
I recently got some kind of virus on my system that has made most of my files and documents hidden; it started to redirect my internet pages during searches, and an Internet Explorer script error message keeps appearing. I have run Malwarebytes and it did find some problems, but the virus is still on my system.


Hello and welcome!

Your files are still there, they are hidden. Run unhide.exe to make them visible.

Note: If using Firefox, right-click on any download links and choose Save As.

Please download OTH to your desktop

Please download OTL to your desktop

Double-click the OTH file to run it and click Kill All Processes; your desktop will go blank.


Then select Start OTL. OTL will now run.

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Click the Internet Explorer button and post these logs in your Virus Removal topic.

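The "your files are still there" point above is worth making concrete: this kind of rogue does not delete documents, it sets the Hidden attribute on them, and unhide.exe clears that bit again. The Python below is an added example, not part of this thread and not the code of unhide.exe; it shows the decision that matters when doing the same job by hand, namely clearing Hidden only on ordinary user files and leaving alone what Windows hides on purpose (Hidden+System entries, desktop.ini, the registry hives, the AppData tree). The exclusion lists and the default folder are assumptions for illustration, and the actual attribute write only runs on Windows.

```python
import os
import stat
import sys
from typing import Iterable, List, Tuple

# Bits of the Win32 file attribute word; the stat module defines the constants on every platform.
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x02)
SYSTEM = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x04)

# Assumed exclusion lists for illustration: names Windows keeps hidden inside a profile on
# purpose, and directories that are hidden by design and hold no user documents.
KEEP_HIDDEN = {"desktop.ini", "thumbs.db", "ntuser.ini", "ntuser.pol"}
SKIP_DIRS = {"appdata", "application data", "local settings"}


def should_unhide(name: str, attrs: int) -> bool:
    """True if an entry looks like a user file the rogue hid; False if Windows hides it legitimately."""
    if not attrs & HIDDEN:
        return False                      # already visible, nothing to do
    if attrs & SYSTEM:
        return False                      # Hidden+System: OS-managed (hiberfil.sys, profile junctions)
    low = name.lower()
    if low in KEEP_HIDDEN or low.startswith(("ntuser.dat", "~$")):
        return False                      # registry hive files, Office lock files
    return True


def plan_unhide(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Pure planner over (name, attribute word) pairs; returns the names whose Hidden bit should go."""
    return [name for name, attrs in entries if should_unhide(name, attrs)]


def unhide_tree(root: str, apply: bool = False) -> List[str]:
    """Walk `root` and clear the Hidden bit wherever should_unhide() says so.
    Reading and writing attributes is Windows-only, so elsewhere this is a no-op.
    Returns the paths that were (apply=True) or would be (apply=False) changed."""
    changed: List[str] = []
    if sys.platform != "win32":
        return changed
    import ctypes                         # only needed for SetFileAttributesW
    kernel32 = ctypes.windll.kernel32
    for dirpath, dirnames, filenames in os.walk(root):
        # prune hidden-by-design trees before os.walk descends into them
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            attrs = os.lstat(path).st_file_attributes
            if should_unhide(name, attrs):
                changed.append(path)
                if apply and not kernel32.SetFileAttributesW(path, attrs & ~HIDDEN):
                    raise ctypes.WinError()
    return changed


if __name__ == "__main__":
    # usage: python unhide_plan.py [folder] [--apply]   (dry run unless --apply is given)
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    target = args[0] if args else os.path.join(os.path.expanduser("~"), "Documents")
    for p in unhide_tree(target, apply="--apply" in sys.argv):
        print(p)
```

Run it once without --apply and read the list before letting it write anything. A blanket `attrib -h /s /d` over the profile would do the same job faster, but it also strips Hidden from desktop.ini and the hive files, which is exactly what the exclusion rules here avoid.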

OTL logfile created on: 4/10/2011 3:07:18 PM - Run 2

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Lizzie\Downloads

Windows Vista Home Basic Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 64.00% Memory free

6.00 Gb Paging File | 5.00 Gb Available in Paging File | 83.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 222.54 Gb Total Space | 66.60 Gb Free Space | 29.93% Space Free | Partition Type: NTFS

Drive D: | 10.34 Gb Total Space | 1.77 Gb Free Space | 17.09% Space Free | Partition Type: NTFS

Computer Name: LIZS-PC | User Name: Lizzie | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Lizzie\Downloads\OTH.scr (OldTimer Tools)

PRC - C:\Users\Lizzie\Downloads\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\SMINST\BLService.exe ()

========== Modules (SafeList) ==========

MOD - C:\Users\Lizzie\Downloads\OTL.exe (OldTimer Tools)

MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (RelevantKnowledge) -- File not found

SRV - (Recovery Service for Windows) -- C:\Program Files\SMINST\BLService.exe ()

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (MBAMSwissArmy) -- C:\Windows\System32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)

DRV - (IntcHdmiAddService) Intel® -- C:\Windows\System32\drivers\IntcHdmi.sys (Intel® Corporation)

DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )

DRV - (CnxtHdAudService) -- C:\Windows\System32\drivers\CHDRT32.sys (Conexant Systems Inc.)

DRV - (TIEHDUSB) -- C:\Windows\System32\drivers\tiehdusb.sys (Texas Instruments Incorporated)

DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)

DRV - (NETw3v32) Intel® -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation)

DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)

DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2247187

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Mario Forever Customized Web Search"

FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2247187&SearchSource=3&q={searchTerms}"

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "http://www.hulu.com/"

FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.1.94

FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.1.94

FF - prefs.js..extensions.enabledItems: {1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}:4.0

FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.6.1

FF - prefs.js..extensions.enabledItems: textlinks@playsushi.com:1.0.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{6E19037A-12E3-4295-8915-ED48BC341614}: C:\Program Files\RelevantKnowledge

FF - HKLM\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/04/07 19:32:21 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/04/07 19:32:22 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox 3.1 Beta 3\components [2011/04/09 17:09:06 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3.1 Beta 3\plugins [2011/04/09 17:09:06 | 000,000,000 | ---D | M]

[2009/05/18 16:28:56 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Lizzie\AppData\Roaming\Mozilla\Extensions

[2009/05/18 16:28:56 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Lizzie\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org

[2011/04/10 14:59:28 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Lizzie\AppData\Roaming\Mozilla\Firefox\Profiles\s57u0m3l.default\extensions

[2011/04/07 16:43:29 | 000,000,000 | -H-D | M] (HootBar) -- C:\Users\Lizzie\AppData\Roaming\Mozilla\Firefox\Profiles\s57u0m3l.default\extensions\{1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}

[2011/04/07 16:43:29 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Lizzie\AppData\Roaming\Mozilla\Firefox\Profiles\s57u0m3l.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2009/07/18 14:22:47 | 000,000,000 | -H-D | M] (Advantage extension) -- C:\Users\Lizzie\AppData\Roaming\Mozilla\Firefox\Profiles\s57u0m3l.default\extensions\{f6bf92e0-b190-11dd-ad8b-0800200c9a67}

[2009/04/27 16:09:10 | 000,000,888 | -H-- | M] () -- C:\Users\Lizzie\AppData\Roaming\Mozilla\Firefox\Profiles\s57u0m3l.default\searchplugins\conduit.xml

[2009/06/17 12:55:28 | 000,007,982 | -H-- | M] () -- C:\Users\Lizzie\AppData\Roaming\Mozilla\Firefox\Profiles\s57u0m3l.default\searchplugins\oneriot-social-web-search.xml

[2009/05/12 17:35:17 | 000,001,741 | -H-- | M] () -- C:\Users\Lizzie\AppData\Roaming\Mozilla\Firefox\Profiles\s57u0m3l.default\searchplugins\search-the-web.xml

File not found (No name found) --

[2009/05/07 15:06:06 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA FIREFOX 3.1 BETA 3\EXTENSIONS\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

[2009/10/11 15:54:45 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA FIREFOX 3.1 BETA 3\EXTENSIONS\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

[2009/12/05 11:05:30 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA FIREFOX 3.1 BETA 3\EXTENSIONS\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

() (No name found) -- C:\USERS\LIZZIE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\S57U0M3L.DEFAULT\EXTENSIONS\{A0D7CCB3-214D-498B-B4AA-0E8FDA9A7BF7}.XPI

() (No name found) -- C:\USERS\LIZZIE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\S57U0M3L.DEFAULT\EXTENSIONS\PERSONAS@CHRISTOPHER.BEARD.XPI

[2009/04/06 17:41:26 | 000,151,552 | ---- | M] (PopCap Games) -- C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)

O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)

O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)

O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.

O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()

O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [updateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updatePDIRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe ()

O4 - HKCU..\Run: [speech Recognition] C:\Windows\Speech\Common\sapisvr.exe (Microsoft Corporation)

O4 - HKCU..\Run: [VeohPlugin] C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe (Veoh Networks)

O4 - Startup: C:\Users\Lizzie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.popcap.com/webgames/popcaploader_v10.cab (PopCapLoader Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Users\Lizzie\Pictures\Panic!\003.jpg

O24 - Desktop BackupWallPaper: C:\Users\Lizzie\Pictures\Panic!\003.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O33 - MountPoints2\{91e796fd-a584-11df-9a9d-001f16710a9a}\Shell\AutoRun\command - "" = F:\LinksysConnectPC.exe

O33 - MountPoints2\{f49ebca5-1500-11de-a00d-001f16710a9a}\Shell\AutoRun\command - "" = F:\LinksysConnectPC.exe

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/07 19:33:00 | 000,000,000 | -H-D | C] -- C:\Users\Lizzie\AppData\Local\DDMSettings

[2011/04/07 19:32:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DivX Plus

[2011/04/07 19:32:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared

[2010/08/25 19:59:08 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/10 14:59:14 | 000,000,284 | -H-- | M] () -- C:\ProgramData\hpqp.ini

[2011/04/10 14:59:07 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2011/04/10 14:59:07 | 000,000,214 | ---- | M] () -- C:\Windows\tasks\PAV.job

[2011/04/10 14:59:05 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2011/04/10 14:59:05 | 000,003,344 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2011/04/10 14:58:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2011/04/10 14:58:52 | 3149,078,528 | -HS- | M] () -- C:\hiberfil.sys

[2011/04/09 19:19:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2011/04/09 16:12:25 | 000,007,728 | ---- | M] () -- C:\Users\Lizzie\AppData\Local\d3d9caps.dat

[2011/04/09 15:45:49 | 000,000,136 | -H-- | M] () -- C:\ProgramData\~42786568r

[2011/04/09 15:45:49 | 000,000,104 | -H-- | M] () -- C:\ProgramData\~42786568

[2011/04/09 15:45:47 | 000,000,581 | -H-- | M] () -- C:\Users\Lizzie\Desktop\Windows Restore.lnk

[2011/04/09 15:45:42 | 000,000,336 | -H-- | M] () -- C:\ProgramData\42786568

[2011/04/09 15:45:40 | 000,475,136 | -H-- | M] () -- C:\ProgramData\42786568.exe

[2011/04/07 20:02:22 | 000,036,352 | -H-- | M] () -- C:\Users\Lizzie\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011/04/07 18:16:45 | 000,000,911 | -H-- | M] () -- C:\Users\Lizzie\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2011/04/07 18:16:45 | 000,000,887 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk

[2011/04/07 18:01:59 | 000,002,265 | -H-- | M] () -- C:\Users\Lizzie\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk

[2011/04/05 19:20:21 | 000,002,241 | -H-- | M] () -- C:\Users\Lizzie\Desktop\Apple Safari.lnk

[2011/04/02 11:24:02 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2011/04/02 11:24:02 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2011/03/24 22:43:03 | 000,000,000 | -H-- | M] () -- C:\Users\Lizzie\AppData\Roaming\AVSDVDPlayer.m3u

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/09 16:11:57 | 3149,078,528 | -HS- | C] () -- C:\hiberfil.sys

[2011/04/09 15:45:49 | 000,000,136 | -H-- | C] () -- C:\ProgramData\~42786568r

[2011/04/09 15:45:48 | 000,000,104 | -H-- | C] () -- C:\ProgramData\~42786568

[2011/04/09 15:45:47 | 000,000,581 | -H-- | C] () -- C:\Users\Lizzie\Desktop\Windows Restore.lnk

[2011/04/09 15:45:42 | 000,000,336 | -H-- | C] () -- C:\ProgramData\42786568

[2011/04/09 15:45:40 | 000,475,136 | -H-- | C] () -- C:\ProgramData\42786568.exe

[2011/04/07 18:16:45 | 000,000,899 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk

[2010/08/25 20:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin

[2010/08/25 20:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin

[2010/08/25 20:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin

[2010/08/25 19:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config

[2010/08/25 19:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll

[2010/08/25 19:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll

[2009/12/11 19:36:10 | 000,000,008 | -H-- | C] () -- C:\Users\Lizzie\AppData\Roaming\DofusAppId0_2

[2009/12/11 19:33:58 | 000,000,173 | -H-- | C] () -- C:\Users\Lizzie\AppData\Roaming\D2Info0

[2009/12/11 19:33:58 | 000,000,008 | -H-- | C] () -- C:\Users\Lizzie\AppData\Roaming\DofusAppId0_1

[2009/12/09 19:47:18 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI

[2009/10/05 21:15:21 | 000,000,000 | -H-- | C] () -- C:\Users\Lizzie\AppData\Roaming\wklnhst.dat

[2009/07/14 20:37:22 | 000,000,063 | -H-- | C] () -- C:\Users\Lizzie\AppData\Roaming\AVSMediaPlayer.m3u

[2009/06/16 00:33:59 | 000,007,728 | ---- | C] () -- C:\Users\Lizzie\AppData\Local\d3d9caps.dat

[2009/05/05 22:30:00 | 000,012,717 | R--- | C] () -- C:\Windows\hpwscr14.dat

[2009/05/05 22:27:06 | 000,179,602 | ---- | C] () -- C:\Windows\hpwins14.dat

[2009/04/07 22:34:51 | 000,000,000 | -H-- | C] () -- C:\Users\Lizzie\AppData\Roaming\AVSDVDPlayer.m3u

[2009/04/07 21:46:28 | 000,524,288 | ---- | C] () -- C:\Windows\System32\xvidcore.dll

[2009/04/07 21:46:28 | 000,139,264 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll

[2009/04/04 22:17:32 | 000,245,760 | ---- | C] () -- C:\Windows\System32\ImxEx.dll

[2009/03/28 00:07:28 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat

[2009/03/25 18:08:43 | 000,036,352 | -H-- | C] () -- C:\Users\Lizzie\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/03/13 00:29:55 | 000,000,284 | -H-- | C] () -- C:\ProgramData\hpqp.ini

[2008/10/23 01:43:24 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin

[2008/10/23 01:43:24 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

[2008/07/06 16:29:46 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1518.dll

[2008/07/06 16:14:06 | 000,147,172 | ---- | C] () -- C:\Windows\System32\igfcg550.bin

[2008/06/29 10:52:14 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll

[2008/06/09 15:02:30 | 000,001,108 | R--- | C] () -- C:\Windows\hpwmdl14.dat

[2006/11/02 08:53:49 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat

[2006/11/02 08:44:53 | 000,344,360 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT

[2006/11/02 06:33:01 | 000,604,502 | ---- | C] () -- C:\Windows\System32\perfh009.dat

[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat

[2006/11/02 06:33:01 | 000,104,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat

[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat

[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat

[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT

[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

[2006/03/09 05:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

[1999/01/22 14:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2009/11/17 21:46:02 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\Alawar

[2009/12/11 19:34:02 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\app

[2011/01/31 22:36:06 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2009/12/11 20:04:35 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\Dofus 2

[2009/12/11 19:36:10 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\Dofus-2.C9ECCBDBA4E09304DEEFB106465BC17F6D6749B9.1

[2009/12/11 19:33:58 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\Dofus.C9ECCBDBA4E09304DEEFB106465BC17F6D6749B9.1

[2009/06/26 03:07:05 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\GetRightToGo

[2009/03/19 18:00:26 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\iWin

[2011/03/08 19:42:16 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\muvee Technologies

[2009/11/19 19:31:01 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\MysteryStudio

[2009/05/07 17:18:04 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\OpenOffice.org

[2009/03/31 15:34:48 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\PlayFirst

[2009/11/17 21:56:40 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\Playrix Entertainment

[2009/12/11 19:34:02 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\Reg.C9ECCBDBA4E09304DEEFB106465BC17F6D6749B9.1

[2009/11/02 20:31:30 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\Spacejock Software

[2009/03/28 14:41:17 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\SPORE Creature Creator

[2009/07/25 20:46:47 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\Tific

[2009/12/03 20:18:37 | 000,000,000 | -H-D | M] -- C:\Users\Lizzie\AppData\Roaming\Youdagames

[2011/04/10 14:59:07 | 000,000,214 | ---- | M] () -- C:\Windows\Tasks\PAV.job

[2011/04/10 00:23:47 | 000,032,622 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 85 bytes -> C:\ProgramData:$SS_DESCRIPTOR_PVX2VCGKMVF9V8N4TKBRVDNGCMXLJ4M28WDP36MLTJ5KJ4VPXHAT

@Alternate Data Stream - 337 bytes -> C:\ProgramData\Temp:B8CAAE22

@Alternate Data Stream - 142 bytes -> C:\ProgramData\Temp:3B4DA230

@Alternate Data Stream - 138 bytes -> C:\ProgramData\Temp:32A82570

@Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:0E22C5DB

@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:CB0FEE2B

@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:4A2862FF

@Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:5335CE76

< End of report >

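The entries a helper zeroes in on in the log above are easy to miss among the HP and Intel files: a cluster of hidden files with no company name and a random numeric name (42786568.exe, 42786568, ~42786568, ~42786568r) written directly into C:\ProgramData within nine seconds on 2011/04/09 at 15:45, together with a hidden "Windows Restore.lnk" dropped on the Desktop in the same burst. The Python below is an added example, not part of this thread and not OTL's own logic; it parses OTL file-list lines and applies those two observations as rules, plus a third that flags any burst of unsigned files created within one minute. The name heuristic and the 60-second window are assumptions, and the sample input is copied from the log posted above.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# One OTL file line: [date time | size | attrs | C/M] (company) -- path
LINE = re.compile(
    r"^\[(?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] \((?P<company>.*?)\) -- (?P<path>.+)$"
)
# Names like 42786568, ~42786568, ~42786568r, 42786568.exe: a run of digits with an
# optional ~ prefix / r suffix and no product name at all. Assumed heuristic.
RANDOM_NAME = re.compile(r"^~?\d{6,}r?(\.exe)?$", re.IGNORECASE)
BURST = timedelta(seconds=60)


class Entry(NamedTuple):
    when: datetime
    size: int
    attrs: str        # R/H/S/D flags as OTL prints them, e.g. "-H--"
    kind: str         # C = created, M = modified
    company: str      # empty when the file carries no company name
    path: str


def parse(text: str) -> List[Entry]:
    """Parse the file-list sections of an OTL log; section headers and other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append(Entry(datetime.strptime(m["when"], "%Y/%m/%d %H:%M:%S"),
                             int(m["size"].replace(",", "")), m["attrs"],
                             m["kind"], m["company"], m["path"]))
    return out


def _in_programdata_root(path: str) -> bool:
    parts = path.split("\\")
    return len(parts) == 3 and parts[1].lower() == "programdata"


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (subject, reason) findings: two per-file rules plus a creation-burst rule."""
    findings = []
    for e in entries:
        name = e.path.rsplit("\\", 1)[-1]
        hidden = "H" in e.attrs
        if hidden and not e.company and _in_programdata_root(e.path) and RANDOM_NAME.match(name):
            findings.append((e.path, "hidden, no company name, random-looking name directly in C:\\ProgramData"))
        elif hidden and name.lower().endswith(".lnk") and "\\desktop\\" in e.path.lower():
            findings.append((e.path, "hidden shortcut on the Desktop"))
    # Burst rule: several unsigned, non-system files created within one minute is how a
    # dropper writes its payload, its data files and its launcher in one go.
    created = sorted((e for e in entries if e.kind == "C" and not e.company and "S" not in e.attrs),
                     key=lambda e: e.when)
    i = 0
    while i < len(created):
        j = i
        while j + 1 < len(created) and created[j + 1].when - created[i].when <= BURST:
            j += 1
        if j - i + 1 >= 3:
            span = f"{created[i].when:%Y/%m/%d %H:%M:%S} .. {created[j].when:%H:%M:%S}"
            findings.append((span, f"{j - i + 1} unsigned files created within 60 s"))
        i = j + 1
    return findings


# Sample input: lines copied from the OTL log posted above.
SAMPLE_LOG = r"""
========== Files Created - No Company Name ==========
[2011/04/09 16:11:57 | 3149,078,528 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/09 15:45:49 | 000,000,136 | -H-- | C] () -- C:\ProgramData\~42786568r
[2011/04/09 15:45:48 | 000,000,104 | -H-- | C] () -- C:\ProgramData\~42786568
[2011/04/09 15:45:47 | 000,000,581 | -H-- | C] () -- C:\Users\Lizzie\Desktop\Windows Restore.lnk
[2011/04/09 15:45:42 | 000,000,336 | -H-- | C] () -- C:\ProgramData\42786568
[2011/04/09 15:45:40 | 000,475,136 | -H-- | C] () -- C:\ProgramData\42786568.exe
[2011/04/07 18:16:45 | 000,000,899 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2009/03/13 00:29:55 | 000,000,284 | -H-- | C] () -- C:\ProgramData\hpqp.ini
"""

if __name__ == "__main__":
    for subject, reason in triage(parse(SAMPLE_LOG)):
        print(f"{reason}: {subject}")
```

On the sample the five rogue artefacts and the burst are reported, while hiberfil.sys (Hidden+System), the HP hpqp.ini (a real product name) and the visible Firefox shortcut are not. The burst rule is the one that generalises: a single hidden file is ambiguous, five unsigned files landing in the same minute almost never are.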

Hi again, please run the following. If this doesn't work, just let me know and we'll continue with a manual fix. :)

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming the installation.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


No problem, can you try this instead?

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users: right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it: right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Sorry I haven't replied in a while. I tried to run TDSSKiller, but it won't open. I have even changed the extension, but all it does when I click Run as Administrator is have a box pop up that says "A program needs your permission to continue"; I click Continue and wait, but nothing happens.


No problem, there is a new infection out which blocks TDSSKiller. Luckily we can do it manually as well. :)

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    volsnap.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook 04.09.10 by jpshortstuff

Log created at 18:55 on 17/04/2011 by Lizard1231

Administrator - Elevation successful

========== filefind ==========

Searching for "volsnap.sys"

C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys --a---- 226280 bytes [01:45 18/09/2009] [06:32 11/04/2009] 147281C01FCB1DF9252DE2A10D5E7093

C:\Windows\System32\drivers\volsnap.sys --a---- 227896 bytes [02:32 21/01/2008] [02:32 21/01/2008] D8B4A53DD2769F226B3EB374374987C9

C:\Windows\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys --a---- 208488 bytes [10:25 02/11/2006] [09:51 02/11/2006] 11EF6C1CAEF76B685233450A126125D6

C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys --a---- 227896 bytes [02:32 21/01/2008] [02:32 21/01/2008] D8B4A53DD2769F226B3EB374374987C9

C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys --a---- 227896 bytes [02:32 21/01/2008] [02:32 21/01/2008] D8B4A53DD2769F226B3EB374374987C9

-= EOF =-

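What the :filefind output above lets you check is whether the driver Windows actually loads (C:\Windows\System32\drivers\volsnap.sys) still matches the pristine copies Windows keeps for servicing. Here it does: the live file carries the same MD5 and size as the DriverStore copy and the winsxs copy for build 6.0.6001 (the build the OTL header reports), and the one different hash belongs to a 6.0.6002 update package sitting in SoftwareDistribution, which is a newer version rather than tampering. The Python below is an added example, not part of this thread and not SystemLook's own code; it parses the rows, makes that comparison version-aware, and can re-hash the file locally to cross-check a tool's value. The build prefix is taken from the OTL header above; the sample rows are copied from the SystemLook log. One caveat a practitioner should keep in mind: a kernel-mode rootkit that has hooked the disk or file-system stack can hand user-mode readers (SystemLook, this script, hashlib) the original bytes while the patched driver is what runs, so a matching hash read on a live infected system is reassuring but not conclusive. That is the reason for moving on to a kernel-level scanner such as GMER.

```python
import hashlib
import re
from typing import Dict, List, NamedTuple, Optional

# One SystemLook :filefind row: path, attribute flags, size, [mtime] [ctime], MD5
ROW = re.compile(
    r"^(?P<path>.+?) (?P<attrs>\S{7}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# Four-part version embedded in winsxs / SoftwareDistribution component folder names
VERSION = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


class Copy(NamedTuple):
    path: str
    size: int
    md5: str
    version: Optional[str]   # known only for winsxs / SoftwareDistribution copies


def parse_filefind(text: str) -> List[Copy]:
    copies = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            v = VERSION.search(m["path"])
            copies.append(Copy(m["path"], int(m["size"]), m["md5"].upper(), v.group(1) if v else None))
    return copies


def _is_live(c: Copy) -> bool:
    return c.path.lower().endswith(r"\system32\drivers\volsnap.sys")


def _is_reference(c: Copy) -> bool:
    low = c.path.lower()
    return "\\driverstore\\filerepository\\" in low or "\\winsxs\\" in low


def compare(copies: List[Copy], os_build: str) -> Dict[str, object]:
    """Check the loaded driver against the servicing copies.
    os_build is the installed build prefix from the OTL header, e.g. "6.0.6001"."""
    live = next(c for c in copies if _is_live(c))
    refs = [c for c in copies if _is_reference(c)]
    same = [c.path for c in refs if c.md5 == live.md5 and c.size == live.size]
    # The winsxs copy for the running build is the strongest reference: it must match.
    build_refs = [c for c in refs if c.version and c.version.startswith(os_build + ".")]
    build_ok = all(c.md5 == live.md5 for c in build_refs)
    other_versions = sorted({c.version for c in copies
                             if c.version and not c.version.startswith(os_build + ".")})
    return {
        "live_md5": live.md5,
        "matching_references": same,
        "other_versions_present": other_versions,   # e.g. a pending update, not evidence of tampering
        "verdict": "consistent" if same and build_ok else "MISMATCH",
    }


def md5_of(path: str) -> str:
    """Re-hash a file locally to cross-check the value a tool reported."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


# Sample input: the :filefind rows from the SystemLook log posted above.
SAMPLE = r"""
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys --a---- 226280 bytes [01:45 18/09/2009] [06:32 11/04/2009] 147281C01FCB1DF9252DE2A10D5E7093
C:\Windows\System32\drivers\volsnap.sys --a---- 227896 bytes [02:32 21/01/2008] [02:32 21/01/2008] D8B4A53DD2769F226B3EB374374987C9
C:\Windows\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys --a---- 208488 bytes [10:25 02/11/2006] [09:51 02/11/2006] 11EF6C1CAEF76B685233450A126125D6
C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys --a---- 227896 bytes [02:32 21/01/2008] [02:32 21/01/2008] D8B4A53DD2769F226B3EB374374987C9
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys --a---- 227896 bytes [02:32 21/01/2008] [02:32 21/01/2008] D8B4A53DD2769F226B3EB374374987C9
"""

if __name__ == "__main__":
    print(compare(parse_filefind(SAMPLE), os_build="6.0.6001"))
```

The verdict flips to MISMATCH as soon as the live hash differs from every DriverStore and winsxs copy, or from the winsxs copy of the running build in particular; the 6.0.6002 package is listed separately so a pending update is not misread as a patched driver.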

Hi again,

GMER

-------

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.


Hi, new member here.

I have been following this thread for a bit; it appears my wife's computer is affected by the same symptoms.

I, too, had to make the hidden files reappear.

Running ComboFix yields a windowed blue screen, and there's an error message which says that volsnap.sys is compromised by a rootkit and prompts to fix it. I simply escape at that point without hitting OK. I noticed that running ComboFix also runs about 3 or 4 iexplore.exe processes, which I kill with a process manager.

Same as with Lizzie: when attempting to run TDSSKiller it fails to run, even after renaming the filename and extension.

Ran GMER and came up with a log, would it be okay for me to post it in this thread, too?


Hi again,

Please right click on the combofix download link below and select "save link/target as...". Save the file as random.exe to your desktop and run it like that.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming the installation.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

