Inactive Wham. Virus hit last night, ertfor.b? 8-steps included

tylerd
AVG detected a serious hit as I was downloading a file using the ABC torrent client. It quickly unloaded a multitude of infected files into my system (Sony VAIO laptop, Windows 7 Premium).

Symptoms:
Slow running, error messages on startup (duch.dll and another DLL, I should have screenshotted), slow boot-up, System Restore inaccessible, Windows Explorer randomly malfunctions and has to restart.

First I uninstalled AVG Free, as the virus would cause the program to endlessly pop up warnings, making any use of the computer slow and futile. I downloaded Microsoft Security Essentials and updated. It detected ertfor.b and removed it. Still the symptoms remained, so I did a Google search for ertfor.b, found your forum and started the 8 steps.

Ran TFC and restarted. 17,000 MB cleared.

Downloaded, updated and ran a full system scan with Malwarebytes.

----------------------------------------------------------------------------------------
first full scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4586

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/09/2010 10:03:07 AM
mbam-log-2010-09-10 (10-03-07).txt

Scan type: Quick scan
Objects scanned: 136073
Time elapsed: 5 minute(s), 39 second(s)

Memory Processes Infected: 10
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 27
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
C:\Windows\nvsvc32.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\cmd.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\user.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\spoolsv.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\csrss.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\setup.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\win16.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\drweb.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\taskmgr.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\win.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF196$ (Adware.StreetAds) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqz (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqz (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mque (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mque (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquuf (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquuf (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqyc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqyc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquvc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mquvc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqvpc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqvpc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqsc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqqsc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqurb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqurb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqva (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqva (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uledeweciqusol (Trojan.Agent.U) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvtdhfngre (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvtdhfngre (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\$ntUninstallmtf196$ (Adware.StreetAds) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\nvsvc32.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\cmd.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\user.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\spoolsv.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\csrss.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\setup.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\win16.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\drweb.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\taskmgr.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\win.exe (Trojan.Downloader) -> Delete on reboot.
C:\Windows\$ntUninstallmtf196$\apUninstall.exe (Adware.StreetAds) -> Quarantined and deleted successfully.
C:\Users\tyler\AppData\Local\Temp\skaioejiesfjoee.tmp (Malware.Trace) -> Quarantined and deleted successfully.

---------------------------------------------------------------------------------------------

Second Full Scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4586

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/09/2010 12:22:55 PM
mbam-log-2010-09-10 (12-22-55).txt

Scan type: Full scan (C:\|E:\|G:\|)
Objects scanned: 262892
Time elapsed: 41 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\tyler\AppData\Local\Mozilla\Firefox\Profiles\il97otd1.default\Cache\64321B95d01 (Rogue.Installer) -> No action taken.
C:\Users\tyler\Downloads\setupxv.exe (Rogue.Installer) -> No action taken.
C:\Windows\Tasks\RegClean Scheduled Scan.job (Rogue.RegClean) -> No action taken.

----------------------------------------------------------------------------------

These infected registry entries and files can't seem to be removed even after restart.

There are two startup processes that I do not recognize and have disabled, to hopefully prevent further downloading or hijacking:
Lvtdhfngmtd and Lvtdhfngotd

After doing another quick scan to confirm the infection is still here, I tried another deletion and ran DDS. I can include the logs if you need them.

Since MBAM removed the majority of the infection I do not get messages on startup. System Restore still says it requires 'administrator privileges' to run (which I am); there is a general slowness, and Windows Explorer still crashes spontaneously (once it happened as the infected registry entry was detected by MBAM).
I have deleted all internet temp files and am not accessing any accounts for fear they may be hijacked.
I hope you can help. I'm sorry I don't have the log from the first Microsoft scan, but hopefully this info is enough to get to the bottom of things.


Thank you!
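An added example, not the poster's or Malwarebytes' code: a small Python triage script that reads detection lines in the MBAM log format quoted above and pulls out the three things worth noticing in it. First, Windows system-binary names (csrss.exe, spoolsv.exe, taskmgr.exe, cmd.exe) reported in C:\Windows rather than C:\Windows\System32, which is the masquerading pattern in the first scan. Second, the Run-key values written to both HKCU and HKLM, plus the Policies values (nofolderoptions, DisableRegistryTools) that lock the user out of Folder Options and regedit. Third, anything the scanner did not confirm as removed ("Delete on reboot", "No action taken"), which is exactly what came back in the second scan. The SAMPLE_LOG is constructed from lines quoted in this post; the sets of System32-only names and legitimate C:\Windows executables are illustrative assumptions, not a complete inventory.

```python
"""Triage an MBAM 1.x log the way a helper reads the one above.

Added example: not part of the original thread and not Malwarebytes' code.
Each detection line has the shape  <target> (<family>) -> <action>.  We pull out
(1) system-binary names sitting outside System32, (2) Run-key persistence and the
policy values that lock the user out of tooling, and (3) items the scanner did NOT
confirm as removed, which must be re-checked after a reboot.
SAMPLE_LOG is constructed from lines quoted in the thread.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

DETECTION_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Live in System32/SysWOW64 on a clean Windows 7, never in %SystemRoot% itself. Illustrative.
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "svchost.exe",
                 "winlogon.exe", "wininit.exe", "spoolsv.exe", "taskmgr.exe", "cmd.exe"}
# Executables that legitimately sit directly in C:\Windows on Windows 7. Illustrative, partial.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "regedit.exe", "notepad.exe", "write.exe", "hh.exe",
                      "helppane.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe",
                      "fveupdate.exe", "twunk_16.exe", "twunk_32.exe"}
LOCKOUT_POLICIES = {"nofolderoptions", "disableregistrytools", "disabletaskmgr"}
RUN_KEY_MARKER = "\\currentversion\\run\\"
UNRESOLVED_ACTIONS = ("No action taken", "Delete on reboot")


def parse_detections(log_text):
    """Yield (target, family, action) for every detection line; skip headers and blanks."""
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            yield m.group("target"), m.group("family"), m.group("action")


def is_masquerade(path):
    """System-binary name outside System32, or an unexpected .exe dropped straight into C:\\Windows."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in SYSTEM32_ONLY and parent not in (r"c:\windows\system32", r"c:\windows\syswow64"):
        return True
    return parent == r"c:\windows" and name.endswith(".exe") and name not in WINDOWS_ROOT_ALLOW


def triage(log_text):
    run_values = defaultdict(set)          # Run value name -> hives it was written to
    report = {"masquerades": [], "lockout_policies": [], "unresolved": []}
    for target, _family, action in parse_detections(log_text):
        lower = target.lower()
        if lower.startswith("hkey_"):
            hive, value = target.split("\\", 1)[0], target.rsplit("\\", 1)[-1]
            if RUN_KEY_MARKER in lower:
                run_values[value].add(hive)
            elif value.lower() in LOCKOUT_POLICIES:
                report["lockout_policies"].append(value)
        elif is_masquerade(target) and target not in report["masquerades"]:
            report["masquerades"].append(target)   # memory hit and file hit collapse to one path
        if action.startswith(UNRESOLVED_ACTIONS):
            report["unresolved"].append((target, action))
    report["run_values"] = {v: sorted(h) for v, h in run_values.items()}
    return report


def dual_hive_run_values(report):
    """Run values written to both HKCU and HKLM: one dropper, belt-and-braces persistence."""
    return sorted(v for v, hives in report["run_values"].items() if len(hives) == 2)


# Constructed sample: a handful of lines copied from the MBAM logs in the thread.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\Windows\nvsvc32.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\csrss.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\spoolsv.exe (Trojan.Downloader) -> Unloaded process successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqtw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uledeweciqusol (Trojan.Agent.U) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\csrss.exe (Trojan.Downloader) -> Delete on reboot.
C:\Users\tyler\Downloads\setupxv.exe (Rogue.Installer) -> No action taken.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, items in result.items():
        print(f"{key}: {items}")
    print("dual-hive Run values:", dual_hive_run_values(result))
```

Run it as-is to triage the embedded sample, or pass the text of a real mbam-log-*.txt to triage(). The "unresolved" list is the point for a thread like this one: an entry marked "Delete on reboot" or "No action taken" is not gone until a post-reboot rescan comes back clean, and a Run value present in both hives under the same name tells you the entries share one origin even when the names look random.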
 
Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
 
Thank you for the response

Here are the DDS logs. I am running 64-bit, so I can't run GMER?

This is the latest MBAM log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4586

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/09/2010 1:53:32 PM
mbam-log-2010-09-10 (13-53-32).txt

Scan type: Quick scan
Objects scanned: 134765
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

Attachments
  • DDS.txt (20.6 KB)
  • Attach.txt (5.5 KB)

I don't see any current AV program running. What happened?

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

======================================================================

Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

* Open SUPERAntiSpyware.
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.

  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
 
Ah, I uninstalled AVG and installed Microsoft Security Essentials. I probably did the scan in between, which explains the lack of antivirus showing in the log.

I rebooted after SUPERAntiSpyware and did an MBAM scan; the infected registry entry is clean! No viruses or malware.
However, as I was writing this, Windows Explorer quit again. Maybe I should enable the unknown startup tasks I disabled? I can't find any information about them online. Any suggestions?

Here are the logs as requested.


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: Sony Corporation
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Sony Corporation
System Product Name: VPCEB11FD
Logical Drives Mask: 0x00000074

Kernel Drivers (total 188):
0x02E66000 \SystemRoot\system32\ntoskrnl.exe
0x02E1D000 \SystemRoot\system32\hal.dll
0x00BAC000 \SystemRoot\system32\kdcom.dll
0x00C01000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00C45000 \SystemRoot\system32\PSHED.dll
0x00C59000 \SystemRoot\system32\CLFS.SYS
0x00CB7000 \SystemRoot\system32\CI.dll
0x00E76000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F1A000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00F29000 \SystemRoot\system32\drivers\ACPI.sys
0x00F80000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00F89000 \SystemRoot\system32\drivers\msisadrv.sys
0x00F93000 \SystemRoot\system32\drivers\pci.sys
0x00FC6000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00FD3000 \SystemRoot\System32\drivers\partmgr.sys
0x00FE8000 \SystemRoot\system32\drivers\compbatt.sys
0x00FF1000 \SystemRoot\system32\drivers\BATTC.SYS
0x00E00000 \SystemRoot\system32\drivers\volmgr.sys
0x00E15000 \SystemRoot\System32\drivers\volmgrx.sys
0x00D77000 \SystemRoot\System32\drivers\mountmgr.sys
0x010A8000 \SystemRoot\system32\drivers\iaStor.sys
0x012B0000 \SystemRoot\system32\drivers\amdxata.sys
0x012BB000 \SystemRoot\system32\drivers\fltmgr.sys
0x01307000 \SystemRoot\system32\drivers\fileinfo.sys
0x0131B000 \SystemRoot\System32\Drivers\PxHlpa64.sys
0x01435000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01327000 \SystemRoot\System32\Drivers\msrpc.sys
0x015D8000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01385000 \SystemRoot\System32\Drivers\cng.sys
0x01400000 \SystemRoot\System32\drivers\pcw.sys
0x01411000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x016EF000 \SystemRoot\system32\drivers\ndis.sys
0x01600000 \SystemRoot\system32\drivers\NETIO.SYS
0x01660000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01802000 \SystemRoot\System32\drivers\tcpip.sys
0x0168B000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01000000 \SystemRoot\system32\drivers\volsnap.sys
0x016D5000 \SystemRoot\System32\Drivers\spldr.sys
0x0104C000 \SystemRoot\System32\drivers\rdyboost.sys
0x016DD000 \SystemRoot\System32\Drivers\mup.sys
0x017E1000 \SystemRoot\System32\drivers\hwpolicy.sys
0x00D91000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x017EA000 \SystemRoot\system32\drivers\disk.sys
0x00DCB000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x03CA8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x03CD2000 \SystemRoot\System32\Drivers\Null.SYS
0x03CDB000 \SystemRoot\System32\Drivers\Beep.SYS
0x03CE2000 \SystemRoot\System32\drivers\vga.sys
0x03CF0000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x03D15000 \SystemRoot\System32\drivers\watchdog.sys
0x03D25000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x03D2E000 \SystemRoot\system32\drivers\rdpencdd.sys
0x03D37000 \SystemRoot\system32\drivers\rdprefmp.sys
0x03D40000 \SystemRoot\System32\Drivers\Msfs.SYS
0x03D4B000 \SystemRoot\System32\Drivers\Npfs.SYS
0x03D5C000 \SystemRoot\system32\DRIVERS\tdx.sys
0x03D7A000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x03D87000 \SystemRoot\System32\DRIVERS\netbt.sys
0x03A00000 \SystemRoot\system32\drivers\afd.sys
0x03DCC000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x03DD5000 \SystemRoot\system32\DRIVERS\pacer.sys
0x01086000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x02CEF000 \SystemRoot\system32\DRIVERS\netbios.sys
0x02CFE000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x02D19000 \SystemRoot\system32\drivers\termdd.sys
0x02D2D000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x02D7E000 \SystemRoot\system32\drivers\nsiproxy.sys
0x02D8A000 \SystemRoot\system32\drivers\mssmbios.sys
0x02D95000 \SystemRoot\System32\drivers\discache.sys
0x02DA4000 \SystemRoot\System32\Drivers\dfsc.sys
0x02DC2000 \SystemRoot\system32\drivers\blbdrive.sys
0x02DD3000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x04888000 \SystemRoot\system32\DRIVERS\igdkmd64.sys
0x04266000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x0435A000 \SystemRoot\System32\drivers\dxgmms1.sys
0x043A0000 \SystemRoot\system32\drivers\HECIx64.sys
0x043B1000 \SystemRoot\system32\drivers\usbehci.sys
0x04200000 \SystemRoot\system32\drivers\USBPORT.SYS
0x043C2000 \SystemRoot\system32\drivers\HDAudBus.sys
0x0442E000 \SystemRoot\system32\DRIVERS\athrx.sys
0x045AB000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x045B8000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x045D8000 \SystemRoot\system32\drivers\rimssne64.sys
0x04400000 \SystemRoot\system32\drivers\risdsne64.sys
0x04800000 \SystemRoot\system32\DRIVERS\yk62x64.sys
0x04865000 \SystemRoot\system32\drivers\i8042prt.sys
0x04418000 \SystemRoot\system32\drivers\kbdclass.sys
0x02C00000 \SystemRoot\system32\drivers\Apfiltr.sys
0x043E6000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x04427000 \SystemRoot\system32\drivers\SFEP.sys
0x04256000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x02C44000 \SystemRoot\system32\drivers\Impcd.sys
0x02C6A000 \SystemRoot\system32\drivers\intelppm.sys
0x045F8000 \SystemRoot\system32\drivers\CmBatt.sys
0x02C80000 \SystemRoot\system32\drivers\CompositeBus.sys
0x02C90000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x02CA6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x04FF3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x05015000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x05044000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0505F000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x05080000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0509A000 \SystemRoot\system32\drivers\swenum.sys
0x0509C000 \SystemRoot\system32\drivers\ks.sys
0x050DF000 \SystemRoot\system32\DRIVERS\umbus.sys
0x050F1000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x0514B000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x05C9A000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x05EB5000 \SystemRoot\system32\drivers\portcls.sys
0x05EF2000 \SystemRoot\system32\drivers\drmk.sys
0x05F14000 \SystemRoot\system32\drivers\ksthunk.sys
0x05F1A000 \SystemRoot\system32\DRIVERS\IntcDAud.sys
0x05F5B000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x05F78000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x05F7A000 \SystemRoot\System32\Drivers\usbvideo.sys
0x05FA8000 \SystemRoot\system32\DRIVERS\ArcSoftKsUFilter.sys
0x00010000 \SystemRoot\System32\win32k.sys
0x05FB2000 \SystemRoot\System32\drivers\Dxapi.sys
0x05FBE000 \SystemRoot\System32\Drivers\crashdmp.sys
0x03A8A000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x05FCC000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x05FDF000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x05C00000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x05C19000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x05C22000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x05C2F000 \SystemRoot\system32\DRIVERS\nvnnio.sys
0x05C58000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00550000 \SystemRoot\System32\TSDDD.dll
0x00790000 \SystemRoot\System32\cdd.dll
0x05C66000 \SystemRoot\system32\drivers\luafv.sys
0x05160000 \SystemRoot\system32\drivers\WudfPf.sys
0x05181000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x05196000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x05FED000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x02CCA000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x02842000 \SystemRoot\system32\drivers\HTTP.sys
0x0290A000 \SystemRoot\system32\DRIVERS\bowser.sys
0x02928000 \SystemRoot\System32\drivers\mpsdrv.sys
0x02940000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x0296D000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x029BB000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x03EEB000 \SystemRoot\system32\drivers\peauth.sys
0x03F91000 \SystemRoot\System32\Drivers\secdrv.SYS
0x03F9C000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x03FC9000 \SystemRoot\System32\drivers\tcpipreg.sys
0x03E00000 \SystemRoot\System32\DRIVERS\srv2.sys
0x078B8000 \SystemRoot\System32\DRIVERS\srv.sys
0x0794E000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x77740000 \Windows\System32\ntdll.dll
0x477F0000 \Windows\System32\smss.exe
0xFFA60000 \Windows\System32\apisetschema.dll
0xFF480000 \Windows\System32\autochk.exe
0xFF970000 \Windows\System32\advapi32.dll
0xFF790000 \Windows\System32\setupapi.dll
0xFF740000 \Windows\System32\Wldap32.dll
0xFF6A0000 \Windows\System32\clbcatq.dll
0xFF680000 \Windows\System32\imagehlp.dll
0xFF670000 \Windows\System32\lpk.dll
0xFF540000 \Windows\System32\rpcrt4.dll
0xFF4F0000 \Windows\System32\ws2_32.dll
0xFF480000 \Windows\System32\autochk.exe
0xFF3B0000 \Windows\System32\usp10.dll
0xFF3A0000 \Windows\System32\nsi.dll
0xFF380000 \Windows\System32\sechost.dll
0xFF270000 \Windows\System32\msctf.dll
0xFF0F0000 \Windows\System32\urlmon.dll
0xFEEE0000 \Windows\System32\ole32.dll
0x77620000 \Windows\System32\kernel32.dll
0xFEE00000 \Windows\System32\oleaut32.dll
0x77910000 \Windows\System32\normaliz.dll
0xFED60000 \Windows\System32\comdlg32.dll
0x77900000 \Windows\System32\psapi.dll
0xFECC0000 \Windows\System32\msvcrt.dll
0xFEC90000 \Windows\System32\imm32.dll
0xFEB60000 \Windows\System32\wininet.dll
0xFDDD0000 \Windows\System32\shell32.dll
0x77520000 \Windows\System32\user32.dll
0xFDB70000 \Windows\System32\iertutil.dll
0xFDAF0000 \Windows\System32\difxapi.dll
0xFDA70000 \Windows\System32\shlwapi.dll
0xFDA30000 \Windows\System32\wintrust.dll
0xFD9F0000 \Windows\System32\cfgmgr32.dll
0xFD9D0000 \Windows\System32\devobj.dll
0xFD860000 \Windows\System32\crypt32.dll
0xFD7C0000 \Windows\System32\comctl32.dll
0xFD750000 \Windows\System32\KernelBase.dll
0xFD740000 \Windows\System32\msasn1.dll
0x778F0000 \Windows\SysWOW64\normaliz.dll

Processes (total 79):
0 System Idle Process
4 System
308 C:\Windows\System32\smss.exe
484 csrss.exe
544 C:\Windows\System32\wininit.exe
568 csrss.exe
600 C:\Windows\System32\services.exe
628 C:\Windows\System32\lsass.exe
636 C:\Windows\System32\lsm.exe
740 C:\Windows\System32\svchost.exe
820 C:\Windows\System32\svchost.exe
880 C:\Windows\System32\svchost.exe
912 C:\Windows\System32\svchost.exe
952 C:\Windows\System32\svchost.exe
336 C:\Windows\System32\svchost.exe
380 C:\Windows\System32\svchost.exe
1052 C:\Windows\System32\winlogon.exe
1176 C:\Windows\System32\spoolsv.exe
1204 C:\Windows\System32\svchost.exe
1380 C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
1428 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
1540 C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
1576 C:\Windows\System32\svchost.exe
1716 C:\Windows\System32\taskhost.exe
1752 C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
1796 C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
1816 C:\Windows\System32\dwm.exe
1848 C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
1900 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
1952 C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
2020 dllhost.exe
1868 C:\Windows\System32\taskeng.exe
1412 C:\Program Files\Sony\VAIO Care\VAIOCareService.exe
2088 C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
2132 C:\Windows\System32\igfxtray.exe
2164 C:\Windows\System32\hkcmd.exe
2176 C:\Windows\System32\igfxpers.exe
2232 C:\Windows\System32\igfxsrvc.exe
2256 C:\Program Files\Apoint\Apoint.exe
2340 C:\Program Files\Apoint\ApMsgFwd.exe
2424 C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
2616 C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
2648 C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
2688 C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
2696 C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
2752 C:\Program Files (x86)\Sony\SmartWi Connection Utility\CCP.exe
2780 C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
2844 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
2932 C:\Program Files\Apoint\Apvfb.exe
2940 C:\Program Files\Apoint\ApntEx.exe
2956 C:\Windows\System32\conhost.exe
2984 C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe
1308 C:\Program Files (x86)\Sony\SmartWi Connection Utility\ThirdPartyAppMgr.exe
2600 C:\Program Files (x86)\Sony\SmartWi Connection Utility\PowerManager.exe
3116 C:\Program Files\Sony\VAIO Power Management\SPMService.exe
3356 WmiPrvSE.exe
3516 WUDFHost.exe
3708 C:\Windows\System32\SearchIndexer.exe
4072 C:\Program Files\Windows Media Player\wmpnetwk.exe
3488 C:\Windows\System32\svchost.exe
4112 C:\Windows\System32\svchost.exe
5024 C:\Program Files\Java\jre6\bin\jusched.exe
5048 C:\Program Files\Sony\VAIO Care\VCsystray.exe
4436 C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
2584 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
4956 C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
4004 C:\Windows\System32\svchost.exe
4508 C:\Program Files (x86)\Bonjour\mDNSResponder.exe
4840 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
3872 C:\Program Files\iPod\bin\iPodService.exe
4892 C:\Program Files (x86)\iTunes\iTunesHelper.exe
4172 C:\Program Files\Java\jre6\bin\jucheck.exe
4356 C:\Windows\explorer.exe
4056 C:\Windows\System32\audiodg.exe
1660 C:\Windows\System32\SearchProtocolHost.exe
3884 C:\Windows\System32\SearchFilterHost.exe
1676 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
1328 C:\Users\tyler\Downloads\MBRCheck.exe
2904 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`37e00000 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHM320II, Rev: 2AC101C4

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!

================================================================
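An added example, not MBRCheck's code and not from anyone in the thread: what a check like the "Windows 7 MBR code detected / SHA1: ..." verdict above actually involves, in Python. The script parses a 512-byte sector, validates the 0x55AA boot signature, decodes the four partition-table entries, hashes the 440-byte bootstrap area and compares it against an allowlist of known-good hashes, and flags an implausible active-partition count. The sector it works on is constructed: the bootstrap bytes are placeholders, the disk signature is made up, and the allowlist is seeded from the sample itself only to show the mechanics (a real baseline comes from a known-clean install of the same Windows build). The one value tied to the page is the active partition's start, LBA 18608128, which is the byte offset 0x00000002`37e00000 that MBRCheck reported for C: above.

```python
"""Parse a 512-byte MBR and apply the checks an MBR scanner like MBRCheck performs.

Added example, not MBRCheck's code and not part of the original thread.
SAMPLE_MBR is constructed: placeholder bootstrap bytes, an invented disk signature,
and an active NTFS partition at LBA 18608128 (the 0x237e00000 offset reported for
C: in the thread). KNOWN_GOOD is seeded from the sample purely to show the
allowlist mechanics; a real baseline is taken from a known-clean install.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code; 440..443 disk signature; 446.. partition table
PART_TABLE_OFF = 446
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def build_partition_entry(active, ptype, lba_start, sectors):
    """One 16-byte partition entry: status, CHS start (zeroed), type, CHS end (zeroed), LBA, length."""
    return struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, lba_start, sectors)


def build_sample_mbr():
    """Constructed MBR: hidden recovery partition first, active system partition second."""
    boot_code = b"\xfa" + b"\x90" * (BOOT_CODE_LEN - 1)        # placeholder, not real boot code
    disk_sig = struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00"      # constructed disk signature + pad
    table = (build_partition_entry(False, 0x27, 2048, 18608128 - 2048)
             + build_partition_entry(True, 0x07, 18608128, 606_531_584)
             + bytes(16) * 2)                                   # two empty slots
    sector = boot_code + disk_sig + table + BOOT_SIGNATURE
    assert len(sector) == MBR_SIZE
    return sector


def parse_mbr(sector):
    """Validate the sector and decode boot-code hash, disk signature and partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                                            # empty slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors,
                           "byte_offset": lba_start * MBR_SIZE})
    return {"boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
            "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
            "partitions": partitions}


def check_mbr(sector, known_good):
    """Return a list of findings; an empty list means the MBR matches a known-good one."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha1"] not in known_good:
        findings.append(f"boot code SHA1 {info['boot_code_sha1']} not in allowlist")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has zero start or length")
    return findings


def tamper_boot_code(sector, offset=0x10, value=0xE9):
    """Simulate a bootkit patching one byte of the bootstrap code."""
    s = bytearray(sector)
    s[offset] = value
    return bytes(s)


SAMPLE_MBR = build_sample_mbr()
# Allowlist keyed by bootstrap-code hash, seeded from the constructed sample (see docstring).
KNOWN_GOOD = {parse_mbr(SAMPLE_MBR)["boot_code_sha1"]: "constructed baseline"}

if __name__ == "__main__":
    print(parse_mbr(SAMPLE_MBR))
    print("clean sector:   ", check_mbr(SAMPLE_MBR, KNOWN_GOOD))
    print("tampered sector:", check_mbr(tamper_boot_code(SAMPLE_MBR), KNOWN_GOOD))
```

On a live Windows machine the input would be the first 512 bytes of \\.\PhysicalDrive0, read as Administrator; the script deliberately never touches a disk. The hash comparison is the part that matters: a bootkit that hooks the boot path has to change the bootstrap bytes, so an MBR whose code hash is not on the known-good list is the thing to inspect even when the partition table still looks sane.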
 
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/12/2010 at 02:08 AM

Application Version : 4.42.1000

Core Rules Database Version : 5491
Trace Rules Database Version: 3303

Scan type : Complete Scan
Total Scan Time : 01:06:53

Memory items scanned : 328
Memory threats detected : 0
Registry items scanned : 13820
Registry threats detected : 1
File items scanned : 133933
File threats detected : 55

Malware.Trace
(x86) HKU\S-1-5-21-114913183-1313831441-2921357569-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER#NOFOLDEROPTIONS

Adware.Tracking Cookie
ia.media-imdb.com [ C:\Users\tyler\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\JTQAMMVK ]
C:\Users\tyler\AppData\Roaming\Microsoft\Windows\Cookies\Low\tyler@advertising[1].txt
C:\Users\tyler\AppData\Roaming\Microsoft\Windows\Cookies\Low\tyler@doubleclick[1].txt
C:\Users\tyler\AppData\Roaming\Microsoft\Windows\Cookies\Low\tyler@sonycanada.112.2o7[1].txt
C:\Users\tyler\AppData\Roaming\Microsoft\Windows\Cookies\Low\tyler@sonyelectronicssupportus.112.2o7[1].txt
.collective-media.net [ C:\Users\tyler\AppData\Roaming\Mozilla\Firefox\Profiles\il97otd1.default\cookies.sqlite ]
.collective-media.net [ C:\Users\tyler\AppData\Roaming\Mozilla\Firefox\Profiles\il97otd1.default\cookies.sqlite ]
.collective-media.net [ C:\Users\tyler\AppData\Roaming\Mozilla\Firefox\Profiles\il97otd1.default\cookies.sqlite ]
.collective-media.net [ C:\Users\tyler\AppData\Roaming\Mozilla\Firefox\Profiles\il97otd1.default\cookies.sqlite ]
.kontera.com [ C:\Users\tyler\AppData\Roaming\Mozilla\Firefox\Profiles\il97otd1.default\cookies.sqlite ]
.doubleclick.net [ C:\Users\tyler\AppData\Roaming\Mozilla\Firefox\Profiles\il97otd1.default\cookies.sqlite ]

Thank you!
 
:)

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Done and done, files attached.
Couldn't copy and paste text, over character limit.
 

Attachments

  • Extras.Txt (54 KB)
  • OTL.Txt (82.6 KB)
What happened to AVG?

======================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

=======================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O33 - MountPoints2\{463a5b5c-2568-11df-b5ac-0024bebcdabf}\Shell - "" = AutoRun
    O33 - MountPoints2\{463a5b5c-2568-11df-b5ac-0024bebcdabf}\Shell\AutoRun\command - "" = D:\WD SmartWare.exe -- File not found
    [2010/09/10 11:18:38 | 000,000,000 | ---D | C] -- C:\Users\tyler\AppData\Roaming\RegClean
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=======================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
I uninstalled AVG in favor of microsoft security essentials, good choice?

====================================================================

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{828030A1-22C1-4009-854F-8E305202313F}\ not found.
File {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\ not found.
File {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-itss\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A9007C0-4076-11D3-8789-0000F8105754}\ not found.
File {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{828030A1-22C1-4009-854F-8E305202313F}\ not found.
File {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype4com\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}\ not found.
File {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C514A3-1EFB-4856-9F99-10D7BE1653C0}\ not found.
File {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui\ deleted successfully.
C:\Windows\SysNative\igfxdev.dll moved successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{463a5b5c-2568-11df-b5ac-0024bebcdabf}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{463a5b5c-2568-11df-b5ac-0024bebcdabf}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{463a5b5c-2568-11df-b5ac-0024bebcdabf}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{463a5b5c-2568-11df-b5ac-0024bebcdabf}\ not found.
File D:\WD SmartWare.exe not found.
C:\Users\tyler\AppData\Roaming\RegClean\Log folder moved successfully.
C:\Users\tyler\AppData\Roaming\RegClean folder moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: tyler
->Temp folder emptied: 119157 bytes
->Temporary Internet Files folder emptied: 45755668 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 72797958 bytes
->Flash cache emptied: 1747 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 45734 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 142057135 bytes

Total Files Cleaned = 249.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: tyler
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.12.0 log created on 09132010_103710

Files\Folders moved on Reboot...
C:\Users\tyler\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
 
Results of screen317's Security Check version 0.99.5
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Adobe Flash Player 10.0.32.18
Adobe Reader 9.1.2
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 
Monday, September 13, 2010
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 13, 2010 11:32:59
Records in database: 4213809
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
E:\
F:\
G:\
Scan statistics
Objects scanned 139507
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 01:58:49

No threats found. Scanned area is clean.
Selected area has been scanned.
 
Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
On this page:

[screenshot: FoxitReaderInstallation.png]


make sure, you have both boxes UN-checked AND (important!) click on Decline button

========================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please, let me know, how is your computer doing.
 
Before resetting the restore point I was thinking of enabling the two startup processes I disabled when the virus hit.
Lvtdhfngmtd
and
Lvtdhfngotd

I am free of malware, but Windows Explorer still randomly crashes; maybe this could be the issue? Any thoughts?

thank you for your help this far.
 
I have no idea what the processes are for, google search says nothing either...

It crashes sometimes when Firefox is open, sometimes when I'm browsing files. I've come back to see the error message (Windows Explorer is not responding) over top of my screen saver.
It seems really spontaneous.
 
Nope, not running in Task Manager.
Also, Windows Explorer seems to quit halfway through the Malwarebytes quick scan. It's done that consistently a few times.

But the good news is Malwarebytes and SUPERAntiSpyware say I'm clean. Thank you for your help!!!! :D

I still don't have access to System Restore. It says I'm not an administrator, even though I am. That's probably a Microsoft OS issue though.
 
Nope, not running in Task Manager.
You scared me for a moment...LOL

Regarding system restore...
Please, re-run #1 from my reply #13 and post the resulting log.
 
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: tyler
->Temp folder emptied: 107955194 bytes
->Temporary Internet Files folder emptied: 13021140 bytes
->Java cache emptied: 135240 bytes
->FireFox cache emptied: 91581863 bytes
->Flash cache emptied: 2023 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1822070 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 44229956 bytes

Total Files Cleaned = 247.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: tyler
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Error creating restore point.

OTL by OldTimer - Version 3.2.12.0 log created on 09142010_191508

Files\Folders moved on Reboot...
C:\Users\tyler\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
 
Yeah, we have:
Error creating restore point.

Open Windows Explorer.
Go Tools>Folder options>View tab
UN-check "Hide protected operating system files".
Click OK.
Restart Windows Explorer.
In C drive you'll see System Volume Information folder.
Right click on it, click "Properties", then "Security" tab.
Make sure, you have full control of it, meaning all checkmarks are in:

[screenshot: p4465038.gif]


Report on findings.
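As an added example (not from the thread, and not part of OTL or any other tool used here), the following PowerShell audits what the post above asks the user to check by hand, and goes one step further: it reads the ACL on System Volume Information, reports whether System Restore has been switched off through the documented SystemRestore policy key (a location the thread itself does not mention), and lists the services System Restore depends on. It assumes the system drive is C: and that it is run from an elevated prompt.

```powershell
# Added example, not part of the thread. Run from an elevated PowerShell prompt on
# the affected Windows 7 machine. Assumes the system drive is C:.

$svi = 'C:\System Volume Information'

# 1. ACL on System Volume Information. The folder is hidden+system and by default
#    grants access to SYSTEM only, so reading it requires elevation. Rows marked
#    FULL are the identities that hold the "full control" the post asks about.
try {
    $acl = Get-Acl -LiteralPath $svi -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        $rights = $ace.FileSystemRights.ToString()
        $flag = if ($rights -match 'FullControl') { 'FULL' } else { '    ' }
        '{0} {1,-35} {2,-6} {3}' -f $flag, $ace.IdentityReference, $ace.AccessControlType, $rights
    }
} catch {
    "Cannot read ACL on $svi (are you elevated?): $($_.Exception.Message)"
}

# 2. Is System Restore disabled by policy? A greyed-out "Open System Restore"
#    button with the "managed by your system administrator" text is what a policy
#    block looks like. DisableSR=1 turns System Restore off and DisableConfig=1
#    hides its configuration UI; neither value exists on a default install, and
#    on a standalone machine their presence is itself a finding worth recording.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path -LiteralPath $policy) {
    $p = Get-ItemProperty -LiteralPath $policy
    foreach ($name in 'DisableSR', 'DisableConfig') {
        if ($p.PSObject.Properties[$name]) {
            '{0} = {1}' -f $name, $p.$name
        }
    }
} else {
    'No SystemRestore policy key: System Restore is not disabled by policy.'
}

# 3. Services System Restore depends on (Volume Shadow Copy and the shadow copy
#    provider). Win32_Service is used so this also works on PowerShell 2.0.
Get-WmiObject Win32_Service -Filter "Name='VSS' OR Name='swprv'" |
    Select-Object Name, State, StartMode
```

If either policy value is present and set to 1 on a machine that is not domain-managed, that setting, not the account type, is behind the greyed-out button.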
 
Control Panel > Recovery
The button labeled (Open System Restore) is faded and unusable. There is a message box above it that says "Some settings are managed by your system administrator. Why can't I change some settings?" and it goes on to explain in a help document that computers in a network or group, or that are managed by an admin, may not have access to certain features.
I am not connected to a network or group. My user status is set to admin...

Go Windows...
 