
Infected with Win.32 ramnit



Hi :)

(I'm on a clean PC) It seems like I'm infected with the Win.32 ramnit virus, which might be in combination with the PoisonIvy virus, because I constantly have a firefox.exe process running, sometimes with two instances of the program, as well as IEXPLORER.exe constantly running. I found out that I was infected this way by running the ClamWin virus scanner off a USB, but the scan will not complete. I also read that this virus attaches to USB drives and infects other systems with the autorun feature that some USB drives have, so I'm afraid to use the same USB stick on my clean PC. I've run Norton Anti Virus, Ad-Aware, and Spybot S&D and they have found nothing. I can't run the updates for these programs because the virus is messing with my internet connection, and my computer seems like it's constantly running something. I've also run an old version of MBAM and it found and removed some backdoor entries; I ran it a second time and it found nothing. ClamWin was the last thing I ran, and it seems like this virus has infected many of my .dll files and .exe files. I have a MBAM log file and I can get a HijackThis log, but how do I safely get these log files off the infected computer if it attacks USB drives as well?

Thanks for your help and sorry for not having the log in my first post.


Hi,

Disable autorun on your clean PC.

After that, download ComboFix from one of these locations:

Link 1

Link 2

* VERY IMPORTANT !!! Rename ComboFix.exe to ComboFix.com

Use your USB flash drive to transfer the file to the infected PC.

* IMPORTANT !!! Move ComboFix.com to the Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.com & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Hey,

Thanks for replying. I've followed all of your steps. I just wanted to make sure of something before continuing. When I ran ComboFix on my infected computer it said I need Microsoft Windows Recovery Console, but to download it I need an active internet connection. My infected computer seems to have trouble connecting to the internet. It says "limited or no connectivity" even though it's connected to my router. I can't connect to the internet with any program that needs it. The lights on my router are lit up, as well as the ones on the back of my PC. Ever since I got the virus I've been having problems with my internet connection on that PC. Can a virus affect settings on my router, maybe, or just my internet connection with that PC? Anyway, it seems like ComboFix can run without installing the Recovery Console, but I aborted just in case. Should I run ComboFix without installing Microsoft Windows Recovery Console? Or can that program fit on a USB drive as well?

Thanks


Okay thanks :) By the way these were the messages that were played during the scan:

Combofix has detected the activity of rootkit has to reboot the machine

Registry Error

cannot export RegRuns00: Error opening the file there may be a disk or file system error

Anyway here's the log:

ComboFix 10-08-18.04 - Owner 08/20/2010 20:45:46.1.2 - x86

Running from: c:\documents and settings\Owner\Desktop\ComboFix.com

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Internet Explorer\config.dat

c:\program files\Internet Explorer\dmlconf.dat

c:\program files\NeffyManSp

c:\program files\NeffyManSp\libcurl.dll

c:\program files\NeffyManSp\Log\NeffyManSp.20070810.log

c:\program files\NeffyManSp\NeffyManSp.exe

c:\program files\NeffyManSp\Skin\hanbit\pangya\bk_init.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\bk_main.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\bk_msg.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_close.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_close_di.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_close_mo.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_close_se.JPG

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_folder.JPG

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_folder_di.JPG

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_folder_mo.JPG

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_folder_se.JPG

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_no.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_no_di.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_no_mo.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_no_se.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_run.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_run_di.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_run_mo.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_run_se.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_set.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_set_di.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_set_mo.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_set_se.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_start.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_start_di.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_start_mo.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_start_se.JPG

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_stop.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_stop_di.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_stop_mo.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_stop_se.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_yes.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_yes_di.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_yes_mo.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\btn_yes_se.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\conf.ini

c:\program files\NeffyManSp\Skin\hanbit\pangya\progress_img.jpg

c:\program files\NeffyManSp\Skin\hanbit\pangya\Thumbs.db

c:\program files\NeffyManSp\Skin\hanbit\pangya\ticker.txt

c:\program files\NeffyManSp\uninst.exe

c:\program files\NeffyManSp\Woorizip.dll

c:\program files\NeffyManSp\zlibwapi.dll

c:\windows\abosolas.dll

c:\windows\amuyojoqozi.dll

c:\windows\awoyaqogunewucob.dll

c:\windows\ekobocovo.dll

c:\windows\emavesazuyufom.dll

c:\windows\eradenenor.dll

c:\windows\ewerituc.dll

c:\windows\ExplorerSrv.exe

c:\windows\icoqayofikahasa.dll

c:\windows\ininuzehobiqob.dll

c:\windows\ivatozun.dll

c:\windows\ixafoqipofevinuy.dll

c:\windows\ixijunaz.dll

c:\windows\obemidinigo.dll

c:\windows\oboparoh.dll

c:\windows\ofebanup.dll

c:\windows\opivayadep.dll

c:\windows\oxudimeqaguvi.dll

c:\windows\ozefolif.dll

c:\windows\system32\2665454843.dat

c:\windows\system32\NOTEPADSrv.exe

c:\windows\system32\npkpdb.dll

c:\windows\system32\npZ.ocx

c:\windows\system32\zlibwapi.dll

c:\program files\Microsoft\DesktopLayer.exe . . . . failed to delete

Infected copy of c:\windows\system32\drivers\SI3112r.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

.

((((((((((((((((((((((((( Files Created from 2010-07-21 to 2010-08-21 )))))))))))))))))))))))))))))))

.

2010-08-21 01:16 . 2010-08-21 01:16 32 ----a-w- c:\windows\system32\2665454843.dat

2010-08-20 00:21 . 2010-08-20 00:21 -------- d--h--w- c:\windows\PIF

2010-08-17 04:57 . 2010-08-17 04:57 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-17 04:12 . 2010-01-26 19:01 81920 ----a-w- c:\windows\eSellerateControl350.dll

2010-08-17 04:12 . 2010-01-26 19:01 356352 ----a-w- c:\windows\eSellerateEngine.dll

2010-08-17 04:12 . 2010-08-17 04:40 -------- d-----w- c:\program files\Win 32. Backdoor . Poison Ivy Removal Tool

2010-08-17 04:09 . 2010-08-17 04:09 -------- d-----w- c:\program files\CCleaner

2010-08-17 04:06 . 2010-08-17 04:07 -------- d-----w- C:\ClamWinPortable

2010-08-16 23:06 . 2010-08-16 23:06 -------- d-----w- c:\program files\Symantec

2010-08-16 23:06 . 2010-08-16 23:06 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-08-16 23:06 . 2010-08-16 23:06 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-08-16 23:05 . 2009-12-03 06:08 43696 ----a-r- c:\windows\system32\drivers\srtspx.sys

2010-08-16 23:05 . 2009-11-26 06:41 172592 ----a-r- c:\windows\system32\drivers\SymEFA.sys

2010-08-16 23:05 . 2009-11-26 06:41 116272 ----a-r- c:\windows\system32\drivers\Ironx86.sys

2010-08-16 23:05 . 2009-11-22 00:43 362032 ----a-r- c:\windows\system32\drivers\symtdi.sys

2010-08-16 23:05 . 2009-10-15 03:50 328752 ----a-r- c:\windows\system32\drivers\SymDS.sys

2010-08-16 23:05 . 2009-12-09 09:06 501888 ----a-r- c:\windows\system32\drivers\cchpx86.sys

2010-08-16 23:04 . 2010-08-16 23:04 -------- d-----w- c:\windows\system32\drivers\NAV

2010-08-16 23:04 . 2010-08-16 23:04 -------- d-----w- c:\program files\Norton AntiVirus

2010-08-16 23:04 . 2010-08-16 23:04 -------- d-----w- c:\program files\Windows Sidebar

2010-08-16 23:04 . 2010-08-16 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-08-16 23:03 . 2010-08-16 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-08-16 23:03 . 2010-08-16 23:03 -------- d-----w- c:\program files\NortonInstaller

2010-08-16 17:52 . 2010-08-16 17:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-08-16 17:52 . 2009-12-30 18:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-16 17:52 . 2010-08-16 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-16 17:52 . 2010-08-16 17:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-16 17:52 . 2009-12-30 18:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-16 04:55 . 2010-08-16 04:55 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:50 . 2010-08-16 04:50 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:46 . 2010-01-27 17:51 767952 ----a-w- c:\windows\BDTSupport.dll

2010-08-16 04:46 . 2010-01-22 12:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-08-16 04:35 . 2010-08-16 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-08-16 04:33 . 2010-08-16 04:33 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:31 . 2010-08-16 04:31 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:29 . 2010-08-16 04:29 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:27 . 2010-08-16 04:27 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:25 . 2010-08-16 04:25 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:23 . 2010-08-16 04:23 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:22 . 2010-08-16 04:22 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:19 . 2008-08-25 16:36 40840 ----a-w- c:\windows\system32\drivers\ikfilesec.sys

2010-08-16 04:19 . 2008-06-02 20:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys

2010-08-16 04:19 . 2008-08-25 16:36 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys

2010-08-16 04:19 . 2008-08-25 16:36 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys

2010-08-16 04:19 . 2010-08-16 04:19 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools

2010-08-16 04:19 . 2010-08-16 12:03 -------- d-----w- c:\program files\Spyware Doctor

2010-08-16 04:17 . 2010-08-16 04:17 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:16 . 2010-08-16 04:16 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:13 . 2010-08-16 04:13 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:09 . 2010-08-16 04:09 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:08 . 2010-08-16 04:08 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:51 . 2010-08-16 03:51 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:50 . 2010-08-16 03:50 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:48 . 2010-08-16 03:48 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:46 . 2010-08-16 03:46 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:44 . 2010-08-16 03:44 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:42 . 2010-08-16 03:42 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:25 . 2010-08-16 03:25 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:20 . 2010-08-16 03:20 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:19 . 2010-08-16 03:19 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:15 . 2010-08-16 03:15 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:12 . 2010-08-16 03:12 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:09 . 2010-08-16 03:09 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:08 . 2010-08-16 03:08 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:02 . 2010-08-16 03:02 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-06 23:40 . 2010-08-06 23:41 -------- d-----w- C:\NSS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-21 01:16 . 2009-09-17 01:50 -------- d-----w- c:\program files\Microsoft

2010-08-21 01:16 . 2008-12-25 18:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-21 00:38 . 2010-06-11 04:09 0 ----a-w- c:\windows\system32\12520850ugz.sys

2010-08-17 19:49 . 2007-04-22 03:28 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

2010-08-16 23:10 . 2006-02-18 03:47 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-08-16 23:06 . 2010-08-16 23:06 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-08-16 23:06 . 2010-08-16 23:06 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-08-16 04:48 . 2010-06-08 13:59 60213415 --sha-w- c:\windows\system32\1054p.sys

2010-08-16 04:46 . 2010-08-16 04:35 -------- d-----w- c:\program files\Common Files\PC Tools

2010-08-16 04:15 . 2005-02-22 12:06 160344 ----a-w- c:\windows\system32\FNTCACHE.DAT

2010-08-08 07:08 . 2010-06-06 02:05 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-07 01:15 . 2006-10-09 03:52 -------- d-----w- c:\program files\Winamp

2010-08-07 01:05 . 2006-04-04 01:51 -------- d-----w- c:\program files\mobile PhoneTools

2010-08-07 00:40 . 2007-06-05 01:36 -------- d-----w- c:\program files\BitTorrent

2010-08-07 00:39 . 2006-02-25 21:08 -------- d-----w- c:\program files\Quake III Arena

2010-07-30 18:33 . 2006-02-18 04:12 -------- d-----w- c:\program files\Steam

2010-06-29 12:08 . 2010-06-29 12:08 4 ----a-w- c:\documents and settings\LocalService\Application Data\cakzob.dat

2010-06-25 21:25 . 2010-02-16 03:34 256 ----a-w- c:\windows\system32\pool.bin

2010-06-05 12:52 . 2010-06-05 12:52 4 ----a-w- c:\documents and settings\NetworkService\Application Data\dhxiuw.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-25 122939]

"Afaria Client File Differencing"="c:\program files\AClient\Bin\XCDiffCache.exe" [2010-08-08 200704]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-3-5 175616]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Afaria Client Generic Scheduler.lnk - c:\program files\AClient\Bin\XCGSTask.exe [2007-4-4 503808]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-4-11 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Persona\\Persona.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [6/1/2004 5:02 AM 6016]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/26/2009 12:01 AM 64288]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/16/2010 12:35 AM 218592]

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [5/12/2004 2:01 AM 97408]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1105000.07F\SymDS.sys [8/16/2010 7:05 PM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1105000.07F\SymEFA.sys [8/16/2010 7:05 PM 172592]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20091205.001\BHDrvx86.sys [8/16/2010 7:05 PM 529456]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1105000.07F\cchpx86.sys [8/16/2010 7:05 PM 501888]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1105000.07F\Ironx86.sys [8/16/2010 7:05 PM 116272]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/16/2010 7:05 PM 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20091105.001\IDSxpx86.sys [8/16/2010 7:05 PM 329592]

R3 Neo_PangYa;VPN Client Device Driver - PangYa;c:\windows\system32\drivers\Neo_0067.sys [12/3/2008 10:20 PM 22000]

S3 NPFWFLT;NPFWFLT;c:\windows\system32\npfwflt.sys [8/11/2007 2:16 AM 31104]

S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-08-21 c:\windows\Tasks\Ad-Aware Update (Daily 1).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:01]

2010-08-21 c:\windows\Tasks\Ad-Aware Update (Daily 2).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:01]

2010-08-21 c:\windows\Tasks\Ad-Aware Update (Daily 3).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:01]

2010-08-21 c:\windows\Tasks\Ad-Aware Update (Daily 4).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:01]

2010-08-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:01]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://sys.us.shuttle.com/

uInternet Settings,ProxyOverride = local

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

LSP: %SystemRoot%\system32\PrxerDrv.dll

DPF: {116D8D4C-E19A-46D0-95DC-4EA2663703BE} - hxxp://login.hanbiton.com/cab/Hanbiton_Mb424.cab

DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} - hxxp://login.hanbiton.com/cab/NLSnSSO.cab

DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} - hxxp://update.nprotect.net/npscan2006/kor/nps.cab

DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://acs.yescard.co.kr/XecureObject/xw_install.cab

DPF: {987ECFCE-E607-4D52-B2C5-2EA1F6F303C4} - hxxp://www.pangya.com/PangyaLauncher/PangyaLauncher.cab

DPF: {99C709C7-4F58-46C1-855B-90213C760395} - hxxps://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab

DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} - hxxps://plugin.inicis.com/wallet50/INIwallet50.cab

DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxps://acs1.lottecard.co.kr/visa3d/kdfense/kdfense8234.cab

DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.lgcard.com/infovine/VineTransfer.cab

DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab

DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab

DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053}

DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxp://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab

DPF: {F58E877C-4F14-4805-B2D2-EB48927C7580} - hxxp://dist.cdnetworks.co.kr/cdndist/streamport/SPort.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ddqu81zm.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Steam - (no file)

HKCU-Run-cggnhrsy - c:\documents and settings\Owner\Local Settings\Application Data\orrdjlbhx\cpvnglutssd.exe

HKLM-Run-WinampAgent - c:\program files\Winamp\Winampa.exe

HKLM-Run-cggnhrsy - c:\documents and settings\Owner\Local Settings\Application Data\orrdjlbhx\cpvnglutssd.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-20 21:19

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Lavasoft\Ad-Aware\AAWService.exe

c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe

c:\windows\system32\npkcmsvc.exe

c:\program files\Internet Explorer\IEXPLORE.EXE

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe

c:\windows\system32\wscntfy.exe

c:\windows\SOUNDMAN.EXE

c:\progra~1\AClient\Bin\XCSCHE~1.EXE

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Completion time: 2010-08-20 21:41:28 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-21 01:41

Pre-Run: 34,738,077,696 bytes free

Post-Run: 49,246,969,856 bytes free

- - End Of File - - DDFF3E0BF969C151D096D9AC96A1A6A9

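One line in the Reg Loading Points section of the log above deserves a closer look from a defender's point of view: the Winlogon "Userinit" value lists a second program (c:\program files\microsoft\desktoplayer.exe, the same file ComboFix reported it "failed to delete") after userinit.exe, so it is launched at every logon. The following script is an added example, not part of the thread and not ComboFix's own code. It parses a small excerpt in ComboFix's registry-section format and flags two things: extra programs appended to Userinit, and Run entries pointing into user-writable profile directories. The Userinit and TeaTimer lines are copied from the log; the "cggnhrsy" Run entry is constructed, modelled on the orphan ComboFix reported removing, and its date/size bracket is a placeholder. The function names are the example's own.

```python
"""Flag suspicious autostart entries in a ComboFix-style 'Reg Loading Points' excerpt."""
import re
from typing import List, Tuple

# Constructed excerpt in ComboFix's registry-section format. The Userinit and
# TeaTimer lines mirror the log above; the "cggnhrsy" entry is constructed after the
# HKCU-Run orphan the log reports removed, and its [date size] bracket is a placeholder.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"cggnhrsy"="c:\documents and settings\Owner\Local Settings\Application Data\orrdjlbhx\cpvnglutssd.exe" [0000-00-00 0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')  # "Name"="Data" (trailing [date size] ignored)

# User-writable locations from which legitimate Run entries are rare.
SUSPICIOUS_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\temp\\",
)


def parse_loading_points(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, value_data) triples; key is lower-cased."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, m.group(1), m.group(2)))
    return entries


def check_userinit(value: str) -> List[str]:
    """Userinit is a comma-separated list; on a clean XP box it holds only
    <system32>\\userinit.exe. Anything else in the list runs at every logon."""
    programs = [p.strip() for p in value.split(",") if p.strip()]
    findings = []
    if not programs or not programs[0].lower().endswith("\\system32\\userinit.exe"):
        findings.append("Userinit does not start with the expected system32\\userinit.exe")
    for p in programs:
        if not p.lower().endswith("\\system32\\userinit.exe"):
            findings.append(f"Userinit launches extra program: {p}")
    return findings


def check_run_entry(name: str, value: str) -> List[str]:
    """Flag Run values whose target lives in a user-writable profile directory."""
    target = value.lower()
    if any(d in target for d in SUSPICIOUS_DIRS):
        return [f"Run entry '{name}' starts a program from a user profile directory: {value}"]
    return []


def analyse(text: str) -> List[str]:
    """Run every check over the parsed section and return the list of findings."""
    findings = []
    for key, name, value in parse_loading_points(text):
        if key.endswith("\\winlogon") and name.lower() == "userinit":
            findings.extend(check_userinit(value))
        elif key.endswith("\\currentversion\\run"):
            findings.extend(check_run_entry(name, value))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print("FINDING:", finding)
```

Run against the excerpt this prints two findings, one for desktoplayer.exe in Userinit and one for the Run entry under Local Settings\Application Data; the TeaTimer entry under Program Files is left alone. The same two checks are what a helper does by eye when reading the Reg Loading Points section.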

Hi,

Important: You'll have to burn some CDs. Please burn them with your other PC. The burn instructions below are blue. On the infected PC, please DO NOT boot Windows between using the Avira Rescue System and the Dr.Web Live CD.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download the Avira AntiVir Rescue System from here: http://www.free-av.com/en/products/12/avir...cue_system.html

  • Run rescue_system-common-en.exe, and insert a blank CD into your CD Writeable drive.
  • Select your CD Writable drive and press the Burn CD button. The burning process should be pretty quick.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Two programs to download

First

ISOBurner: this will allow you to burn drweb.iso to a CD and make it bootable. Just install the program; from there on in it is fairly automatic. Instructions

Second

  1. Download Dr.Web LiveCD and burn it to a CD using ISO Burner. NOTE: This file is 90Mb in size so it may take some time to download.
  2. When downloaded, double click the file and this will then open ISOBurner to burn the file to a CD.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Insert the Avira AntiVir Rescue System CD into your infected computer, and restart. When a list of options appears, type 1 to boot into the CD.
  • A linux kernel will load, and Avira's Rescue CD will start automatically.
  • If you see everything in German, click on the UK flag near the bottom left to change it to English.
  • Click on the Configuration button.
  • Ensure under Scan Mode that Scan all files is selected.
  • Ensure under Action at malware discovery that Try to repair infected files is selected, as well as Rename files, if they cannot be removed.
  • Click on the Virus Scanner button, and press Start Scanner.
  • Avira AntiVir Rescue CD will now scan your computer. The scan may take a while.
  • When the scan finishes, insert the Dr.Web LiveCD.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Reboot your system using the Dr.Web Live CD.
  • Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
  • Use the arrow keys to select DrWeb-LiveCD (Default) and press "Enter".
  • The operating system will detect all available disk drives automatically. It will also try to connect to the local network, if available.
  • When the system is loaded, click on the green circle button at the top and let it update.
  • After it is done updating, check the disks or folders you want to scan (which is all of them) and click the "Start" button.
  • Then select what drives (should be all) so we can disinfect all partitions.
  • After the scan is complete, and if the scan found stuff:
    • Click "Select All" and then click "Cure". NOTE: Make double sure to click CURE and NOT Delete!
    • Let Dr.Web delete the files that can't be cured.
    • After that, please reboot your PC.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please click here to download AVP Tool by Kaspersky.

  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.

    Use your up arrow key to highlight SafeMode then hit enter.


  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the Licence agreement and click on next
  • It will by default install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:
    • Hidden Startup Objects
    • System Memory
    • Disk Boot Sectors
    • My Computer
    • Also any other drives (removable) that you may have

Leave the rest of the settings as they appear as default.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all.
  • If it says it cannot be Neutralized then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware from the report (it will be at the very top, under Detected). Post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


Hi,

I've completed all the steps. Just one thing: I wasn't connected to the network, so I was not able to update Dr.Web LiveCD. Also, Dr.Web didn't find anything. However, Avira and Kaspersky did. Here are the log results; I saw no Detected button or tab, so sorry if this is too much information. I've attached it to this post in a .txt file.

kas.txt


Heya ;)

Okay done, here's the log (on the plus side the computer runs faster and seems cleaner so I'm assuming good progress has been made):

ComboFix 10-08-23.01 - Owner 08/23/2010 20:15:23.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.179 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.com

AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Internet Explorer\dmlconf.dat

c:\program files\Steam\UNWISE.EXE.XXX

c:\windows\system32\2665454843.dat

.

((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 )))))))))))))))))))))))))))))))

.

2010-08-22 21:11 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\37407542.sys

2010-08-22 21:11 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\3740754.sys

2010-08-22 21:11 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\37407541.sys

2010-08-22 21:06 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\15701312.sys

2010-08-22 21:06 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\15701311.sys

2010-08-22 21:06 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\1570131.sys

2010-08-20 00:21 . 2010-08-20 00:21 -------- d--h--w- c:\windows\PIF

2010-08-17 04:57 . 2010-08-17 04:57 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-17 04:12 . 2010-01-26 19:01 81920 ----a-w- c:\windows\eSellerateControl350.dll

2010-08-17 04:12 . 2010-01-26 19:01 356352 ----a-w- c:\windows\eSellerateEngine.dll

2010-08-17 04:12 . 2010-08-17 04:40 -------- d-----w- c:\program files\Win 32. Backdoor . Poison Ivy Removal Tool

2010-08-17 04:09 . 2010-08-17 04:09 -------- d-----w- c:\program files\CCleaner

2010-08-17 04:06 . 2010-08-22 21:42 -------- d-----w- C:\ClamWinPortable

2010-08-16 23:06 . 2010-08-16 23:06 -------- d-----w- c:\program files\Symantec

2010-08-16 23:06 . 2010-08-16 23:06 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-08-16 23:06 . 2010-08-16 23:06 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-08-16 23:05 . 2009-12-03 06:08 43696 ----a-r- c:\windows\system32\drivers\srtspx.sys

2010-08-16 23:05 . 2009-11-26 06:41 172592 ----a-r- c:\windows\system32\drivers\SymEFA.sys

2010-08-16 23:05 . 2009-11-26 06:41 116272 ----a-r- c:\windows\system32\drivers\Ironx86.sys

2010-08-16 23:05 . 2009-11-22 00:43 362032 ----a-r- c:\windows\system32\drivers\symtdi.sys

2010-08-16 23:05 . 2009-10-15 03:50 328752 ----a-r- c:\windows\system32\drivers\SymDS.sys

2010-08-16 23:05 . 2009-12-09 09:06 501888 ----a-r- c:\windows\system32\drivers\cchpx86.sys

2010-08-16 23:04 . 2010-08-16 23:04 -------- d-----w- c:\windows\system32\drivers\NAV

2010-08-16 23:04 . 2010-08-16 23:04 -------- d-----w- c:\program files\Norton AntiVirus

2010-08-16 23:04 . 2010-08-16 23:04 -------- d-----w- c:\program files\Windows Sidebar

2010-08-16 23:04 . 2010-08-16 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-08-16 23:03 . 2010-08-16 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-08-16 23:03 . 2010-08-16 23:03 -------- d-----w- c:\program files\NortonInstaller

2010-08-16 17:52 . 2010-08-16 17:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-08-16 17:52 . 2009-12-30 18:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-16 17:52 . 2010-08-16 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-16 17:52 . 2010-08-16 17:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-16 17:52 . 2009-12-30 18:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-16 04:55 . 2010-08-16 04:55 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:50 . 2010-08-16 04:50 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:46 . 2010-01-27 17:51 767952 ----a-w- c:\windows\BDTSupport.dll

2010-08-16 04:46 . 2010-01-22 12:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-08-16 04:35 . 2010-08-16 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-08-16 04:33 . 2010-08-16 04:33 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:31 . 2010-08-16 04:31 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:29 . 2010-08-16 04:29 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:27 . 2010-08-16 04:27 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:25 . 2010-08-16 04:25 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:23 . 2010-08-16 04:23 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:22 . 2010-08-16 04:22 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:19 . 2008-08-25 16:36 40840 ----a-w- c:\windows\system32\drivers\ikfilesec.sys

2010-08-16 04:19 . 2008-06-02 20:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys

2010-08-16 04:19 . 2008-08-25 16:36 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys

2010-08-16 04:19 . 2008-08-25 16:36 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys

2010-08-16 04:19 . 2010-08-16 04:19 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools

2010-08-16 04:19 . 2010-08-16 12:03 -------- d-----w- c:\program files\Spyware Doctor

2010-08-16 04:17 . 2010-08-16 04:17 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:16 . 2010-08-16 04:16 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:13 . 2010-08-16 04:13 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:09 . 2010-08-16 04:09 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:08 . 2010-08-16 04:08 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:51 . 2010-08-16 03:51 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:50 . 2010-08-16 03:50 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:48 . 2010-08-16 03:48 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:46 . 2010-08-16 03:46 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:44 . 2010-08-16 03:44 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:42 . 2010-08-16 03:42 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:25 . 2010-08-16 03:25 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:20 . 2010-08-16 03:20 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:19 . 2010-08-16 03:19 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:15 . 2010-08-16 03:15 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:12 . 2010-08-16 03:12 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:09 . 2010-08-16 03:09 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:08 . 2010-08-16 03:08 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:02 . 2010-08-16 03:02 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-06 23:40 . 2010-08-21 01:45 -------- d-----w- C:\NSS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-24 00:22 . 2006-02-18 04:12 -------- d-----w- c:\program files\Steam

2010-08-24 00:02 . 2008-12-25 18:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-22 16:22 . 2006-10-09 03:52 -------- d-----w- c:\program files\Winamp

2010-08-22 16:20 . 2007-05-27 04:33 -------- d-----w- c:\program files\Starcraft

2010-08-22 16:19 . 2006-02-25 21:37 -------- d-----w- c:\program files\Return to Castle Wolfenstein

2010-08-22 16:18 . 2010-06-18 05:03 -------- d-----w- c:\program files\Realtek AC97

2010-08-22 16:18 . 2006-04-04 01:51 -------- d-----w- c:\program files\mobile PhoneTools

2010-08-22 16:18 . 2009-09-17 01:50 -------- d-----w- c:\program files\Microsoft

2010-08-22 16:18 . 2007-11-15 20:25 -------- d-----w- c:\program files\LG PC Suite 2

2010-08-22 16:17 . 2008-09-13 06:13 -------- d-----w- c:\program files\Proxifier

2010-08-22 16:17 . 2007-04-04 16:48 -------- d-----w- c:\program files\PowerPoint Viewer

2010-08-22 16:01 . 2006-09-08 01:13 -------- d-----w- c:\program files\DVD Decrypter

2010-08-22 15:56 . 2006-03-15 02:12 -------- d-----w- c:\program files\Doom 3

2010-08-22 15:53 . 2006-07-23 05:47 -------- d-----w- c:\program files\Common Files\Ntreev

2010-08-22 15:53 . 2007-06-05 01:36 -------- d-----w- c:\program files\BitTorrent

2010-08-22 15:52 . 2006-02-25 21:08 -------- d-----w- c:\program files\Quake III Arena

2010-08-21 00:38 . 2010-06-11 04:09 0 ----a-w- c:\windows\system32\12520850ugz.sys

2010-08-17 19:49 . 2007-04-22 03:28 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

2010-08-16 23:10 . 2006-02-18 03:47 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-08-16 23:06 . 2010-08-16 23:06 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-08-16 23:06 . 2010-08-16 23:06 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-08-16 04:48 . 2010-06-08 13:59 60213415 --sha-w- c:\windows\system32\1054p.sys

2010-08-16 04:46 . 2010-08-16 04:35 -------- d-----w- c:\program files\Common Files\PC Tools

2010-08-16 04:15 . 2005-02-22 12:06 160344 ----a-w- c:\windows\system32\FNTCACHE.DAT

2010-08-08 07:08 . 2010-06-06 02:05 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-29 12:08 . 2010-06-29 12:08 4 ----a-w- c:\documents and settings\LocalService\Application Data\cakzob.dat

2010-06-25 21:25 . 2010-02-16 03:34 256 ----a-w- c:\windows\system32\pool.bin

2010-06-05 12:52 . 2010-06-05 12:52 4 ----a-w- c:\documents and settings\NetworkService\Application Data\dhxiuw.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-25 122939]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe.XXX [2006-3-5 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Afaria Client Generic Scheduler.lnk - c:\program files\AClient\Bin\XCGSTask.exe.XXX [2007-4-4 438272]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Persona\\Persona.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=

R0 15701312;15701312 Boot Guard Driver;c:\windows\system32\drivers\15701312.sys [8/22/2010 5:06 PM 37392]

R0 37407542;37407542 Boot Guard Driver;c:\windows\system32\drivers\37407542.sys [8/22/2010 5:11 PM 37392]

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [6/1/2004 5:02 AM 6016]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/26/2009 12:01 AM 64288]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/16/2010 12:35 AM 218592]

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [5/12/2004 2:01 AM 97408]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1105000.07F\SymDS.sys [8/16/2010 7:05 PM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1105000.07F\SymEFA.sys [8/16/2010 7:05 PM 172592]

R1 15701311;15701311;c:\windows\system32\drivers\15701311.sys [8/22/2010 5:06 PM 128016]

R1 37407541;37407541;c:\windows\system32\drivers\37407541.sys [8/22/2010 5:11 PM 128016]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20091205.001\BHDrvx86.sys [8/16/2010 7:05 PM 529456]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1105000.07F\cchpx86.sys [8/16/2010 7:05 PM 501888]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1105000.07F\Ironx86.sys [8/16/2010 7:05 PM 116272]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [8/16/2010 12:46 AM 112592]

R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe [8/16/2010 7:05 PM 126392]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/16/2010 7:05 PM 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20091105.001\IDSxpx86.sys [8/16/2010 7:05 PM 329592]

R3 Neo_PangYa;VPN Client Device Driver - PangYa;c:\windows\system32\drivers\Neo_0067.sys [12/3/2008 10:20 PM 22000]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1181328]

S2 SPBBCSvcEventlog;Symantec SPBBCSvc SPBBCSvcEventlog;c:\windows\system32\12520850u.exe srv --> c:\windows\system32\12520850u.exe srv [?]

S2 vpnclient;PacketiX VPN Client;"c:\program files\PacketiX VPN Client English\vpnclient.exe" /service --> c:\program files\PacketiX VPN Client English\vpnclient.exe [?]

S3 NPFWFLT;NPFWFLT;c:\windows\system32\npfwflt.sys [8/11/2007 2:16 AM 31104]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/16/2010 12:19 AM 366840]

S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-08-24 c:\windows\Tasks\Ad-Aware Update (Daily 1).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:01]

2010-08-24 c:\windows\Tasks\Ad-Aware Update (Daily 2).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:01]

2010-08-24 c:\windows\Tasks\Ad-Aware Update (Daily 3).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:01]

2010-08-24 c:\windows\Tasks\Ad-Aware Update (Daily 4).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:01]

2010-08-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:01]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://sys.us.shuttle.com/

uInternet Settings,ProxyOverride = local

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

LSP: %SystemRoot%\system32\PrxerDrv.dll

DPF: {116D8D4C-E19A-46D0-95DC-4EA2663703BE} - hxxp://login.hanbiton.com/cab/Hanbiton_Mb424.cab

DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} - hxxp://login.hanbiton.com/cab/NLSnSSO.cab

DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} - hxxp://update.nprotect.net/npscan2006/kor/nps.cab

DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://acs.yescard.co.kr/XecureObject/xw_install.cab

DPF: {987ECFCE-E607-4D52-B2C5-2EA1F6F303C4} - hxxp://www.pangya.com/PangyaLauncher/PangyaLauncher.cab

DPF: {99C709C7-4F58-46C1-855B-90213C760395} - hxxps://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab

DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} - hxxps://plugin.inicis.com/wallet50/INIwallet50.cab

DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxps://acs1.lottecard.co.kr/visa3d/kdfense/kdfense8234.cab

DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.lgcard.com/infovine/VineTransfer.cab

DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab

DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab

DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxp://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab

DPF: {F58E877C-4F14-4805-B2D2-EB48927C7580} - hxxp://dist.cdnetworks.co.kr/cdndist/streamport/SPort.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ddqu81zm.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Afaria Client File Differencing - c:\program files\AClient\Bin\XCDiffCache.exe

AddRemove-Afaria Client - c:\program files\AClient\Bin\XeUpdate.exe

AddRemove-All ATI Software - c:\program files\ATI Technologies\UninstallAll\AtiCimUn.exe

AddRemove-InstallShield_{04347DFD-87B6-4E30-B14D-5DF2888AD8F5} - c:\progra~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe

AddRemove-InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe

AddRemove-InstallShield_{EEFB15EB-FE8B-47DF-A496-1C4D1420294A} - c:\progra~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe

AddRemove-Mabinogi - c:\nexon\Mabinogi\Mabinogi.exe

AddRemove-Return to Castle Wolfenstein - c:\progra~1\RETURN~1\Uninstall\Unwise.exe

AddRemove-Steam - c:\progra~1\Steam\UNWISE.EXE

AddRemove-XecureWeb Control - c:\program files\SoftForum\XecureWeb\xw_setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-23 20:23

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-08-23 20:37:33

ComboFix-quarantined-files.txt 2010-08-24 00:37

ComboFix2.txt 2010-08-21 01:41

Pre-Run: 43,872,096,256 bytes free

Post-Run: 43,837,501,440 bytes free

- - End Of File - - 2551E9D09A2026149E96223E108AEC56

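Triage of the ComboFix log above, written as an added example for this thread (it is not part of the original posts and not ComboFix's own code). The helper's next reply acts on a handful of indicators visible in that log: c:\windows\system32\1054p.sys (hidden+system attributes, about 60 MB, sitting loose in the system32 root), the zero-byte 12520850ugz.sys in the same place, the 4-byte .dat files under the LocalService and NetworkService profiles, and services whose image path ComboFix tags with "[?]" (OTL later reports the same two as "File not found"). The script encodes those observations as heuristics and runs them over lines copied from the log; the regular expressions, the 16-byte threshold and the reading of "[?]" as "image file not located" are the example's own assumptions. The numbered Boot Guard drivers under system32\drivers are deliberately not flagged, since nothing in the thread treats them as malicious.

```python
import re
from typing import List, NamedTuple

# Constructed sample: lines copied from the ComboFix log posted above (file entries
# from the "Files Created" / "Find3M" sections, plus a few service entries).
SAMPLE_LOG = r"""
2010-08-22 21:11 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\37407542.sys
2010-08-21 00:38 . 2010-06-11 04:09 0 ----a-w- c:\windows\system32\12520850ugz.sys
2010-08-16 04:48 . 2010-06-08 13:59 60213415 --sha-w- c:\windows\system32\1054p.sys
2010-08-16 04:15 . 2005-02-22 12:06 160344 ----a-w- c:\windows\system32\FNTCACHE.DAT
2010-06-29 12:08 . 2010-06-29 12:08 4 ----a-w- c:\documents and settings\LocalService\Application Data\cakzob.dat
2010-06-05 12:52 . 2010-06-05 12:52 4 ----a-w- c:\documents and settings\NetworkService\Application Data\dhxiuw.dat
2010-08-17 04:09 . 2010-08-17 04:09 -------- d-----w- c:\program files\CCleaner
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [6/1/2004 5:02 AM 6016]
S2 SPBBCSvcEventlog;Symantec SPBBCSvc SPBBCSvcEventlog;c:\windows\system32\12520850u.exe srv --> c:\windows\system32\12520850u.exe srv [?]
S2 vpnclient;PacketiX VPN Client;"c:\program files\PacketiX VPN Client English\vpnclient.exe" /service --> c:\program files\PacketiX VPN Client English\vpnclient.exe [?]
"""

# ComboFix file entry: "<modified> . <created> <size|--------> <attrs> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([a-z-]{8}) (.+)$"
)
# ComboFix service entry: "<R|S><start type> <name>;<display name>;<image path ...>"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+)$")
# A file sitting directly in system32 (no further subdirectory); matched on lowercased paths.
SYSTEM32_ROOT_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+$")
# Files under the built-in service account profiles.
SERVICE_PROFILE_RE = re.compile(r"^c:\\documents and settings\\(localservice|networkservice)\\")

TINY_DAT_LIMIT = 16  # bytes; assumed threshold for marker files like the 4-byte .dat entries


class Finding(NamedTuple):
    reason: str
    path: str


def triage(log_text: str) -> List[Finding]:
    """Apply the indicators the thread acted on to raw ComboFix log lines."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = FILE_RE.match(line)
        if m:
            size_field, attrs, path = m.group(3), m.group(4), m.group(5)
            if attrs.startswith("d"):
                continue  # directories carry no size; nothing to judge here
            size = int(size_field)
            low = path.lower()
            in_sys32_root = bool(SYSTEM32_ROOT_RE.match(low))
            if in_sys32_root and "s" in attrs and "h" in attrs:
                # hidden+system file dropped loose in system32 (1054p.sys in the log)
                findings.append(Finding("hidden+system file in system32 root", path))
            elif in_sys32_root and low.endswith(".sys"):
                # drivers belong in system32\drivers; a .sys in the root, let alone 0 bytes, is out of place
                findings.append(Finding(f"{size}-byte .sys outside the drivers folder", path))
            elif SERVICE_PROFILE_RE.match(low) and low.endswith(".dat") and size < TINY_DAT_LIMIT:
                findings.append(Finding("tiny .dat in a service account profile", path))
            continue

        m = SERVICE_RE.match(line)
        if m and line.endswith("[?]"):
            # "[?]" is read here (assumption) as ComboFix failing to locate the image file;
            # OTL reports the same two services as "File not found".
            findings.append(Finding("service whose binary could not be found", m.group(2)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:45} {f.path}")
```

A hit from this script is a candidate for a VirusTotal upload or an OTM/OTL removal entry, not a verdict: the PacketiX vpnclient service is flagged only because its binary is gone, which is exactly why it deserves a look rather than an automatic delete.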

Hi,

Please go to: VirusTotal

  • Click the Browse button and search for the following file: c:\windows\system32\1054p.sys
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Processes

    :Services

    :Reg

    :Files
    ipconfig /flushdns /c
    c:\documents and settings\LocalService\Application Data\cakzob.dat
    c:\documents and settings\NetworkService\Application Data\dhxiuw.dat
    c:\windows\system32\12520850ugz.sys

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates were downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
     ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
     1. Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
     2. Double click on the ESET Smart Installer icon on your desktop.
  4. Check "YES, I accept the Terms of Use."
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check "Scan archives".
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push "List of found threats".
  11. Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the Back button.
  13. Push Finish.


Hey Gammo,

A lot of the next steps need an internet connection, but ever since the malware/virus the internet connection of the infected computer has not been working properly. It stopped working properly around the time I started updating various spyware programs through the internet (that could be just coincidence). I've tried using a different ethernet cable, connecting my cable modem directly to the infected PC, trying different ports on the router, and connecting my clean PC to the port my infected PC usually uses, and none of this works. I've also tried to disable and enable my connection. Could some files have been deleted in regards to my network settings? When I boot up my PC I get errors of programs not being able to run at start up. Could the virus scanner have renamed an infected system connection file? I could try buying a USB network adapter as a temporary solution. I've also read on the internet that you can disable or uninstall the hardware and then upon rebooting Windows will reinstall the hardware (I haven't tried that yet; does it need a Windows CD? I just got a recovery CD that came with this computer). Anyway, the error is "Limited or no connectivity" when the cable is plugged in. The green and orange lights are lit when the computer is off (on the network card), and when it's on only the green light is lit and the orange light is barely blinking.

Thanks ;)


Hi,

Thanks for the suggestion, but I'd like to leave that as a last resort. The worst thing would be to reformat and still have the connection issue. I'd like to determine if it's a hardware or software issue first. At least if I find out it's a hardware issue, a new network card is cheap. How do I go about uninstalling my network card? I only have that recovery CD, but at least I can use my clean PC to download the drivers. Once I get my connection back up and running I'll continue with the next cleaning steps you've listed. Thanks


Hi,

It's probably a software issue.

Hopefully OTL will give us a clue why you're having connection issues. :)

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Check the box that says Scan All Users.
  • Under the Custom Scan box paste this in
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %PROGRAMFILES%\Mozilla Firefox\firefox.exe /md5
    %PROGRAMFILES%\Internet Explorer\iexplore.exe /md5
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I would also like to see a list of files quarantined by ComboFix, so please do this:

Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A text file should open. Post the contents of that file in your next reply.


Here are the results :) :

OTL logfile created on: 8/25/2010 1:14:04 PM - Run 1

OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 169.00 Mb Available Physical Memory | 33.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.05 Gb Total Space | 41.05 Gb Free Space | 27.54% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: OWNER

Current User Name: Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/25 13:06:00 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

PRC - [2010/02/04 12:01:56 | 001,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

PRC - [2010/01/27 12:01:34 | 000,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

PRC - [2010/01/22 08:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

PRC - [2009/12/09 05:05:51 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe

PRC - [2009/08/31 12:25:16 | 000,623,960 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

PRC - [2007/08/11 01:49:07 | 000,061,523 | ---- | M] (INCA Internet Co., Ltd.) -- C:\WINDOWS\system32\npkcmsvc.exe

PRC - [2007/04/16 15:28:22 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe

PRC - [2004/08/04 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010/08/25 13:06:00 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

MOD - [2004/08/04 08:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

MOD - [2004/08/04 08:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\PacketiX VPN Client English\vpnclient.exe -- (vpnclient)

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\12520850u.exe -- (SPBBCSvcEventlog)

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)

SRV - [2010/03/15 11:50:36 | 001,142,224 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)

SRV - [2010/03/11 11:09:22 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)

SRV - [2010/02/25 13:09:00 | 003,416,060 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)

SRV - [2010/02/04 12:01:56 | 001,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)

SRV - [2010/01/22 08:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)

SRV - [2009/12/09 05:05:51 | 000,126,392 | R--- | M] (Symantec Corporation) [unknown | Running] -- C:\Program Files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe -- (NAV)

SRV - [2007/08/11 01:49:07 | 000,061,523 | ---- | M] (INCA Internet Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\npkcmsvc.exe -- (npkcmsvc)

SRV - [2004/03/31 17:55:00 | 000,172,544 | ---- | M] (INCA Internet Co., Ltd.) [Auto | Stopped] -- C:\WINDOWS\system32\npkcsvc.exe -- (npkcsvc)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva219.sys -- (XDva219)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\scsk4.sys -- (scsk4)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\neokdss.sys -- (neokdss)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\EagleNT.sys -- (EagleNT)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys -- (catchme)

DRV - [2010/08/16 19:06:06 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)

DRV - [2010/03/29 10:06:14 | 000,218,592 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)

DRV - [2009/12/09 05:06:51 | 000,501,888 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1105000.07F\ccHPx86.sys -- (ccHP)

DRV - [2009/12/09 05:00:00 | 001,323,568 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20091209.020\NAVEX15.SYS -- (NAVEX15)

DRV - [2009/12/09 05:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2009/12/09 05:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2009/12/09 05:00:00 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20091209.020\NAVENG.SYS -- (NAVENG)

DRV - [2009/12/03 02:08:32 | 000,325,168 | R--- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1105000.07F\SRTSP.SYS -- (SRTSP)

DRV - [2009/12/03 02:08:32 | 000,043,696 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1105000.07F\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)

DRV - [2009/11/26 02:41:48 | 000,172,592 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1105000.07F\SYMEFA.SYS -- (SymEFA)

DRV - [2009/11/26 02:41:22 | 000,116,272 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1105000.07F\Ironx86.SYS -- (SymIRON)

DRV - [2009/11/26 02:40:54 | 000,529,456 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20091205.001\BHDrvx86.sys -- (BHDrvx86)

DRV - [2009/11/21 20:43:48 | 000,362,032 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1105000.07F\SYMTDI.SYS -- (SYMTDI)

DRV - [2009/11/16 20:51:14 | 000,329,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20091105.001\IDSxpx86.sys -- (IDSxpx86)

DRV - [2009/10/22 13:54:18 | 000,037,392 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\37407542.sys -- (37407542)

DRV - [2009/10/22 13:54:18 | 000,037,392 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\15701312.sys -- (15701312)

DRV - [2009/10/14 23:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1105000.07F\SYMDS.SYS -- (SymDS)

DRV - [2009/09/25 17:59:42 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\37407541.sys -- (37407541)

DRV - [2009/09/25 17:59:42 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\15701311.sys -- (15701311)

DRV - [2009/09/23 08:55:23 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)

DRV - [2008/12/03 22:20:50 | 000,022,000 | ---- | M] (SoftEther Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Neo_0067.sys -- (Neo_PangYa)

DRV - [2008/09/24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)

DRV - [2007/07/11 16:51:48 | 000,019,840 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)

DRV - [2007/07/11 11:45:00 | 000,021,632 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)

DRV - [2007/07/11 11:40:18 | 000,012,416 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)

DRV - [2007/04/13 13:05:34 | 000,031,104 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\npfwflt.sys -- (NPFWFLT)

DRV - [2006/12/12 11:07:44 | 000,025,409 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\npkcrypt.sys -- (npkcrypt)

DRV - [2005/03/22 23:00:57 | 001,034,752 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2004/08/04 08:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)

DRV - [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)

DRV - [2004/07/21 17:45:25 | 000,009,856 | ---- | M] (Elaborate Bytes AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)

DRV - [2004/06/08 18:13:49 | 000,003,968 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay)

DRV - [2004/06/01 05:02:00 | 000,006,016 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atiide.sys -- (atiide)

DRV - [2004/05/12 02:01:18 | 000,097,408 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SI3112r.sys -- (SI3112r)

DRV - [2004/03/25 04:04:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)

DRV - [2004/03/25 04:04:00 | 000,098,650 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)

DRV - [2004/03/25 04:04:00 | 000,085,978 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)

DRV - [2004/03/25 04:04:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)

DRV - [2004/03/25 04:04:00 | 000,025,691 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)

DRV - [2004/03/25 04:04:00 | 000,014,235 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)

DRV - [2004/03/25 04:04:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)

DRV - [2004/03/25 04:04:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)

DRV - [2004/03/25 04:04:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)

DRV - [2004/02/27 05:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)

DRV - [2004/02/13 06:21:00 | 000,086,160 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)

DRV - [2004/01/14 22:18:16 | 000,005,621 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)

DRV - [2004/01/14 22:18:04 | 000,023,219 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)

DRV - [2003/10/27 16:59:00 | 000,013,842 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atisgkaf.sys -- (caboagp)

DRV - [2003/10/14 23:28:16 | 000,010,240 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys -- (SiFilter)

DRV - [2003/09/19 04:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)

DRV - [2002/12/17 14:41:36 | 000,042,368 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://sys.us.shuttle.com

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://sys.us.shuttle.com

IE - HKU\S-1-5-21-2337399782-1729757903-2279869524-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKU\S-1-5-21-2337399782-1729757903-2279869524-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2337399782-1729757903-2279869524-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "about:blank"

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0

FF - HKLM\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\IPSFFPlgn\ [2010/08/16 19:06:26 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/16 14:29:06 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/16 14:29:05 | 000,000,000 | ---D | M]

[2008/10/25 00:53:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions

[2008/10/25 00:53:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ddqu81zm.default\extensions

[2010/08/16 19:09:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/08/23 20:23:22 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.5.0.127\IPSBHO.dll (Symantec Corporation)

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (CNavExtBho Class) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll File not found

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found

O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)

O3 - HKU\S-1-5-21-2337399782-1729757903-2279869524-1003\..\Toolbar\ShellBrowser: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll File not found

O3 - HKU\S-1-5-21-2337399782-1729757903-2279869524-1003\..\Toolbar\WebBrowser: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll File not found

O3 - HKU\S-1-5-21-2337399782-1729757903-2279869524-1003\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)

O4 - HKLM..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)

O4 - HKLM..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [soundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [updateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)

O4 - HKU\S-1-5-21-2337399782-1729757903-2279869524-1003..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe.XXX (Adobe Systems, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Afaria Client Generic Scheduler.lnk = C:\Program Files\AClient\Bin\XCGSTask.exe.XXX (iAnywhere Solutions, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe File not found

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-2337399782-1729757903-2279869524-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-2337399782-1729757903-2279869524-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-2337399782-1729757903-2279869524-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-2337399782-1729757903-2279869524-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\PrxerNsp.dll ( )

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\PrxerDrv.dll (Initex Software)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\PrxerDrv.dll (Initex Software)

O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} http://www.albatross18.com/cabs/A18X.ocx (A18X Control)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {116D8D4C-E19A-46D0-95DC-4EA2663703BE} http://login.hanbiton.com/cab/Hanbiton_Mb424.cab (MbAx Control)

O16 - DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} http://login.hanbiton.com/cab/NLSnSSO.cab (NlsComm Component Class)

O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} https://ansim.suhyup.co.kr/scsk4.cab (SCSK Control)

O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} http://update.nprotect.net/npscan2006/kor/nps.cab (Nps Control)

O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} https://acs.yescard.co.kr/XecureObject/xw_install.cab (XecureWeb 4.0 Client Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)

O16 - DPF: {987ECFCE-E607-4D52-B2C5-2EA1F6F303C4} http://www.pangya.com/PangyaLauncher/PangyaLauncher.cab (WinlessActiveX Control)

O16 - DPF: {99C709C7-4F58-46C1-855B-90213C760395} https://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab (v3d Class)

O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} https://plugin.inicis.com/wallet50/INIwallet50.cab (INIwallet50 Control)

O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} https://acs1.lottecard.co.kr/visa3d/kdfense/kdfense8234.cab (Kdfense8 Control)

O16 - DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} https://vbv.lgcard.com/infovine/VineTransfer.cab (VineTransfer Control)

O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)

O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} http://www.tricksteronline.com/control/tricksterActiveX.cab (TricksterActiveX Control)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} https://vbv.lgcard.com/popup/npkcx_lg.cab (NPKCX Control)

O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} http://www.tricksteronline.com/control/KALogoutComponent.cab (Logout Class)

O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} Reg Error: Value error. (Reg Error: Key error.)

O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} http://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab (KvpIspCtlD Control)

O16 - DPF: {F58E877C-4F14-4805-B2D2-EB48927C7580} http://dist.cdnetworks.co.kr/cdndist/streamport/SPort.cab (NeffyManSpLauncherCtl Class)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2005/02/22 16:18:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found

NetSvcs: Ias - File not found

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)

NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)

Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)

Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)

Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)

Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)

Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/08/25 13:11:43 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2010/08/24 19:51:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss

[2010/08/24 19:25:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Threat Expert

[2010/08/22 17:15:44 | 073,891,792 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\setup_9.0.0.722_22.08.2010_19-47.exe

[2010/08/22 17:11:53 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\3740754.sys

[2010/08/22 17:11:53 | 000,128,016 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\37407541.sys

[2010/08/22 17:11:53 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\37407542.sys

[2010/08/22 17:11:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Virus Removal Tool1

[2010/08/22 17:06:44 | 000,128,016 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\15701311.sys

[2010/08/22 17:06:44 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\15701312.sys

[2010/08/22 17:06:43 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\1570131.sys

[2010/08/22 17:06:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Virus Removal Tool

[2010/08/19 20:21:00 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF

[2010/08/19 20:12:36 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/08/19 20:12:36 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/08/19 20:12:35 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/08/19 20:12:35 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/08/19 20:12:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/08/19 20:10:56 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/08/17 01:14:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent

[2010/08/17 00:12:18 | 000,356,352 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateEngine.dll

[2010/08/17 00:12:18 | 000,081,920 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateControl350.dll

[2010/08/17 00:12:07 | 000,000,000 | ---D | C] -- C:\Program Files\Win 32. Backdoor . Poison Ivy Removal Tool

[2010/08/17 00:09:01 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner

[2010/08/17 00:06:48 | 000,000,000 | ---D | C] -- C:\ClamWinPortable

[2010/08/16 19:06:06 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS

[2010/08/16 19:06:06 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL

[2010/08/16 19:06:06 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec

[2010/08/16 19:05:37 | 000,362,032 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\symtdi.sys

[2010/08/16 19:05:37 | 000,362,032 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1105000.07F\symtdi.sys

[2010/08/16 19:05:37 | 000,340,016 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1105000.07F\symtdiv.sys

[2010/08/16 19:05:37 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymDS.sys

[2010/08/16 19:05:37 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1105000.07F\SymDS.sys

[2010/08/16 19:05:37 | 000,325,168 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1105000.07F\srtsp.sys

[2010/08/16 19:05:37 | 000,172,592 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymEFA.sys

[2010/08/16 19:05:37 | 000,172,592 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1105000.07F\SymEFA.sys

[2010/08/16 19:05:37 | 000,116,272 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1105000.07F\Ironx86.sys

[2010/08/16 19:05:37 | 000,116,272 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\Ironx86.sys

[2010/08/16 19:05:37 | 000,043,696 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\srtspx.sys

[2010/08/16 19:05:37 | 000,043,696 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1105000.07F\srtspx.sys

[2010/08/16 19:05:35 | 000,501,888 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1105000.07F\cchpx86.sys

[2010/08/16 19:05:35 | 000,501,888 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\cchpx86.sys

[2010/08/16 19:04:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV

[2010/08/16 19:04:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1105000.07F

[2010/08/16 19:04:49 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar

[2010/08/16 19:04:49 | 000,000,000 | ---D | C] -- C:\Program Files\Norton AntiVirus

[2010/08/16 19:04:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton

[2010/08/16 19:03:04 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller

[2010/08/16 19:03:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller

[2010/08/16 13:52:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes

[2010/08/16 13:52:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/08/16 13:52:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/08/16 13:52:03 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/08/16 13:52:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/08/16 00:46:41 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll

[2010/08/16 00:46:40 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll

[2010/08/16 00:46:40 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll

[2010/08/16 00:35:58 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys

[2010/08/16 00:35:49 | 000,218,592 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys

[2010/08/16 00:35:49 | 000,088,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys

[2010/08/16 00:35:36 | 000,063,360 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys

[2010/08/16 00:35:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools

[2010/08/16 00:35:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools

[2010/08/16 00:28:07 | 036,598,544 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Owner\Desktop\sdsetup 3.exe

[2010/08/16 00:19:38 | 000,040,840 | ---- | C] (PCTools Research Pty Ltd.) -- C:\WINDOWS\System32\drivers\ikfilesec.sys

[2010/08/16 00:19:38 | 000,029,576 | ---- | C] (PCTools Research Pty Ltd.) -- C:\WINDOWS\System32\drivers\kcom.sys

[2010/08/16 00:19:37 | 000,081,288 | ---- | C] (PCTools Research Pty Ltd.) -- C:\WINDOWS\System32\drivers\iksyssec.sys

[2010/08/16 00:19:37 | 000,066,952 | ---- | C] (PCTools Research Pty Ltd.) -- C:\WINDOWS\System32\drivers\iksysflt.sys

[2010/08/16 00:19:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\PC Tools

[2010/08/16 00:19:18 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor

[2010/08/16 00:16:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\


2010-08-24 00:36:24 . 2010-08-24 00:36:24 498 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-XecureWeb Control.reg.dat

2010-08-24 00:36:24 . 2010-08-24 00:36:24 846 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam.reg.dat

2010-08-24 00:36:23 . 2010-08-24 00:36:23 1,320 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Return to Castle Wolfenstein.reg.dat

2010-08-24 00:36:23 . 2010-08-24 00:36:23 650 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Mabinogi.reg.dat

2010-08-24 00:36:22 . 2010-08-24 00:36:22 2,400 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-InstallShield_{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}.reg.dat

2010-08-24 00:36:22 . 2010-08-24 00:36:22 1,930 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}.reg.dat

2010-08-24 00:36:22 . 2010-08-24 00:36:22 2,366 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-InstallShield_{04347DFD-87B6-4E30-B14D-5DF2888AD8F5}.reg.dat

2010-08-24 00:36:22 . 2010-08-24 00:36:22 908 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-All ATI Software.reg.dat

2010-08-24 00:36:21 . 2010-08-24 00:36:21 622 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Afaria Client.reg.dat

2010-08-24 00:33:48 . 2010-08-24 00:33:49 166 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Afaria Client File Differencing.reg.dat

2010-08-21 01:35:58 . 2010-08-21 01:35:58 190 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-cggnhrsy.reg.dat

2010-08-21 01:35:55 . 2010-08-21 01:35:57 140 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-WinampAgent.reg.dat

2010-08-21 01:35:43 . 2010-08-21 01:35:44 189 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-cggnhrsy.reg.dat

2010-08-21 01:35:41 . 2010-08-21 01:35:42 91 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Steam.reg.dat

2010-08-21 01:20:51 . 2010-08-21 01:53:02 16 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\dmlconf.dat.vir

2010-08-21 01:20:38 . 2010-08-21 01:20:38 158 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_2665454843_.dat.zip

2010-08-21 01:18:15 . 2010-08-23 02:07:56 47,262 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Microsoft\_DesktopLayer_.exe.zip.XXX

2010-08-21 01:16:45 . 2010-08-21 01:16:45 32 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\2665454843.dat.vir

2010-08-21 01:02:29 . 2010-08-24 00:21:15 12,477 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2010-08-20 00:12:01 . 2010-08-24 00:12:15 1,095 ----a-w- C:\Qoobox\Quarantine\catchme.log

2010-08-07 01:15:00 . 2010-08-07 01:15:00 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\awoyaqogunewucob.dll.vir

2010-08-06 23:14:42 . 2010-08-06 23:14:42 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\obemidinigo.dll.vir

2010-08-06 22:54:50 . 2010-08-06 22:54:51 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\oxudimeqaguvi.dll.vir

2010-08-06 20:52:51 . 2010-08-06 20:52:51 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ekobocovo.dll.vir

2010-08-06 18:50:51 . 2010-08-06 18:50:51 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ofebanup.dll.vir

2010-08-06 16:49:12 . 2010-08-06 16:49:12 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\icoqayofikahasa.dll.vir

2010-08-06 16:18:53 . 2010-08-06 16:18:55 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ixijunaz.dll.vir

2010-08-06 16:02:05 . 2010-08-06 16:02:05 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\amuyojoqozi.dll.vir

2010-08-06 15:47:01 . 2010-08-06 15:47:01 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ozefolif.dll.vir

2010-08-06 15:20:46 . 2010-08-06 15:20:47 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\opivayadep.dll.vir

2010-08-06 13:36:55 . 2010-08-06 13:36:55 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\oboparoh.dll.vir

2010-08-06 11:35:13 . 2010-08-06 11:35:13 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\eradenenor.dll.vir

2010-08-06 09:33:13 . 2010-08-06 09:33:13 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ivatozun.dll.vir

2010-08-06 07:31:13 . 2010-08-06 07:31:13 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\abosolas.dll.vir

2010-08-06 05:28:31 . 2010-08-06 05:28:31 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ewerituc.dll.vir

2010-08-06 03:26:52 . 2010-08-06 03:26:52 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ixafoqipofevinuy.dll.vir

2010-08-06 01:27:45 . 2010-08-06 01:27:46 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ininuzehobiqob.dll.vir

2010-08-06 01:16:36 . 2010-08-06 01:16:36 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\emavesazuyufom.dll.vir

2010-07-08 13:19:16 . 2010-08-07 02:43:30 16 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\config.dat.vir

2007-08-11 01:20:13 . 2007-08-11 01:20:25 107 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Log\NeffyManSp.20070810.log.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 98,148 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\bk_init.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 99,798 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\bk_main.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 7,062 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\bk_msg.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,006 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_close.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,180 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_close_di.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,180 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_close_mo.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,245 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_close_se.JPG.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 10,114 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_folder.JPG.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 10,009 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_folder_di.JPG.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 11,697 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_folder_mo.JPG.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 14,097 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_folder_se.JPG.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 981 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_no.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,144 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_no_di.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,144 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_no_mo.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,207 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_no_se.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,015 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_run.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,191 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_run_di.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,191 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_run_mo.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,255 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_run_se.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,017 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_set.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,181 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_set_di.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,181 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_set_mo.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,261 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_set_se.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,004 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_start.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,182 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_start_di.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,182 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_start_mo.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,245 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_start_se.JPG.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,038 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_stop.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,217 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_stop_di.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,217 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_stop_mo.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,281 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_stop_se.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 996 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_yes.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,169 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_yes_di.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,169 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_yes_mo.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,233 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\btn_yes_se.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 1,135 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\conf.ini.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 2,990 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\progress_img.jpg.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 78,336 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\Thumbs.db.vir

2007-08-11 01:19:23 . 2007-08-11 01:19:23 30 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Skin\hanbit\pangya\ticker.txt.vir

2007-08-11 01:19:15 . 2007-08-11 01:19:15 45,470 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\uninst.exe.vir

2007-02-05 02:25:08 . 2007-02-05 02:25:08 550,680 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\NeffyManSp.exe.vir

2006-12-29 14:36:10 . 2006-12-29 14:36:10 704,512 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\npz.ocx.vir

2006-02-18 04:12:07 . 2010-08-23 01:58:09 153,088 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Steam\UNWISE.EXE.XXX.vir

2005-11-10 00:19:58 . 2005-11-10 00:19:58 53,248 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\npkpdb.dll.vir

2005-10-19 09:29:04 . 2010-08-23 02:07:58 61,440 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\Woorizip.dll.vir.XXX

2005-09-06 10:03:14 . 2010-08-23 02:07:55 245,760 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\libcurl.dll.vir.XXX

2005-07-18 21:46:08 . 2005-07-18 21:46:08 74,240 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\zlibwapi.dll.vir

2005-07-18 08:46:08 . 2005-07-18 08:46:08 74,240 ----a-w- C:\Qoobox\Quarantine\C\Program Files\NeffyManSp\zlibwapi.dll.vir

2004-05-12 06:01:18 . 2010-08-23 03:21:18 97,408 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\SI3112r.sys.vir.XXX


Hi,

You can try the instructions below first, but I recommend that you do a reformat and reinstall of the OS, not only because of the connection problems (which are most likely a software issue) but also because a lot of program files have been deleted.

Your AV (Norton) is also missing files. That could cause connection problems. First use the normal method to uninstall Norton. After that, reboot your PC. Then use the Norton Removal Tool. After that, reboot your PC again. Does this fix the connection problem? :)


Hi,

In addition to my previous post, please follow these instructions: :)

I've been asked to let you upload a few files to the forum by one of Malwarebytes' malware hunters.

Open Notepad by going to START > RUN and typing notepad.exe in the box that appears. In the window that pops up, please copy and paste the following:

@echo off
rem Requires Info-ZIP's zip.exe on the PATH (zip is not a built-in Windows command).
rem Each path is quoted because several of them contain spaces; an unquoted
rem "C:\Program Files\..." would otherwise be split into two loop items.
for %%g in (
"C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\dmlconf.dat.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\_2665454843_.dat.zip"
"C:\Qoobox\Quarantine\C\Program Files\Microsoft\_DesktopLayer_.exe.zip.XXX"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\2665454843.dat.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\awoyaqogunewucob.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\obemidinigo.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\oxudimeqaguvi.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\ekobocovo.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\ofebanup.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\icoqayofikahasa.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\ixijunaz.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\amuyojoqozi.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\ozefolif.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\opivayadep.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\oboparoh.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\eradenenor.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\ivatozun.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\abosolas.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\ewerituc.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\ixafoqipofevinuy.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\ininuzehobiqob.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\emavesazuyufom.dll.vir"
"C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\config.dat.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\npz.ocx.vir"
"C:\Qoobox\Quarantine\C\Program Files\Steam\UNWISE.EXE.XXX.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\npkpdb.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\zlibwapi.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\SI3112r.sys.vir.XXX"
) do zip Files_for_submission %%g
rem Remove this batch file once the archive has been built.
del %0

In Notepad click on the "File" menu > Save As... Under "File name" type grab.bat and change "Save as type" to All Files, then save it to a place you will remember.

Double-click on grab.bat. A file, Files_for_submission.zip, will be created on your desktop.

Please start a new topic here.

Put a link to this thread in the new topic.

Upload and attach the Files_for_submission.zip file.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post


Hey Gammo,

I've uninstalled Norton and I've used the removal tool. I still have the connection error though. I've followed your instructions and I'll create a new topic there. Thanks for all your help so far, I might end up reformatting but I just want to see if I can get my system clean and the internet running again first.

Thanks again :)


Hi,

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\12520850u.exe -- (SPBBCSvcEventlog)
    [2010/06/19 02:28:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fslltggbq
    [2010/06/05 22:06:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\umqiubqsb
    [2010/06/04 18:07:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\orrdjlbhx
    [2010/08/20 20:38:26 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\12520850ugz.sys
    [2010/08/16 00:48:53 | 060,213,415 | -HS- | M] () -- C:\WINDOWS\System32\1054p.sys
    [2010/06/29 08:08:32 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\cakzob.dat
    [2010/06/05 08:52:35 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\dhxiuw.dat
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    :Services

    :Reg

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Malwarebytes' Anti-Malware from Here (transfer it with your USB flash drive)

  • Double Click mbam-setup.exe to install the application.
  • Make sure you REMOVE the checkmark next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

Download mbam-rules.exe (and transfer it with your USB flash drive). Double-click on it to install the database updates manually. Just follow the on-screen instructions.

After that, start Malwarebytes' Anti-Malware

  • Once the program has loaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Still the same issue with my internet connection :)

Here are the log results :) :

All processes killed

========== OTL ==========

Service SPBBCSvcEventlog stopped successfully!

Service SPBBCSvcEventlog deleted successfully!

File C:\WINDOWS\System32\12520850u.exe not found.

C:\Documents and Settings\NetworkService\Local Settings\Application Data\fslltggbq folder moved successfully.

C:\Documents and Settings\NetworkService\Local Settings\Application Data\umqiubqsb folder moved successfully.

C:\Documents and Settings\Owner\Local Settings\Application Data\orrdjlbhx folder moved successfully.

C:\WINDOWS\system32\12520850ugz.sys moved successfully.

C:\WINDOWS\system32\1054p.sys moved successfully.

C:\Documents and Settings\LocalService\Application Data\cakzob.dat moved successfully.

C:\Documents and Settings\NetworkService\Application Data\dhxiuw.dat moved successfully.

C:\WINDOWS\SET3.tmp deleted successfully.

C:\WINDOWS\SET4.tmp deleted successfully.

C:\WINDOWS\SET8.tmp deleted successfully.

C:\WINDOWS\System32\CONFIG.TMP deleted successfully.

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.

C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

->Flash cache emptied: 1777 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Java cache emptied: 14203 bytes

->Flash cache emptied: 2488 bytes

User: Owner

->Temp folder emptied: 18957365 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Java cache emptied: 3359286 bytes

->FireFox cache emptied: 3294235 bytes

->Flash cache emptied: 1525806 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 26.00 mb

[EMPTYFLASH]

User: All Users

User: Default User

User: LocalService

->Flash cache emptied: 0 bytes

User: NetworkService

->Flash cache emptied: 0 bytes

User: Owner

->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.10.0 log created on 08252010_164111

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4446

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

8/25/2010 5:04:19 PM

mbam-log-2010-08-25 (17-04-19).txt

Scan type: Quick scan

Objects scanned: 125800

Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\15701311.sys (Rootkit.Agent.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\12520850u.exe.XXX (Trojan.Dropper) -> Quarantined and deleted successfully.


Hi,

Please carefully read and follow these steps (very important!).

Make sure your computer is set to obtain an IP address automatically.

1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)

2. Double click Network Connections (Vista/7 users: Network and Sharing Center)

3. Vista/7 users - From the list of tasks on the left, click Manage network connections.

4. For a wired network connection, right-click Local Area Connection, and then select Properties.

For a wireless network connection, right-click Wireless Network Connection, and then select Properties.

5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol (TCP/IP), make sure it is checked, and then click Properties

6. Click Obtain an IP Address Automatically

7. Click Obtain DNS server address automatically, and then click OK.

Restart computer.

If that doesn't work...

Turn off the computer. Disconnect the router and modem from the power source for 1 minute. At the same time, disconnect the Ethernet cable as well.

Reconnect everything.

Restart computer.

If that doesn't work, bypass the router and connect the computer straight to the modem.

Restart computer.

If that doesn't work...

Go Start>Run (Start search in Vista), type in:

cmd

Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

In the Command Prompt window, type in the following commands, and hit Enter after each one:

ipconfig /flushdns

ipconfig /registerdns

ipconfig /release

ipconfig /renew

net stop "dns client"

net start "dns client"

Restart computer.

If that doesn't work...

Go Start>Run (Start search in Vista), type in:

cmd

Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

In the Command Prompt window, type in the following commands, and hit Enter after each one:

netsh int ip reset reset.log

netsh winsock reset catalog

Restart computer.

If that doesn't work...

Download and run WinSockFix. This is a two step process that will Back up the Registry and Reset the Winsock Stack.

  • Double click on WinsockXPFix.exe to open.
  • On the Winsock and TCP Repair Utility screen, click "ReG-Backup"
  • On the ERDNT Welcome screen, click "OK".
  • On the Backup to: screen, click "OK".
  • On the Folder does not exist question screen click "Yes".
  • You will see a status screen as your registry is being backed up.
  • On the Registry backup is complete! screen, click "OK" and you will go back to the main window.
  • On the Winsock and TCP Repair Utility screen, click "Fix".
  • On the Apply the VB_Winsock fix? screen click "Yes".
  • The screen will display a status message "repair completed please reboot."
  • On the Repair Completed screen click "OK" to reboot your computer.

Restart computer.

If that doesn't work...

Download Dial-A-Fix (DAF) (doesn't work in Vista):

http://wiki.lunarsoft.net/wiki/Dial-a-fix#...2C_and_articles

Have XP CD available in case DAF needs a file. Likely not!

Check all boxes on the screen (clear any restrictions if it shows any)

Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here, one at a time, do the below:

Reinstall BITS

Reinstall Windows Firewall

Repair Permissions

Reset networking

Watch for any File not found or other errors and make note as this may lead to the fix!

Restart computer.

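Before and after working through the ipconfig / netsh / Winsock steps in the post above, it helps to snapshot the settings that this kind of malware typically tampers with (per-adapter DNS servers, the Winsock LSP catalog, IE proxy/AutoConfig, AppInit_DLLs, the hosts file), so that you or a helper can see what actually changed and which step fixed it. The batch file below is an added example written for this thread; it is not from the original posts or from any of the tools mentioned. It assumes a Windows XP-era cmd.exe with reg.exe, netsh.exe and findstr.exe available; the log file name on the Desktop and the 4.2.2.2 test address are assumptions you can change.

```batch
@echo off
rem Added diagnostic (not part of the original thread): snapshot the network
rem settings malware commonly alters, before and after the reset steps, so the
rem two logs can be compared. Assumes XP-era cmd.exe with reg/netsh/findstr.
rem LOG path and the 4.2.2.2 test address are assumptions; adjust as needed.
setlocal
set LOG=%USERPROFILE%\Desktop\netdiag.txt
if exist "%LOG%" del "%LOG%"

echo === ipconfig /all === >> "%LOG%"
ipconfig /all >> "%LOG%"

echo. >> "%LOG%"
echo === Per-interface TCP/IP registry settings === >> "%LOG%"
rem Look for a NameServer value you never set, or EnableDHCP = 0 on an adapter
rem that should use DHCP: both are typical DNS-changer leftovers.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /s >> "%LOG%"

echo. >> "%LOG%"
echo === Global DNS settings === >> "%LOG%"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v NameServer >> "%LOG%" 2>&1
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DhcpNameServer >> "%LOG%" 2>&1

echo. >> "%LOG%"
echo === Winsock LSP catalog: provider DLLs other than mswsock/rsvpsp === >> "%LOG%"
rem A catalog entry whose DLL has been deleted by a scanner breaks Winsock for
rem every program; "netsh winsock reset catalog" is what clears these entries.
netsh winsock show catalog | findstr /i /c:"Provider Path" | findstr /i /v "mswsock.dll rsvpsp.dll" >> "%LOG%"

echo. >> "%LOG%"
echo === IE proxy / AutoConfig settings (HKCU) === >> "%LOG%"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable >> "%LOG%" 2>&1
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer >> "%LOG%" 2>&1
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL >> "%LOG%" 2>&1

echo. >> "%LOG%"
echo === AppInit_DLLs (loaded into every user32 process) === >> "%LOG%"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs >> "%LOG%" 2>&1

echo. >> "%LOG%"
echo === hosts file, non-comment lines === >> "%LOG%"
findstr /v /b /c:"#" "%SystemRoot%\system32\drivers\etc\hosts" >> "%LOG%"

echo. >> "%LOG%"
echo === Reachability: raw IP versus DNS name === >> "%LOG%"
rem If the IP ping succeeds but the name ping fails, the fault is name
rem resolution (DNS setting, hosts file, LSP), not the physical link.
ping -n 2 4.2.2.2 >> "%LOG%"
ping -n 2 www.malwarebytes.org >> "%LOG%"

echo Done. Log written to "%LOG%"
endlocal
```

Save it as netdiag.bat, run it once before the ipconfig/netsh steps and once after, and compare the two copies of netdiag.txt. Anything under the Winsock catalog section that you don't recognise, or a DNS server in the interface keys that is not your router or ISP, is the first thing to show a helper, since those are exactly the settings the winsock reset and the "obtain DNS server address automatically" step are meant to repair.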

Hi,

I've done all the steps so far with no success. The step I'm on now is the WinSockFix step. When I click the button to create a registry backup it says:

Warning!

Error saving file

C:\ERDNT\SECURITY !

Continue with the next file?

Yes or No?

And it does that for every file, is that normal? Also every file name has a ! at the end of it.


Hi,

Just skip the backup:

Double click on WinsockXPFix.exe to open.

  • On the Winsock and TCP Repair Utility screen, click "Fix".
  • On the Apply the VB_Winsock fix? screen click "Yes".
  • The screen will display a status message "repair completed please reboot."
  • On the Repair Completed screen click "OK" to reboot your computer.

Restart computer.

If that doesn't work...

Download Dial-A-Fix (DAF) (doesn't work in Vista):

http://wiki.lunarsoft.net/wiki/Dial-a-fix#...2C_and_articles

Have XP CD available in case DAF needs a file. Likely not!

Check all boxes on the screen (clear any restrictions if it shows any)

Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here, one at a time, do the below:

Reinstall BITS

Reinstall Windows Firewall

Repair Permissions

Reset networking

Watch for any File not found or other errors and make note as this may lead to the fix!

Restart computer.

