Problem with hard-to-get-rid-of Malware (e-markettop)

Zoberraz · July 2, 2011

For over two weeks now, I've been plagued with a bit of malware which no software appear to be able to remove. I've tried Ad-aware, Trojan Remover, Avast anti-virus, NOD32, and Advanced SystemCare (with Malware Fighter v1.0) in full system scans/sweeps while in safe mode and I haven't been able to get rid of it.

That critter seems to initiate on startup of Windows XP and uses my Firefox5 browser to open windows to a marketshare page (I don't recommend viewing the link unless you know what you're getting yourself into: hxxp : //www.e-markettop.com/ ). Sometimes this will flash by as the browser opens and then hides it somehow (because I can type the address and I'll get a 'switch to tab' regarding it, which does not work when clicked on). Other times I'll get multiple browser windows opened, with one browser window showing the site but not being clickable. Other time it just arbitrarily closes my browser even though I suspect the page somehow still runs in the background.

I've tried uninstalling Firefox5 (purging all user settings) and making a Deep Care system sweep (while in safe mode) to erase all traces of it. When I rebooted Windows XP in that instance, it did not occur - but after installing a brand new version of Firefox5 and the next time I rebooted, the problem was back.

And all the while, no new virus/malware definition has come out that was capable of getting rid of it... so, I've decided to come here and point it out to experts in the field. I'm hoping you can either help me, or use the information provided to know what it is and make the next Malware Fighter update one capable of destroying the problem.

Thank you.

enoskype · July 2, 2011

Hi Zoberraz, welcome to IObit Forum! :grin:

Please follow the instructions in Guidelines for requesting malware removal assistance thread and wait for a Malware Fighter ro respond.

Cheers.

Zoberraz · July 2, 2011

Step 1 Complete

Ran Temporary File Cleaner (by OldTimer)

Step 2 Complete

Updated IObit Malware Fighter v1.0, rebooted in Safe Mode, and ran IObit Malware Fighter v1.0.

IObit Malware Fighter

OS: Windows XP
Version: 1.0.0.12
Define Version: 1040
Time Elapsed: 00:20:21
Objects Scanned: 70625
Threats Found: 2
Save Time: 7/2/2011 12:28:18 PM

|Name|Type|Description|ID|
Trojan.Generic - Quarantined, FILE, C:\WINDOWS\$NtServicePackUninstall$\wab.exe, 4041681
Trojan.KIdent - Quarantined, FILE, C:\System Volume Information\_restore{69A36010-4CC3-4B51-944E-8D57A6087250}\RP1296\A0230463.exe, 4007633

Zoberraz · July 2, 2011

Step 3 Complete

Ran DDS (by sUBs) while in Safe Mode.

Quoting dds.txt

.
DDS (Ver_2011-06-23.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.18702
Run by Administrator at 12:28:59 on 2011-07-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1586 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Eset NOD32 antivirus system 2.51 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\IObit\IObit Malware Fighter\IMF.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Crystal.exe] c:\documents and settings\administrator.x2\application data\Crystal.exe
uRun: [nvwiz] c:\documents and settings\all users\nvwiz.exe
uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"
mRun: [soundMan] SOUNDMAN.EXE
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [amd_dc_opt] "c:\program files\amd\amd_dc_opt\amd_dc_opt.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [MULTIMEDIA KEYBOARD] c:\program files\netropa\multimedia keyboard\MMKeybd.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [updateReminder] c:\program files\eset\UpdateReminder.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
LSP: c:\windows\system32\imon.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31EE92CA-C0F5-48F7-AE60-B54CDF3BB76C} - hxxp://202.149.0.34/acqulia/cabs120/AcqVPlayerX.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142612866375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151080724187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FA73B1B9-D6F0-4420-AEB4-B3C973B2A115} - hxxp://uniupdate.plaync.co.kr:8080/UniUpdTool/system/NCLauncher.cab
TCP: DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189
TCP: Interfaces\{72FCEED0-C01C-4620-87ED-2C30036E79B9} : DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.x2\application data\mozilla\firefox\profiles\2uirzohw.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.yahoo.com/
FF - plugin: c:\documents and settings\administrator.x2\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\ahnlab\asp\components\npaosmgr\npaosmgr.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-22 64288]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-6-19 13496]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2006-12-4 6933]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-6-19 821080]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 2151640]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2006-11-26 31744]
S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-6-19 353168]
S2 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2006-12-4 28672]
S2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2006-3-26 507904]
S3 .nelinet;.nelinet; [x]
S3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-6-19 239472]
S3 Fletad2kv;Fletad2kv; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15232]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-6-19 30368]
S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-6-19 16080]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S4 Bits16lofp;Bits16lofp; [x]
.
=============== Created Last 30 ================
.
2011-06-26 00:53:12 -------- d-----w- c:\documents and settings\administrator.x2\local settings\application data\Temp
2011-06-25 14:30:14 -------- d-----w- c:\documents and settings\administrator.x2\application data\NVIDIA
2011-06-24 22:43:14 -------- d-----w- c:\program files\common files\DivX Shared
2011-06-24 22:41:48 -------- d-----w- c:\documents and settings\all users\application data\DivX
2011-06-19 19:52:44 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-06-19 19:52:42 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-06-19 19:52:42 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-06-19 19:52:20 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2011-06-19 19:52:20 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2011-06-19 19:15:57 -------- d-----w- c:\windows\system32\winrm
2011-06-19 19:15:57 -------- d-----w- c:\windows\system32\GroupPolicy
2011-06-19 19:15:48 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-06-19 18:43:12 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-06-19 18:43:12 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-06-19 18:43:06 -------- d-----w- c:\documents and settings\all users\application data\IObit
2011-06-19 18:41:39 -------- d-----w- c:\documents and settings\administrator.x2\application data\IObit
2011-06-19 18:41:35 -------- d-----w- c:\program files\IObit
2011-06-16 22:12:14 -------- d-----w- c:\program files\AVAST Software
2011-06-16 22:12:14 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-06-16 04:45:23 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-13 04:53:09 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-06-13 04:36:09 -------- d-----w- c:\program files\Xvid
2011-06-13 04:19:22 719567 ----a-w- c:\documents and settings\administrator.x2\application data\Crystal.exe
2011-06-13 04:19:22 498688 ----a-w- c:\documents and settings\all users\nvwiz.exe
2011-06-06 16:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-06-29 23:13:41 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-23 23:22:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-24 20:55:00 4066168 ----a-w- c:\windows\system32\GameMon.des
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-18 10:23:39 16432 ----a-w- c:\windows\system32\lsdelete.exe
1999-04-06 13:27:22 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 03:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 03:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 03:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 03:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 03:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL
.
============= FINISH: 12:29:33.51 ===============

Zoberraz · July 2, 2011

Step 3 Complete

Ran DDS (by sUBs) while in Safe Mode.

Quoting attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/10/2006 10:02:05 AM
System Uptime: 7/2/2011 12:02:04 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | A8N32-SLI-Deluxe
Processor: AMD Athlon 64 X2 Dual Core Processor 4400+ | SOCKET 939 | 2210/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 119 GiB total, 49.437 GiB free.
D: is FIXED (NTFS) - 114 GiB total, 35.227 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_81421043&REV_15\4&23E04D34&0&0018
Manufacturer: Marvell
Name: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_81421043&REV_15\4&23E04D34&0&0018
Service: yukonwxp
.
==== System Restore Points ===================
.
RP1274: 5/20/2011 8:25:13 PM - System Checkpoint
RP1275: 5/22/2011 10:03:03 AM - System Checkpoint
RP1276: 5/23/2011 3:08:24 PM - System Checkpoint
RP1277: 5/25/2011 7:49:32 PM - System Checkpoint
RP1278: 5/26/2011 7:16:43 PM - Installed NCsoft Launcher
RP1279: 5/28/2011 3:00:39 AM - Software Distribution Service 3.0
RP1280: 5/30/2011 8:11:26 AM - System Checkpoint
RP1281: 6/4/2011 8:47:00 PM - System Checkpoint
RP1282: 6/8/2011 7:50:31 PM - System Checkpoint
RP1283: 6/11/2011 7:42:13 PM - System Checkpoint
RP1284: 6/13/2011 9:04:20 AM - System Checkpoint
RP1285: 6/14/2011 5:08:41 PM - System Checkpoint
RP1286: 6/16/2011 1:07:50 AM - Software Distribution Service 3.0
RP1287: 6/16/2011 6:12:14 PM - avast! Free Antivirus Setup
RP1288: 6/16/2011 7:25:39 PM - avast! Free Antivirus Setup
RP1289: 6/18/2011 11:14:15 AM - avast! Free Antivirus Setup
RP1290: 6/18/2011 11:49:57 AM - Restore Operation
RP1291: 6/19/2011 1:46:00 PM - avast! Free Antivirus Setup
RP1292: 6/19/2011 3:15:10 PM - Installed %1 %2.
RP1293: 6/19/2011 3:15:27 PM - Installed Windows XP Update for Microsoft Windows (KB971513).
RP1294: 6/19/2011 3:15:53 PM - Installed %1 %2.
RP1295: 6/19/2011 3:17:53 PM - Installed Windows XP KB2447568.
RP1296: 6/19/2011 3:18:12 PM - Installed Windows XP KB2492386.
RP1297: 6/23/2011 10:01:46 PM - System Checkpoint
RP1298: 6/24/2011 6:40:29 PM - Removed Adobe Reader 9.4.5.
RP1299: 6/24/2011 6:41:04 PM - Installed Adobe Reader X (10.1.0).
RP1300: 6/25/2011 10:12:04 PM - System Checkpoint
RP1301: 6/26/2011 10:12:59 PM - System Checkpoint
RP1302: 6/29/2011 7:58:47 AM - System Checkpoint
RP1303: 6/29/2011 8:02:13 AM - Software Distribution Service 3.0
RP1304: 7/1/2011 3:44:07 PM - System Checkpoint
.
==== Installed Programs ======================
.
7-Zip 4.62
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS
Adobe Photoshop CS3
Adobe Reader X (10.1.0)
Adobe Setup
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Advanced SystemCare 4
Adventure Tools
Aion
AMD Dual-Core Optimizer
Apple Application Support
Apple Software Update
ASUS Enhanced Display Driver
ASUS nVidia Driver
Autodesk 3ds Max 8
Autodesk DWF Viewer
Bandisoft MPEG-1 Decoder
BitTorrent
CDBurnerXP Pro 3
Character Builder
Combined Community Codec Pack 2010-10-10
DivX Content Uploader
DivX Setup
DNA
EA Installer
EA Shared Game Component: Activation
Fate/stay night English v3.1
Game Booster
getPlus® for Adobe
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - Scanners
IObit Malware Fighter
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Joint Operations: Typhoon Rising
Logitech MouseWare 9.75
Macromedia Dreamweaver MX
Macromedia Extension Manager
Mass Effect 2
MDB Utilities 2.0.1 for 3ds Max
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
mIRC
Mozilla Firefox 5.0 (x86 en-US)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
NCsoft Launcher
NOD32 antivirus system
NOD32 FiX v1.9
NVIDIA Control Panel 260.99
NVIDIA Drivers
NVIDIA FX Composer
NVIDIA Graphics Driver 260.99
NVIDIA Install Application
NVIDIA nView 135.36
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.10.0514
PDF Settings
PunkBuster for Joint Operations
QuickTime
RealPlayer
Realtek AC'97 Audio
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Smart Defrag 2
Star Trek Online
Sun Download Manager 2.0 (web)
System Requirements Lab
Tablet
The Witcher Enhanced Edition - "Side Effects"
The Witcher Enhanced Edition - "The Price of Neutrality"
Touch Manager
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
ViewSonic Monitor Drivers
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Winamp (remove only)
Windows Defender Signatures
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
7/2/2011 12:00:15 PM, error: Service Control Manager [7034] - The IMF Service service terminated unexpectedly. It has done this 1 time(s).
7/2/2011 12:00:15 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
7/2/2011 11:58:56 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 asuskbnt Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
7/1/2011 11:25:49 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/1/2011 11:25:47 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/1/2011 11:25:32 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 asuskbnt Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu Tcpip WS2IFSL
7/1/2011 11:25:32 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/1/2011 11:25:32 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/30/2011 7:09:41 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
6/28/2011 7:28:14 AM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
6/28/2011 7:28:14 AM, error: Service Control Manager [7000] - The .nelinet service failed to start due to the following error: The system cannot find the path specified.
.
==== End Of File ===========================

Superdave · July 2, 2011

Hello and welcome to IOBit Forums. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

**************************************************

Download OTL to your desktop.

* Open OTL

* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

:OTL
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File

:services 
Fletad2kv
Bits16lofp

:COMMANDS
[resethosts]
[purity]
[emptytemp]
[start explorer]

* Click Run Fix

* OTLI2 may ask to reboot the machine. Please do so if asked.

* Click OK

* A report will open. Copy and Paste that report in your next reply.

************************************************************

P2P - I see you have P2P software installed on your machine (BitTorrent). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

***********************************************

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS)

* Double-click the icon on your desktop to run the installer.

* When asked to Update the program definitions, click Yes

* If you encounter any problems while downloading the updates, manually download and unzip them from here

* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts

* Click the Scanning Control tab.

* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning

•Scan for tracking cookies

•Terminate memory threats before quarantining

•Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer

* On the left check the box for the drive you are scanning.

* On the right choose Perform Complete Scan

* Click Next to start the scan. Please be patient while it scans your computer.

* After the scan is complete a summary box will appear. Click OK

* Make sure everything in the white box has a check next to it, then click Next

* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:

•After reboot, double-click the SUPERAntiSpyware icon on your desktop.

•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).

•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)

* Click close and close again to exit the program.

*Copy and Paste the log in your post.

************************************************

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

******************************************************

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1

Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.

* Open the Security Check folder and double-click Security Check.bat

* Follow the on-screen instructions inside of the black box.

* A Notepad document should open automatically called checkup.txt

* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Zoberraz · July 3, 2011

OTL:

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
Service Fletad2kv stopped successfully!
Service Fletad2kv deleted successfully!
Service Bits16lofp stopped successfully!
Service Bits16lofp deleted successfully!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.X2
->Temp folder emptied: 1110373 bytes
->Temporary Internet Files folder emptied: 673135 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 127900173 bytes
->Flash cache emptied: 1624 bytes

User: ADMINI~1~X2

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 124.00 mb

OTL by OldTimer - Version 3.2.25.0 log created on 07022011_201653

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

SUPERAntiSpyware:

Appears to have come up empty.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/02/2011 at 09:17 PM

Application Version : 4.55.1000

Core Rules Database Version : 7367
Trace Rules Database Version: 5179

Scan type : Complete Scan
Total Scan Time : 00:53:11

Memory items scanned : 288
Memory threats detected : 0
Registry items scanned : 7808
Registry threats detected : 0
File items scanned : 103755
File threats detected : 0

Malwarebytes Anti-Malware:

This program does not appear to run on my computer. I sometimes get a small window that pops up with two buttons and then it vanishes before I can actually read the text content. Other times I click on the application, I get no reaction at all from the computer.

Security Check:

Results of screen317's Security Check version 0.99.17
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
NOD32 antivirus system
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
Malwarebytes' Anti-Malware
Adobe Flash Player 10.3.181.26
Adobe Reader X (10.1.0)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
Eset nod32kui.exe
Eset nod32krn.exe
IObit IObit Malware Fighter IMFsrv.exe
IObit IObit Malware Fighter IMF.exe
``````````End of Log````````````

Zoberraz · July 3, 2011

Malwarebytes Anti-Malware:

Went into Safe Mode (Networking) to use this software as well as update its definition.

Malwarebytes' Anti-Malware 1.51.0.1200
http://www.malwarebytes.org

Database version: 7006

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

7/3/2011 9:07:49 AM
mbam-log-2011-07-03 (09-07-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 276763
Time elapsed: 25 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Symptoms had abated yesterday, but on this morning's booting of my computer I got it again. I've had it both on startup, and it also opened while I was internet browsing and it terminated my session. A Malware Fighter v1.0 full scan came up empty.

Superdave · July 3, 2011

Please download ComboFix http://img7.imageshack.us/img7/4930/combofix.gif from BleepingComputer.com

Alternate link: GeeksToGo.com

and save it to your Desktop.

It would be easiest to download using Internet Explorer.

If you insist on using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab

* Set to "Always ask me where to Save the files".

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here

Double click ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

http://i424.photobucket.com/albums/pp322/digistar/Query_RC.gif

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i424.photobucket.com/albums/pp322/digistar/RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

Zoberraz · July 3, 2011

ComboFix:

ComboFix would not run normally on my OS, so I went into Safe Mode (/w networking). There, I managed to follow the operations left for me. The Microsoft Recovery Console was installed, and the malware scan followed up.

Here is the quoted log:

ComboFix 11-07-02.03 - Administrator 07/03/2011 15:49:30.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1563 [GMT -4:00]
Running from: c:\documents and settings\Administrator.X2\Desktop\ComboFix.exe
AV: Eset NOD32 antivirus system 2.51 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.X2\Application Data\Crystal.exe
c:\documents and settings\Administrator.X2\My Documents\DPE.DUS
c:\documents and settings\Administrator.X2\WINDOWS
c:\windows\IsUn0411.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))
.
.
2011-07-03 00:16 . 2011-07-03 00:16 -------- d-----w- C:\_OTL
2011-07-03 00:04 . 2011-07-03 00:04 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\Malwarebytes
2011-07-03 00:04 . 2011-07-03 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-03 00:04 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-03 00:04 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-03 00:04 . 2011-07-03 00:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-03 00:01 . 2011-07-03 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-03 00:01 . 2011-07-03 00:01 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\SUPERAntiSpyware.com
2011-07-03 00:01 . 2011-07-03 00:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-26 00:53 . 2011-06-26 00:53 -------- d-----w- c:\documents and settings\Administrator.X2\Local Settings\Application Data\Temp
2011-06-25 14:30 . 2011-06-25 14:30 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\NVIDIA
2011-06-24 22:43 . 2011-06-24 22:43 -------- d-----w- c:\program files\Common Files\DivX Shared
2011-06-24 22:41 . 2011-06-24 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2011-06-19 19:52 . 2011-06-19 19:52 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-06-19 19:52 . 2011-06-19 19:52 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-06-19 19:52 . 2011-06-19 19:52 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-06-19 19:52 . 2010-10-16 18:55 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2011-06-19 19:52 . 2010-10-16 18:55 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2011-06-19 19:15 . 2011-06-19 19:15 -------- d-----w- c:\windows\system32\winrm
2011-06-19 19:15 . 2011-06-19 19:15 -------- d-----w- c:\windows\system32\GroupPolicy
2011-06-19 19:15 . 2011-06-19 19:16 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-06-19 18:43 . 2011-02-23 21:04 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-06-19 18:43 . 2011-02-23 20:54 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-06-19 18:43 . 2011-06-19 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-06-19 18:41 . 2011-06-19 18:43 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\IObit
2011-06-19 18:41 . 2011-06-19 18:43 -------- d-----w- c:\program files\IObit
2011-06-16 22:12 . 2011-06-19 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-16 22:12 . 2011-06-16 22:12 -------- d-----w- c:\program files\AVAST Software
2011-06-16 04:45 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-13 04:53 . 2011-06-13 04:53 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-06-13 04:36 . 2011-06-13 04:52 -------- d-----w- c:\program files\Xvid
2011-06-13 04:19 . 2011-06-13 04:19 498688 ----a-w- c:\documents and settings\All Users\nvwiz.exe
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-29 23:13 . 2009-10-29 17:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-23 23:22 . 2011-05-15 14:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31 . 2006-03-10 14:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-24 20:55 . 2011-05-04 23:21 4066168 ----a-w- c:\windows\system32\GameMon.des
2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-18 10:23 . 2009-01-22 05:28 16432 ----a-w- c:\windows\system32\lsdelete.exe
1999-04-06 13:27 . 1999-04-06 13:27 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 03:53 . 1998-12-09 03:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 03:53 . 1998-12-09 03:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
2011-06-16 04:17 . 2011-07-01 16:48 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nvwiz"="c:\documents and settings\All Users\nvwiz.exe" [2011-06-13 498688]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-05-28 412560]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2006-03-26 921600]
"amd_dc_opt"="c:\program files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 106496]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 19968]
"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-09-28 176128]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-28 1191216]
"UpdateReminder"="c:\program files\Eset\UpdateReminder.exe" [2010-11-03 413696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-06-01 4385112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-4 110592]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-4 114688]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\java.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"d:\\Games\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"d:\\Games\\Mass Effect 2\\MassEffect2Launcher.exe"=
"d:\\Games\\Mass Effect 2\\Binaries\\EACoreServer.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"d:\\Games\\Cryptic Studios\\Star Trek Online\\Playtest\\GameClient.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/22/2009 1:19 AM 64288]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [6/19/2011 2:43 PM 13496]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/4/2006 5:19 PM 639224]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [12/4/2006 5:33 PM 6933]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/6/2010 1:28 PM 2151640]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [11/26/2006 1:10 AM 31744]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [6/19/2011 2:41 PM 353168]
S2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/19/2011 2:42 PM 821080]
S2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [12/4/2006 5:33 PM 28672]
S3 .nelinet;.nelinet; [x]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [6/19/2011 2:42 PM 30368]
S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [6/19/2011 2:42 PM 16080]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 8:00 AM 14336]
S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [6/19/2011 2:42 PM 239472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 11:19]
.
2011-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-07-03 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-06-19 18:46]
.
2011-07-03 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-06-19 00:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
LSP: c:\windows\system32\imon.dll
TCP: DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {31EE92CA-C0F5-48F7-AE60-B54CDF3BB76C} - hxxp://202.149.0.34/acqulia/cabs120/AcqVPlayerX.cab
DPF: {FA73B1B9-D6F0-4420-AEB4-B3C973B2A115} - hxxp://uniupdate.plaync.co.kr:8080/UniUpdTool/system/NCLauncher.cab
FF - ProfilePath - c:\documents and settings\Administrator.X2\Application Data\Mozilla\Firefox\Profiles\2uirzohw.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Crystal.exe - c:\documents and settings\Administrator.X2\Application Data\Crystal.exe
Notify-AtiExtEvent - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-03 15:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,91,0f,82,da,02,bb,40,94,db,35,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,91,0f,82,da,02,bb,40,94,db,35,\
.
[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B788BE9B-1485-BE90-362D-06F65089EE55}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:9e,f9,f0,1f,08,87,9f,4f,2a,12,fc,98,80,8b,f7,4d,24,91,23,28,6f,7d,aa,
6a,a8,b1,3d,3b,ef,7f,b2,de,d5,38,6e,3a,fc,35,74,65,0b,a8,ee,04,fa,a8,b5,61,\
"??"=hex:56,06,01,9b,20,cb,8c,b1,f7,33,c3,f8,9d,0e,0d,cc
.
[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:9b,7d,6b,40,1b,38,3a,fb,79,47,ed,44,e7,a2,b7,52,36,92,cb,37,16,
49,ec,ef,ec,d5,43,27,37,16,6a,d2,4b,bf,68,bc,54,e6,84,21,39,02,25,c2,8f,fb,\
"rkeysecu"=hex:1c,c3,39,c1,e0,12,bb,2e,fd,cc,9f,94,da,48,2b,2c
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-07-03 15:54:26
ComboFix-quarantined-files.txt 2011-07-03 19:54
.
Pre-Run: 51,206,238,208 bytes free
Post-Run: 51,143,602,176 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
Current=5 Default=5 Failed=4 LastKnownGood=1 Sets=1,2,3,4,5
- - End Of File - - E86F4DA418FB5D06097673E892F506FF

Superdave · July 3, 2011

P2P - I see you have P2P software installed on your machine (BitTorrent). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

*************************************************

ComboFix would not run normally on my OS, so I went into Safe Mode (/w networking).

Something was blocking it from running. Please try this:

Delete your copy of ComboFix; download a fresh copy, except before you download it, rename it to blackpudding.bat

Navigate to Start --> Run, and enter the following command exactly as shown:

"%userprofile%\desktop\blackpudding.bat" /killall

See if ComboFix will run now

Zoberraz · July 4, 2011

ComboFix (blackpudding.bat):

That worked. Quoted log to follow:

ComboFix 11-07-03.01 - Administrator 07/03/2011 23:55:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1551 [GMT -4:00]
Running from: c:\documents and settings\Administrator.X2\desktop\blackpudding.bat
Command switches used :: /killall
AV: Eset NOD32 antivirus system 2.51 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.X2\Desktop\blackpudding.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-06-04 to 2011-07-04 )))))))))))))))))))))))))))))))
.
.
2011-07-03 00:16 . 2011-07-03 00:16 -------- d-----w- C:\_OTL
2011-07-03 00:04 . 2011-07-03 00:04 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\Malwarebytes
2011-07-03 00:04 . 2011-07-03 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-03 00:04 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-03 00:04 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-03 00:04 . 2011-07-03 00:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-03 00:01 . 2011-07-03 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-03 00:01 . 2011-07-03 00:01 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\SUPERAntiSpyware.com
2011-07-03 00:01 . 2011-07-03 00:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-26 00:53 . 2011-06-26 00:53 -------- d-----w- c:\documents and settings\Administrator.X2\Local Settings\Application Data\Temp
2011-06-25 14:30 . 2011-06-25 14:30 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\NVIDIA
2011-06-24 22:43 . 2011-06-24 22:43 -------- d-----w- c:\program files\Common Files\DivX Shared
2011-06-24 22:41 . 2011-06-24 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2011-06-19 19:52 . 2011-06-19 19:52 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-06-19 19:52 . 2011-06-19 19:52 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-06-19 19:52 . 2011-06-19 19:52 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-06-19 19:52 . 2010-10-16 18:55 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2011-06-19 19:52 . 2010-10-16 18:55 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2011-06-19 19:15 . 2011-06-19 19:15 -------- d-----w- c:\windows\system32\winrm
2011-06-19 19:15 . 2011-06-19 19:15 -------- d-----w- c:\windows\system32\GroupPolicy
2011-06-19 19:15 . 2011-06-19 19:16 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-06-19 18:43 . 2011-02-23 21:04 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-06-19 18:43 . 2011-02-23 20:54 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-06-19 18:43 . 2011-06-19 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-06-19 18:41 . 2011-06-19 18:43 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\IObit
2011-06-19 18:41 . 2011-06-19 18:43 -------- d-----w- c:\program files\IObit
2011-06-16 22:12 . 2011-06-19 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-16 22:12 . 2011-06-16 22:12 -------- d-----w- c:\program files\AVAST Software
2011-06-16 04:45 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-13 04:53 . 2011-06-13 04:53 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-06-13 04:36 . 2011-06-13 04:52 -------- d-----w- c:\program files\Xvid
2011-06-13 04:19 . 2011-06-13 04:19 498688 ----a-w- c:\documents and settings\All Users\nvwiz.exe
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-29 23:13 . 2009-10-29 17:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-23 23:22 . 2011-05-15 14:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31 . 2006-03-10 14:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-24 20:55 . 2011-05-04 23:21 4066168 ----a-w- c:\windows\system32\GameMon.des
2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-18 10:23 . 2009-01-22 05:28 16432 ----a-w- c:\windows\system32\lsdelete.exe
1999-04-06 13:27 . 1999-04-06 13:27 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 03:53 . 1998-12-09 03:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 03:53 . 1998-12-09 03:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
2011-06-16 04:17 . 2011-07-01 16:48 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nvwiz"="c:\documents and settings\All Users\nvwiz.exe" [2011-06-13 498688]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-05-28 412560]
"Crystal.exe"="c:\documents and settings\Administrator.X2\Application Data\Crystal.exe" [bU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2006-03-26 921600]
"amd_dc_opt"="c:\program files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 106496]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 19968]
"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-09-28 176128]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-28 1191216]
"UpdateReminder"="c:\program files\Eset\UpdateReminder.exe" [2010-11-03 413696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-06-01 4385112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-4 110592]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-4 114688]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\java.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"d:\\Games\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"d:\\Games\\Mass Effect 2\\MassEffect2Launcher.exe"=
"d:\\Games\\Mass Effect 2\\Binaries\\EACoreServer.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"d:\\Games\\Cryptic Studios\\Star Trek Online\\Playtest\\GameClient.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/22/2009 1:19 AM 64288]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [6/19/2011 2:43 PM 13496]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/4/2006 5:19 PM 639224]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [12/4/2006 5:33 PM 6933]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [6/19/2011 2:41 PM 353168]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/19/2011 2:42 PM 821080]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/6/2010 1:28 PM 2151640]
R2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [12/4/2006 5:33 PM 28672]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [11/26/2006 1:10 AM 31744]
R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [6/19/2011 2:42 PM 239472]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [6/19/2011 2:42 PM 30368]
R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [6/19/2011 2:42 PM 16080]
S3 .nelinet;.nelinet; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 12:27 PM 15232]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 8:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 11:19]
.
2011-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-07-04 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-06-19 18:46]
.
2011-07-04 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-06-19 00:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
LSP: c:\windows\system32\imon.dll
TCP: DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {31EE92CA-C0F5-48F7-AE60-B54CDF3BB76C} - hxxp://202.149.0.34/acqulia/cabs120/AcqVPlayerX.cab
DPF: {FA73B1B9-D6F0-4420-AEB4-B3C973B2A115} - hxxp://uniupdate.plaync.co.kr:8080/UniUpdTool/system/NCLauncher.cab
FF - ProfilePath - c:\documents and settings\Administrator.X2\Application Data\Mozilla\Firefox\Profiles\2uirzohw.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-04 00:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,91,0f,82,da,02,bb,40,94,db,35,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,91,0f,82,da,02,bb,40,94,db,35,\
.
[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B788BE9B-1485-BE90-362D-06F65089EE55}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:9e,f9,f0,1f,08,87,9f,4f,2a,12,fc,98,80,8b,f7,4d,24,91,23,28,6f,7d,aa,
6a,a8,b1,3d,3b,ef,7f,b2,de,d5,38,6e,3a,fc,35,74,65,0b,a8,ee,04,fa,a8,b5,61,\
"??"=hex:56,06,01,9b,20,cb,8c,b1,f7,33,c3,f8,9d,0e,0d,cc
.
[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:9b,7d,6b,40,1b,38,3a,fb,79,47,ed,44,e7,a2,b7,52,36,92,cb,37,16,
49,ec,ef,ec,d5,43,27,37,16,6a,d2,4b,bf,68,bc,54,e6,84,21,39,02,25,c2,8f,fb,\
"rkeysecu"=hex:1c,c3,39,c1,e0,12,bb,2e,fd,cc,9f,94,da,48,2b,2c
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4288)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\ATKKBService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wdfmgr.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\Netropa\Multimedia Keyboard\TrayMon.exe
c:\program files\Netropa\Onscreen Display\OSD.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-07-04 00:12:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-04 04:12
ComboFix2.txt 2011-07-03 19:54
.
Pre-Run: 50,951,057,408 bytes free
Post-Run: 50,929,287,168 bytes free
.
Current=5 Default=5 Failed=4 LastKnownGood=1 Sets=1,2,3,4,5
- - End Of File - - 7DC393B806463CA2C363B85B2E6CDECE

Superdave · July 4, 2011

* Download the following tool: RootRepeal - Rootkit Detector

* Direct download link is here: RootRepeal.zip

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.

* Click this link to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal

* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.

* Select ALL of the checkboxes and then click OK and it will start scanning your system.

* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.

* When done, click on Save Report

* Save it to the same location where you ran it from, such as C:RootRepeal

* Save it as rootrepeal.txt

* Then open that log and select all and copy/paste it back on your next reply please.

* Close RootRepeal.

Zoberraz · July 6, 2011

RootRepeal:

Unfortunately, the software does not appear to run on my computer.

Prior to using it, I have made sure that no antivirus program was still active on my computer (either I got a windows popup warning me I was unprotected/vulnerable, or that I was in Safe mode).

The two attempts made (normal, and Safe Mode), as instructed, resulted in my OS to all appearance freezing (all functions, including movement of the mouse pointer, would cease). There were some faint sounds from my machine indicating that some work might have been in progress, so I gave the benefit of the doubt and let RootRepeal 'work' overnight.

When I checked back, nothing. Given how earlier programs proposed have taken at most 1 hour to get their full scans done, I appears more likely that starting the scan actually does cause a freeze.

Superdave · July 6, 2011

Ok. Please try this one.

Please download Rooter and Save it to your desktop.

Double click it to start the tool.Vista and Windows7 run as administrator.
Click Scan.
Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

Zoberraz · July 6, 2011

Excuse me - I would like to verify: I run Windows XP Professional and not either Windows Vista or Windows 7. Would Rooter be safe to use for my present operating system?

Also for your information: I have not had sign of the symptoms of late. I uncertainly believe this might date my first attempt to use ComboFix.

Superdave · July 6, 2011

I run Windows XP Professional and not either Windows Vista or Windows 7. Would Rooter be safe to use for my present operating system?

Yes, it will be safe. Those instructions are there for Vista or Windows 7 users.

I have not had sign of the symptoms of late

I'm quite sure the problems have been fix but I want to make sure with a few more scans.

Zoberraz · July 9, 2011

Rooter:

Clicked to open the executable. Clicked Scan. The process was very short and gave me this text file:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 35 Stepping 2, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[sharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 5.0 (en-US)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:118 Go - Free:46 Go )
D:\ [Fixed-NTFS] .. ( Total:114 Go - Free:34 Go )
E:\ [CD_Rom]
.
Scan : 16:53.59
Path : C:\Documents and Settings\Administrator.X2\Desktop\Rooter.exe
User : Administrator ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [system Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (752)
______ \??\C:\WINDOWS\system32\csrss.exe (800)
______ \??\C:\WINDOWS\system32\winlogon.exe (824)
______ C:\WINDOWS\system32\services.exe (872)
______ C:\WINDOWS\system32\lsass.exe (884)
______ C:\WINDOWS\system32\nvsvc32.exe (1060)
______ C:\WINDOWS\system32\svchost.exe (1092)
______ C:\WINDOWS\system32\svchost.exe (1144)
______ C:\WINDOWS\System32\svchost.exe (1276)
______ C:\WINDOWS\system32\svchost.exe (1328)
______ C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (1412)
______ C:\WINDOWS\System32\svchost.exe (1572)
______ C:\WINDOWS\system32\spoolsv.exe (1628)
______ C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (1664)
______ C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe (1892)
______ C:\WINDOWS\Explorer.EXE (1904)
______ C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe (1972)
______ C:\WINDOWS\SOUNDMAN.EXE (396)
______ C:\Program Files\Eset\nod32kui.exe (404)
______ C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe (448)
______ C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (456)
______ C:\WINDOWS\system32\RUNDLL32.EXE (548)
______ C:\Program Files\DivX\DivX Update\DivXUpdate.exe (576)
______ C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe (628)
______ C:\Program Files\Logitech\MouseWare\system\em_exec.exe (664)
______ C:\WINDOWS\system32\WTablet\TabUserW.exe (888)
______ C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (1540)
______ C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe (1604)
______ C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe (1712)
______ C:\Program Files\Netropa\Onscreen Display\OSD.exe (1716)
______ C:\WINDOWS\ATKKBService.exe (1968)
______ C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (700)
______ C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe (388)
______ C:\Program Files\Eset\nod32krn.exe (424)
______ C:\WINDOWS\system32\svchost.exe (772)
______ C:\WINDOWS\system32\Tablet.exe (784)
______ C:\WINDOWS\system32\wdfmgr.exe (1232)
______ C:\Program Files\IObit\IObit Malware Fighter\IMF.exe (2156)
______ C:\WINDOWS\system32\wbem\unsecapp.exe (2692)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2864)
______ C:\WINDOWS\System32\alg.exe (2940)
______ C:\Program Files\IObit\Advanced SystemCare 4\ASC.exe (4032)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3264)
______ C:\Program Files\Mozilla Firefox\plugin-container.exe (3876)
______ C:\Documents and Settings\Administrator.X2\Desktop\Rooter.exe (1392)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:127302626304)
\Device\Harddisk0\Partition0 (Start_Offset:127302658560 | Length:122754078720)
\Device\Harddisk0\Partition2 (Start_Offset:127302690816 | Length:122754046464)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\ASC4_PerformanceMonitor.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\SmartDefrag_Startup.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 16:54.01
.
C:\Rooter$\Rooter_1.txt - (09/07/2011 | 16:54.01)

Superdave · July 9, 2011

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the Back button then click Finish.

In your next reply please include the ESET Online Scan Log

Problem with hard-to-get-rid-of Malware (e-markettop)

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Archived