
Can't run or install Malwarebytes get run time error



Can't run Malwarebytes to post its log, but here is HijackThis.log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:21:24 PM, on 2/3/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Windows\Explorer.EXE

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE

C:\Program Files\InkSaver\InkSaver.exe

C:\Windows\system32\RUNDLL32.EXE

C:\Windows\RTHDCPL.EXE

C:\Program Files\Saitek\Software\Profiler.exe

C:\Program Files\Saitek\Software\SaiSmart.exe

C:\Program Files\Saitek\Software\SaiMfd.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\program files\powerstrip\pstrip.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\Windows\system32\nvsvc32.exe

C:\Windows\system32\PnkBstrA.exe

C:\Windows\system32\svchost.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

O4 - HKLM\..\Run: [inkSaver] C:\Program Files\InkSaver\InkSaver.exe hide

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe

O4 - HKLM\..\Run: [saiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe

O4 - HKLM\..\Run: [saiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\ZIPSCA~1\zs_ie.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O15 - Trusted Zone: http://asia.msi.com.tw

O15 - Trusted Zone: http://global.msi.com.tw

O15 - Trusted Zone: http://www.msi.com.tw

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///E:/HDTV%20Calibration%20Wizard/components/hidinputmonitorx.ocx

O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///E:/HDTV%20Calibration%20Wizard/components/A9.ocx

O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file:///E:/HDTV%20Calibration%20Wizard/components/wmvhdrating.ocx

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - AppInit_DLLs: adfyck.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Dave/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg

--

End of file - 9616 bytes


  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Ok, thanks so much for the help. Here are my two log files:

ComboFix

ComboFix 09-02-04.01 - Dave 2009-02-04 15:42:17.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1626 [GMT -5:00]

Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))

.

2009-02-03 19:12 . 2009-02-03 19:12 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Acronis

2009-02-03 19:07 . 2009-02-03 19:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Acronis

2009-02-03 19:07 . 2009-02-03 19:07 441,760 --a------ c:\windows\system32\drivers\timntr.sys

2009-02-03 19:07 . 2009-02-03 19:07 368,480 --a------ c:\windows\system32\drivers\tdrpman.sys

2009-02-03 19:07 . 2009-02-03 19:07 132,224 --a------ c:\windows\system32\drivers\snapman.sys

2009-02-03 19:07 . 2009-02-03 19:07 44,384 --a------ c:\windows\system32\drivers\tifsfilt.sys

2009-02-03 18:57 . 2009-02-03 19:05 <DIR> d-------- c:\program files\Runtime Software

2009-02-03 18:16 . 2009-02-03 18:16 <DIR> d-------- c:\program files\Trend Micro

2009-02-03 18:14 . 2009-02-03 18:14 <DIR> d-------- c:\documents and settings\Dave\Application Data\Thinstall

2009-02-03 18:00 . 2009-02-03 18:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-03 18:00 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-03 18:00 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-03 16:44 . 2009-02-03 16:44 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-03 16:44 . 2009-02-03 16:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-30 21:19 . 2009-01-30 21:35 <DIR> d-------- c:\program files\HD Tune Pro

2009-01-25 13:43 . 2009-02-02 19:47 <DIR> d--h----- C:\_gsdata_

2009-01-25 11:51 . 2009-01-25 11:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\GoodSync

2009-01-25 11:48 . 2009-01-25 11:48 <DIR> d-------- c:\program files\Siber Systems

2009-01-25 11:48 . 2009-02-02 19:43 <DIR> d-------- c:\documents and settings\Dave\Application Data\GoodSync

2009-01-25 10:53 . 2009-01-25 11:01 <DIR> d-------- c:\program files\Cobian Backup 9

2009-01-25 10:42 . 2009-01-25 10:42 <DIR> d-------- c:\program files\Comodo

2009-01-25 10:42 . 2009-01-25 10:42 <DIR> d-------- c:\documents and settings\Dave\Application Data\Comodo

2009-01-25 10:36 . 2009-01-25 10:39 <DIR> d-------- c:\documents and settings\Dave\Application Data\FileBoss

2009-01-24 22:34 . 2006-12-21 15:18 497,496 --a------ c:\windows\system32\XceedZip.dll

2009-01-24 14:25 . 2009-01-24 14:29 <DIR> d-------- c:\program files\VS Revo Group

2009-01-24 08:28 . 2009-01-24 08:28 <DIR> d-------- c:\program files\Softland

2009-01-23 22:43 . 2009-01-23 22:45 <DIR> d-------- c:\program files\MSECACHE

2009-01-23 21:10 . 2009-01-24 08:28 <DIR> d-------- c:\documents and settings\Dave\Application Data\Softland

2009-01-23 21:10 . 2009-01-23 21:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Softland

2009-01-19 18:28 . 2009-01-19 18:32 <DIR> d-------- c:\documents and settings\Dave\Application Data\U3

2009-01-17 18:25 . 2009-01-17 18:25 <DIR> d-------- c:\program files\Microsoft Silverlight

2009-01-15 10:45 . 2009-01-15 10:45 <DIR> d-------- c:\documents and settings\Dave\Sun

2009-01-06 19:20 . 2009-01-06 19:20 <DIR> d-------- c:\program files\Avira

2009-01-06 19:20 . 2009-01-06 19:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-01-06 19:12 . 2009-01-06 19:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8

2009-01-06 16:57 . 2009-01-14 16:04 32,298 --a------ c:\windows\diagerr.xml

2009-01-06 16:57 . 2009-01-14 16:04 1,905 --a------ c:\windows\diagwrn.xml

2009-01-05 20:01 . 2009-01-05 21:00 <DIR> d-------- c:\program files\ZD Soft

2009-01-04 21:31 . 2009-01-04 21:31 <DIR> d-------- c:\documents and settings\Dave\Application Data\PDM

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-04 20:33 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5

2009-02-04 00:08 --------- d-----w c:\documents and settings\Dave\Application Data\uTorrent

2009-02-04 00:08 --------- d-----w c:\documents and settings\Dave\Application Data\Free Download Manager

2009-02-03 15:11 --------- d-----w c:\documents and settings\Dave\Application Data\AdobeUM

2009-01-29 01:30 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-25 02:00 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-24 19:42 --------- d-----w c:\program files\PSP Pandora Deluxe

2008-12-31 17:32 3,888 ----a-w c:\windows\system32\drivers\NTHANDLE.SYS

2008-12-31 05:33 --------- d-----w c:\program files\PowerDataRecovery

2008-12-31 02:08 --------- d-----w c:\program files\Paraben Corporation

2008-12-29 22:30 --------- d-----w c:\program files\Common Files\AVSMedia

2008-12-29 22:30 --------- d-----w c:\program files\AVS4YOU

2008-12-24 03:15 --------- d-----w c:\documents and settings\All Users\Application Data\AVSVideoBurner

2008-12-24 01:10 --------- d-----w c:\documents and settings\Dave\Application Data\AVS4YOU

2008-12-14 13:24 --------- d-----w c:\documents and settings\Dave\Application Data\yoclient

2008-12-13 03:10 --------- d-----w c:\program files\Common Files\Research In Motion

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-10-01 22:02 256 ----a-w c:\documents and settings\Dave\pool.bin

2008-09-01 01:38 12,288 ----a-w c:\program files\PSP Pandora Deluxe;msipl.bin

2008-01-04 03:44 22,328 ----a-w c:\documents and settings\Dave\Application Data\PnkBstrK.sys

2007-06-16 12:33 47,360 ------w c:\documents and settings\Dave\Application Data\pcouffin.sys

2008-03-27 12:15 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-03-27 12:15 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-03-27 12:15 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-03-27 12:15 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-03-27 12:15 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2007-10-07 01:33 88 --sh--r c:\windows\system32\F1B2D9D325.sys

2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll

2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll

2008-03-16 12:30 216,064 --sha-r c:\windows\system32\nbDX.dll

2008-08-22 21:46 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082220080823\index.dat

.

((((((((((((((((((((((((((((( snapshot@2009-02-03_17.54.36.71 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-02-04 20:38:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4b4.dat

+ 2009-02-04 20:38:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_60c.dat

+ 2009-02-04 20:39:29 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_658.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-13 8425472]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2007-04-19 271936]

"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]

"InkSaver"="c:\program files\InkSaver\InkSaver.exe" [2003-10-20 458752]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-13 81920]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]

"Profiler"="c:\program files\Saitek\Software\Profiler.exe" [2004-08-19 159744]

"SaiSmart"="c:\program files\Saitek\Software\SaiSmart.exe" [2004-08-19 98304]

"SaiMfd"="c:\program files\Saitek\Software\SaiMfd.exe" [2004-08-19 135168]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [2008-09-17 737408]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"nwiz"="nwiz.exe" [2007-04-13 c:\windows\system32\nwiz.exe]

"SkyTel"="SkyTel.EXE" [2006-05-17 c:\windows\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-15 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\Dave\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2007-06-07 339968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=adfyck.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= Pvmjpg21.dll

"VIDC.PIM1"= pclepim1.dll

"VIDC.I420"= i420vfw.dll

"VIDC.ZDSV"= scrvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"d:\\Programs\\UTorrent\\utorrent.exe"=

"c:\\Windows\\system32\\sessmgr.exe"=

"c:\\Program Files\\ScanSoft\\OmniForm Premium 5.0\\EReg\\NAVBrowser.exe"=

"c:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=

"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"d:\\Games\\World of Warcraft\\BackgroundDownloader.exe"=

"d:\\Programs\\UltraVnc\\vncviewer.exe"=

"d:\\Programs\\UltraVnc\\winvnc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"25687:TCP"= 25687:TCP:Utorrent

"26587:UDP"= 26587:UDP:Utorrent

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [2007-08-02 210224]

R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-07-14 27992]

R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2008-06-23 56576]

R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [2006-12-27 9006]

S3 DVC150B;Dazzle DVC 150B;c:\windows\system32\drivers\dvc150b.sys [2008-08-04 30976]

S3 lrpdyhqpam;lrpdyhqpam;\??\d:\programs\Glider\lrpdyhqpam.sys --> d:\programs\Glider\lrpdyhqpam.sys [?]

S3 NCBULK;NetChip USB client driver;c:\windows\system32\drivers\NcBulk.SYS [2007-08-25 53189]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]

S3 RioDrv;Rio600 driver;c:\windows\system32\drivers\riodrv.sys [2001-08-17 12032]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41cf7030-7f5e-11dd-bd50-0019db6da6c3}]

\Shell\AutoRun\command - h:\.\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5620ad34-f3a6-11dc-bcff-0019db6da6c3}]

\Shell\AutoRun\command - H:\Autorun.exe /run

\Shell\Shell00\Command - H:\Autorun.exe /run

\Shell\Shell01\Command - H:\Autorun.exe /action

\Shell\Shell02\Command - H:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96091f8f-149c-11dc-a4d7-8e74698d9dfb}]

\Shell\AutoRun\command - h:\.\Start.exe

.

.

------- Supplementary Scan -------

.

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Open with &ZipScan - c:\progra~1\ZIPSCA~1\zs_ie.htm

LSP: %SYSTEMROOT%\system32\nvLsp.dll

Trusted Zone: com.tw\asia.msi

Trusted Zone: com.tw\global.msi

Trusted Zone: com.tw\www.msi

Trusted Zone: turbotax.com

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab

FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\6zumk00h.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - plugin: c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-04 15:43:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------


.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1132)

c:\windows\system32\nvLsp.dll

.

Completion time: 2009-02-04 15:44:44

ComboFix-quarantined-files.txt 2009-02-04 20:44:20

ComboFix2.txt 2009-02-03 22:55:30

Pre-Run: 15,119,130,624 bytes free

Post-Run: 15,133,630,464 bytes free

278 --- E O F --- 2009-01-15 08:01:48

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:47:25 PM, on 2/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE

C:\Program Files\InkSaver\InkSaver.exe

C:\Windows\system32\RUNDLL32.EXE

C:\Windows\RTHDCPL.EXE

C:\Program Files\Saitek\Software\SaiSmart.exe

C:\Program Files\Saitek\Software\SaiMfd.exe

C:\program files\powerstrip\pstrip.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\Windows\system32\nvsvc32.exe

C:\Windows\system32\PnkBstrA.exe

C:\Windows\system32\svchost.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Windows\system32\wscntfy.exe

C:\Windows\explorer.exe

C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

O4 - HKLM\..\Run: [inkSaver] C:\Program Files\InkSaver\InkSaver.exe hide

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe

O4 - HKLM\..\Run: [saiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe

O4 - HKLM\..\Run: [saiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\ZIPSCA~1\zs_ie.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O15 - Trusted Zone: http://asia.msi.com.tw

O15 - Trusted Zone: http://global.msi.com.tw

O15 - Trusted Zone: http://www.msi.com.tw

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///E:/HDTV%20Calibration%20Wizard/components/hidinputmonitorx.ocx

O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///E:/HDTV%20Calibration%20Wizard/components/A9.ocx

O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file:///E:/HDTV%20Calibration%20Wizard/components/wmvhdrating.ocx

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - AppInit_DLLs: adfyck.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Dave/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg

--

End of file - 9413 bytes

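The triage a helper does by hand on an HJT log like the one above (look at O20 AppInit_DLLs first, then unknown LSPs, services with no publisher, Trusted Zone entries and desktop components pointing into Temp) can be written down as parsing rules. The Python below is an added example, not part of this thread or of HijackThis itself; it runs over a few constructed lines in the HJT v2 log format taken from the entries above, and the severities and reasons are this example's own conventions, not HijackThis output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: lines in HijackThis v2.0.x log format, mirroring
# entries from the log in this thread (this is not the full log).
SAMPLE_LOG_LINES = [
    "Logfile of Trend Micro HijackThis v2.0.2",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll",
    "O15 - Trusted Zone: http://www.msi.com.tw",
    "O20 - AppInit_DLLs: adfyck.dll",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe",
    r"O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe",
    "O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Dave/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg",
]

# Every HJT finding line starts with a section code (R0, R1, O4, O23, ...)
# followed by " - " and the detail text; header and process lines do not.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<detail>.+)$")


@dataclass
class Entry:
    section: str
    detail: str


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (this example's own scale)
    entry: Entry
    reason: str


def parse_hjt(lines) -> List[Entry]:
    """Turn HJT log lines into Entry records; non-finding lines are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("detail")))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the review rules a helper applies by hand, highest severity first."""
    findings = []
    for e in entries:
        if e.section == "O20" and e.detail.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # on a home machine it is very rarely populated legitimately.
            findings.append(Finding("high", e, "AppInit_DLLs entry loads a DLL into every GUI process"))
        elif e.section == "O10":
            findings.append(Finding("medium", e, "Winsock LSP not recognised by HJT; verify the file's vendor"))
        elif e.section == "O23" and " - Unknown owner - " in e.detail:
            findings.append(Finding("medium", e, "service binary carries no publisher information"))
        elif e.section == "O15":
            findings.append(Finding("low", e, "Trusted Zone entry lowers IE security for this site"))
        elif e.section == "O24" and re.search(r"[\\/]Temp[\\/]", e.detail, re.I):
            findings.append(Finding("low", e, "desktop component points into a Temp directory"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f.severity])


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, so a log can be compared before and after a fix."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG_LINES)):
        print(f"[{f.severity.upper():6}] {f.entry.section}: {f.entry.detail}")
        print(f"         -> {f.reason}")
```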

  • Root Admin

What is in this folder, and what is it for? d:\programs\Glider\ It is loading a file at boot time named lrpdyhqpam.sys

STEP 1

With all other applications closed (Taskbar empty), open HijackThis again and run "Do a system scan only", then place a check mark on the following items:

  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
  • O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
  • O20 - AppInit_DLLs: adfyck.dll
  • O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Dave/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg

Then quit all browsers, including the one you're reading this in now. Then click on Fix checked and quit HJT.

STEP 2

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
NPF

File::
c:\windows\system32\drivers\npf.sys
c:\windows\system32\adfyck.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41cf7030-7f5e-11dd-bd50-0019db6da6c3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5620ad34-f3a6-11dc-bcff-0019db6da6c3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96091f8f-149c-11dc-a4d7-8e74698d9dfb}]

REGNULL::
[HKEY_USERS\S-1-5-21-602162358-1425521274-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{22424396-6B09-EB64-AADE-45E6E5B45C9B}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

STEP 3

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

Then post back NEW MBAM and HJT logs, in that order please.


"What is in this folder and what is it for? d:\programs\Glider\ it is loading a file at boot time named: lrpdyhqpam.sys"

I have no idea what this file is. Glider was a bot program for World of Warcraft; this has long been deleted. I did a drive search and did not find any such file or directory.

BTW, I had to download a different file search tool because I've found out that my Windows search does not work now. I click search and get nothing.

I did what you said, to the letter, and still can't install (get run time errors) or run Malwarebytes (get run time errors). I uninstalled the old Malwarebytes (got run time errors while uninstalling, but it seems to have uninstalled OK), downloaded a fresh copy of Malwarebytes, and still can't install it without getting "run time errors".

Can't post an MBAM log because I still can't get it to run.

Hijackthis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:03:20 PM, on 2/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Windows\Explorer.EXE

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE

C:\Windows\system32\RUNDLL32.EXE

C:\Windows\RTHDCPL.EXE

C:\Program Files\Saitek\Software\SaiSmart.exe

C:\Program Files\Saitek\Software\SaiMfd.exe

C:\program files\powerstrip\pstrip.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\Windows\system32\nvsvc32.exe

C:\Windows\system32\PnkBstrA.exe

C:\Windows\system32\svchost.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

O4 - HKLM\..\Run: [inkSaver] C:\Program Files\InkSaver\InkSaver.exe hide

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe

O4 - HKLM\..\Run: [saiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe

O4 - HKLM\..\Run: [saiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\ZIPSCA~1\zs_ie.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O15 - Trusted Zone: http://asia.msi.com.tw

O15 - Trusted Zone: http://global.msi.com.tw

O15 - Trusted Zone: http://www.msi.com.tw

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///E:/HDTV%20Calibration%20Wizard/components/hidinputmonitorx.ocx

O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///E:/HDTV%20Calibration%20Wizard/components/A9.ocx

O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file:///E:/HDTV%20Calibration%20Wizard/components/wmvhdrating.ocx

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O24 - Desktop Component 0: (no name) - (no file)

--

End of file - 9051 bytes


  • Root Admin

Just hang in there; sometimes it takes a while to find and remove all this junk.

Please run the following tool. Don't forget you MUST be in SAFE MODE in order to run the cleaning process.

Choose options 2 and 3 for cleaning in Safe Mode.

You may want to print the Web page because you won't have Internet access in Safe Mode.

Please download and run this tool. Follow the instructions provided on the page.

SmitFraudFix

When that tool is done, please download and run the following file to repair file and registry permissions:

fixacl.exe

Then delete your copy of Combofix.exe and download a NEW fresh copy and run it again and post back all the logs.

Additional links to download the tool:

ComboFix.exe

ComboFix.exe

ComboFix.exe


Ok done all that, still can't run Malwarebytes. :D

But I'm sure it will work one day.

Thanks for all the help, you all sure know a lot about this stuff.

Smitfraudfix

SmitFraudFix v2.392

Scan done at 17:01:32.73, Fri 02/06/2009

Run from C:\Documents and Settings\Dave\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


  • Root Admin

STEP 1

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
lrpdyhqpam

File::
d:\programs\Glider\lrpdyhqpam.sys

Registry::
[-HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5BF49A2-94F1-42BD-F434-3604812C807D}]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

STEP 2

Please go here: and download the Microsoft Visual Basic 6 run-time files and install them on your system.

Then see if you can install MBAM now or not. Please download a NEW copy of MBAM to install.


Well, so far so good. Looks like that might have fixed it. I installed Malwarebytes and did a scan, and even my desktop search works again. Once again, thanks for taking the time to work through this problem. :D

Malwarebytes

Malwarebytes' Anti-Malware 1.33

Database version: 1736

Windows 5.1.2600 Service Pack 3

2/7/2009 8:04:33 AM

mbam-log-2009-02-07 (08-04-26).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 182601

Time elapsed: 38 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix

ComboFix 09-02-06.02 - Dave 2009-02-07 7:15:28.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1618 [GMT -5:00]

Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Dave\Desktop\cfscript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

d:\programs\Glider\lrpdyhqpam.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_LRPDYHQPAM

-------\Service_lrpdyhqpam

((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 )))))))))))))))))))))))))))))))

.

2009-02-03 19:12 . 2009-02-03 19:12 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Acronis

2009-02-03 19:07 . 2009-02-03 19:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Acronis

2009-02-03 19:07 . 2009-02-03 19:07 441,760 --a------ c:\windows\system32\drivers\timntr.sys

2009-02-03 19:07 . 2009-02-03 19:07 368,480 --a------ c:\windows\system32\drivers\tdrpman.sys

2009-02-03 19:07 . 2009-02-03 19:07 132,224 --a------ c:\windows\system32\drivers\snapman.sys

2009-02-03 19:07 . 2009-02-03 19:07 44,384 --a------ c:\windows\system32\drivers\tifsfilt.sys

2009-02-03 18:16 . 2009-02-03 18:16 <DIR> d-------- c:\program files\Trend Micro

2009-02-03 18:14 . 2009-02-03 18:14 <DIR> d-------- c:\documents and settings\Dave\Application Data\Thinstall

2009-02-03 16:44 . 2009-02-03 16:44 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-03 16:44 . 2009-02-03 16:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-25 13:43 . 2009-02-02 19:47 <DIR> d--h----- C:\_gsdata_

2009-01-25 11:51 . 2009-01-25 11:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\GoodSync

2009-01-25 11:48 . 2009-01-25 11:48 <DIR> d-------- c:\program files\Siber Systems

2009-01-25 11:48 . 2009-02-02 19:43 <DIR> d-------- c:\documents and settings\Dave\Application Data\GoodSync

2009-01-25 10:53 . 2009-01-25 11:01 <DIR> d-------- c:\program files\Cobian Backup 9

2009-01-25 10:42 . 2009-01-25 10:42 <DIR> d-------- c:\program files\Comodo

2009-01-25 10:42 . 2009-01-25 10:42 <DIR> d-------- c:\documents and settings\Dave\Application Data\Comodo

2009-01-25 10:36 . 2009-01-25 10:39 <DIR> d-------- c:\documents and settings\Dave\Application Data\FileBoss

2009-01-24 22:34 . 2006-12-21 15:18 497,496 --a------ c:\windows\system32\XceedZip.dll

2009-01-23 22:43 . 2009-01-23 22:45 <DIR> d-------- c:\program files\MSECACHE

2009-01-23 21:10 . 2009-01-24 08:28 <DIR> d-------- c:\documents and settings\Dave\Application Data\Softland

2009-01-23 21:10 . 2009-01-23 21:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Softland

2009-01-19 18:28 . 2009-01-19 18:32 <DIR> d-------- c:\documents and settings\Dave\Application Data\U3

2009-01-17 18:25 . 2009-01-17 18:25 <DIR> d-------- c:\program files\Microsoft Silverlight

2009-01-15 10:45 . 2009-01-15 10:45 <DIR> d-------- c:\documents and settings\Dave\Sun

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-07 12:12 --------- d-----w c:\documents and settings\Dave\Application Data\uTorrent

2009-02-07 12:11 --------- d-----w c:\documents and settings\Dave\Application Data\Free Download Manager

2009-02-07 12:08 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5

2009-02-07 03:01 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-02-06 22:37 3,888 ----a-w c:\windows\system32\drivers\NTHANDLE.SYS

2009-02-03 15:11 --------- d-----w c:\documents and settings\Dave\Application Data\AdobeUM

2009-01-29 01:30 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-25 02:00 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-07 00:20 --------- d-----w c:\program files\Avira

2009-01-07 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-01-07 00:12 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8

2009-01-06 02:00 --------- d-----w c:\program files\ZD Soft

2009-01-05 02:31 --------- d-----w c:\documents and settings\Dave\Application Data\PDM

2008-12-31 05:33 --------- d-----w c:\program files\PowerDataRecovery

2008-12-29 22:30 --------- d-----w c:\program files\Common Files\AVSMedia

2008-12-29 22:30 --------- d-----w c:\program files\AVS4YOU

2008-12-24 03:15 --------- d-----w c:\documents and settings\All Users\Application Data\AVSVideoBurner

2008-12-24 01:10 --------- d-----w c:\documents and settings\Dave\Application Data\AVS4YOU

2008-12-14 13:24 --------- d-----w c:\documents and settings\Dave\Application Data\yoclient

2008-12-13 03:10 --------- d-----w c:\program files\Common Files\Research In Motion

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-10-01 22:02 256 ----a-w c:\documents and settings\Dave\pool.bin

2008-01-04 03:44 22,328 ----a-w c:\documents and settings\Dave\Application Data\PnkBstrK.sys

2007-06-16 12:33 47,360 ------w c:\documents and settings\Dave\Application Data\pcouffin.sys

2008-03-27 12:15 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-03-27 12:15 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-03-27 12:15 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-03-27 12:15 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-03-27 12:15 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2007-10-07 01:33 88 --sh--r c:\windows\system32\F1B2D9D325.sys

2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll

2008-03-16 12:30 216,064 --sha-r c:\windows\system32\nbDX.dll

2008-08-22 21:46 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082220080823\index.dat

.

((((((((((((((((((((((((((((( snapshot@2009-02-03_17.54.36.71 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

- 2008-08-22 21:46:27 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-06 23:57:36 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-08-22 21:46:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-06 23:57:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-08-22 21:46:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-06 23:57:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-01-06 01:59:07 267,008 ----a-w c:\windows\system32\FNTCACHE.DAT

+ 2009-02-06 22:09:40 267,008 ----a-w c:\windows\system32\FNTCACHE.DAT

+ 2009-02-07 12:18:04 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1dc.dat

+ 2009-02-07 12:18:03 16,384 ----atw c:\windows\temp\Perflib_Perfdata_284.dat

+ 2009-02-07 12:18:39 16,384 ----atw c:\windows\temp\Perflib_Perfdata_300.dat

+ 2008-07-29 13:05:06 161,784 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2008-07-29 08:54:08 225,280 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

+ 2008-07-29 13:05:08 572,928 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-29 13:05:08 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

+ 2008-07-29 08:54:12 312,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll

+ 2008-07-29 13:05:08 875,520 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll

+ 2008-07-29 13:05:08 1,180,672 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll

+ 2008-07-29 13:05:12 5,937,144 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll

+ 2008-07-29 13:05:12 5,982,720 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll

+ 2008-07-29 11:07:42 80,896 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll

+ 2008-07-29 11:07:42 80,896 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll

+ 2008-07-29 13:05:08 3,768,312 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

+ 2008-07-29 13:05:10 3,783,672 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

+ 2008-07-29 11:07:42 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2008-07-29 11:07:42 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

+ 2008-07-29 13:05:06 38,912 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

+ 2008-07-29 13:05:06 39,936 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

+ 2008-07-29 13:05:08 66,560 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

+ 2008-07-29 13:05:08 56,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

+ 2008-07-29 13:05:06 65,024 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

+ 2008-07-29 13:05:08 65,024 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-29 13:05:06 66,048 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

+ 2008-07-29 13:05:08 64,512 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-29 13:05:08 46,592 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

+ 2008-07-29 13:05:08 46,080 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-29 13:05:08 62,976 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-13 8425472]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2007-04-19 271936]

"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]

"InkSaver"="c:\program files\InkSaver\InkSaver.exe" [2003-10-20 458752]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-13 81920]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]

"Profiler"="c:\program files\Saitek\Software\Profiler.exe" [2004-08-19 159744]

"SaiSmart"="c:\program files\Saitek\Software\SaiSmart.exe" [2004-08-19 98304]

"SaiMfd"="c:\program files\Saitek\Software\SaiMfd.exe" [2004-08-19 135168]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [2008-09-17 737408]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"nwiz"="nwiz.exe" [2007-04-13 c:\windows\system32\nwiz.exe]

"SkyTel"="SkyTel.EXE" [2006-05-17 c:\windows\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-15 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\Dave\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2007-06-07 339968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.MJPG"= Pvmjpg21.dll

"VIDC.PIM1"= pclepim1.dll

"VIDC.I420"= i420vfw.dll

"VIDC.ZDSV"= scrvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"d:\\Programs\\UTorrent\\utorrent.exe"=

"c:\\Windows\\system32\\sessmgr.exe"=

"c:\\Program Files\\ScanSoft\\OmniForm Premium 5.0\\EReg\\NAVBrowser.exe"=

"c:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=

"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"d:\\Games\\World of Warcraft\\BackgroundDownloader.exe"=

"d:\\Programs\\UltraVnc\\vncviewer.exe"=

"d:\\Programs\\UltraVnc\\winvnc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"25687:TCP"= 25687:TCP:Utorrent

"26587:UDP"= 26587:UDP:Utorrent

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [2007-08-02 210224]

R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-07-14 27992]

R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2008-06-23 56576]

R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [2006-12-27 9006]

S3 DVC150B;Dazzle DVC 150B;c:\windows\system32\drivers\dvc150b.sys [2008-08-04 30976]

S3 NCBULK;NetChip USB client driver;c:\windows\system32\drivers\NcBulk.SYS [2007-08-25 53189]

S3 RioDrv;Rio600 driver;c:\windows\system32\drivers\riodrv.sys [2001-08-17 12032]

.

.

------- Supplementary Scan -------

.

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Open with &ZipScan - c:\progra~1\ZIPSCA~1\zs_ie.htm

LSP: %SYSTEMROOT%\system32\nvLsp.dll

DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab

FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\6zumk00h.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll

FF - plugin: c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-07 07:18:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1120)

c:\windows\system32\nvLsp.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\windows\system32\rundll32.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe

c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

c:\program files\NVIDIA Corporation\nTune\nTuneService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

c:\program files\Windows Live\Messenger\usnsvc.exe

.

**************************************************************************

.

Completion time: 2009-02-07 7:20:24 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-07 12:20:13

ComboFix2.txt 2009-02-06 00:37:30

ComboFix3.txt 2009-02-04 20:44:45

ComboFix4.txt 2009-02-03 22:55:30

Pre-Run: 15,675,080,704 bytes free

Post-Run: 15,666,438,144 bytes free

242 --- E O F --- 2009-01-15 08:01:48


  • Root Admin

Please run MBAM again, check for UPDATES first.

Something doesn't look right.

Folders Infected: 0

Files Infected: 1

But no file is listed

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot, run HJT. Do a system scan and save a logfile.

Then post back the NEW MBAM and HJT logs, in that order please.


That missing file entry was my fault. I've got a file on hand that someone gave me a while back that I keep around. It does contain a virus. Not really sure why I hang on to it. I removed the entry in the log file before I posted it. Sorry about that. Once again thanks for the GREAT SERVICE.


  • Root Admin

Please download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
    (image: check.gif)
    If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    (image: move.gif)
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new HijackThis log.

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
