Having problems with virus removal
For the first time that I know of I have become infected with multiple threats.

I use AVG free edition to protect my system and it does seem to be very good at telling me I am infected. It doesn't however seem to be very good at getting rid of the said threats.

In addition I seem to be suffering from a virus that is redirecting all links followed from searches made in google or searches made from Chrome's URL bar.

I have followed your 8 step virus post and got to here.

Please see below the requested logs.

Please advise the best course of action from now.

Thanks in advance.


============


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5983

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

07/03/2011 20:52:15
mbam-log-2011-03-07 (20-52-15).txt

Scan type: Quick scan
Objects scanned: 143417
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


====================


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-03-07 21:01:14
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort1 Hitachi_HTS722020K9A300 rev.DC4OCA1H
Running: lhnj4yi4.exe; Driver: C:\Users\JAMESL~1\AppData\Local\Temp\pwloikow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 390721712 (+255): rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Device\Ide\IdeDeviceP1T0L0-2 -> \??\IDE#DiskHitachi_HTS722020K9A300_________________DC4OCA1H#5&155f7073&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----



==========



.
DDS (Ver_11-03-05.01) - NTFSx86
Run by James Love-Mead at 21:03:20.55 on 07/03/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.2046.1143 [GMT 0:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\AVG\AVG10\avgcfgex.exe
C:\Users\James Love-Mead\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\James Love-Mead\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\James Love-Mead\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\James Love-Mead\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Mediafour XPlay Explorer notifications: {4907c0ad-874d-44d9-b13e-7b0a4d8b9d3e} - c:\program files\mediafour\xplay 3\XPBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: @c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
mPolicies-system: DisableStartupSound = 1 (0x1)
mPolicies-system: DisplayLastLogonInfo = 1 (0x1)
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.72.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2009-9-28 259176]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2010-3-15 148184]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2009-12-2 483688]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 21072]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2009-12-2 550760]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2009-12-2 195944]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2009-12-2 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2009-12-2 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2009-12-2 209768]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-1-20 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-25 1343400]
S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-23 136176]
S4 M4iPodWPDService;M4iPodWPDService;c:\program files\common files\mediafour\ipod\M4iPodWPDService.exe [2009-12-28 224256]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-03-07 20:49:02 -------- d-----w- c:\users\jamesl~1\appdata\roaming\Malwarebytes
2011-03-07 20:48:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-07 20:48:57 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-07 20:48:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-07 20:48:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-07 18:37:33 -------- d-----w- c:\windows\pss
2011-02-24 23:52:39 -------- d-----w- c:\users\jamesl~1\appdata\roaming\The Creative Assembly
2011-02-24 23:05:48 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2011-02-24 13:35:42 -------- d-----w- c:\users\jamesl~1\appdata\roaming\AVG
2011-02-17 16:20:59 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
2011-02-15 19:26:10 181608 ----a-w- c:\progra~2\microsoft\windows\sqm\manifest\Sqm10137.bin
.
==================== Find3M ====================
.
2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys
2010-12-21 05:38:24 73728 ----a-w- c:\windows\system32\wscsvc.dll
2010-12-21 05:38:24 51200 ----a-w- c:\windows\system32\wscapi.dll
2010-12-21 05:38:22 981504 ----a-w- c:\windows\system32\wininet.dll
2010-12-21 05:38:22 350720 ----a-w- c:\windows\system32\winhttp.dll
2010-12-21 05:38:21 204800 ----a-w- c:\windows\system32\WebClnt.dll
2010-12-21 05:38:19 204288 ----a-w- c:\windows\system32\upnp.dll
2010-12-21 05:38:16 14336 ----a-w- c:\windows\system32\slwga.dll
2010-12-21 05:36:17 1389568 ----a-w- c:\windows\system32\msxml6.dll
2010-12-21 05:36:16 1236992 ----a-w- c:\windows\system32\msxml3.dll
2010-12-21 05:34:12 80384 ----a-w- c:\windows\system32\davclnt.dll
2010-12-18 05:29:40 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 05:29:31 541184 ----a-w- c:\windows\system32\kerberos.dll
2010-12-18 04:20:55 386048 ----a-w- c:\windows\system32\html.iec
2010-12-18 03:47:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: Hitachi_HTS722020K9A300 rev.DC4OCA1H -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-2
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85E8D5DC]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85e937b8]; MOV EAX, [0x85e93834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82C8E448] -> \Device\Harddisk0\DR0[0x85E6A510]
3 CLASSPNP[0x88E0459E] -> ntkrnlpa!IofCallDriver[0x82C8E448] -> [0x85E70C98]
\Driver\atapi[0x85E6CE08] -> IRP_MJ_CREATE -> 0x85E8D5DC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-2 -> \??\IDE#DiskHitachi_HTS722020K9A300_________________DC4OCA1H#5&155f7073&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 390721966 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 21:03:52.99 ===============
 

Welcome to TechSpot! You have a rootkit, which is why you haven't been able to clean it with just the AV:

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
====================================
Follow with the Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard, you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Results to step 1 below.

Moving to next step.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: MXG071
Logical Drives Mask: 0x0001000c

Kernel Drivers (total 182):
0x82C52000 \SystemRoot\system32\ntkrnlpa.exe
0x82C1B000 \SystemRoot\system32\halmacpi.dll
0x86198000 \SystemRoot\system32\kdcom.dll
0x83201000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x83279000 \SystemRoot\system32\PSHED.dll
0x8328A000 \SystemRoot\system32\BOOTVID.dll
0x83292000 \SystemRoot\system32\CLFS.SYS
0x832D4000 \SystemRoot\system32\CI.dll
0x8337F000 \SystemRoot\system32\drivers\Wdf01000.sys
0x833F0000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x83417000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x8345F000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x83468000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x83470000 \SystemRoot\system32\DRIVERS\pci.sys
0x8349A000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x834A5000 \SystemRoot\System32\drivers\partmgr.sys
0x834B6000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x834BE000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x834C9000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x834D9000 \SystemRoot\System32\drivers\volmgrx.sys
0x83524000 \SystemRoot\system32\DRIVERS\intelide.sys
0x8352B000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x83539000 \SystemRoot\System32\drivers\mountmgr.sys
0x8354F000 \SystemRoot\system32\DRIVERS\atapi.sys
0x83558000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x8357B000 \SystemRoot\system32\DRIVERS\msahci.sys
0x83585000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x8358E000 \SystemRoot\system32\drivers\fltmgr.sys
0x835C2000 \SystemRoot\system32\drivers\fileinfo.sys
0x83624000 \SystemRoot\System32\Drivers\Ntfs.sys
0x83753000 \SystemRoot\System32\Drivers\msrpc.sys
0x8377E000 \SystemRoot\System32\Drivers\ksecdd.sys
0x83791000 \SystemRoot\System32\Drivers\cng.sys
0x837EE000 \SystemRoot\System32\drivers\pcw.sys
0x83600000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x88E38000 \SystemRoot\system32\drivers\ndis.sys
0x88EEF000 \SystemRoot\system32\drivers\NETIO.SYS
0x88F2D000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x89014000 \SystemRoot\System32\drivers\tcpip.sys
0x8915D000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8918E000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x891CD000 \SystemRoot\System32\Drivers\spldr.sys
0x88F52000 \SystemRoot\System32\drivers\rdyboost.sys
0x891D5000 \SystemRoot\System32\Drivers\mup.sys
0x88F7F000 \SystemRoot\System32\Drivers\MDFSYSNT.sys
0x891E5000 \SystemRoot\System32\drivers\hwpolicy.sys
0x88FC6000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x891ED000 \SystemRoot\system32\DRIVERS\disk.sys
0x88E00000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x89000000 \SystemRoot\system32\DRIVERS\avgrkx86.sys
0x89005000 \SystemRoot\system32\DRIVERS\AVGIDSEH.Sys
0x8D60E000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8D62D000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
0x8D639000 \SystemRoot\System32\Drivers\Null.SYS
0x8D640000 \SystemRoot\System32\Drivers\Beep.SYS
0x8D647000 \SystemRoot\System32\drivers\vga.sys
0x8D653000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8D674000 \SystemRoot\System32\drivers\watchdog.sys
0x8D681000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8D689000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8D691000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8D699000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8D6A4000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8D6B2000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8D6C9000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8D6D4000 \SystemRoot\system32\DRIVERS\avgtdix.sys
0x8D71C000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8D74E000 \SystemRoot\system32\drivers\afd.sys
0x8D7A8000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8D7AF000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8D7CE000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x8D7DF000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8D7ED000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x835E4000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8DE23000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8DE64000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
0x8DE68000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8DE72000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8DE7C000 \SystemRoot\System32\drivers\discache.sys
0x8DE88000 \SystemRoot\System32\Drivers\dfsc.sys
0x8DEA0000 \??\C:\Windows\system32\drivers\cbfs.sys
0x8DEC3000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x8DED1000 \SystemRoot\system32\DRIVERS\avgldx86.sys
0x8DF0D000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8DF2E000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8FE23000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x9091D000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x9091F000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8DF40000 \SystemRoot\System32\drivers\dxgmms1.sys
0x909D6000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8DF79000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x909E1000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8FE00000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8F032000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
0x8F14A000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x8F154000 \SystemRoot\system32\DRIVERS\b57nd60x.sys
0x8F190000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x8F1BC000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x8F238000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x8F289000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8F2A1000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8F2AE000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8F2BB000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8F2C1000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8F2C5000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8F2CE000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x8F2DB000 \SystemRoot\System32\Drivers\RootMdm.sys
0x8F2E3000 \SystemRoot\system32\drivers\modem.sys
0x8F2F0000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x8F302000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8F31A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8F325000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8F347000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8F35F000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8F376000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8F38D000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0x8F394000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8F396000 \SystemRoot\system32\DRIVERS\ks.sys
0x8F3CA000 \SystemRoot\system32\DRIVERS\nvoclock.sys
0x8F3D2000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8F83A000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8F87E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8F88F000 \SystemRoot\system32\drivers\HdAudio.sys
0x8F8DF000 \SystemRoot\system32\drivers\portcls.sys
0x8F90E000 \SystemRoot\system32\drivers\drmk.sys
0x8F927000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8F93E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8F940000 \SystemRoot\system32\DRIVERS\dc3d.sys
0x8F94A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8F951000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8F95C000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8F96F000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8F97B000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x8F986000 \SystemRoot\system32\DRIVERS\point32.sys
0x8F98F000 \SystemRoot\system32\DRIVERS\OEM02Dev.sys
0x8F9C9000 \SystemRoot\system32\DRIVERS\OEM02Vfx.sys
0x8F9CB000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8F9D8000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8F9E3000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x8F9ED000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x8F800000 \SystemRoot\System32\Drivers\BTHUSB.sys
0x82200000 \SystemRoot\System32\Drivers\bthport.sys
0x82264000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0x82288000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0x82295000 \SystemRoot\system32\DRIVERS\bthpan.sys
0x82630000 \SystemRoot\System32\win32k.sys
0x822B0000 \SystemRoot\System32\drivers\Dxapi.sys
0x822BA000 \SystemRoot\system32\DRIVERS\monitor.sys
0x82890000 \SystemRoot\System32\TSDDD.dll
0x828C0000 \SystemRoot\System32\cdd.dll
0x828E0000 \SystemRoot\System32\ATMFD.DLL
0x822C5000 \SystemRoot\system32\drivers\luafv.sys
0x822E0000 \SystemRoot\system32\DRIVERS\Sftvollh.sys
0x822E9000 \SystemRoot\system32\drivers\WudfPf.sys
0x82303000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x82313000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x82359000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x82369000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9BE2F000 \SystemRoot\system32\drivers\HTTP.sys
0x9BEB4000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9BECD000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9BEDF000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9BF02000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9BF3D000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9BF70000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
0x9B839000 \SystemRoot\system32\drivers\peauth.sys
0x9B8D0000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9B8DA000 \SystemRoot\system32\DRIVERS\Sftfslh.sys
0x9B966000 \SystemRoot\system32\DRIVERS\Sftplaylh.sys
0x9B99C000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9B9BD000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9B9CA000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
0x9BF79000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9B9D4000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
0x8237C000 \SystemRoot\System32\DRIVERS\srv.sys
0x9B800000 \SystemRoot\system32\DRIVERS\Sftredirlh.sys
0xA7E7A000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xA7E8B000 \??\C:\Users\JAMESL~1\AppData\Local\Temp\pwloikow.sys
0xA7EA3000 \??\C:\Users\JAMESL~1\AppData\Local\Temp\mbr.sys
0x77820000 \Windows\System32\ntdll.dll
0x48470000 \Windows\System32\smss.exe
0x77A60000 \Windows\System32\apisetschema.dll

Processes (total 67):
0 System Idle Process
4 System
272 C:\Windows\System32\smss.exe
536 csrss.exe
624 C:\Windows\System32\wininit.exe
636 csrss.exe
684 C:\Windows\System32\services.exe
708 C:\Windows\System32\lsass.exe
716 C:\Windows\System32\lsm.exe
740 C:\Windows\System32\winlogon.exe
880 C:\Windows\System32\svchost.exe
944 C:\Windows\System32\nvvsvc.exe
988 C:\Windows\System32\svchost.exe
1084 C:\Windows\System32\svchost.exe
1136 C:\Windows\System32\svchost.exe
1200 C:\Windows\System32\svchost.exe
1344 C:\Windows\System32\svchost.exe
1372 C:\Windows\System32\nvvsvc.exe
1464 C:\Windows\System32\svchost.exe
1596 C:\Windows\System32\spoolsv.exe
1636 C:\Windows\System32\svchost.exe
1724 C:\Program Files\AVG\AVG10\avgwdsvc.exe
1760 C:\Windows\System32\svchost.exe
1796 C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
1880 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
528 C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
648 C:\Windows\System32\svchost.exe
972 C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
1292 C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
2948 C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
3068 C:\Windows\System32\svchost.exe
3240 C:\Windows\System32\svchost.exe
2932 C:\Windows\System32\taskhost.exe
3004 C:\Windows\System32\taskeng.exe
3400 C:\Windows\System32\dwm.exe
3472 C:\Windows\explorer.exe
3536 C:\Windows\System32\taskeng.exe
3568 C:\Program Files\Google\Update\GoogleUpdate.exe
3800 C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
3864 C:\Windows\OEM02Mon.exe
3988 C:\Program Files\AVG\AVG10\avgtray.exe
3944 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
3952 C:\Program Files\Microsoft IntelliType Pro\itype.exe
3784 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
3832 C:\Windows\System32\conhost.exe
4068 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
1120 C:\Windows\System32\SearchIndexer.exe
3604 C:\Program Files\Windows Media Player\wmpnetwk.exe
1512 C:\Windows\System32\svchost.exe
4608 dllhost.exe
4944 C:\Program Files\AVG\AVG10\avgui.exe
2828 C:\Program Files\AVG\AVG10\avgcfgex.exe
2680 C:\Users\James Love-Mead\AppData\Local\Google\Chrome\Application\chrome.exe
5580 C:\Users\James Love-Mead\AppData\Local\Google\Chrome\Application\chrome.exe
5436 C:\Users\James Love-Mead\AppData\Local\Google\Chrome\Application\chrome.exe
6132 C:\Users\James Love-Mead\AppData\Local\Google\Chrome\Application\chrome.exe
4428 C:\Windows\System32\notepad.exe
3196 C:\Windows\System32\notepad.exe
5228 C:\Windows\System32\notepad.exe
1768 C:\Windows\System32\notepad.exe
4740 WmiPrvSE.exe
2768 C:\Windows\System32\SearchProtocolHost.exe
2564 C:\Windows\System32\SearchFilterHost.exe
520 C:\Windows\System32\audiodg.exe
868 C:\Users\James Love-Mead\Downloads\MBRCheck.exe
5440 C:\Windows\System32\conhost.exe
3860 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)
\\.\Q: --> error 5

PhysicalDrive0 Model Number: HitachiHTS722020K9A300, Rev: DC4OCA1H

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!
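Added example, not code from this thread and not GMER or MBRCheck code: a Python replay, on constructed sector images, of the two things the GMER MBR detector reported in the first post. First, "user != kernel MBR": the detector reads sector 0 twice, once through the normal path (what a user-mode program gets) and once directly below the hooked disk driver, and flags the case where the two copies differ. A user-mode tool that reads \\.\PhysicalDrive0, as MBRCheck does in the log above, goes through the same filtered path, so its "Windows 7 MBR code detected" line and SHA1 describe the copy the hook handed back and do not contradict GMER's result. Second, the dumped 16-bit stub: it copies the MBR from 0x7C00 to 0x600, jumps to 0x61C, and ROR-decrypts 0x132 bytes at 0x62A using CL as the rotate count; the log is cut off after INC BP, so the closing LOOP is an assumption (its two bytes put the decrypt start at exactly 0x62A, which is consistent with the dump). Also assumed: the disk is 390,721,968 sectors (a 200 GB drive at 512 bytes per sector), which makes GMER's "sectors 390721712 (+255)" the last 256 sectors of the disk; the partition layout, the placeholder boot code and the plaintext body are constructed for the example.

```python
"""Added example (not from the thread, GMER or MBRCheck). Replays on constructed
sector images the two findings in the OP's MBR log:
 1. 'user != kernel MBR': sector 0 seen through the normal read path differs
    from sector 0 read below the hooked driver.
 2. The dumped 16-bit stub copies the MBR 0x7C00->0x600, jumps to 0x61C and
    ROR-decrypts 0x132 bytes at 0x62A with CL. The log stops after INC BP; the
    LOOP back-edge is assumed. No real disk is read here.
"""
import struct

SECTOR = 512
DISK_SECTORS = 390_721_968          # assumed: 200 GB drive in 512-byte LBAs
PT_OFFSET = 446                     # partition table; boot code is bytes 0..445
STUB_DEST, DEC_START, DEC_LEN = 0x600, 0x62A, 0x132   # the three MOV immediates

# Hand-assembled from the instructions in the log (final LOOP assumed).
STUB = bytes.fromhex(
    "31c0" "8ed0" "bc007c" "8ec0" "8ed8"       # xor ax,ax; ss=ax; sp=7C00; es=ds=0
    "be007c" "bf0006" "b90002" "fc" "f3a4"     # copy 0x200 bytes 7C00 -> 0600
    "50" "681c06" "cb"                         # push ax; push 0x61c; retf
    "fb" "60" "b93201" "bd2a06"                # sti; pusha; cx=0x132; bp=0x62a
    "d24e00" "45" "e2fa"                       # ror byte [bp],cl; inc bp; loop -6
)

def ror8(b, n):                     # 8-bit rotate right; count is effectively mod 8
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF

def rol8(b, n):                     # 8-bit rotate left, inverse of ror8
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF

def stub_decrypt(mbr):
    """Emulate the loop: linear 0x62A is sector offset 0x2A once the stub has
    copied itself to 0x600; CL is the low byte of the decrementing counter."""
    buf, off, cx = bytearray(mbr), DEC_START - STUB_DEST, DEC_LEN
    while cx:
        buf[off] = ror8(buf[off], cx & 0xFF)
        off, cx = off + 1, cx - 1
    return bytes(buf)

def stub_encrypt(plain):
    """Inverse of the loop; only used to build the constructed sample."""
    return bytes(rol8(b, (DEC_LEN - i) & 0xFF) for i, b in enumerate(plain))

def parse_partitions(mbr):
    parts = []
    for i in range(4):
        boot, ptype, lba, size = struct.unpack_from("<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        if ptype:
            parts.append({"boot": boot == 0x80, "type": ptype, "lba": lba, "sectors": size})
    return parts

def unallocated_tail(parts, disk_sectors=DISK_SECTORS):
    """(end of last partition, free sectors after it): the tail of the disk is
    where a bootkit keeps its hidden store; GMER flagged 390721712 (+255)."""
    end = max((p["lba"] + p["sectors"] for p in parts), default=0)
    return end, disk_sectors - end

def diff_ranges(user_view, kernel_view):
    """(offset, length) spans where the two reads of sector 0 disagree."""
    spans, start = [], None
    for i, (a, b) in enumerate(zip(user_view, kernel_view)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            spans.append((start, i - start))
            start = None
    if start is not None:
        spans.append((start, len(user_view) - start))
    return spans

def build_samples():
    """Constructed pair: one NTFS partition from LBA 2048 leaving 256 sectors
    free at the end of the disk; the infected copy carries the stub plus an
    encrypted body in place of the first 0x15C bytes of boot code."""
    clean = bytearray(SECTOR)
    clean[:PT_OFFSET] = bytes((0x90 + i) & 0xFF for i in range(PT_OFFSET))  # placeholder code
    clean[PT_OFFSET:PT_OFFSET + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048,
                                                  DISK_SECTORS - 256 - 2048)
    clean[510:] = b"\x55\xaa"
    payload = b"constructed bootkit loader body ".ljust(DEC_LEN, b"\x00")
    infected = bytearray(clean)
    infected[:len(STUB)] = STUB
    infected[len(STUB):len(STUB) + DEC_LEN] = stub_encrypt(payload)
    return bytes(clean), bytes(infected), payload

def analyse(user_view, kernel_view, disk_sectors=DISK_SECTORS):
    """What the GMER-style detector reports for the two views of sector 0."""
    parts = parse_partitions(kernel_view)
    return {
        "user_ne_kernel": diff_ranges(user_view, kernel_view),
        "tail": unallocated_tail(parts, disk_sectors),
        "decrypted": stub_decrypt(kernel_view)[len(STUB):len(STUB) + DEC_LEN],
    }
```

To try it, call `clean, infected, payload = build_samples()` and then `analyse(clean, infected)`: the hook hands user mode the clean copy, so `user_ne_kernel` lists the differing byte spans (all inside the boot code, the partition table is untouched), `tail` comes back as (390721712, 256), the same region GMER flagged, and `decrypted` is the constructed body again. Pass the same view twice and the differing-span list is empty, which is the only case a clean-looking hash or "Windows 7 MBR code detected" line can be trusted on its own.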
 
Result of scan:

Thought that this might be the source but I could not delete it after download.

C:\Users\James Love-Mead\Downloads\Microsoft_Office_2010_(x64)_keygen\Microsoft_Office_2010_(x64)_keygen_by_aaocg.exe a variant of Win32/Nebuler.CP trojan
 
You're not supposed to delete it- that's my job!

But you are correct in thinking this might be a source for the malware:
C:\Users\James Love-Mead\Downloads\Microsoft_Office_2010_(x64)_keygen\Microsoft_Office_2010_(x64)_keygen_by_aaocg.exe a variant of Win32/Nebuler.CP trojan

When you pirate a program, that is, get a license or registration for it from a torrent site to activate it instead of paying for it, you are going to get malware with it.

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    C:\Users\James Love-Mead\Downloads\Microsoft_Office_2010_(x64)_keygen\Microsoft_Office_2010_(x64)_keygen_by_aaocg.exe 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===================================
Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
    in your next reply.
 
Not found??? It was in the folder and now isn't... Have rerun virus scan and it came up with 0 threats this time... has it gone?


All processes killed
========== FILES ==========
File/Folder C:\Users\James Love-Mead\Downloads\Microsoft_Office_2010_(x64)_keygen\Microsoft_Office_2010_(x6 4)_keygen_by_aaocg.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: James Love-Mead
->Temp folder emptied: 152048 bytes
->Temporary Internet Files folder emptied: 219771 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 130975810 bytes
->Flash cache emptied: 2413 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 15301229 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 140.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 03092011_134113
 
CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\steam\steamapps\common\empire total war\data\ui\campaign ui\pips\military-crackdown-repression.tga
scanner sequence 3.NA.11
----- EOF -----
 
It was probably removed by another program. Since Office was pirated, you will have to uninstall it for support to continue.
 