[Closed- Porn] Trojan removal help

Status
Not open for further replies.

rcboosted

I downloaded a screen saver disguised as a jpg and ran it by accident. virustotal.com says it's a trojan, although their site is down, so I don't have the exact name. But the trojan has an .exe file called bsp_06.exe that runs during start up. According to virustotal.com only drweb detected it. So I downloaded Dr.Web 7.0 for PC and ran an express scan; it found nothing. I then downloaded cureit.exe from drweb and ran it under safe mode. It cleaned out a bunch of files, but upon reboot to normal Windows, I saw 3 command prompts running bsp_06.exe during start up. Remembering that I had used combofix.exe as recommended here 2 years ago, I found it still sitting on my desktop. I ran it, combofix.exe updated itself and said Volsnap.sys is infected, and it did a bunch of clean up, rebooted my box. After the reboot, I ran combofix.exe again, it still says c:\windows\system32\Drivers\Volsnap.sys is infected, but the 2nd time it did very little clean up.

How can I make sure I'm trojan-free and/or virus/spyware/worm-free?
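The download in the original post is the classic disguise: a screen saver is a .scr file, which is an ordinary PE executable, and Windows hides known extensions by default, so "picture.jpg.scr" is shown as "picture.jpg". An added Python example (not code from the thread) that decides what a file is from its leading bytes rather than its name, and flags the double-extension case; the sample files are constructed in memory and the magic numbers are the standard documented ones.

```python
import os

# Well-known leading bytes (magic numbers) for the formats this check cares about.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"MZ": "pe-executable",  # .exe, .scr, .dll and .sys all start with the DOS "MZ" header
}
# Extensions Windows runs as programs; .scr (screen saver) is what the thread's download was.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def sniff(data: bytes) -> str:
    """Classify content by its first bytes; 'unknown' if no known magic matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess(filename: str, data: bytes) -> dict:
    """Compare what the file name claims with what the bytes actually are."""
    name = filename.lower()
    stem, last_ext = os.path.splitext(name)      # "holiday.jpg.scr" -> ("holiday.jpg", ".scr")
    _, inner_ext = os.path.splitext(stem)        # -> ".jpg": the extension the user sees
    content = sniff(data)
    findings = []
    if content == "pe-executable" and last_ext in IMAGE_EXTS:
        findings.append("executable bytes under an image extension")
    if last_ext in EXECUTABLE_EXTS and inner_ext in IMAGE_EXTS:
        findings.append("double extension: looks like an image once Windows hides the real extension")
    return {"file": filename, "claimed": last_ext, "content": content,
            "findings": findings, "suspicious": bool(findings)}


def assess_file(path: str) -> dict:
    """Same check against a file on disk; only the first 16 bytes are needed."""
    with open(path, "rb") as f:
        return assess(os.path.basename(path), f.read(16))


# Constructed samples: a genuine JPEG start, PE bytes renamed to .jpg, and a
# screen saver carrying an image-looking name.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "holiday2.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",
    "holiday.jpg.scr": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",
}


def scan_samples() -> dict:
    return {name: assess(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(name, result["content"], result["findings"])
```

The magic-number check is deliberately narrow: a PE header under an image name is a strong signal, but an "unknown" result says nothing either way, and a real image with a harmless name is never flagged.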
 
Okay, let's remove your random attempts to clean the system. I note that Broni had you run the OTL Cleanup in 2010. I don't think that removes Combofix and it should have been removed- and you shouldn't be using it without a helper instructing you.

To start: Uninstall directions:
Click START> then RUN> type Combofix /Uninstall in the runbox > click OK. Note the space between the X and the U, it needs to be there.
[Image: CF_Uninstall-1.jpg]


Uninstall Dr.Web and CureIt. Be sure they aren't running on startup. Reboot the computer when finished.

Don't run any scans or clean up programs other than those I instruct you to do.

---------------------------------------------------
Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
==================================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
      • Don't follow directions given to someone else
      • Don't use any other cleaning programs or scans while I'm helping you.
      • Don't use a Registry cleaner or make any changes in the Registry.
      • Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
 
Thank you for the reply. I have uninstalled CureIt, Dr.Web, ComboFix, and Malwarebytes. Downloaded and installed the Malwarebytes version specified in the 5 steps thread, updated it, and ran a quick scan. Nothing was found. The log is on the other PC, which is running a scan with GMER; I will attach the log later. Question regarding GMER. The instruction said a quick scan would be run on start up of GMER, but I didn't see a quick scan. Unless the 3 seconds it took to list out the few items in the list was the quick scan? I wasn't sure, so I clicked on the Scan button and it is taking a really long time to scan at the moment. Please advise. Also, I have 3 drives, only C:\ is checked, should all 3 be checked?
 
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.19.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
rcboosted :: I5-750 [administrator]

5/19/2012 12:42:44 PM
mbam-log-2012-05-19 (12-42-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201774
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-19 18:59:51
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST3500320AS rev.SD1A
Running: 7d1c78py.exe; Driver: C:\DOCUME~1\rcboosted\LOCALS~1\Temp\kwtdrpoc.sys


---- System - GMER 1.0.15 ----

SSDT E1C39B08 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6936380, 0x5414D5, 0xE8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B2141450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B2141450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B2141450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B2141450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [B2141450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B2141450] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c9b4d9
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c9b4d9@001f200a30a7 0x16 0xB9 0x5A 0x67 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000272c9b4d9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000272c9b4d9@001f200a30a7 0x16 0xB9 0x5A 0x67 ...

---- EOF - GMER 1.0.15 ----
 
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by rcboosted at 19:05:53 on 2012-05-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2198 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Pogoplug\HBPLUG\HBADMIN.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synology\Assistant\UsbClientService.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WTClient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Pogoplug] "c:\program files\pogoplug\PogoplugMonitor.exe"
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [ASUS Update Checker] c:\program files\asus\asusupdate\updatechecker\UpdateChecker.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QFan Help] "c:\program files\asus\ai suite\qfan3\QFanHelp.exe"
mRun: [Cpu Level Up help] "c:\program files\asus\ai suite\CpuLevelUpHelp.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MPlayerForWindows_UpdateReminder] "c:\program files\mplayer for windows\AutoUpdate.exe" /L=1033 /TASK
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [WTClient] WTClient.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\documents and settings\rcboosted\start menu\programs\startup\hosts.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
TCP: Interfaces\{B4309C5F-C7E9-4B11-A357-B2031DEF8307} : NameServer = 192.168.1.1
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-1-1 11448]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 AsSysCtrlService;ASUS System Control Service;c:\program files\asus\assysctrlservice\1.00.02\AsSysCtrlService.exe [2010-1-1 90112]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]
R2 DokanCEDriver;DokanCEDriver;c:\program files\pogoplug\dokance.sys [2012-1-30 54592]
R2 HBAdmin;HBAdmin;c:\program files\pogoplug\hbplug\hbadmin.exe [2012-1-30 738112]
R2 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-4-16 689416]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]
R2 UsbClientService;UsbClientService;c:\program files\synology\assistant\UsbClientService.exe [2011-2-17 245760]
R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
R3 busenum;Synology Virtual USB Hub;c:\windows\system32\drivers\busenum.sys [2011-2-17 46304]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-6 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-6 1393144]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-1-1 1381632]
R3 xcetap0;XCETAP0 Adapter;c:\windows\system32\drivers\xcetap0.sys [2011-11-3 34624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-1-23 10384]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2010-11-13 30312]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]
S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-4-16 894216]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2010-11-13 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2010-11-13 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2010-11-13 121576]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-05-19 19:42:17 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-19 05:50:05 -------- d-sh--w- C:\DrWeb Quarantine
2012-05-19 03:15:02 -------- d-----w- C:\username123
2012-05-18 06:27:57 -------- d-----w- c:\documents and settings\rcboosted\Doctor Web
2012-05-18 06:26:44 -------- d-----w- c:\program files\common files\Doctor Web
2012-05-18 06:26:14 -------- d-----w- c:\program files\DrWeb
2012-05-18 06:26:14 -------- d-----w- c:\documents and settings\all users\application data\Doctor Web
2012-05-13 19:36:55 -------- d-----w- C:\Ascot Hills Park
2012-05-01 02:45:11 -------- d-----w- c:\documents and settings\rcboosted\application data\.purple
2012-05-01 02:40:15 -------- d-----w- c:\program files\Pidgin
2012-04-22 23:04:43 -------- d-----w- C:\Python27
2012-04-22 21:58:56 -------- d-----w- c:\documents and settings\rcboosted\application data\Arduino
.
==================== Find3M ====================
.
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-18 20:52:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
2012-02-21 07:12:15 72520 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2012-02-21 07:12:15 206144 ----a-w- c:\windows\system32\ftd2xx.dll
2012-02-21 07:12:15 197952 ----a-w- c:\windows\system32\FTLang.dll
.
============= FINISH: 19:06:05.95 ===============
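Reading the GMER and DDS output above by hand is the work the helper does next; the two questions are "which module owns these hooks, and is it a product I recognise?" and "which autostart entries deserve a second look?". An added Python example, not part of the thread and not a feature of GMER or DDS, that does a first triage pass over a subset of lines copied from the two logs. The flags (bare file names in Run keys, scripts in a Startup folder, orphan BHOs, SSDT hooks with no owning module named) are my own heuristics for what to inspect first, not verdicts.

```python
import re
from collections import defaultdict

# Sample lines copied (a subset) from the GMER and DDS logs pasted in this thread.
GMER_SAMPLE = r"""
SSDT E1C39B08 ZwConnectPort
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B2141560] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B21412D0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B21416A0] \??\C:\WINDOWS\system32\vsdatant.sys (TrueVector Device Driver/Zone Labs LLC)
"""
DDS_SAMPLE = r"""
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [WTClient] WTClient.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
StartupFolder: c:\documents and settings\rcboosted\start menu\programs\startup\hosts.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
"""

IAT_RE = re.compile(r"^IAT (\S+)\[(\S+)!(\w+)\] \[([0-9A-Fa-f]+)\] (\S+)(?: \((.*)\))?$")
SSDT_RE = re.compile(r"^SSDT ([0-9A-Fa-f]+) (\w+)(?: (.*))?$")
RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[(.*?)\] (.*)$")
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|cpl|dll|bat|cmd))"?(?:\s+(.*))?$', re.I)
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js")
BARE = "bare file name, resolved through the search path"


def parse_gmer(text):
    """Group IAT hooks by the module that owns the hook code; collect SSDT hooks."""
    iat = defaultdict(lambda: {"vendor": None, "hooks": []})
    ssdt = []
    for line in text.splitlines():
        m = IAT_RE.match(line)
        if m:
            victim, lib, func, _addr, module, desc = m.groups()
            iat[module]["vendor"] = desc  # GMER's "(description/company)" text for the module
            iat[module]["hooks"].append((victim, f"{lib}!{func}"))
            continue
        m = SSDT_RE.match(line)
        if m:
            addr, func, module = m.groups()
            ssdt.append({"addr": addr, "function": func, "module": module})
    return {"iat": dict(iat), "ssdt": ssdt}


def hook_summary(parsed):
    """Many hooks owned by one module with a product/company string are explained by that
    product; SSDT hooks GMER did not attribute to a module are the ones to follow up."""
    return {
        "iat": [(mod, info["vendor"], len(info["hooks"])) for mod, info in parsed["iat"].items()],
        "unattributed_ssdt": [h["function"] for h in parsed["ssdt"] if not h["module"]],
    }


def split_command(cmd):
    """(executable, arguments) for a Run-key command; handles quotes and unquoted paths with spaces."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1), (m.group(2) or "")
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage_dds(text):
    """One record per autostart entry with heuristic flags (things to look at, not verdicts)."""
    out = []
    for line in text.splitlines():
        flags = []
        m = RUN_RE.match(line)
        if m:
            key, name, cmd = m.groups()
            exe, rest = split_command(cmd)
            target = exe
            if exe.lower() in ("rundll32", "rundll32.exe"):
                target = rest.split(",", 1)[0].strip().strip('"')  # the DLL is what really runs
            if "\\" not in target:
                flags.append(BARE)
            out.append({"entry": f"{key} [{name}]", "target": target, "flags": flags})
        elif line.startswith("StartupFolder: "):
            item = line[len("StartupFolder: "):]
            target = item.split(" - ", 1)[1] if " - " in item else item  # .lnk lines list their target
            low = target.lower()
            if low.endswith(SCRIPT_EXTS):
                flags.append("script in Startup folder")
            if re.search(r"\\documents and settings\\(?!all users)", low):
                flags.append("lives in a user profile directory")
            out.append({"entry": "StartupFolder", "target": target, "flags": flags})
        elif line.startswith("BHO: "):
            target = line.rsplit(" - ", 1)[1]
            if target == "No File":
                flags.append("orphan BHO: CLSID registered but no file on disk")
            out.append({"entry": line[5:], "target": target, "flags": flags})
    return out


def flagged(text):
    """Only the entries worth a second look, in log order."""
    return [r for r in triage_dds(text) if r["flags"]]


if __name__ == "__main__":
    for mod, vendor, n in hook_summary(parse_gmer(GMER_SAMPLE))["iat"]:
        print(f"IAT: {n} hooked import(s) owned by {mod} ({vendor})")
    for r in flagged(DDS_SAMPLE):
        print(r["entry"], "->", r["target"], "|", "; ".join(r["flags"]))
```

On the thread's full GMER log every IAT hook resolves to the same signed ZoneAlarm driver, which is why a helper reads them as one product rather than 27 separate findings; the SSDT line names no owning module, so it is the one entry the summary leaves open. The DDS flags are starting points: the bare-name Run entries and bthprops.cpl are ordinary on XP, and what makes hosts.bat interesting is only that it is a script the user account can rewrite, sitting where Windows runs it at every logon.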
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/1/2010 12:40:45 AM
System Uptime: 5/19/2012 12:37:48 PM (7 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P7P55D EVO
Processor: Intel(R) Core(TM) i5 CPU 750 @ 2.67GHz | LGA1156 | 2675/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 123.111 GiB free.
D: is FIXED (NTFS) - 112 GiB total, 9.943 GiB free.
E: is FIXED (NTFS) - 112 GiB total, 35.933 GiB free.
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable
Z: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek PCIe GBE Family Controller
Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_83A31043&REV_03\4&3B3118C8&0&00E7
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek PCIe GBE Family Controller
PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_83A31043&REV_03\4&3B3118C8&0&00E7
Service: RTLE8023xp
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8167&SUBSYS_820D1043&REV_10\4&34079B1D&0&20F0
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8169/8110 Family Gigabit Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8167&SUBSYS_820D1043&REV_10\4&34079B1D&0&20F0
Service: RTL8023xp
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
µTorrent
ACDSee Classic
ACDSee Pro 3
Adobe AIR
Adobe Community Help
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Media Player
Adobe Photoshop CS5
Adobe Photoshop Lightroom 2.7
Adobe Reader X (10.1.3)
AI Suite
ASUSUpdate
Avidemux 2.5
Bing Maps 3D
Blender
CamStudio
Canon Camera Access Library
Canon Camera Support Core Library
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Codec
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.7
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities WFT-E1/E2/E3/E4 Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Castle Link
CCleaner (remove only)
CDDRV_Installer
Cisco Systems VPN Client 5.0.02.0090
Combined Community Codec Pack 2008-05-17
CoreAVC Professional Edition
CrystalDiskMark 3.0.1b
DIRECTV Player
DVR Client
Dynamic-Photo HDR 4.5
erLT
Foxit Reader
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP USB Disk Storage Format Tool
Intel(R) Solid-State Drive Toolbox
Java Auto Updater
Java(TM) 6 Update 27
JMicron JMB36X Driver
KhalInstallWrapper
League of Legends
LiveUpdate 2.0 (Symantec Corporation)
Logitech SetPoint
Malwarebytes Anti-Malware version 1.61.0.1400
ManyCam 2.4 (remove only)
MC-300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
MPlayer for Windows (Full Package)
Nero 8 Micro 8.3.2.1b
NewsLeecher v3.8 Final
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OpenOffice.org 3.2
OpenSCAD (remove only)
Opera 11.64
Pando Media Booster
PDF Settings CS5
PerfectDisk 2008 Professional
Photomatix Pro version 3.2.7
Pidgin
Platform
Pogoplug
Python 2.6 pyserial-2.5
Python 2.6.5
Python 2.7 pyreadline-1.7.1
Python 2.7 pyserial-2.5
Python 2.7.2
QuickPar 0.9
R/C Data Recorder (BETA Version)
ratDVD 0.78.1444
REALTEK GbE & FE Ethernet PCI-E NIC Driver
SAMSUNG USB Driver for Mobile Phones
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB2618444)
Security Update for Windows Internet Explorer 7 (KB2647516)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Spybot - Search & Destroy
StarCraft II
Symantec AntiVirus
SyncBack
Synology Assistant (remove only)
The KMPlayer
Unlocker 1.8.7
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Platform Device Manager
VLC media player 1.0.3
Winamp
Windows Internet Explorer 8
Windows Live Mail
Windows Live Messenger
Windows Live Safety Scanner
WinRAR archiver
wxPython 2.8.12.0 (unicode) for Python 2.7
x264vfw - H.264/MPEG-4 AVC codec (remove only)
XML Paper Specification Shared Components Pack 1.0
Your Uninstaller! 2008 Version 6.0
ZScreen 3.27.0.0
.
==== Event Viewer Messages From Past Week ========
.
5/18/2012 8:19:10 PM, error: Service Control Manager [7031] - The UsbClientService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 200 milliseconds: Restart the service.
5/18/2012 8:15:01 PM, error: Service Control Manager [7034] - The WinTab Service service terminated unexpectedly. It has done this 1 time(s).
5/18/2012 12:35:46 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
5/18/2012 12:35:45 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume D:.
5/18/2012 12:24:14 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/18/2012 12:24:01 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AsIO AsUpIO DrWebWfp Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SYMTDI Tcpip
5/18/2012 12:24:01 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/18/2012 12:24:01 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/18/2012 12:24:00 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/17/2012 11:47:20 PM, error: Service Control Manager [7000] - The wscsvc service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
5/17/2012 11:47:20 PM, error: Service Control Manager [7000] - The LBeepKE service failed to start due to the following error: A device attached to the system is not functioning.
5/17/2012 11:47:20 PM, error: Service Control Manager [7000] - The helpsvc service failed to start due to the following error: The system cannot find the file specified.
5/17/2012 11:39:40 PM, error: Service Control Manager [7034] - The DokanCEMounter service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
 
I don't know what you put into Virus Total to have it bring up Dr. Web. You also just left bsp_06.exe which is not a proper entry. What was the path? So for now, we are going to ignore the Virustotal/Dr.Web, et al. findings and work with what I have you run.

For the first part you need to run Error Checking (CHKDSK) on 2 of the drives per the following:
5/18/2012 12:35:46 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
5/18/2012 12:35:45 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume D:.

It will be set at the C Drive, so you will need to run it twice- setting for E and then D.
If you have not run the Error Check on these drives, it may take a while. Let it finish. The system will reboot when through.
--------------------------------------
Where to set Error Checking up
You can do the Error Check from Command Prompt:
Using the Command Prompt should have been this: Start> Run> type in cmd> type in Chkdsk /f/r followed by a reboot. Chkdsk will start in a few seconds

Or Windows Explorer:
Right click on Start> Explore> My Computer> Right click on Local Drive (usually C)> Properties> Tools> Error Check> check both boxes on the screen that comes up> Apply> Close the message and reboot for the Error Checking to start.

The choices in Error Checking:
  1. CHKDSK or Error Check alone will only scan the current drive but will not fix errors on the disc or attempt to recover bad sectors. Using Start or Enter begins the process without a reboot.
  2. Volume: Specifies the drive letter other than the Local Drive (followed by a colon), mount point, or volume name. To have the checking use a different drive, the Command Chkdsk is followed by the drive letter, then a colon such as chkdsk volume E:
  3. File Errors can be found and fixed using the switch /F The nag message that comes up can be closed and the system rebooted to start the checking.
  4. Recovery of readable information in bad sectors can be done by using the switch /R This implies that the /F switch has also been used. Locates bad sectors and recovers readable information (implies /F). The nag message that comes up can be closed and the system rebooted to start the checking.

(Please note: this is not meant to include all of the options available for Error Checking- just the appropriate options here)
================================================
When you have completed checking both drives, please go on to the following:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------

  • Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
    • Double click combofix.exe (icon: cf-icon.jpg) and follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close any open browsers.
  • Before you run the Combofix scan, please disable any security software you have running.
    (If you need help with this, please see HERE)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.

Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
===================================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
    (screenshot: esetonlinescannersettings_thumb.jpg)
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
==================================================
Please tell me what is being done here: StartupFolder: c:\documents and settings\rcboosted\start menu\programs\startup\hosts.bat

Please leave the Combofix and Eset scan logs in your next reply.
 
D:\ and E:\ were checked last time when I ran combofix before posting here. But I checked again with surface scan etc. all checked. Here's combofix's log; running Eset right now...

ComboFix 12-05-20.10 - rcboosted 05/20/2012 21:44:46.11.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2194 [GMT -7:00]
Running from: c:\documents and settings\rcboosted\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-21 to 2012-05-21 )))))))))))))))))))))))))))))))
.
.
2012-05-19 19:42 . 2012-04-04 22:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-19 05:50 . 2012-05-19 05:50 -------- d-sh--w- C:\DrWeb Quarantine
2012-05-19 03:15 . 2012-05-19 03:15 -------- d-----w- C:\username123
2012-05-18 06:27 . 2012-05-19 03:07 -------- d-----w- c:\documents and settings\rcboosted\Doctor Web
2012-05-18 06:26 . 2012-05-18 06:26 -------- d-----w- c:\program files\Common Files\Doctor Web
2012-05-18 06:26 . 2012-05-19 05:55 -------- d-----w- c:\program files\DrWeb
2012-05-18 06:26 . 2012-05-19 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
2012-05-13 19:36 . 2012-05-13 19:43 -------- d-----w- C:\Ascot Hills Park
2012-05-01 02:45 . 2012-05-18 06:43 -------- d-----w- c:\documents and settings\rcboosted\Application Data\.purple
2012-05-01 02:40 . 2012-05-01 02:40 -------- d-----w- c:\program files\Pidgin
2012-04-22 23:04 . 2012-04-22 23:09 -------- d-----w- C:\Python27
2012-04-22 21:58 . 2012-04-22 21:58 -------- d-----w- c:\documents and settings\rcboosted\Application Data\Arduino
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-11 13:14 . 2008-04-13 22:54 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2008-04-13 23:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2008-04-13 19:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-18 20:52 . 2011-09-18 14:29 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-13 02:53 . 2012-03-13 02:53 63080 ----a-r- c:\documents and settings\rcboosted\Application Data\Microsoft\Installer\{5F3783B7-F809-45A7-8A92-A44B441FDA7C}\ARPPRODUCTICON.exe
2012-03-01 11:01 . 2008-06-05 01:36 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-06-05 01:35 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2008-06-05 01:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-14 03:42 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 03:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-06-05 01:35 385024 ------w- c:\windows\system32\html.iec
2012-02-21 07:12 . 2012-02-21 07:12 72520 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2012-02-21 07:12 . 2012-02-21 07:12 206144 ----a-w- c:\windows\system32\ftd2xx.dll
2012-02-21 07:12 . 2012-02-21 07:12 197952 ----a-w- c:\windows\system32\FTLang.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"Pogoplug"="c:\program files\Pogoplug\PogoplugMonitor.exe" [2012-01-31 234304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2010-01-01 33636352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"ASUS Update Checker"="c:\program files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe" [2008-12-11 114688]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-03-01 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"QFan Help"="c:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2009-08-20 603136]
"Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2009-08-21 887936]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"MPlayerForWindows_UpdateReminder"="c:\program files\MPlayer for Windows\AutoUpdate.exe" [2010-02-06 254376]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"WTClient"="WTClient.exe" [2009-10-30 32768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\rcboosted\Start Menu\Programs\Startup\
hosts.bat [2010-10-18 84]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-1-23 813584]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2010-11-14 6144]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 20:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Pogoplug\\HBPLUG\\HBPLUG.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57221:TCP"= 57221:TCP:pando Media Booster
"57221:UDP"= 57221:UDP:pando Media Booster
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
.
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [1/1/2010 2:44 AM 11448]
R2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [1/1/2010 4:36 PM 90112]
R2 DokanCEDriver;DokanCEDriver;c:\program files\Pogoplug\dokance.sys [1/30/2012 6:04 PM 54592]
R2 HBAdmin;HBAdmin;c:\program files\Pogoplug\HBPLUG\hbadmin.exe [1/30/2012 6:04 PM 738112]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [4/16/2008 2:00 PM 689416]
R2 UsbClientService;UsbClientService;c:\program files\Synology\Assistant\UsbClientService.exe [2/17/2011 11:18 PM 245760]
R3 busenum;Synology Virtual USB Hub;c:\windows\system32\drivers\busenum.sys [2/17/2011 11:20 PM 46304]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 3:06 AM 21632]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [1/1/2010 2:18 AM 1381632]
R3 xcetap0;XCETAP0 Adapter;c:\windows\system32\drivers\xcetap0.sys [11/3/2011 11:19 AM 34624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/23/2010 11:35 PM 10384]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [11/13/2010 12:04 AM 30312]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [4/16/2008 2:00 PM 894216]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 4:18 PM 169192]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [11/13/2010 12:04 AM 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [11/13/2010 12:04 AM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [11/13/2010 12:04 AM 121576]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-2000478354-682003330-1002Core.job
- c:\documents and settings\rcboosted\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-03 08:08]
.
2012-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-2000478354-682003330-1002UA.job
- c:\documents and settings\rcboosted\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-03 08:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: Interfaces\{B4309C5F-C7E9-4B11-A357-B2031DEF8307}: NameServer = 192.168.1.1
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-20 21:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1532)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(2968)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2012-05-20 21:50:13
ComboFix-quarantined-files.txt 2012-05-21 04:50
ComboFix2.txt 2012-05-19 07:11
.
Pre-Run: 131,721,080,832 bytes free
Post-Run: 131,701,743,616 bytes free
.
- - End Of File - - ACD3BA2999E274B2959770000898D2B4
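Editor's note: the script below is an added example for this thread, not part of ComboFix and not something the helper asked for. It shows how the "Reg Loading Points" block of a ComboFix log like the one above can be triaged mechanically: Run/RunOnce values are flagged when they carry no directory path (a bare name resolved through the search path, as with KHALMNPR.EXE and WTClient.exe above) or when they point under a user-writable profile directory, items in a per-user Startup folder are listed for review, and a disabled XP firewall is reported. The sample text is constructed from lines in the posted log; the "Updater" line pointing at an Application Data copy of bsp_06.exe is invented for the example, since the real path was never posted.

```python
"""Triage the autostart entries ComboFix prints under 'Reg Loading Points'.

Added example for this thread, not part of ComboFix or of the helper's
instructions. It parses Run/RunOnce values, Startup-folder items and the
firewall flag and returns the entries a helper would check first:
  NO_PATH        bare executable name, resolved through the search path
  USER_WRITABLE  executable lives under a user-writable profile directory
  STARTUP_FOLDER item in a per-user Startup folder (user-writable by design)
  FIREWALL_OFF   EnableFirewall is 0
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines in the shape ComboFix prints them. Most are copied
# from the log above; the "Updater" line is invented for the example, since the
# real path of bsp_06.exe was never posted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"WTClient"="WTClient.exe" [2009-10-30 32768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"Updater"="c:\documents and settings\rcboosted\Application Data\bsp_06.exe" [2012-05-18 12345]
.
c:\documents and settings\rcboosted\Start Menu\Programs\Startup\
hosts.bat [2010-10-18 84]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

RUN_KEY_RE = re.compile(r"^\[HK[^\]]*\\(?:Run|RunOnce)\]$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
STARTUP_DIR_RE = re.compile(r"^(?P<dir>[a-z]:\\.*\\startup\\)$", re.IGNORECASE)
STARTUP_ITEM_RE = re.compile(r"^(?P<file>.+?)(?:\s+-\s+(?P<target>.+?))?\s+\[(?P<meta>[^\]]*)\]$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b', re.IGNORECASE)

# Directories an unprivileged user can write to on XP; a loader that survives
# reboot is usually dropped somewhere in here.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")

Finding = Tuple[str, str, str]  # (flag, entry name, path or value)


def classify_run_value(path: str) -> Optional[str]:
    """Return a flag for a Run-key value, or None if nothing stands out."""
    lowered = path.lower()
    if "\\" not in lowered:
        return "NO_PATH"
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        return "USER_WRITABLE"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking which block we are in, and collect findings."""
    findings: List[Finding] = []
    section: Optional[str] = None   # "run", "startup" or None
    startup_dir = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == ".":                 # ComboFix separates blocks with a lone dot
            section = None
            continue
        if RUN_KEY_RE.match(line):
            section = "run"
            continue
        dir_match = STARTUP_DIR_RE.match(line)
        if dir_match:
            section, startup_dir = "startup", dir_match.group("dir")
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(("FIREWALL_OFF", "EnableFirewall", "0"))
            continue
        if section == "run":
            m = RUN_VALUE_RE.match(line)
            if m:
                flag = classify_run_value(m.group("path"))
                if flag:
                    findings.append((flag, m.group("name"), m.group("path")))
        elif section == "startup":
            m = STARTUP_ITEM_RE.match(line)
            if m:
                # .lnk items print their target after " - "; plain files do not
                target = m.group("target") or startup_dir + m.group("file")
                findings.append(("STARTUP_FOLDER", m.group("file"), target))
    return findings


if __name__ == "__main__":
    for flag, name, where in triage(SAMPLE_LOG):
        print(f"{flag:15} {name!r:45} {where}")
```

A NO_PATH hit is not malware by itself; it means the log does not tell you where the binary actually lives, which is exactly the question the helper keeps asking about bsp_06.exe, so it is the first thing to pin down on the machine.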
 
Oh btw, the bsp_06.exe was what I saw running during start up, I don't have the path. The actual screen saver was scanned by virustotal as a trojan. It listed as a Trojan.DownLoader5.3395 by DrWeb.

Just a FYI, this is what DrWeb says about it.

Edit: Unrequested Dr. Web log deleted by Bobbye
 
Result of the ESETScan. The Android stuff is my root kit for the phone.

C:\Android\one.click.root.exploitv2.4.0.zip Android/Exploit.RageCage.A trojan
C:\Android\one.click.root.exploitv2.5.5.zip Android/Exploit.RageCage.A trojan
C:\Android\em\OneClickRootCWM3.0.2.5-EC05.zip Android/Exploit.RageCage.A trojan
C:\Android\Epic uSD backup 2.22.2011\download\one.click.clockworkmod2.5.1.0-flasher-fixed.zip Android/Exploit.RageCage.A trojan
C:\Documents and Settings\rcboosted\DoctorWeb\Quarantine\A0000121.exe a variant of Win32/Injector.FUH trojan
C:\Documents and Settings\rcboosted\DoctorWeb\Quarantine\Stargate SG 1 Atlantis Mega Pack rar [ttf,cur,jpg gif,wsz,wal exe].exe a variant of Win32/Injector.FUH trojan


=======================

regarding StartupFolder: c:\documents and settings\rcboosted\start menu\programs\startup\hosts.bat

I had some legit programs that made changes to my hosts file, but I have custom hosts I put in manually, so I made a separate copy and used that batch file to copy over the current one on start up. It's harmless and it is done by me.

Also, note that the original screen saver trojan file is still on the HD, neither combofix nor ESETScan found it as a threat.

I'm also noticing some new spam emails I have not seen before this happened in my Yahoo mail boxes (2 accounts).
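Editor's note: the poster explains above that hosts.bat copies a hand-maintained hosts file over the live one at every boot. The script below is an added example, not the poster's batch file and not part of any tool in this thread: it is the check a helper would want alongside such a setup, diffing the live hosts file against the owner's baseline copy and classifying every entry the baseline does not contain (an override of a name that must stay reachable, a redirect to a non-local address, or a merely new blackhole entry). All hostnames, addresses and the MUST_REACH list are constructed for the example.

```python
"""Check a hosts file against the owner's known-good copy.

Added example for this thread, not the poster's hosts.bat and not part of any
tool mentioned here. The batch file described above restores a hand-maintained
hosts file at every boot; this script is the companion check: it diffs the live
file against the baseline and classifies every entry the baseline lacks.
Hostnames, addresses and the MUST_REACH list below are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

# Address ranges a hosts file legitimately points names at: loopback, the
# 0.0.0.0 "blackhole" used by ad-blocking lists, and LAN/link-local ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed baseline: what the owner's hand-maintained copy might hold.
BASELINE_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     ads.example.com        # blocklist entry kept on purpose
"""

# Constructed live file: the baseline plus three entries the owner did not add.
# 198.51.100.7 is an RFC 5737 documentation address standing in for a public IP.
LIVE_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     ads.example.com
127.0.0.1   update.security-vendor.example   # blocks an update channel
198.51.100.7 bank.example.com               # sends a site elsewhere
0.0.0.0     tracker.example.net             # harmless-looking new blackhole
"""

# Names that must never be overridden on this machine (assumed list).
MUST_REACH = ("update.security-vendor.example",)

Entry = Tuple[int, str, str]            # (line number, address, hostname)
Finding = Tuple[str, int, str, str]     # (kind, line number, address, hostname)
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_hosts(text: str) -> List[Entry]:
    """Return (line, ip, name) for every name on every non-comment line."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:                   # one line may list several names
            entries.append((lineno, parts[0], name.lower()))
    return entries


def is_local(addr: Address) -> bool:
    # 'in' on a network of the other IP version simply returns False
    return any(addr in net for net in LOCAL_NETS)


def audit_hosts(live: str, baseline: str, must_reach: Iterable[str] = ()) -> List[Finding]:
    """Classify each live entry that the baseline does not contain."""
    known = {(ip, name) for _, ip, name in parse_hosts(baseline)}
    protected = {n.lower() for n in must_reach}
    findings: List[Finding] = []
    for lineno, ip, name in parse_hosts(live):
        if (ip, name) in known:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("MALFORMED", lineno, ip, name))
            continue
        if name in protected:
            kind = "SECURITY_DOMAIN_OVERRIDDEN"   # any override blocks or hijacks it
        elif not is_local(addr):
            kind = "REDIRECT_PUBLIC"              # name now resolves off-machine
        else:
            kind = "NEW_ENTRY"                    # local/blackhole, but not in baseline
        findings.append((kind, lineno, ip, name))
    return findings


if __name__ == "__main__":
    for kind, lineno, ip, name in audit_hosts(LIVE_HOSTS, BASELINE_HOSTS, MUST_REACH):
        print(f"line {lineno}: {kind} {ip} {name}")
```

Restoring the file at boot, as hosts.bat does, hides the symptom but not the cause: if anything keeps adding entries between reboots, the diff above is what shows it.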
 
Sorry- I have not been well and I'm very far behind.

I can only find 1 English speaking, safe site that identifies this entry as malware: %APPDATA%\bsp06.exe. This is a file created by the malware.
You also did not give me the path of the file. Where it is located can make the difference between legitimate file and malware.
http://www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader3.61672.html

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Files
    C:\Android\one.click.root.exploitv2.4.0.zip 
    C:\Android\one.click.root.exploitv2.5.5.zip 
    C:\Android\em\OneClickRootCWM3.0.2.5-EC05.zip 
    C:\Android\Epic uSD backup 2.22.2011\download\one.click.clockworkmod2.5.1.0-flasher-fixed.zip 
    C:\Documents and Settings\rcboosted\DoctorWeb\Quarantine\A0000121.exe 
    C:\Documents and Settings\rcboosted\DoctorWeb\Quarantine\Stargate SG 1 Atlantis Mega Pack rar [ttf,cur,jpg gif,wsz,wal exe].exe 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
--------------------------------------
It looks like the files above have already been handled by Dr. Web. Please contact Google regarding patches for their Android. There are quite a few of them.

the bsp_06.exe was what I saw running during start up, I don't have the path. The actual screen saver was scanned by virustotal as a trojan.

I need specifics.
=====================================================
I have uninstalled cureit, drweb, combofix, and malwarebytes. Downloaded and installed the malwarebytes version specified

2012-04-04 22:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
Actually, Mbam and Dr.Web were still on the system.
=====================================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::

Folder::
C:\DrWeb Quarantine
C:\username123
c:\documents and settings\rcboosted\Doctor Web
c:\program files\Common Files\Doctor Web
c:\program files\DrWeb
c:\documents and settings\All Users\Application Data\Doctor Web 
c:\documents and settings\rcboosted\Application Data\.purple
c:\documents and settings\rcboosted\Application Data\Arduino
DDS::
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
RegLock::
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
(picture: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
=====================================================
These are all directories that you set up?
C:\Ascot Hills Park
c:\program files\Pidgin
C:\Python27
 
Hope you're feeling better.

I will run these when I get home. However, the Android files should not be a threat. They were flagged as a threat, I think, because they use exploits of the mobile phone to root it. The following are what I'm referring to; can I omit them from the OTMoveIt3?

C:\Android\one.click.root.exploitv2.4.0.zip
C:\Android\one.click.root.exploitv2.5.5.zip
C:\Android\em\OneClickRootCWM3.0.2.5-EC05.zip
C:\Android\Epic uSD backup 2.22.2011\download\one.click.clockworkmod2.5.1.0-fl

=========================================

regarding:

The bsp_06.exe was what I saw running during startup; I don't have the path. The actual screen saver was scanned by virustotal as a trojan. I need specifics.

Before I posted here, I did the following:

So I ran the screen saver file from my download directory. It had a strange name with a fake .jpg extension. After it ran, it started to install things in the background. I then went to virustotal.com to scan that screen saver file, which Dr.Web reported as a trojan, the one I posted the specifics of before (now removed). After my own efforts to remove it with cureit, drweb and combofix (named username123.exe from a previous download), upon reboot I saw command prompts come up executing bsp_06.exe. I do not have the location of the file or where it executed from. As suggested by drweb, I then ran cureit.exe under safe mode, which seems to have removed bsp_06.exe; at least upon reboot, no command prompt came up executing bsp_06.exe.

Since then I have not seen bsp_06.exe. The original screen saver file is still sitting in my download directory. I hope this clears things up a bit.

=========================================


regarding combofix.exe, the following are installed by me and are still in use:

c:\documents and settings\rcboosted\Application Data\.purple
c:\documents and settings\rcboosted\Application Data\Arduino

Is combofix.exe just going to scan it? It won't remove it I hope.


=========================================

All those 3 directories were set up by me, Ascot Hills Park, pidgin, and Python27.
 
Do not run this script if these are valid processes being used:
c:\documents and settings\rcboosted\Application Data\.purple
c:\documents and settings\rcboosted\Application Data\Arduino

Is combofix.exe just going to scan it? It won't remove it I hope


They are set to be removed.
 
OTMoveit. I removed the entries for Android files.


All processes killed
========== FILES ==========
C:\Documents and Settings\rcboosted\DoctorWeb\Quarantine\A0000121.exe moved successfully.
File/Folder C:\Documents and Settings\rcboosted\DoctorWeb\Quarantine\Stargate SG 1 Atlantis Mega Pack rar [ttf,cur,jpg gif,wsz,wal exe].exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Opera cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: rcboosted
->Temp folder emptied: 1621816 bytes
->Temporary Internet Files folder emptied: 7653373 bytes
->Java cache emptied: 2177852 bytes
->Google Chrome cache emptied: 304483661 bytes
->Opera cache emptied: 22561099 bytes
->Flash cache emptied: 3511717 bytes

User: LocalService
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 270336 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 326.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 05252012_211742

Files moved on Reboot...

Registry entries deleted on Reboot...
 
ComboFix. I removed the entries for .purple and Arduino.


ComboFix 12-05-26.01 - rcboosted 05/25/2012 21:33:09.12.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2090 [GMT -7:00]
Running from: c:\documents and settings\rcboosted\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\rcboosted\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Doctor Web
c:\documents and settings\All Users\Application Data\Doctor Web\Logs\dwservice.log
c:\documents and settings\All Users\Application Data\Doctor Web\Logs\dwupdater.log
c:\documents and settings\All Users\Application Data\Doctor Web\Logs\netfilter.log
c:\documents and settings\All Users\Application Data\Doctor Web\Logs\spiderg3.log
c:\documents and settings\rcboosted\Doctor Web
c:\documents and settings\rcboosted\Doctor Web\dwscanner(3492).log
c:\documents and settings\rcboosted\Doctor Web\dwscanner(3992).log
c:\documents and settings\rcboosted\Doctor Web\dwscanner.log
C:\DrWeb Quarantine
c:\program files\Common Files\Doctor Web
c:\program files\DrWeb
c:\program files\DrWeb\drweboem.key
C:\username123
c:\username123\023.dat
c:\username123\023v.dat
c:\username123\023w7.dat
c:\username123\AppDataFile.cfx
c:\username123\AppDataFolder.cfx
c:\username123\appinit.bad
c:\username123\asp.str
c:\username123\Assoc.cmd
c:\username123\ATTRIB.cfxxe
c:\username123\Auto-RC.cmd
c:\username123\av.cmd
c:\username123\av.vbs
c:\username123\AWF.cmd
c:\username123\badclsid.c
c:\username123\Boot-Rk.cmd
c:\username123\Boot.bat
c:\username123\BootDrv.vbs
c:\username123\c.bat
c:\username123\c.mrk
c:\username123\Catch-sub.cmd
c:\username123\catchme.cfxxe
c:\username123\CCS.bat
c:\username123\CF-Script.cmd
c:\username123\CF25060.cfxxe
c:\username123\CFVersionOld
c:\username123\CHCP.bat
c:\username123\clsid.c
c:\username123\Combobatch.bat
c:\username123\ComboFix-Download.cfxxe
c:\username123\Create.cmd
c:\username123\Creg.dat
c:\username123\CregC.cmd
c:\username123\CregC.dat
c:\username123\CSCRIPT.cfxxe
c:\username123\CSet.cmd
c:\username123\dd.cfxxe
c:\username123\ddsDo.sed
c:\username123\DelClsid.bat
c:\username123\DelClsid64.bat
c:\username123\desktop.ini
c:\username123\DesktopFile.cfx
c:\username123\DPF.str
c:\username123\DrvRun.vbs
c:\username123\dumphive.cfxxe
c:\username123\embedded.sed
c:\username123\ERDNT.e_e
c:\username123\ERDNTDOS.LOC
c:\username123\ERDNTWIN.LOC
c:\username123\ERUNT.cfxxe
c:\username123\erunt.dat
c:\username123\ERUNT.LOC
c:\username123\Exe.reg
c:\username123\extract.cfxxe
c:\username123\FavoriteFolder.cfx
c:\username123\FavoritesFile.cfx
c:\username123\FD-SV.cmd
c:\username123\ffdefstr.dll
c:\username123\FileKill.cfxxe
c:\username123\files.pif
c:\username123\Fin.dat
c:\username123\FIND3M.bat
c:\username123\FIXLSP.bat
c:\username123\FKMGen.cmd
c:\username123\ForeignWht
c:\username123\GetHive.cmd
c:\username123\grep.cfxxe
c:\username123\gsar.cfxxe
c:\username123\handle.cfxxe
c:\username123\HDPEInfo.cfxxe
c:\username123\hidec.exe
c:\username123\history.bat
c:\username123\hwid.pif
c:\username123\iexplore.exe
c:\username123\image001.gif
c:\username123\Imefile.dat
c:\username123\Install-RC.cmd
c:\username123\katch.cmd
c:\username123\Kill-All.cmd
c:\username123\kmd.dat
c:\username123\Lang.bat
c:\username123\List-B.bat
c:\username123\List-C.bat
c:\username123\List-D.bat
c:\username123\List.bat
c:\username123\lnkread.vbs
c:\username123\LocalAppDataFile.cfx
c:\username123\LocalAppDataFolder.cfx
c:\username123\LocalService.dat
c:\username123\LocalServiceNetworkRestricted.dat
c:\username123\LocalSettingsFile.cfx
c:\username123\LocalSystemNetworkRestricted.dat
c:\username123\mbr.cfxxe
c:\username123\mbr.chk
c:\username123\md5sum.pif
c:\username123\Mirrors
c:\username123\MoveIt.bat
c:\username123\mtee.cfxxe
c:\username123\MtPt00
c:\username123\mynul.dat
c:\username123\N_\13819
c:\username123\N_\14250
c:\username123\N_\18566
c:\username123\N_\21789
c:\username123\N_\2346
c:\username123\N_\24425
c:\username123\N_\25199
c:\username123\N_\27146
c:\username123\N_\27388
c:\username123\N_\29293
c:\username123\N_\2991
c:\username123\N_\30182
c:\username123\N_\3341
c:\username123\N_\3579
c:\username123\N_\3785
c:\username123\N_\3921
c:\username123\N_\6935
c:\username123\N_\8257
c:\username123\N_\9689
c:\username123\N_\pingtest
c:\username123\ncmd.com
c:\username123\ND_.bat
c:\username123\ND_64.bat
c:\username123\ndis_combofix.dat
c:\username123\netsvc.bad.dat
c:\username123\netsvc.dat
c:\username123\netsvc.vista.dat
c:\username123\netsvc.xp.dat
c:\username123\NetworkService.dat
c:\username123\NirCmd.cfxxe
c:\username123\NircmdB.exe
c:\username123\NirCmdC.cfxxe
c:\username123\NIRKMD.cfxxe
c:\username123\NlsLanguageDefault
c:\username123\NT-OS.cmd
c:\username123\NULL
c:\username123\OSid.vbs
c:\username123\OsVer
c:\username123\pausep.cfxxe
c:\username123\PersonalFile.cfx
c:\username123\PersonalFolder.cfx
c:\username123\PEV.cfxxe
c:\username123\pev.exe
c:\username123\pevb.cfxxe
c:\username123\PING.cfxxe
c:\username123\Policies.dat
c:\username123\powp.dat
c:\username123\Prep.inf
c:\username123\ProfilesFile.cfx
c:\username123\ProfilesFolder.cfx
c:\username123\ProgramsFile.cfx
c:\username123\ProgramsFolder.cfx
c:\username123\Purity.dat
c:\username123\PV.cfxxe
c:\username123\pv.com
c:\username123\RCLink.dat
c:\username123\REGDACL.sed
c:\username123\RegDo.sed
c:\username123\region.dat
c:\username123\RegScan.cmd
c:\username123\RegScan64.cmd
c:\username123\Resident.txt
c:\username123\restore_pt.vbs
c:\username123\Rkey.cmd
c:\username123\rmbr.cfxxe
c:\username123\rogues.dat
c:\username123\ROUTE.cfxxe
c:\username123\run2.sed
c:\username123\Rust.str
c:\username123\s0rt.cfxxe
c:\username123\safeboot.dat
c:\username123\safeboot.def.dat
c:\username123\safeboot.def.vista.dat
c:\username123\Safeboot.def.w7.dat
c:\username123\sed.cfxxe
c:\username123\SetEnvmt.bat
c:\username123\setpath.cfxxe
c:\username123\SF.exe
c:\username123\sfx.cmd
c:\username123\SnapShot.cmd
c:\username123\SRestore.cmd
c:\username123\srizbi.md5
c:\username123\Start_dat
c:\username123\StartMenuFile.cfx
c:\username123\StartMenuFolder.cfx
c:\username123\StartUpFile.cfx
c:\username123\SuppScan.cmd
c:\username123\svc_wht.dat
c:\username123\SvcDrv.vbs
c:\username123\svchost.dat
c:\username123\svchost.vista.dat
c:\username123\svchost.vista.x64.dat
c:\username123\svchost.w7.dat
c:\username123\svchost.w7.x64.dat
c:\username123\SWREG.cfxxe
c:\username123\swreg.exe
c:\username123\swsc.cfxxe
c:\username123\swxcacls.cfxxe
c:\username123\system_ini.dat
c:\username123\tail.cfxxe
c:\username123\TemplatesFile.cfx
c:\username123\TemplatesFolder.cfx
c:\username123\toolbar.sed
c:\username123\Update-CF.cmd
c:\username123\VerCF.bat
c:\username123\version.txt
c:\username123\VikPev00
c:\username123\VInfo
c:\username123\VInfo2
c:\username123\Vipev.dat
c:\username123\vistaMcode.dat
c:\username123\vistareg.dat
c:\username123\vun.dat
c:\username123\VwinTemp.dacl
c:\username123\w_sock.dll
c:\username123\w2k_sock.dll
c:\username123\w2kreg.dat
c:\username123\w7Mcode.dat
c:\username123\w7reg.dat
c:\username123\Wmi_rem.vbs
c:\username123\XP.mac
c:\username123\xpmcode.dat
c:\username123\xpreg.dat
c:\username123\XPSBoot.reg
c:\username123\zDomain.dat
c:\username123\zhsvc.dat
c:\username123\zip.cfxxe
.
c:\windows\system32\Drivers\Volsnap.sys . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-04-26 to 2012-05-26 )))))))))))))))))))))))))))))))
.
.
2012-05-26 04:17 . 2012-05-26 04:17 -------- d-----w- C:\_OTM
2012-05-21 04:56 . 2012-05-21 04:56 -------- d-----w- c:\program files\ESET
2012-05-19 19:42 . 2012-04-04 22:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-13 19:36 . 2012-05-13 19:43 -------- d-----w- C:\Ascot Hills Park
2012-05-01 02:45 . 2012-05-18 06:43 -------- d-----w- c:\documents and settings\rcboosted\Application Data\.purple
2012-05-01 02:40 . 2012-05-01 02:40 -------- d-----w- c:\program files\Pidgin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-11 13:14 . 2008-04-13 22:54 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2008-04-13 23:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2008-04-13 19:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-18 20:52 . 2011-09-18 14:29 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-13 02:53 . 2012-03-13 02:53 63080 ----a-r- c:\documents and settings\rcboosted\Application Data\Microsoft\Installer\{5F3783B7-F809-45A7-8A92-A44B441FDA7C}\ARPPRODUCTICON.exe
2012-03-01 11:01 . 2008-06-05 01:36 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-06-05 01:35 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2008-06-05 01:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-14 03:42 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 03:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-06-05 01:35 385024 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-21_04.49.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-26 04:20 . 2012-05-26 04:20 16384 c:\windows\Temp\Perflib_Perfdata_6ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"Pogoplug"="c:\program files\Pogoplug\PogoplugMonitor.exe" [2012-01-31 234304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2010-01-01 33636352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"ASUS Update Checker"="c:\program files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe" [2008-12-11 114688]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-03-01 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"QFan Help"="c:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2009-08-20 603136]
"Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2009-08-21 887936]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"MPlayerForWindows_UpdateReminder"="c:\program files\MPlayer for Windows\AutoUpdate.exe" [2010-02-06 254376]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"WTClient"="WTClient.exe" [2009-10-30 32768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\rcboosted\Start Menu\Programs\Startup\
hosts.bat [2010-10-18 84]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-1-23 813584]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2010-11-14 6144]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 20:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Pogoplug\\HBPLUG\\HBPLUG.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57221:TCP"= 57221:TCP:pando Media Booster
"57221:UDP"= 57221:UDP:pando Media Booster
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
.
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [1/1/2010 2:44 AM 11448]
R2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [1/1/2010 4:36 PM 90112]
R2 DokanCEDriver;DokanCEDriver;c:\program files\Pogoplug\dokance.sys [1/30/2012 6:04 PM 54592]
R2 HBAdmin;HBAdmin;c:\program files\Pogoplug\HBPLUG\hbadmin.exe [1/30/2012 6:04 PM 738112]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [4/16/2008 2:00 PM 689416]
R2 UsbClientService;UsbClientService;c:\program files\Synology\Assistant\UsbClientService.exe [2/17/2011 11:18 PM 245760]
R3 busenum;Synology Virtual USB Hub;c:\windows\system32\drivers\busenum.sys [2/17/2011 11:20 PM 46304]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 3:06 AM 21632]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [1/1/2010 2:18 AM 1381632]
R3 xcetap0;XCETAP0 Adapter;c:\windows\system32\drivers\xcetap0.sys [11/3/2011 11:19 AM 34624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/23/2010 11:35 PM 10384]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [11/13/2010 12:04 AM 30312]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [4/16/2008 2:00 PM 894216]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 4:18 PM 169192]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [11/13/2010 12:04 AM 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [11/13/2010 12:04 AM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [11/13/2010 12:04 AM 121576]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-2000478354-682003330-1002Core.job
- c:\documents and settings\rcboosted\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-03 08:08]
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-2000478354-682003330-1002UA.job
- c:\documents and settings\rcboosted\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-03 08:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: Interfaces\{B4309C5F-C7E9-4B11-A357-B2031DEF8307}: NameServer = 192.168.1.1
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-25 21:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1956)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2012-05-25 21:39:04
ComboFix-quarantined-files.txt 2012-05-26 04:39
ComboFix2.txt 2012-05-21 04:50
ComboFix3.txt 2012-05-19 07:11
.
Pre-Run: 131,561,881,600 bytes free
Post-Run: 131,534,647,296 bytes free
.
- - End Of File - - 37B542F6CE8F2A14E2540EF8C4CDC574
 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    Volsnap.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook 30.07.11 by jpshortstuff
Log created at 13:26 on 26/05/2012 by rcboosted
Administrator - Elevation successful

========== filefind ==========

Searching for "Volsnap.*"
No files found.

-= EOF =-
 
When I scan the screen saver file on virustotal.com now, there are quite a few (12) more hits now than before when it was just Dr.Web.
 
From virustotal >> Copy the entry, save the log and paste it in your next reply.

Have you considered just removing the screen saver?
 
Thanks for the reply. It's not an actual screen saver though. I kept it so I could run it against virustotal for scans; I've since removed the file itself. Here's what virustotal had to say about it, it's a bit hard to read.

SHA256: c53565c4775af3cb9232122e3c8524486b4cba6913c5899c95985b539522d6d7
SHA1: 7a6943756bde75ada1db8c71f8a054324802d920
MD5: efe11c369e70f1534e579aed74057bca
File size: 801.5 KB ( 820736 bytes )
File name: IMG_001 By gpj.SCR
File type: Win32 EXE
Detection ratio: 12 / 41
Analysis date: 2012-05-27 07:09:36 UTC ( 1 day, 12 hours ago )


Antivirus / Result / Update
AntiVir TR/Jorik.Shakblades.gdw 20120526
Antiy-AVL - 20120527
Avast Win32:Malware-gen 20120526
AVG - 20120527
BitDefender - 20120527
ByteHero - 20120522
CAT-QuickHeal - 20120526
ClamAV - 20120526
Commtouch - 20120526
Comodo - 20120527
DrWeb Trojan.DownLoader5.3395 20120527
Emsisoft - 20120527
eSafe - 20120524
F-Prot - 20120526
F-Secure - 20120527
Fortinet W32/Jorik_Shakblades.GDW!tr 20120527
GData Win32:Malware-gen 20120527
Ikarus - 20120527
Jiangmin - 20120527
K7AntiVirus - 20120525
Kaspersky Trojan.Win32.Jorik.Shakblades.gdw 20120527
McAfee - 20120527
McAfee-GW-Edition - 20120527
Microsoft - 20120527
NOD32 - 20120526
Norman - 20120526
nProtect - 20120526
Panda - 20120526
PCTools - 20120522
Rising - 20120524
Sophos Mal/Generic-L 20120527
SUPERAntiSpyware - 20120526
Symantec Trojan.Gen 20120527
TheHacker - 20120526
TotalDefense - 20120525
TrendMicro TROJ_GEN.R47C8EQ 20120527
TrendMicro-HouseCall TROJ_GEN.R47C8EQ 20120526
VBA32 Trojan.Jorik.Shakblades.gdw 20120525
VIPRE Trojan.Win32.Generic!BT 20120527
ViRobot - 20120526
VirusBuster - 20120525
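As an added example that is not part of this thread, here is a small Python parser for the flattened VirusTotal listing pasted above: it separates the engines that flagged the file from those that did not, checks the count against the stated 12 / 41 ratio, and tallies family-name tokens so the Jorik/Shakblades agreement stands out from generic verdicts. The GENERIC word list is my own assumption; the report text is copied from the post.

```python
import re
from collections import Counter

# VirusTotal listing as pasted in the post above, one "engine verdict sigdate"
# line per engine; "-" means that engine did not flag the file.
VT_REPORT = """\
Detection ratio: 12 / 41
AntiVir TR/Jorik.Shakblades.gdw 20120526
Antiy-AVL - 20120527
Avast Win32:Malware-gen 20120526
AVG - 20120527
BitDefender - 20120527
ByteHero - 20120522
CAT-QuickHeal - 20120526
ClamAV - 20120526
Commtouch - 20120526
Comodo - 20120527
DrWeb Trojan.DownLoader5.3395 20120527
Emsisoft - 20120527
eSafe - 20120524
F-Prot - 20120526
F-Secure - 20120527
Fortinet W32/Jorik_Shakblades.GDW!tr 20120527
GData Win32:Malware-gen 20120527
Ikarus - 20120527
Jiangmin - 20120527
K7AntiVirus - 20120525
Kaspersky Trojan.Win32.Jorik.Shakblades.gdw 20120527
McAfee - 20120527
McAfee-GW-Edition - 20120527
Microsoft - 20120527
NOD32 - 20120526
Norman - 20120526
nProtect - 20120526
Panda - 20120526
PCTools - 20120522
Rising - 20120524
Sophos Mal/Generic-L 20120527
SUPERAntiSpyware - 20120526
Symantec Trojan.Gen 20120527
TheHacker - 20120526
TotalDefense - 20120525
TrendMicro TROJ_GEN.R47C8EQ 20120527
TrendMicro-HouseCall TROJ_GEN.R47C8EQ 20120526
VBA32 Trojan.Jorik.Shakblades.gdw 20120525
VIPRE Trojan.Win32.Generic!BT 20120527
ViRobot - 20120526
VirusBuster - 20120525
"""

ENGINE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{8})$")
RATIO_LINE = re.compile(r"^Detection ratio:\s*(\d+)\s*/\s*(\d+)")
# Assumed list of verdict words that carry no family information.
GENERIC = {"trojan", "troj", "win32", "w32", "malware", "mal", "gen", "generic", "bt", "tr"}

def parse_report(text):
    """Return {'hits': {engine: verdict}, 'clean': [engines], 'stated_ratio': (n, total)}."""
    hits, clean, stated = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = RATIO_LINE.match(line)
        if m:
            stated = (int(m.group(1)), int(m.group(2)))
            continue
        m = ENGINE_LINE.match(line)
        if not m:
            continue  # hashes, dates, forum residue: ignore
        engine, verdict, _sigdate = m.groups()
        if verdict == "-":
            clean.append(engine)
        else:
            hits[engine] = verdict
    return {"hits": hits, "clean": clean, "stated_ratio": stated}

def ratio_matches(report):
    """True when the parsed engine counts agree with the stated 'n / total'."""
    seen = (len(report["hits"]), len(report["hits"]) + len(report["clean"]))
    return report["stated_ratio"] == seen

def family_consensus(hits):
    """Count family-ish tokens across verdicts so vendor agreement stands out."""
    tokens = Counter()
    for verdict in hits.values():
        for tok in re.split(r"[./:_!\-]+", verdict.lower()):
            if tok and tok not in GENERIC:
                tokens[tok] += 1
    return tokens
```

Run `family_consensus(parse_report(VT_REPORT)["hits"]).most_common(3)` to see that four vendors agree on the Jorik/Shakblades name while the rest only give generic verdicts.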
 
I'm lost! You want to remove a screen saver that isn't actually a screen saver! Only Dr. Web finds this malware which was removed.

You are using all of the files I can't identify.

Please clarify just what it is you need my help with.
 
I guess the thread got convoluted a bit, I apologize. So it all started with the file I downloaded and ran. It installed something in the background, which included bsp_06.exe popping up in 3 command prompts during startup. I scanned the file with virustotal and it identified the file as a trojan. My early efforts to clean it with cureit and ComboFix seem to have failed, but with your help, I think most of the offending files, processes and registry entries were cleaned. But I don't know if my PC is trojan-free or not.

Usually these cleaning threads come with a "Mr. Clean" seal of approval of the PC being free of infection. :) I just don't know if we're there or not. Also, I noticed I got new spam emails in 2 of my yahoo email accounts since the infection; I don't know if they're related or not. I don't know if this trojan was responsible (i.e. stole my password? logged my keys? etc.). What did it do to my system? Anything I need to worry about, and what should I do now as a clean up effort?
 