IObit Forum

# Problem with hard-to-get-rid-of Malware (e-markettop)


For over two weeks now, I've been plagued with a bit of malware which no software appears to be able to remove. I've tried Ad-aware, Trojan Remover, Avast anti-virus, NOD32, and Advanced SystemCare (with Malware Fighter v1.0) in full system scans/sweeps while in safe mode and I haven't been able to get rid of it.

That critter seems to initiate on startup of Windows XP and uses my Firefox5 browser to open windows to a marketshare page (I don't recommend viewing the link unless you know what you're getting yourself into: hxxp : //www.e-markettop.com/ ). Sometimes this will flash by as the browser opens and then hides it somehow (because I can type the address and I'll get a 'switch to tab' regarding it, which does not work when clicked on). Other times I'll get multiple browser windows opened, with one browser window showing the site but not being clickable. Other times it just arbitrarily closes my browser even though I suspect the page somehow still runs in the background.

I've tried uninstalling Firefox5 (purging all user settings) and making a Deep Care system sweep (while in safe mode) to erase all traces of it. When I rebooted Windows XP in that instance, it did not occur - but after installing a brand new version of Firefox5 and the next time I rebooted, the problem was back.

And all the while, no new virus/malware definition has come out that was capable of getting rid of it... so, I've decided to come here and point it out to experts in the field. I'm hoping you can either help me, or use the information provided to know what it is and make the next Malware Fighter update one capable of destroying the problem.

Thank you.

##### Share on other sites

Hi Zoberraz, welcome to IObit Forum! :grin:

Please follow the instructions in Guidelines for requesting malware removal assistance thread and wait for a Malware Fighter to respond.

Cheers.

##### Share on other sites

Step 1 Complete

Ran Temporary File Cleaner (by OldTimer)

Step 2 Complete

Updated IObit Malware Fighter v1.0, rebooted in Safe Mode, and ran IObit Malware Fighter v1.0.

IObit Malware Fighter

OS: Windows XP

Version: 1.0.0.12

Define Version: 1040

Time Elapsed: 00:20:21

Objects Scanned: 70625

Threats Found: 2

Save Time: 7/2/2011 12:28:18 PM

|Name|Type|Description|ID|

Trojan.Generic - Quarantined, FILE, C:\WINDOWS\$NtServicePackUninstall$\wab.exe, 4041681

Trojan.KIdent - Quarantined, FILE, C:\System Volume Information\_restore{69A36010-4CC3-4B51-944E-8D57A6087250}\RP1296\A0230463.exe, 4007633

##### Share on other sites

Step 3 Complete

Ran DDS (by sUBs) while in Safe Mode.

Quoting dds.txt

.

DDS (Ver_2011-06-23.01) - NTFSx86 MINIMAL

Internet Explorer: 8.0.6001.18702

Run by Administrator at 12:28:59 on 2011-07-02

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1586 [GMT -4:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Eset NOD32 antivirus system 2.51 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\IObit\IObit Malware Fighter\IMF.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Crystal.exe] c:\documents and settings\administrator.x2\application data\Crystal.exe

uRun: [nvwiz] c:\documents and settings\all users\nvwiz.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE

mRun: [amd_dc_opt] "c:\program files\amd\amd_dc_opt\amd_dc_opt.exe"

mRun: [Logitech Utility] Logi_MwX.Exe

mRun: [MULTIMEDIA KEYBOARD] c:\program files\netropa\multimedia keyboard\MMKeybd.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [updateReminder] c:\program files\eset\UpdateReminder.exe

mRun: [iObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

LSP: c:\windows\system32\imon.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {31EE92CA-C0F5-48F7-AE60-B54CDF3BB76C} - hxxp://202.149.0.34/acqulia/cabs120/AcqVPlayerX.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142612866375

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151080724187

DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {FA73B1B9-D6F0-4420-AEB4-B3C973B2A115} - hxxp://uniupdate.plaync.co.kr:8080/UniUpdTool/system/NCLauncher.cab

TCP: DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189

TCP: Interfaces\{72FCEED0-C01C-4620-87ED-2C30036E79B9} : DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator.x2\application data\mozilla\firefox\profiles\2uirzohw.default\

FF - prefs.js: browser.startup.homepage - hxxp://ca.yahoo.com/

FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\ahnlab\asp\components\npaosmgr\npaosmgr.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-22 64288]

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-6-19 13496]

R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2006-12-4 6933]

R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-6-19 821080]

R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2006-11-26 31744]

S2 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2006-12-4 28672]

S2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2006-3-26 507904]

S3 .nelinet;.nelinet; [x]

S3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-6-19 239472]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15232]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-6-19 30368]

S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-6-19 16080]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]

S4 Bits16lofp;Bits16lofp; [x]

.

=============== Created Last 30 ================

.

2011-06-26 00:53:12 -------- d-----w- c:\documents and settings\administrator.x2\local settings\application data\Temp

2011-06-25 14:30:14 -------- d-----w- c:\documents and settings\administrator.x2\application data\NVIDIA

2011-06-24 22:43:14 -------- d-----w- c:\program files\common files\DivX Shared

2011-06-24 22:41:48 -------- d-----w- c:\documents and settings\all users\application data\DivX

2011-06-19 19:52:44 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin

2011-06-19 19:52:42 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin

2011-06-19 19:52:20 888424 ----a-w- c:\windows\system32\nvdispco32.dll

2011-06-19 19:52:20 813672 ----a-w- c:\windows\system32\nvgenco32.dll

2011-06-19 19:15:57 -------- d-----w- c:\windows\system32\winrm

2011-06-19 19:15:57 -------- d-----w- c:\windows\system32\GroupPolicy

2011-06-19 19:15:48 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$

2011-06-19 18:43:12 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe

2011-06-19 18:43:12 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys

2011-06-19 18:43:06 -------- d-----w- c:\documents and settings\all users\application data\IObit

2011-06-19 18:41:39 -------- d-----w- c:\documents and settings\administrator.x2\application data\IObit

2011-06-19 18:41:35 -------- d-----w- c:\program files\IObit

2011-06-16 22:12:14 -------- d-----w- c:\program files\AVAST Software

2011-06-16 22:12:14 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

2011-06-16 04:45:23 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-13 04:53:09 -------- d-----w- c:\program files\Combined Community Codec Pack

2011-06-13 04:36:09 -------- d-----w- c:\program files\Xvid

2011-06-13 04:19:22 719567 ----a-w- c:\documents and settings\administrator.x2\application data\Crystal.exe

2011-06-13 04:19:22 498688 ----a-w- c:\documents and settings\all users\nvwiz.exe

2011-06-06 16:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

.

==================== Find3M ====================

.

2011-06-29 23:13:41 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-06-23 23:22:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec

2011-04-24 20:55:00 4066168 ----a-w- c:\windows\system32\GameMon.des

2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-04-18 10:23:39 16432 ----a-w- c:\windows\system32\lsdelete.exe

1999-04-06 13:27:22 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL

1998-12-09 03:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL

1998-12-09 03:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL

1998-12-09 03:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL

1998-12-09 03:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL

1998-12-09 03:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

.

============= FINISH: 12:29:33.51 ===============

##### Share on other sites

Step 3 Complete

Ran DDS (by sUBs) while in Safe Mode.

Quoting attach.txt

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-06-23.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 3/10/2006 10:02:05 AM

System Uptime: 7/2/2011 12:02:04 PM (0 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | A8N32-SLI-Deluxe

Processor: AMD Athlon 64 X2 Dual Core Processor 4400+ | SOCKET 939 | 2210/200mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 119 GiB total, 49.437 GiB free.

D: is FIXED (NTFS) - 114 GiB total, 35.227 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller

Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_81421043&REV_15\4&23E04D34&0&0018

Manufacturer: Marvell

Name: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller

PNP Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_81421043&REV_15\4&23E04D34&0&0018

Service: yukonwxp

.

==== System Restore Points ===================

.

RP1274: 5/20/2011 8:25:13 PM - System Checkpoint

RP1275: 5/22/2011 10:03:03 AM - System Checkpoint

RP1276: 5/23/2011 3:08:24 PM - System Checkpoint

RP1277: 5/25/2011 7:49:32 PM - System Checkpoint

RP1278: 5/26/2011 7:16:43 PM - Installed NCsoft Launcher

RP1279: 5/28/2011 3:00:39 AM - Software Distribution Service 3.0

RP1280: 5/30/2011 8:11:26 AM - System Checkpoint

RP1281: 6/4/2011 8:47:00 PM - System Checkpoint

RP1282: 6/8/2011 7:50:31 PM - System Checkpoint

RP1283: 6/11/2011 7:42:13 PM - System Checkpoint

RP1284: 6/13/2011 9:04:20 AM - System Checkpoint

RP1285: 6/14/2011 5:08:41 PM - System Checkpoint

RP1286: 6/16/2011 1:07:50 AM - Software Distribution Service 3.0

RP1287: 6/16/2011 6:12:14 PM - avast! Free Antivirus Setup

RP1288: 6/16/2011 7:25:39 PM - avast! Free Antivirus Setup

RP1289: 6/18/2011 11:14:15 AM - avast! Free Antivirus Setup

RP1290: 6/18/2011 11:49:57 AM - Restore Operation

RP1291: 6/19/2011 1:46:00 PM - avast! Free Antivirus Setup

RP1292: 6/19/2011 3:15:10 PM - Installed %1 %2.

RP1293: 6/19/2011 3:15:27 PM - Installed Windows XP Update for Microsoft Windows (KB971513).

RP1294: 6/19/2011 3:15:53 PM - Installed %1 %2.

RP1295: 6/19/2011 3:17:53 PM - Installed Windows XP KB2447568.

RP1296: 6/19/2011 3:18:12 PM - Installed Windows XP KB2492386.

RP1297: 6/23/2011 10:01:46 PM - System Checkpoint

RP1300: 6/25/2011 10:12:04 PM - System Checkpoint

RP1301: 6/26/2011 10:12:59 PM - System Checkpoint

RP1302: 6/29/2011 7:58:47 AM - System Checkpoint

RP1303: 6/29/2011 8:02:13 AM - Software Distribution Service 3.0

RP1304: 7/1/2011 3:44:07 PM - System Checkpoint

.

==== Installed Programs ======================

.

7-Zip 4.62

Acrobat.com

Aion

AMD Dual-Core Optimizer

Apple Application Support

Apple Software Update

ASUS Enhanced Display Driver

ASUS nVidia Driver

Autodesk 3ds Max 8

Autodesk DWF Viewer

Bandisoft MPEG-1 Decoder

BitTorrent

CDBurnerXP Pro 3

Character Builder

Combined Community Codec Pack 2010-10-10

DivX Setup

DNA

EA Installer

EA Shared Game Component: Activation

Fate/stay night English v3.1

Game Booster

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

hp instant support

HP Memories Disc

HP Photo and Imaging 2.0 - Scanners

IObit Malware Fighter

J2SE Runtime Environment 5.0 Update 3

J2SE Runtime Environment 5.0 Update 6

Joint Operations: Typhoon Rising

Logitech MouseWare 9.75

Macromedia Dreamweaver MX

Macromedia Extension Manager

Mass Effect 2

MDB Utilities 2.0.1 for 3ds Max

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Games for Windows - LIVE

Microsoft Games for Windows - LIVE Redistributable

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

mIRC

Mozilla Firefox 5.0 (x86 en-US)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

MSXML 6 Service Pack 2 (KB954459)

NCsoft Launcher

NOD32 antivirus system

NOD32 FiX v1.9

NVIDIA Control Panel 260.99

NVIDIA Drivers

NVIDIA FX Composer

NVIDIA Graphics Driver 260.99

NVIDIA Install Application

NVIDIA nView 135.36

NVIDIA nView Desktop Manager

NVIDIA PhysX

NVIDIA PhysX System Software 9.10.0514

PDF Settings

PunkBuster for Joint Operations

QuickTime

RealPlayer

Realtek AC'97 Audio

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Encoder (KB2447961)

Security Update for Windows Media Encoder (KB954156)

Security Update for Windows Media Encoder (KB979332)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Smart Defrag 2

Star Trek Online

System Requirements Lab

Tablet

The Witcher Enhanced Edition - "Side Effects"

The Witcher Enhanced Edition - "The Price of Neutrality"

Touch Manager

Unity Web Player

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows Internet Explorer 8 (KB972636)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2492386)

Update for Windows XP (KB2541763)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VC80CRTRedist - 8.0.50727.4053

ViewSonic Monitor Drivers

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

WebFldrs XP

Winamp (remove only)

Windows Defender Signatures

Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Management Framework Core

Windows Media Encoder 9 Series

Windows Media Format Runtime

Windows Media Player 10

Windows XP Service Pack 3

XML Paper Specification Shared Components Pack 1.0

Yahoo! Messenger

.

==== Event Viewer Messages From Past Week ========

.

7/2/2011 12:00:15 PM, error: Service Control Manager [7034] - The IMF Service service terminated unexpectedly. It has done this 1 time(s).

7/2/2011 12:00:15 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

7/2/2011 11:58:56 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 asuskbnt Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL

7/1/2011 11:25:49 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

7/1/2011 11:25:47 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

7/1/2011 11:25:32 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 asuskbnt Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu Tcpip WS2IFSL

7/1/2011 11:25:32 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

7/1/2011 11:25:32 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

6/30/2011 7:09:41 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.

6/28/2011 7:28:14 AM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

6/28/2011 7:28:14 AM, error: Service Control Manager [7000] - The .nelinet service failed to start due to the following error: The system cannot find the path specified.

.

==== End Of File ===========================

##### Share on other sites

Hello and welcome to IOBit Forums. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

**************************************************

* Open OTL

* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

```
:OTL
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File

:services
Bits16lofp

:COMMANDS
[resethosts]
[purity]
[emptytemp]
[start explorer]
```


* Click Run Fix

* Click OK

* A report will open. Copy and Paste that report in your next reply.

************************************************************

P2P - I see you have P2P software installed on your machine (BitTorrent). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

***********************************************

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

* Double-click the icon on your desktop to run the installer.

* When asked to Update the program definitions, click Yes

* Next click the Preferences button.

• Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts

* Click the Scanning Control tab.

* Under Scanner Options make sure only the following are checked:

• Close browsers before scanning

• Terminate memory threats before quarantining

• Click the Close button to leave the control center screen.

* On the main screen click Scan your computer

* On the left check the box for the drive you are scanning.

* On the right choose Perform Complete Scan

* Click Next to start the scan. Please be patient while it scans your computer.

* After the scan is complete a summary box will appear. Click OK

* Make sure everything in the white box has a check next to it, then click Next

* It will quarantine what it found and if it asks if you want to reboot, click Yes

• To retrieve the removal information please do the following:

• After reboot, double-click the SUPERAntiSpyware icon on your desktop.

• Click Preferences. Click the Statistics/Logs tab.

• Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

* Save the log somewhere you can easily find it. (normally the desktop)

* Click close and close again to exit the program.

************************************************

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

******************************************************

* Unzip SecurityCheck.zip and a folder named Security Check should appear.

* Open the Security Check folder and double-click Security Check.bat

* Follow the on-screen instructions inside of the black box.

* A Notepad document should open automatically called checkup.txt

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

##### Share on other sites

OTL:

All processes killed

========== OTL ==========

========== SERVICES/DRIVERS ==========

Service Bits16lofp stopped successfully!

Service Bits16lofp deleted successfully!

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

->Temp folder emptied: 1110373 bytes

->Temporary Internet Files folder emptied: 673135 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 127900173 bytes

->Flash cache emptied: 1624 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 483 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 124.00 mb

OTL by OldTimer - Version 3.2.25.0 log created on 07022011_201653

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

SUPERAntiSpyware:

Appears to have come up empty.

SUPERAntiSpyware Scan Log

Generated 07/02/2011 at 09:17 PM

Application Version : 4.55.1000

Core Rules Database Version : 7367

Trace Rules Database Version: 5179

Scan type : Complete Scan

Total Scan Time : 00:53:11

Memory items scanned : 288

Memory threats detected : 0

Registry items scanned : 7808

Registry threats detected : 0

File items scanned : 103755

File threats detected : 0

Malwarebytes Anti-Malware:

This program does not appear to run on my computer. I sometimes get a small window that pops up with two buttons and then it vanishes before I can actually read the text content. Other times I click on the application, I get no reaction at all from the computer.

Security Check:

Results of screen317's Security Check version 0.99.17

Windows XP Service Pack 3

Internet Explorer 8



Antivirus/Firewall Check:

Windows Firewall Enabled!

NOD32 antivirus system

Antivirus up to date!



Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Mozilla Firefox (x86 en-US..)



Process Check:

objlist.exe by Laurent

Eset nod32kui.exe

Eset nod32krn.exe

IObit IObit Malware Fighter IMFsrv.exe

IObit IObit Malware Fighter IMF.exe

End of Log

##### Share on other sites

Malwarebytes Anti-Malware:

Went into Safe Mode (Networking) to use this software as well as update its definition.

Malwarebytes' Anti-Malware 1.51.0.1200

Database version: 7006

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

7/3/2011 9:07:49 AM

mbam-log-2011-07-03 (09-07-49).txt

Scan type: Full scan (C:\|)

Objects scanned: 276763

Time elapsed: 25 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Symptoms had abated yesterday, but on this morning's booting of my computer I got it again. I've had it both on startup, and it also opened while I was internet browsing and it terminated my session. A Malware Fighter v1.0 full scan came up empty.

##### Share on other sites

and save it to your Desktop.

* Tools->Options->Main tab

* Set to "Always ask me where to Save the files".

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here

Double click ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

http://i424.photobucket.com/albums/pp322/digistar/Query_RC.gif

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i424.photobucket.com/albums/pp322/digistar/RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

##### Share on other sites

ComboFix:

ComboFix would not run normally on my OS, so I went into Safe Mode (/w networking). There, I managed to follow the operations left for me. The Microsoft Recovery Console was installed, and the malware scan followed up.

Here is the quoted log:

ComboFix 11-07-02.03 - Administrator 07/03/2011 15:49:30.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1563 [GMT -4:00]

AV: Eset NOD32 antivirus system 2.51 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\IsUn0411.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))

.

.

2011-07-03 00:16 . 2011-07-03 00:16 -------- d-----w- C:\_OTL

2011-07-03 00:04 . 2011-07-03 00:04 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\Malwarebytes

2011-07-03 00:04 . 2011-07-03 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-07-03 00:04 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-03 00:04 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-03 00:04 . 2011-07-03 00:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-03 00:01 . 2011-07-03 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-07-03 00:01 . 2011-07-03 00:01 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\SUPERAntiSpyware.com

2011-07-03 00:01 . 2011-07-03 00:01 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-06-26 00:53 . 2011-06-26 00:53 -------- d-----w- c:\documents and settings\Administrator.X2\Local Settings\Application Data\Temp

2011-06-25 14:30 . 2011-06-25 14:30 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\NVIDIA

2011-06-24 22:43 . 2011-06-24 22:43 -------- d-----w- c:\program files\Common Files\DivX Shared

2011-06-24 22:41 . 2011-06-24 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2011-06-19 19:52 . 2011-06-19 19:52 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin

2011-06-19 19:52 . 2011-06-19 19:52 1 ----a-w- c:\windows\system32\nvdrssel.bin

2011-06-19 19:52 . 2011-06-19 19:52 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin

2011-06-19 19:52 . 2010-10-16 18:55 888424 ----a-w- c:\windows\system32\nvdispco32.dll

2011-06-19 19:52 . 2010-10-16 18:55 813672 ----a-w- c:\windows\system32\nvgenco32.dll

2011-06-19 19:15 . 2011-06-19 19:15 -------- d-----w- c:\windows\system32\winrm

2011-06-19 19:15 . 2011-06-19 19:15 -------- d-----w- c:\windows\system32\GroupPolicy

2011-06-19 19:15 . 2011-06-19 19:16 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$

2011-06-19 18:43 . 2011-02-23 21:04 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys

2011-06-19 18:43 . 2011-02-23 20:54 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe

2011-06-19 18:43 . 2011-06-19 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2011-06-19 18:41 . 2011-06-19 18:43 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\IObit

2011-06-19 18:41 . 2011-06-19 18:43 -------- d-----w- c:\program files\IObit

2011-06-16 22:12 . 2011-06-19 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-06-16 22:12 . 2011-06-16 22:12 -------- d-----w- c:\program files\AVAST Software

2011-06-16 04:45 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-13 04:53 . 2011-06-13 04:53 -------- d-----w- c:\program files\Combined Community Codec Pack

2011-06-13 04:36 . 2011-06-13 04:52 -------- d-----w- c:\program files\Xvid

2011-06-13 04:19 . 2011-06-13 04:19 498688 ----a-w- c:\documents and settings\All Users\nvwiz.exe

2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-29 23:13 . 2009-10-29 17:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-06-23 23:22 . 2011-05-15 14:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-02 15:31 . 2006-03-10 14:26 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-04-24 20:55 . 2011-05-04 23:21 4066168 ----a-w- c:\windows\system32\GameMon.des

2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-04-18 10:23 . 2009-01-22 05:28 16432 ----a-w- c:\windows\system32\lsdelete.exe

1999-04-06 13:27 . 1999-04-06 13:27 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-09 03:53 . 1998-12-09 03:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-09 03:53 . 1998-12-09 03:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-09 03:53 . 1998-12-09 03:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-09 03:53 . 1998-12-09 03:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-09 03:53 . 1998-12-09 03:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

2011-06-16 04:17 . 2011-07-01 16:48 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nvwiz"="c:\documents and settings\All Users\nvwiz.exe" [2011-06-13 498688]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]

"nod32kui"="c:\program files\Eset\nod32kui.exe" [2006-03-26 921600]

"amd_dc_opt"="c:\program files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 106496]

"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 19968]

"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-09-28 176128]

"UpdateReminder"="c:\program files\Eset\UpdateReminder.exe" [2010-11-03 413696]

"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-06-01 4385112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

.

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-4 114688]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=

"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\java.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"d:\\Games\\Mass Effect 2\\Binaries\\MassEffect2.exe"=

"d:\\Games\\Mass Effect 2\\MassEffect2Launcher.exe"=

"d:\\Games\\Mass Effect 2\\Binaries\\EACoreServer.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"d:\\Games\\Cryptic Studios\\Star Trek Online\\Playtest\\GameClient.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/22/2009 1:19 AM 64288]

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [6/19/2011 2:43 PM 13496]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/4/2006 5:19 PM 639224]

R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [12/4/2006 5:33 PM 6933]

R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [11/26/2006 1:10 AM 31744]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

S2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/19/2011 2:42 PM 821080]

S2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [12/4/2006 5:33 PM 28672]

S3 .nelinet;.nelinet; [x]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [6/19/2011 2:42 PM 30368]

S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [6/19/2011 2:42 PM 16080]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 8:00 AM 14336]

S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [6/19/2011 2:42 PM 239472]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

.

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-06-19 18:46]

.

- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-06-19 00:19]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

LSP: c:\windows\system32\imon.dll

TCP: DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {31EE92CA-C0F5-48F7-AE60-B54CDF3BB76C} - hxxp://202.149.0.34/acqulia/cabs120/AcqVPlayerX.cab

DPF: {FA73B1B9-D6F0-4420-AEB4-B3C973B2A115} - hxxp://uniupdate.plaync.co.kr:8080/UniUpdTool/system/NCLauncher.cab

FF - ProfilePath - c:\documents and settings\Administrator.X2\Application Data\Mozilla\Firefox\Profiles\2uirzohw.default\

FF - prefs.js: browser.startup.homepage - hxxp://ca.yahoo.com/

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-Crystal.exe - c:\documents and settings\Administrator.X2\Application Data\Crystal.exe

Notify-AtiExtEvent - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-03 15:53

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,91,0f,82,da,02,bb,40,94,db,35,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,91,0f,82,da,02,bb,40,94,db,35,\

.

[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B788BE9B-1485-BE90-362D-06F65089EE55}*]

.

[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:9e,f9,f0,1f,08,87,9f,4f,2a,12,fc,98,80,8b,f7,4d,24,91,23,28,6f,7d,aa,

6a,a8,b1,3d,3b,ef,7f,b2,de,d5,38,6e,3a,fc,35,74,65,0b,a8,ee,04,fa,a8,b5,61,\

"??"=hex:56,06,01,9b,20,cb,8c,b1,f7,33,c3,f8,9d,0e,0d,cc

.

"datasecu"=hex:9b,7d,6b,40,1b,38,3a,fb,79,47,ed,44,e7,a2,b7,52,36,92,cb,37,16,

49,ec,ef,ec,d5,43,27,37,16,6a,d2,4b,bf,68,bc,54,e6,84,21,39,02,25,c2,8f,fb,\

"rkeysecu"=hex:1c,c3,39,c1,e0,12,bb,2e,fd,cc,9f,94,da,48,2b,2c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(724)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2011-07-03 15:54:26

ComboFix-quarantined-files.txt 2011-07-03 19:54

.

Pre-Run: 51,206,238,208 bytes free

Post-Run: 51,143,602,176 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

.

Current=5 Default=5 Failed=4 LastKnownGood=1 Sets=1,2,3,4,5

- - End Of File - - E86F4DA418FB5D06097673E892F506FF

##### Share on other sites

P2P - I see you have P2P software installed on your machine (BitTorrent). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

*************************************************

ComboFix would not run normally on my OS, so I went into Safe Mode (/w networking).

Something was blocking it from running. Please try this:

Navigate to Start --> Run, and enter the following command exactly as shown:

"%userprofile%\desktop\blackpudding.bat" /killall

See if ComboFix will run now

##### Share on other sites

ComboFix (blackpudding.bat):

That worked. Quoted log to follow:

ComboFix 11-07-03.01 - Administrator 07/03/2011 23:55:03.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1551 [GMT -4:00]

Command switches used :: /killall

AV: Eset NOD32 antivirus system 2.51 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

* Resident AV is active

.

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

.

((((((((((((((((((((((((( Files Created from 2011-06-04 to 2011-07-04 )))))))))))))))))))))))))))))))

.

.

2011-07-03 00:16 . 2011-07-03 00:16 -------- d-----w- C:\_OTL

2011-07-03 00:04 . 2011-07-03 00:04 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\Malwarebytes

2011-07-03 00:04 . 2011-07-03 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-07-03 00:04 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-03 00:04 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-03 00:04 . 2011-07-03 00:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-03 00:01 . 2011-07-03 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-07-03 00:01 . 2011-07-03 00:01 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\SUPERAntiSpyware.com

2011-07-03 00:01 . 2011-07-03 00:01 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-06-26 00:53 . 2011-06-26 00:53 -------- d-----w- c:\documents and settings\Administrator.X2\Local Settings\Application Data\Temp

2011-06-25 14:30 . 2011-06-25 14:30 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\NVIDIA

2011-06-24 22:43 . 2011-06-24 22:43 -------- d-----w- c:\program files\Common Files\DivX Shared

2011-06-24 22:41 . 2011-06-24 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2011-06-19 19:52 . 2011-06-19 19:52 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin

2011-06-19 19:52 . 2011-06-19 19:52 1 ----a-w- c:\windows\system32\nvdrssel.bin

2011-06-19 19:52 . 2011-06-19 19:52 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin

2011-06-19 19:52 . 2010-10-16 18:55 888424 ----a-w- c:\windows\system32\nvdispco32.dll

2011-06-19 19:52 . 2010-10-16 18:55 813672 ----a-w- c:\windows\system32\nvgenco32.dll

2011-06-19 19:15 . 2011-06-19 19:15 -------- d-----w- c:\windows\system32\winrm

2011-06-19 19:15 . 2011-06-19 19:15 -------- d-----w- c:\windows\system32\GroupPolicy

2011-06-19 19:15 . 2011-06-19 19:16 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$

2011-06-19 18:43 . 2011-02-23 21:04 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys

2011-06-19 18:43 . 2011-02-23 20:54 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe

2011-06-19 18:43 . 2011-06-19 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2011-06-19 18:41 . 2011-06-19 18:43 -------- d-----w- c:\documents and settings\Administrator.X2\Application Data\IObit

2011-06-19 18:41 . 2011-06-19 18:43 -------- d-----w- c:\program files\IObit

2011-06-16 22:12 . 2011-06-19 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-06-16 22:12 . 2011-06-16 22:12 -------- d-----w- c:\program files\AVAST Software

2011-06-16 04:45 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-06-13 04:53 . 2011-06-13 04:53 -------- d-----w- c:\program files\Combined Community Codec Pack

2011-06-13 04:36 . 2011-06-13 04:52 -------- d-----w- c:\program files\Xvid

2011-06-13 04:19 . 2011-06-13 04:19 498688 ----a-w- c:\documents and settings\All Users\nvwiz.exe

2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-29 23:13 . 2009-10-29 17:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-06-23 23:22 . 2011-05-15 14:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-02 15:31 . 2006-03-10 14:26 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-04-24 20:55 . 2011-05-04 23:21 4066168 ----a-w- c:\windows\system32\GameMon.des

2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-04-18 10:23 . 2009-01-22 05:28 16432 ----a-w- c:\windows\system32\lsdelete.exe

1999-04-06 13:27 . 1999-04-06 13:27 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-09 03:53 . 1998-12-09 03:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-09 03:53 . 1998-12-09 03:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-09 03:53 . 1998-12-09 03:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-09 03:53 . 1998-12-09 03:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-09 03:53 . 1998-12-09 03:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

2011-06-16 04:17 . 2011-07-01 16:48 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nvwiz"="c:\documents and settings\All Users\nvwiz.exe" [2011-06-13 498688]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]

"nod32kui"="c:\program files\Eset\nod32kui.exe" [2006-03-26 921600]

"amd_dc_opt"="c:\program files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 106496]

"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 19968]

"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-09-28 176128]

"UpdateReminder"="c:\program files\Eset\UpdateReminder.exe" [2010-11-03 413696]

"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-06-01 4385112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

.

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-4 114688]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=

"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\java.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"d:\\Games\\Mass Effect 2\\Binaries\\MassEffect2.exe"=

"d:\\Games\\Mass Effect 2\\MassEffect2Launcher.exe"=

"d:\\Games\\Mass Effect 2\\Binaries\\EACoreServer.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"d:\\Games\\Cryptic Studios\\Star Trek Online\\Playtest\\GameClient.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/22/2009 1:19 AM 64288]

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [6/19/2011 2:43 PM 13496]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/4/2006 5:19 PM 639224]

R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [12/4/2006 5:33 PM 6933]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/19/2011 2:42 PM 821080]

R2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [12/4/2006 5:33 PM 28672]

R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [11/26/2006 1:10 AM 31744]

R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [6/19/2011 2:42 PM 239472]

R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [6/19/2011 2:42 PM 30368]

R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [6/19/2011 2:42 PM 16080]

S3 .nelinet;.nelinet; [x]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 12:27 PM 15232]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 8:00 AM 14336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

.

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-06-19 18:46]

.

- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-06-19 00:19]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

LSP: c:\windows\system32\imon.dll

TCP: DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {31EE92CA-C0F5-48F7-AE60-B54CDF3BB76C} - hxxp://202.149.0.34/acqulia/cabs120/AcqVPlayerX.cab

DPF: {FA73B1B9-D6F0-4420-AEB4-B3C973B2A115} - hxxp://uniupdate.plaync.co.kr:8080/UniUpdTool/system/NCLauncher.cab

FF - ProfilePath - c:\documents and settings\Administrator.X2\Application Data\Mozilla\Firefox\Profiles\2uirzohw.default\

FF - prefs.js: browser.startup.homepage - hxxp://ca.yahoo.com/

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-04 00:05

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,91,0f,82,da,02,bb,40,94,db,35,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,91,0f,82,da,02,bb,40,94,db,35,\

.

[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B788BE9B-1485-BE90-362D-06F65089EE55}*]

.

[HKEY_USERS\S-1-5-21-299502267-2000478354-682003330-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:9e,f9,f0,1f,08,87,9f,4f,2a,12,fc,98,80,8b,f7,4d,24,91,23,28,6f,7d,aa,

6a,a8,b1,3d,3b,ef,7f,b2,de,d5,38,6e,3a,fc,35,74,65,0b,a8,ee,04,fa,a8,b5,61,\

"??"=hex:56,06,01,9b,20,cb,8c,b1,f7,33,c3,f8,9d,0e,0d,cc

.

"datasecu"=hex:9b,7d,6b,40,1b,38,3a,fb,79,47,ed,44,e7,a2,b7,52,36,92,cb,37,16,

49,ec,ef,ec,d5,43,27,37,16,6a,d2,4b,bf,68,bc,54,e6,84,21,39,02,25,c2,8f,fb,\

"rkeysecu"=hex:1c,c3,39,c1,e0,12,bb,2e,fd,cc,9f,94,da,48,2b,2c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(836)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(4288)

c:\windows\system32\WININET.dll

c:\program files\Logitech\MouseWare\System\LgWndHk.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\ATKKBService.exe

c:\program files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe

c:\program files\Eset\nod32krn.exe

c:\windows\system32\Tablet.exe

c:\windows\system32\wdfmgr.exe

c:\windows\SOUNDMAN.EXE

c:\windows\system32\RUNDLL32.EXE

c:\program files\Logitech\MouseWare\system\em_exec.exe

c:\program files\Netropa\Multimedia Keyboard\TrayMon.exe

c:\program files\Netropa\Onscreen Display\OSD.exe

c:\windows\system32\wbem\unsecapp.exe

.

**************************************************************************

.

Completion time: 2011-07-04 00:12:23 - machine was rebooted

ComboFix-quarantined-files.txt 2011-07-04 04:12

ComboFix2.txt 2011-07-03 19:54

.

Pre-Run: 50,951,057,408 bytes free

Post-Run: 50,929,287,168 bytes free

.

Current=5 Default=5 Failed=4 LastKnownGood=1 Sets=1,2,3,4,5

- - End Of File - - 7DC393B806463CA2C363B85B2E6CDECE

##### Share on other sites

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.

* Click this link to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal

* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.

* Select ALL of the checkboxes and then click OK and it will start scanning your system.

* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.

* When done, click on Save Report

* Save it to the same location where you ran it from, such as C:\RootRepeal

* Save it as rootrepeal.txt

* Then open that log and select all and copy/paste it back on your next reply please.

* Close RootRepeal.

##### Share on other sites

RootRepeal:

Unfortunately, the software does not appear to run on my computer.

Prior to using it, I have made sure that no antivirus program was still active on my computer (either I got a windows popup warning me I was unprotected/vulnerable, or that I was in Safe mode).

The two attempts made (normal, and Safe Mode), as instructed, resulted in my OS to all appearance freezing (all functions, including movement of the mouse pointer, would cease). There were some faint sounds from my machine indicating that some work might have been in progress, so I gave the benefit of the doubt and let RootRepeal 'work' overnight.

When I checked back, nothing. Given how earlier programs proposed have taken at most 1 hour to get their full scans done, it appears more likely that starting the scan actually does cause a freeze.

##### Share on other sites

• Double click it to start the tool. On Vista and Windows 7, run as administrator.
• Click Scan.

##### Share on other sites

Excuse me - I would like to verify: I run Windows XP Professional and not either Windows Vista or Windows 7. Would Rooter be safe to use for my present operating system?

Also for your information: I have not had sign of the symptoms of late. I uncertainly believe this might date from my first attempt to use ComboFix.

##### Share on other sites

> I run Windows XP Professional and not either Windows Vista or Windows 7. Would Rooter be safe to use for my present operating system?

Yes, it will be safe. Those instructions are there for Vista or Windows 7 users.

> I have not had sign of the symptoms of late

I'm quite sure the problems have been fixed but I want to make sure with a few more scans.

##### Share on other sites

Rooter:

Clicked to open the executable. Clicked Scan. The process was very short and gave me this text file:

Rooter.exe (v1.0.2) by Eric_71

.

SeDebugPrivilege granted successfully ...

.

Windows XP . (5.1.2600) Service Pack 3

[32_bits] - x86 Family 15 Model 35 Stepping 2, AuthenticAMD

.

[wscsvc] (Security Center) RUNNING (state:4)

[sharedAccess] RUNNING (state:4)

Windows Firewall -> Enabled

.

Internet Explorer 8.0.6001.18702

Mozilla Firefox 5.0 (en-US)

.

A:\ [Removable]

C:\ [Fixed-NTFS] .. ( Total:118 Go - Free:46 Go )

D:\ [Fixed-NTFS] .. ( Total:114 Go - Free:34 Go )

E:\ [CD_Rom]

.

Scan : 16:53.59

.

----------------------\\ Processes

.

Locked [system Process] (0)

______ System (4)

______ \SystemRoot\System32\smss.exe (752)

______ \??\C:\WINDOWS\system32\winlogon.exe (824)

______ C:\WINDOWS\system32\services.exe (872)

______ C:\WINDOWS\system32\lsass.exe (884)

______ C:\WINDOWS\system32\nvsvc32.exe (1060)

______ C:\WINDOWS\system32\svchost.exe (1092)

______ C:\WINDOWS\system32\svchost.exe (1144)

______ C:\WINDOWS\System32\svchost.exe (1276)

______ C:\WINDOWS\system32\svchost.exe (1328)

______ C:\WINDOWS\System32\svchost.exe (1572)

______ C:\WINDOWS\system32\spoolsv.exe (1628)

______ C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (1664)

______ C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe (1892)

______ C:\WINDOWS\Explorer.EXE (1904)

______ C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe (1972)

______ C:\WINDOWS\SOUNDMAN.EXE (396)

______ C:\Program Files\Eset\nod32kui.exe (404)

______ C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe (448)

______ C:\WINDOWS\system32\RUNDLL32.EXE (548)

______ C:\Program Files\DivX\DivX Update\DivXUpdate.exe (576)

______ C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe (628)

______ C:\Program Files\Logitech\MouseWare\system\em_exec.exe (664)

______ C:\WINDOWS\system32\WTablet\TabUserW.exe (888)

______ C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (1540)

______ C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe (1604)

______ C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe (1712)

______ C:\Program Files\Netropa\Onscreen Display\OSD.exe (1716)

______ C:\WINDOWS\ATKKBService.exe (1968)

______ C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (700)

______ C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe (388)

______ C:\Program Files\Eset\nod32krn.exe (424)

______ C:\WINDOWS\system32\svchost.exe (772)

______ C:\WINDOWS\system32\Tablet.exe (784)

______ C:\WINDOWS\system32\wdfmgr.exe (1232)

______ C:\Program Files\IObit\IObit Malware Fighter\IMF.exe (2156)

______ C:\WINDOWS\system32\wbem\unsecapp.exe (2692)

______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2864)

______ C:\WINDOWS\System32\alg.exe (2940)

______ C:\Program Files\IObit\Advanced SystemCare 4\ASC.exe (4032)

______ C:\Program Files\Mozilla Firefox\firefox.exe (3264)

______ C:\Program Files\Mozilla Firefox\plugin-container.exe (3876)

.

----------------------\\ Device\Harddisk0\

.

\Device\Harddisk0 [sectors : 63 x 512 Bytes]

.

\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:127302626304)

\Device\Harddisk0\Partition0 (Start_Offset:127302658560 | Length:122754078720)

\Device\Harddisk0\Partition2 (Start_Offset:127302690816 | Length:122754046464)

.

.

.

----------------------\\ Registry

.

.

----------------------\\ Files & Folders

.

----------------------\\ Scan completed at 16:54.01

.

C:\Rooter\$\Rooter_1.txt - (09/07/2011 | 16:54.01)

##### Share on other sites

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the Back button then click Finish.