---'
**It had a 'close' 'try again' and 'continue' option. It looked like a standard windows message.

We didn't click on either pop-up. Instead I shut the computer off with the power button and got on a back-up laptop and started trying to find out what kinda bug we caught. At first I thought it was the 'System Fix' virus. It told me to download the 'Trojan Killer' to scan and fix the problem. I turned the computer back on -when prompted with how I wanted to start the computer "safe mode, safe mode with networking, etc..." it automatically started under regular start-up. When the computer loaded, the pop-ups showed up again of course. I noticed though that I still had programs under my 'start' menu. If it was the 'System Fix' virus, those should have been gone too. At this point I had already started downloading the Trojan Killer. I stopped the download and forced the computer off again. After doing more research, I found the symptoms for the "Windows -- Delayed write failed" virus. This website pretty much described my problem to a 'T'. http://trojan-removal-guide.com/windows-%E2%80%93-delayed-write-failed-problem-description/ Since the site seemed to have the virus down, I went ahead and followed the steps to fix it. I downloaded the Trojan Killer, ran the program (wound up buying it for $40) and then followed the last three steps in the video. (Downloading and running Kaspersky TDSS Killer, and Trojan Killer's 'unhide' and 'restore' programs). Once this was done, I restarted the computer.

The pop-ups were gone, but only about half of the desktop icons were back. (Had four rows of icons, now there are only two). Also, the background was still black. I was able to change it though. I was pretty confident that it was fixed, except for the fact that half the icons are still missing and that I realized something else was missing too. The 'Quick Launch' feature on the Windows Vista toolbar. I went into the toolbar properties and even though the option is selected, the buttons that should be just to the right of the 'start' button are not there. So now, here is my question (finally, right?). Did I get rid of the virus completely or do you think there could still be some pieces left behind? I'm going to continue researching it as much as possible, seeing as the computer that has been infected is a family / business computer that must be used on a daily basis.

I know you probably get PM's like this all the time, and probably people saying to you "I know you probably get PM's like this all the time". haha I was just wondering if you could shed some light on my situation. When I was browsing the internet I stumbled upon a thread where you helped someone get through a virus problem using the Registry. On my personal laptop, about a year ago, I got hit with the Windows Vista Security 2011 virus. At that point, I wound up finding someone helpful, like you, and they pointed me in the direction of a site that helped me put a patch in my computer (which at that time was almost totally disabled) by adding things to my Registry. If you don't have the time to help, that is totally understandable. Please, if you could just send me a quick 'no' or anything? That way I know you at least got this and I'm not wasting any more of your time.

If you've read this message this far, thank you! I'd greatly appreciate any and all input you have.

Happy Holidays,
LiquidPaper
 
Welcome aboard


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please, observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Wow, thanks for replying! I have read and acknowledged your rules!

Update:

Last night the computer was okay enough to print a couple of pictures. Had a background and half the icons back. I mentioned the "Quick Launch" feature was gone though. I left today though and my friend's husband turned on the computer and let it sit on all day. When we came home: the screen was black again, all my desktop icons are gone (except Internet Explorer), and I had TONS of pop-ups everywhere. As of now, I am running the Trojan Killer again (sorry, I started it up before I saw this post). All the zillions of pop-ups disappeared. All that is left is the Trojan Killer scan, and two other programs minimized on the bar. "System Check" and "iexplore.exe is requesting your permission" -I haven't clicked on any of these things. Also, there is another pop-up on the bottom right of the screen that says:

"Files indexation process failed"
'Indexation process failure may cause:
Files may became unreadable
Files and documents can be lost
Operation System may slow down dramatically

To prevent possible damage to this PC follow the recommendations.

Recommendations:
It's highly recommended to run file integrity checker now and resolve this issue.'

'Resolve this issue' <-button"

When you say I must copy all of the logs, what do you mean? And right now I am on a different laptop. I'm not sure if the infected computer is internet capable. Thank you so much for replying!
 
BRONI!!! THANK YOU!!! It is FIXED!! All the icons are back, there are no strange pop-ups, the background is set, the "Quick Launch" features are all back too! I can not express my gratitude enough!!!! Thank you, thank you, thank you!!!!

:D
 
Good news:)

But....we just started:)

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Oh boy lol Alright!

I guess my half-hour spent victory dancing was wasted too soon! :eek: :rolleyes:

Well, since it was my friend's computer I was working on -I can't do it right now. I'm at home. However, I did tell them to keep the computer turned 'off' until I saw your reply. I am busy tomorrow, so I won't be able to do this. However, Tuesday I am going to their house. So I will do it then and get back to you promptly.

I just glanced over the guide and noticed "Avast" on your list of suggested anti-virus programs.. I had already downloaded that program, but I think the virus had got to it. Because the first time I ran a full scan (took 2 1/2 hours), it came back with viruses. I had it 'delete' them. Then when I asked it to do another full scan, it ran for 12 minutes and said everything was perfect! So, could it be that the program was corrupted by the virus? If I deleted Avast, then re-installed it, could I still use it? (I'm sorry, I totally forgot to mention Avast earlier. Major no-no! When I started this thread my eyes were ready to fall out of my head :dead:) I believe the same thing happened with the "Trojan Killer" too. I did tell you about that program though!

So do you suggest I just download one of the other anti-virus programs off that list, or un-install and re-install avast?

Thank you!
 
Quick Question:

They have Trend Micro Internet Security on their computer (it was installed before the virus). Do I need to download Avast (or another AV program) or will Trend Micro be okay? -I'm working on it right now.
 
Hmm.. I was just looking in their Trend Micro Internet Security and it says that it has "4" files quarantined. When I opened it up to see what files, it listed only (3).

File Name          Date Quarantined    File Location
Realtek_AC97.exe   2012/01/05 23:37    C:\Users\user\AppData\Local\Temp
dhjtgelvm.scr      2012/01/07 08:47    C:\Users\user\AppData\Local\Temp
A940.tmp           2012/01/05 23:35    C:\Users\user\AppData\Local\Temp

Under "Status" each one says "Virus Found"
 
Okay, I just finished the TM Scan. This is what it came up with.

It found 14 threats -all which it says were "Successfully removed".

8 of them were Cookies.

4 of them were classified as Trojans. All of them were called "TSC_GENCLEAN"

The other 2 were "Compressed files"

I am going ahead and continuing with steps 2 - 5 since TM seems to be working!
 
I was going through TM and I looked at the quarantine folder again. It said there were two new quarantined files.

USPS report.zip and USPS report (1).zip

These have to be one of the main viruses! This whole thing originated from them opening a 'USPS e-mail' and running the attachment!
 
Hmm, it came back! I ran the scan again everything went fine. I finished the steps. The requested logs are coming in the following posts!
 
Malwarebytes Anti-Malware log

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.10.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
user :: USER-PC [administrator]

Protection: Enabled

1/10/2012 6:42:14 PM
mbam-log-2012-01-10 (18-42-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 209245
Time elapsed: 13 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
GMER log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-10 19:28:01
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000005c ST336032 rev.3.CH
Running: x2cxlfql.exe; Driver: C:\Users\user\AppData\Local\Temp\kwldapob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----
 
DDS logs: DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by user at 19:30:41 on 2012-01-10
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1772 [GMT -8:00]
.
AV: Trend Micro Internet Security *Enabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
SP: Trend Micro Internet Security *Enabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\WEATHE~2\bar\1.bin\gcbarsvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HughesNetTools\1\McciTrayApp_SSR.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WeatherBlink\bar\1.bin\gcbrmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie9
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie9
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uURLSearchHooks: N/A: {8ba2cfef-a1bc-4964-aadc-33be1ae5a33c} - c:\program files\weatherblink\bar\1.bin\gcSrcAs.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Search Assistant BHO: {9b9dcae3-be34-424c-8d73-75e305a9e091} - c:\program files\weatherblink\bar\1.bin\gcSrcAs.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Toolbar BHO: {dc9051c2-8f55-479a-97a4-747980d9047f} - c:\progra~1\weathe~2\bar\1.bin\gcbar.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: WeatherBlink: {f20de5e0-2a6e-4c54-985f-1cf59551ce39} - c:\program files\weatherblink\bar\1.bin\gcbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [HughesNetTools_McciTrayApp] c:\program files\hughesnettools\1\McciTrayApp_SSR.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WeatherBlink Browser Plugin Loader] c:\progra~1\weathe~2\bar\1.bin\gcbrmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\downlo~1.lnk - c:\program files\c&s publishing\download manager\DownloadManager.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {3EEC59CC-1F1E-42AC-9E9D-32BAC3D126D1} - hxxp://phughescw.hughes.motive.com/wizlet/spaceway/static/controls/Mcci_6-1-0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 67.142.165.10 67.142.165.11
TCP: Interfaces\{39FA1E33-520C-4EDD-9377-B6BBF16F7A49} : DhcpNameServer = 66.82.4.8
TCP: Interfaces\{8FFC7F1D-16AC-4FA1-BA20-8EBE0B8FCC68} : DhcpNameServer = 67.142.165.10 67.142.165.11
TCP: Interfaces\{FC73F33B-2631-48E4-A30D-B941FC2B0C7F} : DhcpNameServer = 66.82.4.8
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2012-1-6 15672]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-2-15 141840]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-1-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-7-24 47640]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-2-15 50256]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-9-29 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-2-15 234512]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-7 20464]
R3 rt70x86;Linksys Home Wireless-G USB Adaptor Driver;c:\windows\system32\drivers\netr70.sys [2009-2-26 299520]
.
=============== Created Last 30 ================
.
2012-01-07 19:08:14 -------- d-----w- c:\users\user\appdata\roaming\Malwarebytes
2012-01-07 19:08:10 -------- d-----w- c:\programdata\Malwarebytes
2012-01-07 19:08:07 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-07 19:08:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-07 04:53:27 25944 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2012-01-07 04:53:27 15672 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2012-01-07 04:53:27 -------- d-----w- c:\users\user\appdata\roaming\IObit
2012-01-07 04:53:20 -------- d-----w- c:\program files\IObit
2012-01-07 00:41:21 -------- d-----w- c:\programdata\AVAST Software
2012-01-07 00:41:21 -------- d-----w- c:\program files\AVAST Software
2012-01-06 04:00:49 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2011-12-14 20:20:32 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 20:20:31 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-14 20:20:27 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 20:20:25 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 20:20:22 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-12-14 20:20:20 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 20:20:16 2048 ----a-w- c:\windows\system32\tzres.dll
.
==================== Find3M ====================
.
2011-12-21 01:16:53 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-12-21 01:16:46 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-12-21 01:16:35 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-12-21 01:16:33 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-11-11 15:38:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 19:31:49.63 ===============
 
DDS logs: Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 8/20/2008 4:09:58 PM
System Uptime: 1/10/2012 7:17:40 PM (0 hours ago)
.
Motherboard: ECS | | Nettle3
Processor: AMD Phenom(tm) 9500 Quad-Core Processor | Socket AM2 | 1100/201mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 326 GiB total, 235.389 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 1.255 GiB free.
E: is FIXED (NTFS) - 335 GiB total, 334.832 GiB free.
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
32 Bit HP CIO Components Installer
6400_Help
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.4.6
Bing Bar
Bing Rewards Client Installer
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Cards_Calendar_OrderGift_DoMorePlugout
Compatibility Pack for the 2007 Office system
CustomerResearchQFolder
CyberLink DVD Suite Deluxe
Delivery Manager
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DocProc
DocProcQFolder
Document Downloader
Download Manager
Enhanced Multimedia Keyboard Solution
eSupportQFolder
Fax
Formatta Filler 7.0
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService
GPBaseService2
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Experience Enhancements
HP Customer Feedback
HP Customer Participation Program 10.0
HP Easy Setup - Frontend
HP Imaging Device Functions 10.0
HP Officejet J6400 Series
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.5
HP Picasso Media Center Add-In
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Total Care Advisor
HP Update
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
HPSSupply
HughesNetTools
J6400
Java Auto Updater
Java(TM) 6 Update 26
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
LabelPrint
LightScribe System Software 1.10.23.1
LightScribeTemplateLabeler
LogMeIn
Malwarebytes Anti-Malware version 1.60.0.1800
MarketResearch
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 60 day trial
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft UI Engine
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MSVCSetup
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
muvee autoProducer 6.1
My HP Games
NVIDIA Drivers
OCR Software by I.R.I.S. 10.0
OGA Notifier 2.0.0048.0
Power2Go
PowerDirector
ProductContext
PSSWCORE
Python 2.5
QuickBooks
QuickBooks Pro 2009
Realtek High Definition Audio Driver
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Shop for HP Supplies
Smart Defrag 2
SmartWebPrinting
Snapfish Picture Mover
Soft Data Fax Modem with SmartCP
SolutionCenter
Status
StreetSmart Pro
SupportSoft Assisted Service
Toolbox
TrayApp
Trend Micro Internet Security
Trojan Killer 2.1
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2596560)
VideoToolkit01
WeatherBug Gadget
WebReg
Yahoo! Detect
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
1/7/2012 8:22:40 AM, Error: Service Control Manager [7031] - The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
1/7/2012 12:47:05 PM, Error: netbt [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.102. The computer with the IP address 192.168.1.115 did not allow the name to be claimed by this computer.
1/7/2012 12:39:10 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/7/2012 12:39:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
1/7/2012 12:39:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/7/2012 12:38:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/7/2012 12:38:45 PM, Error: EventLog [6008] - The previous system shutdown at 12:36:46 PM on 1/7/2012 was unexpected.
1/7/2012 10:39:40 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi spldr tmtdi Wanarpv6
1/7/2012 10:39:40 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
1/6/2012 9:38:44 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the QBCFMonitorService service to connect.
1/5/2012 7:50:54 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user user-PC\user SID (S-1-5-21-419807706-895616609-190428675-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
1/5/2012 7:46:15 PM, Error: EventLog [6008] - The previous system shutdown at 6:49:59 PM on 1/5/2012 was unexpected.
1/5/2012 6:36:05 PM, Error: EventLog [6008] - The previous system shutdown at 5:41:29 PM on 1/5/2012 was unexpected.
1/5/2012 5:29:36 PM, Error: EventLog [6008] - The previous system shutdown at 5:27:23 PM on 1/5/2012 was unexpected.
1/10/2012 7:19:50 PM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
1/10/2012 7:18:03 PM, Error: EventLog [6008] - The previous system shutdown at 7:15:21 PM on 1/10/2012 was unexpected.
1/10/2012 7:14:39 PM, Error: nvstor32 [5] - A parity error was detected on \Device\RaidPort0.
1/10/2012 3:23:47 PM, Error: netbt [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.102. The computer with the IP address 192.168.1.147 did not allow the name to be claimed by this computer.
.
==== End Of File ===========================
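The Event Viewer block in the log above is a plain-text dump, and a responder reading it will want to pull out a few specific signals: a security product's service terminating unexpectedly (Service Control Manager 7031), security-product boot-start drivers failing to load (7026, here the avast! "asw*" and Trend Micro "tm*" drivers), and the cluster of unexpected shutdowns (EventLog 6008). The following Python is an added example written for this thread, not code from the thread, from DDS or from any tool mentioned in it; it parses lines in the DDS event format and flags those entries. The sample lines are copied from the log above, and the driver prefixes and service keywords are an illustrative assumption, not an authoritative list.

```python
import re

# Constructed sample: a handful of lines copied from the DDS
# "Event Viewer Messages From Past Week" section posted in this thread.
SAMPLE_LOG = """\
1/7/2012 8:22:40 AM, Error: Service Control Manager [7031] - The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
1/7/2012 12:38:45 PM, Error: EventLog [6008] - The previous system shutdown at 12:36:46 PM on 1/7/2012 was unexpected.
1/7/2012 10:39:40 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi spldr tmtdi Wanarpv6
1/5/2012 7:46:15 PM, Error: EventLog [6008] - The previous system shutdown at 6:49:59 PM on 1/5/2012 was unexpected.
1/10/2012 7:14:39 PM, Error: nvstor32 [5] - A parity error was detected on \\Device\\RaidPort0.
"""

# One DDS event line: "<date> <time>, <level>: <source> [<event id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Assumption for illustration: driver-name prefixes and service keywords of
# the security products visible in this thread's log (avast!, Trend Micro).
# A real triage list would be built per environment.
SECURITY_DRIVER_PREFIXES = ("asw", "tm")
SECURITY_SERVICE_KEYWORDS = ("avast", "antivirus", "trend micro")


def parse_line(line):
    """Return a dict of fields for a DDS event line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    return rec


def triage(text):
    """Scan a DDS event dump and return (finding_type, detail) tuples."""
    findings = []
    unexpected_shutdowns = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        source, eid, msg = rec["source"], rec["event_id"], rec["message"]

        if source == "Service Control Manager" and eid == 7031:
            # "The <name> service terminated unexpectedly. ..."
            name = msg.split(" service terminated", 1)[0]
            if name.startswith("The "):
                name = name[4:]
            if any(k in name.lower() for k in SECURITY_SERVICE_KEYWORDS):
                findings.append(("security_service_crash", name))

        elif source == "Service Control Manager" and eid == 7026:
            # "... driver(s) failed to load: <name> <name> ..."
            drivers = msg.split("failed to load:", 1)[1].split()
            blocked = [d for d in drivers
                       if d.lower().startswith(SECURITY_DRIVER_PREFIXES)]
            if blocked:
                findings.append(("security_driver_not_loaded", " ".join(blocked)))

        elif source == "EventLog" and eid == 6008:
            unexpected_shutdowns += 1

    if unexpected_shutdowns:
        findings.append(("unexpected_shutdowns", str(unexpected_shutdowns)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

On the sample above this reports the avast! Antivirus service crash, the four avast!/Trend Micro drivers that did not load, and two unexpected shutdowns; the nvstor32 parity error is parsed but not flagged, since it is a hardware message rather than a security-product signal. The unexpected shutdowns here are also explained by the power-button shutdowns described earlier in the thread, which is why the script reports a count rather than a verdict.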
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

===========================================================

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 