TechSpot

Windows -- Delayed write failed virus.. advice? (Broni please view)

Solved
By LiquidPaper
Jan 6, 2012
  1. Hello,

    I just signed up to this forum to ask a question about a virus my friend's computer just got this afternoon. She opened an e-mail in her spam that was supposedly from 'USPS'. Of course, it wasn't, and when she opened the attachment it must have downloaded the virus.

    Symptoms:
    All of her desktop icons disappeared (except for the Internet Explorer icon).
    The background disappeared (went black).
    1 big pop-up showed up stating:
    Then another 20 - 22 pop-ups showed up saying:
    We didn't click on either pop-up. Instead I shut the computer off with the power button and got on a back-up laptop and started trying to find out what kind of bug we caught. At first I thought it was the 'System Fix' virus. It told me to download the 'Trojan Killer' to scan and fix the problem. I turned the computer back on - when prompted with how I wanted to start the computer "safe mode, safe mode with networking, etc..." it automatically started under regular start-up. When the computer loaded, the pop-ups showed up again of course. I noticed though that I still had programs under my 'start' menu. If it was the 'System Fix' virus, those should have been gone too. At this point I had already started downloading the Trojan Killer. I stopped the download and forced the computer off again. After doing more research, I found the symptoms for the "Windows -- Delayed write failed" virus. This website pretty much described my problem to a 'T'. http://trojan-removal-guide.com/windows-%E2%80%93-delayed-write-failed-problem-description/ Since the site seemed to have the virus down, I went ahead and followed the steps to fix it. I downloaded the Trojan Killer, ran the program (wound up buying it for $40) and then followed the last three steps in the video. (Downloading and running Kaspersky TDSS Killer, and Trojan Killer's 'unhide' and 'restore' programs). Once this was done, I restarted the computer.

    The pop-ups were gone, but only about half of the desktop icons were back. (Had four rows of icons, now there are only two). Also, the background was still black. I was able to change it though. I was pretty confident that it was fixed, except for the fact that half the icons are still missing and that I realized something else was missing too: the 'Quick Launch' feature on the Windows Vista toolbar. I went into the toolbar properties and even though the option is selected, the buttons that should be just to the right of the 'start' button are not there. So now, here is my question (finally, right?). Did I get rid of the virus completely or do you think there could still be some pieces left behind? I'm going to continue researching it as much as possible, seeing as the computer that has been infected is a family / business computer that must be used on a daily basis.

    I know you probably get PM's like this all the time, and probably people saying to you "I know you probably get PM's like this all the time". haha I was just wondering if you could shed some light on my situation. When I was browsing the internet I stumbled upon a thread where you helped someone get through a virus problem using the Registry. On my personal laptop, about a year ago, I got hit with the Windows Vista Security 2011 virus. At that point, I wound up finding someone helpful, like you, and they pointed me in the direction of a site that helped me put a patch in my computer (which at that time was almost totally disabled) by adding things to my Registry. If you don't have the time to help, that is totally understandable. Please, if you could just send me a quick 'no' or anything? That way I know you at least got this and I'm not wasting any more of your time.

    If you've read this message this far, thank you! I'd greatly appreciate any and all input you have.

    Happy Holidays,
    LiquidPaper
  2. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 characters post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    Wow, thanks for replying! I have read and acknowledged your rules!

    Update:

    Last night the computer was okay enough to print a couple of pictures. Had a background and half the icons back. I mentioned the "Quick Launch" feature was gone though. I left today though and my friend's husband turned on the computer and let it sit on all day. When we came home: the screen was black again, all my desktop icons are gone (except Internet Explorer), and I had TONS of pop-ups everywhere. As of now, I am running the Trojan Killer again (sorry, I started it up before I saw this post). All the zillions of pop-ups disappeared. All that is left is the Trojan Killer scan, and two other programs minimized on the bar: "System Check" and "iexplore.exe is requesting your permission" - I haven't clicked on any of these things. Also, there is another pop-up on the bottom right of the screen that says:

    When you say I must copy all of the logs, what do you mean? And right now I am on a different laptop. I'm not sure if the infected computer is internet capable. Thank you so much for replying!
  4. Broni

    Broni Malware Annihilator Posts: 46,479   +252

  5. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    BRONI!!! THANK YOU!!! It is FIXED!! All the icons are back, there are no strange pop-ups, the background is set, the "Quick Launch" features are all back too! I cannot express my gratitude enough!!!! Thank you, thank you, thank you!!!!

    :D
  6. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Good news :)

    But....we just started :)

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 characters post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
  7. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    Oh boy lol Alright!

    I guess my half-hour spent victory dancing was wasted too soon! :eek: :rolleyes:

    Well, since it was my friend's computer I was working on - I can't do it right now. I'm at home. However, I did tell them to keep the computer turned 'off' until I saw your reply. I am busy tomorrow, so I won't be able to do this. However, Tuesday I am going to their house. So I will do it then and get back to you promptly.

    I just glanced over the guide and noticed "Avast" on your list of suggested anti-virus programs. I had already downloaded that program, but I think the virus had got to it, because the first time I ran a full scan (took 2 1/2 hours), it came back with viruses. I had it 'delete' them. Then when I asked it to do another full scan, it ran for 12 minutes and said everything was perfect! So, could it be that the program was corrupted by the virus? If I deleted Avast, then re-installed it, could I still use it? (I'm sorry, I totally forgot to mention Avast earlier. Major no-no! When I started this thread my eyes were ready to fall out of my head :dead:) I believe the same thing happened with the "Trojan Killer" too. I did tell you about that program though!

    So do you suggest I just download one of the other anti-virus programs off that list, or un-install and re-install avast?

    Thank you!
  8. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Yes, you can reinstall Avast if you feel it's not working correctly.
  9. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    Okay, thank you!
  10. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    Quick Question:

    They have Trend Micro Internet Security on their computer (it was installed before the virus). Do I need to download Avast (or another AV program) or will Trend Micro be okay? - I'm working on it right now.
  11. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    TM will be fine if it's in working condition.
    You have to check.
     
  12. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    Hmm.. I was just looking in their Trend Micro Internet Security and it says that it has "4" files quarantined. When I opened it up to see what files, it listed only (3).

    File Name: Date Quarantined: File Location:
    Realtek_AC97.exe 2012/01/05 23:37 C:\Users\user\AppData\Local\Temp
    dhjtgelvm.scr 2012/01/07 08:47 C:\Users\user\AppData\Local\Temp
    A940.tmp 2012/01/05 23:35 C:\Users\user\AppData\Local\Temp

    Under "Status" each one says "Virus Found"
  13. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    How could I check? Or would it be okay if I just went ahead and downloaded Avast fresh?
  14. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    See if you can open TM, update, run some quick scan.
  15. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    Okay!
  16. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    Okay, I just finished the TM Scan. This is what it came up with.

    It found 14 threats -all which it says were "Successfully removed".

    8 of them were Cookies.

    4 of them were classified as Trojans. All of them were called "TSC_GENCLEAN"

    The other 2 were "Compressed files"

    I am going ahead and continuing with steps 2 - 5 since TM seems to be working!
  17. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    I was going through TM and I looked at the quarantine folder again. It said there were two new quarantined files.

    USPS report.zip and USPS report (1).zip

    These have to be one of the main viruses! This whole thing originated from them opening a 'USPS e-mail' and running the attachment!
  18. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    I was running the GMER scan when the screen turned blue and the computer re-booted.
  19. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    it said stuff about the computer crashing??
  20. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    Hmm, it came back! I ran the scan again and everything went fine. I finished the steps. The requested logs are coming in the following posts!
  21. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    Malwarebytes Anti-Malware log

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.10.06

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    user :: USER-PC [administrator]

    Protection: Enabled

    1/10/2012 6:42:14 PM
    mbam-log-2012-01-10 (18-42-14).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 209245
    Time elapsed: 13 minute(s), 25 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  22. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    GMER log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-01-10 19:28:01
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000005c ST336032 rev.3.CH
    Running: x2cxlfql.exe; Driver: C:\Users\user\AppData\Local\Temp\kwldapob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    ---- EOF - GMER 1.0.15 ----
  23. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    DDS logs: DDS.txt

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421
    Run by user at 19:30:41 on 2012-01-10
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1772 [GMT -8:00]
    .
    AV: Trend Micro Internet Security *Enabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
    SP: Trend Micro Internet Security *Enabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Microsoft\BingBar\SeaPort.EXE
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\PROGRA~1\WEATHE~2\bar\1.bin\gcbarsvc.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\RtHDVCpl.exe
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\HughesNetTools\1\McciTrayApp_SSR.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\WeatherBlink\bar\1.bin\gcbrmon.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\hp\kbd\kbd.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie9
    uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie9
    uSearch Page = hxxp://www.google.com
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
    uURLSearchHooks: N/A: {8ba2cfef-a1bc-4964-aadc-33be1ae5a33c} - c:\program files\weatherblink\bar\1.bin\gcSrcAs.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: Search Assistant BHO: {9b9dcae3-be34-424c-8d73-75e305a9e091} - c:\program files\weatherblink\bar\1.bin\gcSrcAs.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Toolbar BHO: {dc9051c2-8f55-479a-97a4-747980d9047f} - c:\progra~1\weathe~2\bar\1.bin\gcbar.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    TB: WeatherBlink: {f20de5e0-2a6e-4c54-985f-1cf59551ce39} - c:\program files\weatherblink\bar\1.bin\gcbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [KBD] c:\hp\kbd\KbdStub.EXE
    mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
    mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [HughesNetTools_McciTrayApp] c:\program files\hughesnettools\1\McciTrayApp_SSR.exe
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [WeatherBlink Browser Plugin Loader] c:\progra~1\weathe~2\bar\1.bin\gcbrmon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\downlo~1.lnk - c:\program files\c&s publishing\download manager\DownloadManager.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {3EEC59CC-1F1E-42AC-9E9D-32BAC3D126D1} - hxxp://phughescw.hughes.motive.com/wizlet/spaceway/static/controls/Mcci_6-1-0.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 67.142.165.10 67.142.165.11
    TCP: Interfaces\{39FA1E33-520C-4EDD-9377-B6BBF16F7A49} : DhcpNameServer = 66.82.4.8
    TCP: Interfaces\{8FFC7F1D-16AC-4FA1-BA20-8EBE0B8FCC68} : DhcpNameServer = 67.142.165.10 67.142.165.11
    TCP: Interfaces\{FC73F33B-2631-48E4-A30D-B941FC2B0C7F} : DhcpNameServer = 66.82.4.8
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2012-1-6 15672]
    R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-2-15 141840]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-1-11 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-7-24 47640]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-2-15 50256]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-9-29 36368]
    R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-2-15 234512]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-7 20464]
    R3 rt70x86;Linksys Home Wireless-G USB Adaptor Driver;c:\windows\system32\drivers\netr70.sys [2009-2-26 299520]
    .
    =============== Created Last 30 ================
    .
    2012-01-07 19:08:14 -------- d-----w- c:\users\user\appdata\roaming\Malwarebytes
    2012-01-07 19:08:10 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-07 19:08:07 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-07 19:08:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-07 04:53:27 25944 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    2012-01-07 04:53:27 15672 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    2012-01-07 04:53:27 -------- d-----w- c:\users\user\appdata\roaming\IObit
    2012-01-07 04:53:20 -------- d-----w- c:\program files\IObit
    2012-01-07 00:41:21 -------- d-----w- c:\programdata\AVAST Software
    2012-01-07 00:41:21 -------- d-----w- c:\program files\AVAST Software
    2012-01-06 04:00:49 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2011-12-14 20:20:32 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-14 20:20:31 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-14 20:20:27 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 20:20:25 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 20:20:22 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-12-14 20:20:20 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-14 20:20:16 2048 ----a-w- c:\windows\system32\tzres.dll
    .
    ==================== Find3M ====================
    .
    2011-12-21 01:16:53 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2011-12-21 01:16:46 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2011-12-21 01:16:35 30592 ----a-w- c:\windows\system32\LMIport.dll
    2011-12-21 01:16:33 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2011-11-11 15:38:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
    2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
    2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    .
    ============= FINISH: 19:31:49.63 ===============
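    A small triage helper for the "Pseudo HJT Report" section of the DDS log above. This is an added example written for this thread; it is not code from DDS, TechSpot, Broni or the poster, and the function names (`parse_hjt`, `orphaned`, `loaded_dlls`, `user_writable`) are mine. It parses the BHO / TB / EB / uURLSearchHooks lines exactly as DDS prints them and sorts them three ways: registrations whose DLL is missing ("No File" entries, i.e. CLSIDs that still point nowhere), which DLL each live registration loads (so one DLL hooked into the browser several ways is visible at a glance), and any DLL loading from a user-writable directory such as AppData\Local\Temp, where the files Trend Micro quarantined in this thread were sitting. The sample input is copied from the posted DDS.txt; the one extra line marked CONSTRUCTED_EXTRA is invented purely so the last check has something to flag. Nothing here claims any entry is malicious, it only organises the log.

```python
"""
Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example for this thread, not code from DDS, TechSpot or the poster.
Parses lines of the form  KIND: [Name: ]{CLSID} - path-or-'No File'
for KIND in BHO / TB / EB / uURLSearchHooks and reports:
  * registrations that point at no file on disk ("No File"),
  * which DLL each live registration loads,
  * DLLs loading from user-writable locations (AppData\\Local\\Temp etc.).
"""
import re
from collections import defaultdict

# Sample input copied from the DDS.txt posted in this thread.
SAMPLE_HJT = r"""
uURLSearchHooks: N/A: {8ba2cfef-a1bc-4964-aadc-33be1ae5a33c} - c:\program files\weatherblink\bar\1.bin\gcSrcAs.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Search Assistant BHO: {9b9dcae3-be34-424c-8d73-75e305a9e091} - c:\program files\weatherblink\bar\1.bin\gcSrcAs.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: WeatherBlink: {f20de5e0-2a6e-4c54-985f-1cf59551ce39} - c:\program files\weatherblink\bar\1.bin\gcbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
"""

# CONSTRUCTED line, NOT from the posted log: a hypothetical BHO loading from
# %TEMP%, included only so the user-writable check below has something to flag.
CONSTRUCTED_EXTRA = r"""
BHO: Hypothetical Helper: {00000000-0000-0000-0000-000000000001} - c:\users\user\appdata\local\temp\example.dll
"""

LINE_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB|uURLSearchHooks):\s*"
    r"(?:(?P<name>.*?):\s*)?"          # optional display name (may be "N/A")
    r"(?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*"
    r"(?P<target>.+?)\s*$"             # DLL path, possibly quoted, or "No File"
)

# Directory fragments an unprivileged user can write to. A browser extension
# loading from one of these deserves a second look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\", "c:\\programdata\\")


def parse_hjt(text):
    """Return one dict per recognised line: kind, name, clsid, path (None for 'No File')."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # mRun / DPF / TCP lines use other formats; not handled here
        target = m.group("target").strip('"')
        path = None if target.lower() == "no file" else target.lower()
        entries.append({"kind": m.group("kind"), "name": m.group("name"),
                        "clsid": m.group("clsid"), "path": path})
    return entries


def orphaned(entries):
    """CLSIDs registered as browser extensions whose DLL DDS could not find."""
    return [e["clsid"] for e in entries if e["path"] is None]


def loaded_dlls(entries):
    """Map each DLL path to the (kind, name) registrations that load it."""
    by_dll = defaultdict(list)
    for e in entries:
        if e["path"] is not None:
            by_dll[e["path"]].append((e["kind"], e["name"]))
    return dict(by_dll)


def user_writable(entries):
    """Registrations whose DLL sits in a directory an ordinary user can write to."""
    return [e for e in entries
            if e["path"] is not None and any(f in e["path"] for f in USER_WRITABLE)]


def report(text):
    entries = parse_hjt(text)
    print("orphaned registrations (No File):")
    for clsid in orphaned(entries):
        print("  ", clsid)
    print("DLLs loaded by the browser:")
    for dll, regs in sorted(loaded_dlls(entries).items()):
        print("  ", dll, "<-", ", ".join(f"{k}:{n or '?'}" for k, n in regs))
    print("DLLs in user-writable locations:")
    for e in user_writable(entries):
        print("  ", e["kind"], e["clsid"], e["path"])


if __name__ == "__main__":
    report(SAMPLE_HJT + CONSTRUCTED_EXTRA)
```

    On the posted log this lists three orphaned CLSIDs and shows gcSrcAs.dll registered twice (as a URL search hook and as a BHO); the user-writable check fires only for the constructed line. Orphaned entries are leftovers rather than running code, which is why a helper treats them as cleanup items, not evidence of an active infection.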
  24. LiquidPaper

    LiquidPaper Newcomer, in training Topic Starter Posts: 49

    DDS logs: Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/20/2008 4:09:58 PM
    System Uptime: 1/10/2012 7:17:40 PM (0 hours ago)
    .
    Motherboard: ECS | | Nettle3
    Processor: AMD Phenom(tm) 9500 Quad-Core Processor | Socket AM2 | 1100/201mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 326 GiB total, 235.389 GiB free.
    D: is FIXED (NTFS) - 9 GiB total, 1.255 GiB free.
    E: is FIXED (NTFS) - 335 GiB total, 334.832 GiB free.
    F: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    K: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    32 Bit HP CIO Components Installer
    6400_Help
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.4.6
    Bing Bar
    Bing Rewards Client Installer
    bpd_scan
    BPDSoftware
    BPDSoftware_Ini
    BufferChm
    Cards_Calendar_OrderGift_DoMorePlugout
    Compatibility Pack for the 2007 Office system
    CustomerResearchQFolder
    CyberLink DVD Suite Deluxe
    Delivery Manager
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    Document Downloader
    Download Manager
    Enhanced Multimedia Keyboard Solution
    eSupportQFolder
    Fax
    Formatta Filler 7.0
    Google Toolbar for Internet Explorer
    Google Update Helper
    GPBaseService
    GPBaseService2
    Hardware Diagnostic Tools
    Hewlett-Packard Active Check
    Hewlett-Packard Asset Agent for Health Check
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Customer Experience Enhancements
    HP Customer Feedback
    HP Customer Participation Program 10.0
    HP Easy Setup - Frontend
    HP Imaging Device Functions 10.0
    HP Officejet J6400 Series
    HP On-Screen Cap/Num/Scroll Lock Indicator
    HP Photosmart Essential 2.5
    HP Picasso Media Center Add-In
    HP Smart Web Printing 4.60
    HP Solution Center 13.0
    HP Total Care Advisor
    HP Update
    HPPhotoSmartPhotobookWebPack1
    HPProductAssistant
    HPSSupply
    HughesNetTools
    J6400
    Java Auto Updater
    Java(TM) 6 Update 26
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    LabelPrint
    LightScribe System Software 1.10.23.1
    LightScribeTemplateLabeler
    LogMeIn
    Malwarebytes Anti-Malware version 1.60.0.1800
    MarketResearch
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 60 day trial
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Standard 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft UI Engine
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    MSVCSetup
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    muvee autoProducer 6.1
    My HP Games
    NVIDIA Drivers
    OCR Software by I.R.I.S. 10.0
    OGA Notifier 2.0.0048.0
    Power2Go
    PowerDirector
    ProductContext
    PSSWCORE
    Python 2.5
    QuickBooks
    QuickBooks Pro 2009
    Realtek High Definition Audio Driver
    Scan
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Shop for HP Supplies
    Smart Defrag 2
    SmartWebPrinting
    Snapfish Picture Mover
    Soft Data Fax Modem with SmartCP
    SolutionCenter
    Status
    StreetSmart Pro
    SupportSoft Assisted Service
    Toolbox
    TrayApp
    Trend Micro Internet Security
    Trojan Killer 2.1
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2596560)
    VideoToolkit01
    WeatherBug Gadget
    WebReg
    Yahoo! Detect
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/7/2012 8:22:40 AM, Error: Service Control Manager [7031] - The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    1/7/2012 12:47:05 PM, Error: netbt [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.102. The computer with the IP address 192.168.1.115 did not allow the name to be claimed by this computer.
    1/7/2012 12:39:10 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    1/7/2012 12:39:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    1/7/2012 12:39:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/7/2012 12:38:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    1/7/2012 12:38:45 PM, Error: EventLog [6008] - The previous system shutdown at 12:36:46 PM on 1/7/2012 was unexpected.
    1/7/2012 10:39:40 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi spldr tmtdi Wanarpv6
    1/7/2012 10:39:40 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    1/6/2012 9:38:44 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the QBCFMonitorService service to connect.
    1/5/2012 7:50:54 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user user-PC\user SID (S-1-5-21-419807706-895616609-190428675-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    1/5/2012 7:46:15 PM, Error: EventLog [6008] - The previous system shutdown at 6:49:59 PM on 1/5/2012 was unexpected.
    1/5/2012 6:36:05 PM, Error: EventLog [6008] - The previous system shutdown at 5:41:29 PM on 1/5/2012 was unexpected.
    1/5/2012 5:29:36 PM, Error: EventLog [6008] - The previous system shutdown at 5:27:23 PM on 1/5/2012 was unexpected.
    1/10/2012 7:19:50 PM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    1/10/2012 7:18:03 PM, Error: EventLog [6008] - The previous system shutdown at 7:15:21 PM on 1/10/2012 was unexpected.
    1/10/2012 7:14:39 PM, Error: nvstor32 [5] - A parity error was detected on \Device\RaidPort0.
    1/10/2012 3:23:47 PM, Error: netbt [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.102. The computer with the IP address 192.168.1.147 did not allow the name to be claimed by this computer.
    .
    ==== End Of File ===========================
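As an added example (not from this thread and not part of DDS, aswMBR or any other tool named here), a small Python triage script that parses Event Viewer lines in the DDS format shown above and pulls out the entries a malware helper reads first: the antivirus service terminating (event 7031), security drivers failing to load at boot (7026) and unexpected shutdowns (6008). The sample lines are constructed copies in that format, and the asw/tm driver-name prefixes are an assumption based on the avast! and Trend Micro products present on this machine.

```python
import re

# Constructed sample in the DDS "Event Viewer Messages" line format,
# embedded here so the example runs offline.
SAMPLE_LOG = """\
1/7/2012 8:22:40 AM, Error: Service Control Manager [7031] - The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
1/7/2012 12:38:45 PM, Error: EventLog [6008] - The previous system shutdown at 12:36:46 PM on 1/7/2012 was unexpected.
1/7/2012 10:39:40 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi spldr tmtdi Wanarpv6
1/10/2012 7:14:39 PM, Error: nvstor32 [5] - A parity error was detected on \\Device\\RaidPort0.
"""

# "<date> <time> AM/PM, <level>: <source> [<event id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)

# Assumed driver-name prefixes: avast! drivers start with "asw", Trend Micro's with "tm".
AV_DRIVER_PREFIXES = ("asw", "tm")


def parse_events(text):
    """Parse DDS Event Viewer lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["event_id"] = int(event["event_id"])
            events.append(event)
    return events


def triage(events):
    """Collect the findings a helper looks for: AV service death, AV drivers not
    loading at boot, and the number of unexpected shutdowns."""
    findings = {"av_service_terminated": [], "av_drivers_failed": [], "unexpected_shutdowns": 0}
    for e in events:
        msg = e["msg"]
        if e["event_id"] == 7031 and "antivirus" in msg.lower():
            svc = re.match(r"The (.+?) service terminated", msg)
            findings["av_service_terminated"].append(svc.group(1) if svc else msg)
        elif e["event_id"] == 7026 and "failed to load:" in msg:
            drivers = msg.split("failed to load:", 1)[1].split()
            findings["av_drivers_failed"].extend(
                d for d in drivers if d.lower().startswith(AV_DRIVER_PREFIXES))
        elif e["event_id"] == 6008:
            findings["unexpected_shutdowns"] += 1
    return findings


if __name__ == "__main__":
    print(triage(parse_events(SAMPLE_LOG)))
```

Running it on the full "Event Viewer Messages" section of a DDS log gives the same summary a helper assembles by hand, which is what makes the repeated 6008 entries and the failed asw* drivers stand out.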
  25. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===========================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

