11 replies to this topic

[lwnamr]

Hello. This problem has troubled me for almost one month. Whenever I want to use google search it stops working, showing the following message:" Problem loading page-The connection has timed out The server at www.google.ro is taking too long to respond. etc". In the beginning it started by working, but after 3-4 serches it crashed. Now it doesn't work at all and it's annoying because i have to use yahoo search or bing. I tried to use it on different browsers like Mozilla(my default browser), Chrome, IE, but it was the same. I scanned my computer with Malwarebytes and at first it found abut 18 threats which i got rid of. I did the DDS scan as i saw you adviced before on the forum and i attached the results.

please help me because school projects are getting near and i have to use google a lot...
thank you in advance!

Attached Files

•  dds.txt   13.02K   16 downloads
•  attach.txt   8.2K   15 downloads

[Maniac]

Hello lwnamr and ! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

Please uninstal the following applications:

BitLord 1.1
FreeRIP Toolbar v6.3


Step 2

• Launch Malwarebytes' Anti-Malware
  
• Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  
• Go to Scanner tab and select Perform Quick Scan, then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.


Step 3

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:

• Flush DNS
  
• Report IE Proxy Settings
  
• Reset IE Proxy Settings
  
• Report FF Proxy Settings
  
• Reset FF Proxy Settings
  
• List content of Hosts
  
• List IP configuration
  
• List Winsock Entries
  
• List last 10 Event Viewer log
  
• List Installed Programs
  
• List Devices
  
• List Users, Partitions and Memory size.
  
• List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Step 4

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  • Internet Services
    
  • Windows Firewall
    
  • System Restore
    
  • Security Center
    
  • Windows Update
• Press "Scan".
  
• It will create a log (FSS.txt) in the same directory the tool is run.
  
• Please copy and paste the log to your reply.

Step 5

Please download AdwCleaner from here and save it on your Desktop.

• Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
  
• Now click on the Search tab.
  
• Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.


In your next reply, post the following log files:

• Malwarebytes' Anti-Malware log
  
• MiniToolBox log
  
• Farbar Service Scanner log
  
• AdwCleaner log

[lwnamr]

I wish to thank you for taking interest in my problem, i really hope you will help me solve this. OK, i did the steps you prompted me to. Here are the demanded logs:

Step 2

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.08.03

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Administrator :: ASUS-KLU [administrator]

08.10.2012 14:55:19
mbam-log-2012-10-08 (14-55-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201287
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Step 3

MiniToolBox by Farbar Version: 23-07-2012
Ran by Administrator (administrator) on 08-10-2012 at 15:03:04
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================
Windows IP ConfigurationSuccessfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1 localhost
127.0.0.1 localhost

========================= IP Configuration: ================================

Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC = Local Area Connection

(Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration Host Name . . . . . . . . . . . . : ASUS-KLU

Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . :

Unknown IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . .

. . . . . : No DNS Suffix Search List. . . . . . : clauEthernet adapter Local

Area Connection: Connection-specific DNS Suffix . : clau Description .

. . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC

Physical Address. . . . . . . . . : 00-24-8C-6E-1C-E0 Dhcp Enabled. . . . . .

. . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . .

. . . . . . . . . : 192.168.2.100 Subnet Mask . . . . . . . . . . . :

255.255.255.0 Default Gateway . . . . . . . . . : 192.168.2.1 DHCP

Server . . . . . . . . . . . : 192.168.2.1 DNS Servers . . . . . . . . . . . :

192.168.2.1 Lease Obtained. . . . . . . . . . : 8 octombrie 2012 10:05:03

Lease Expires . . . . . . . . . . : 19 ianuarie 2038 06:14:07Server:
Address: 192.168.2.1

Name: google.com
Addresses: 87.125.87.103, 87.125.87.103, 87.125.87.103, 87.125.87.103
87.125.87.103, 87.125.87.103, 87.125.87.103, 87.125.87.103, 87.125.87.103
87.125.87.103, 87.125.87.103, 87.125.87.103, 87.125.87.103, 87.125.87.103
87.125.87.103, 87.125.87.103

Pinging google.com [87.125.87.103] with 32 bytes of data:Request timed out.Request

timed out.Ping statistics for 87.125.87.103: Packets: Sent = 2, Received = 0, Lost

= 2 (100% loss),Server:
Address: 192.168.2.1

Name: yahoo.com
Addresses: 98.139.183.24, 72.30.38.140, 98.138.253.109

Pinging yahoo.com [72.30.38.140] with 32 bytes of data:Reply from 72.30.38.140:

bytes=32 time=939ms TTL=42Reply from 72.30.38.140: bytes=32 time=1140ms TTL=42Ping

statistics for 72.30.38.140: Packets: Sent = 2, Received = 2, Lost = 0 (0%

loss),Approximate round trip times in milli-seconds: Minimum = 939ms, Maximum =

1140ms, Average = 1039msServer:
Address: 192.168.2.1

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:Request timed

out.Request timed out.Ping statistics for 208.43.87.2: Packets: Sent = 2, Received

= 0, Lost = 2 (100% loss),Pinging 127.0.0.1 with 32 bytes of data:Reply from

127.0.0.1: bytes=32 time<1ms TTL=128Reply from 127.0.0.1: bytes=32 time<1ms

TTL=128Ping statistics for 127.0.0.1: Packets: Sent = 2, Received = 2, Lost = 0

(0% loss),Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum =

0ms, Average =

0ms===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 24 8c 6e 1c e0

...... Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC - Packet Scheduler

Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.100 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.2.0 255.255.255.0 192.168.2.100 192.168.2.100 20
192.168.2.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.2.255 255.255.255.255 192.168.2.100 192.168.2.100 20
224.0.0.0 240.0.0.0 192.168.2.100 192.168.2.100 20
255.255.255.255 255.255.255.255 192.168.2.100 192.168.2.100 1
Default Gateway: 192.168.2.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\wshbth.dll [108032] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/06/2012 05:01:30 PM) (Source: Application Error) (User: )
Description: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module

dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Error: (10/06/2012 04:56:32 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.2180, faulting

module unknown, version 0.0.0.0, fault address 0x029629f0.
Processing media-specific event for [explorer.exe!ws!]

Error: (10/03/2012 10:06:50 PM) (Source: ESENT) (User: )
Description: svchost (1200) An attempt to open the file

"C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read

/ write access failed with system error 32 (0x00000020): "The process cannot access

the file because it is being used by another process. ". The open file operation

will fail with error -1032 (0xfffffbf8).

Error: (10/03/2012 10:01:17 PM) (Source: Application Error) (User: )
Description: Faulting application winamp.exe, version 5.5.1.1763, faulting module

gen_bestlyrics.dll, version 0.0.0.0, fault address 0x000068d1.
Processing media-specific event for [winamp.exe!ws!]

Error: (09/17/2012 00:50:18 PM) (Source: Application Error) (User: )
Description: Faulting application winamp.exe, version 5.5.1.1763, faulting module

gen_bestlyrics.dll, version 0.0.0.0, fault address 0x000068d1.
Processing media-specific event for [winamp.exe!ws!]

Error: (09/12/2012 02:47:11 PM) (Source: Application Error) (User: )
Description: Faulting application winamp.exe, version 5.5.1.1763, faulting module

gen_bestlyrics.dll, version 0.0.0.0, fault address 0x000068d1.
Processing media-specific event for [winamp.exe!ws!]

Error: (09/09/2012 04:00:00 PM) (Source: Application Error) (User: )
Description: Faulting application winamp.exe, version 5.5.1.1763, faulting module

gen_bestlyrics.dll, version 0.0.0.0, fault address 0x000068d1.
Processing media-specific event for [winamp.exe!ws!]

Error: (09/06/2012 11:44:07 PM) (Source: Application Error) (User: )
Description: Faulting application winamp.exe, version 5.5.1.1763, faulting module

gen_bestlyrics.dll, version 0.0.0.0, fault address 0x000068d1.
Processing media-specific event for [winamp.exe!ws!]

Error: (07/27/2012 04:35:55 PM) (Source: Application Error) (User: )
Description: Faulting application winamp.exe, version 5.5.1.1763, faulting module

gen_bestlyrics.dll, version 0.0.0.0, fault address 0x000068d1.
Processing media-specific event for [winamp.exe!ws!]

Error: (07/18/2012 10:32:23 AM) (Source: SecurityCenter) (User: )
Description: The Windows Security Center Service was unable to establish event

queries with WMI to monitor third party AntiVirus and Firewall.


System errors:
=============

Microsoft Office Sessions:
=========================
Error: (10/06/2012 05:01:30 PM) (Source: Application Error)(User: )
Description: drwtsn32.exe5.1.2600.0dbghelp.dll5.1.2600.21800001295d

Error: (10/06/2012 04:56:32 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.2180unknown0.0.0.0029629f0

Error: (10/03/2012 10:06:50 PM) (Source: ESENT)(User: )
Description:

svchost1200C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb-

1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is

being used by another process.

Error: (10/03/2012 10:01:17 PM) (Source: Application Error)(User: )
Description: winamp.exe5.5.1.1763gen_bestlyrics.dll0.0.0.0000068d1

Error: (09/17/2012 00:50:18 PM) (Source: Application Error)(User: )
Description: winamp.exe5.5.1.1763gen_bestlyrics.dll0.0.0.0000068d1

Error: (09/12/2012 02:47:11 PM) (Source: Application Error)(User: )
Description: winamp.exe5.5.1.1763gen_bestlyrics.dll0.0.0.0000068d1

Error: (09/09/2012 04:00:00 PM) (Source: Application Error)(User: )
Description: winamp.exe5.5.1.1763gen_bestlyrics.dll0.0.0.0000068d1

Error: (09/06/2012 11:44:07 PM) (Source: Application Error)(User: )
Description: winamp.exe5.5.1.1763gen_bestlyrics.dll0.0.0.0000068d1

Error: (07/27/2012 04:35:55 PM) (Source: Application Error)(User: )
Description: winamp.exe5.5.1.1763gen_bestlyrics.dll0.0.0.0000068d1

Error: (07/18/2012 10:32:23 AM) (Source: SecurityCenter)(User: )
Description:


=========================== Installed Programs ============================

ABBYY FineReader 7.0 Professional Edition (Version: 7.00.543.3645)
ABC Amber Nokia Converter
Adobe Bridge 1.0 (Version: 001.000.000)
Adobe Common File Installer (Version: 1.00.0000)
Adobe Flash Player 11 ActiveX (Version: 11.4.402.278)
Adobe Flash Player 11 Plugin (Version: 11.4.402.265)
Adobe Help Center 1.0 (Version: 001.000.000)
Adobe Photoshop CS2 (Version: 9.0)
Adobe Reader 8.1.4 (Version: 8.1.4)
Adobe Stock Photos 1.0 (Version: 001.000.000)
AP Tuner 3.08
ATI - Software Uninstall Utility (Version: 6.14.10.1022)
ATI AVIVO Codecs (Version: 10.0.0.40103)
ATI Catalyst Control Center (Version: 2.009.0203.2227)
ATI Display Driver (Version: 8.582-090203a-075908C-ATI)
ATI HYDRAVISION (Version: 3.25.0006)
ATI Problem Report Wizard (Version: 8.10)
Avira AntiVir Personal - Free Antivirus (Version: 10.2.0.707)
AVS DVD Player version 2.2
Bing Maps 3D (Version: 4.0.903.16005)
BS.Player FREE (Version: 2.43.1008)
Canon Camera Access Library (Version: 8.5.0.2)
Canon Camera Support Core Library (Version: 7.3.1.6)
Canon G.726 WMP-Decoder (Version: 1.1.0.4)
Canon MOV Decoder (Version: 1.7.0.6)
Canon MovieEdit Task for ZoomBrowser EX (Version: 2.6.0.4)
Canon RAW Image Task for ZoomBrowser EX (Version: 0.9.3.9)
Canon Utilities CameraWindow DC (Version: 7.1.0.7)
Canon Utilities CameraWindow DC 8 (Version: 8.3.0.6)
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX (Version: 5.4.5.17)
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX (Version: 6.4.2.16)
Canon Utilities CameraWindow Launcher (Version: 7.5.0.2)
Canon Utilities EOS Utility (Version: 1.1.0.8)
Canon Utilities Movie Uploader for YouTube (Version: 1.1.0.4)
Canon Utilities MyCamera (Version: 7.4.0.2)
Canon Utilities MyCamera DC (Version: 7.0.1.8)
Canon Utilities PhotoStitch (Version: 3.1.21.45)
Canon Utilities RemoteCapture Task for ZoomBrowser EX (Version: 1.7.1.9)
Canon ZoomBrowser EX Memory Card Utility (Version: 1.1.0.8)
Caseta de cautare rapida Google (Version: 1.2.1151.245)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Core Implementation (Version: 2009.0203.2228.40314)
Catalyst Control Center Graphics Full Existing (Version: 2009.0203.2228.40314)
Catalyst Control Center Graphics Full New (Version: 2009.0203.2228.40314)
Catalyst Control Center Graphics Light (Version: 2009.0203.2228.40314)
Catalyst Control Center Graphics Previews Common (Version: 2009.0203.2228.40314)
Catalyst Control Center HydraVision Full (Version: 2009.0203.2228.40314)
Catalyst Control Center Localization All (Version: 2009.0203.2228.40314)
ccc-core-preinstall (Version: 2009.0203.2228.40314)
ccc-core-static (Version: 2009.0203.2228.40314)
ccc-utility (Version: 2009.0203.2228.40314)
CCC Help Chinese Standard (Version: 2009.0203.2227.40314)
CCC Help Chinese Traditional (Version: 2009.0203.2227.40314)
CCC Help Czech (Version: 2009.0203.2227.40314)
CCC Help Danish (Version: 2009.0203.2227.40314)
CCC Help Dutch (Version: 2009.0203.2227.40314)
CCC Help English (Version: 2009.0203.2227.40314)
CCC Help Finnish (Version: 2009.0203.2227.40314)
CCC Help French (Version: 2009.0203.2227.40314)
CCC Help German (Version: 2009.0203.2227.40314)
CCC Help Greek (Version: 2009.0203.2227.40314)
CCC Help Hungarian (Version: 2009.0203.2227.40314)
CCC Help Italian (Version: 2009.0203.2227.40314)
CCC Help Japanese (Version: 2009.0203.2227.40314)
CCC Help Korean (Version: 2009.0203.2227.40314)
CCC Help Norwegian (Version: 2009.0203.2227.40314)
CCC Help Polish (Version: 2009.0203.2227.40314)
CCC Help Portuguese (Version: 2009.0203.2227.40314)
CCC Help Russian (Version: 2009.0203.2227.40314)
CCC Help Spanish (Version: 2009.0203.2227.40314)
CCC Help Swedish (Version: 2009.0203.2227.40314)
CCC Help Thai (Version: 2009.0203.2227.40314)
CCC Help Turkish (Version: 2009.0203.2227.40314)
Compatibility Pack for the 2007 Office system (Version: 12.0.6021.5000)
Components Setup (Version: 1.00.0000)
CorelDRAW Graphics Suite 12 (Version: 12.0.0.458)
Data Pilot 1.03
Digital Guitar Tuner 2.3
Diner Dash: Flo on the Go (remove only) (Version: 3.3.5.17)
Diner Dash: Flo on the Go (Version: 3.3.5.17)
EViews 5
Facebook Plug-In
ffdshow [rev 3154] [2009-12-09] (Version: 1.0)
FreeRIP v3.61 (Version: 3.61)
Geography Quiz 1.0
Google Chrome (Version: 22.0.1229.79)
Google Earth (Version: 6.1.0.5001)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.4.3230.2052)
Google Update Helper (Version: 1.3.21.123)
Google Updater (Version: 2.4.2432.1652)
Guitar Pro 5.2
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
HyperMediaCenter (Version: 3.0)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 20 (Version: 6.0.200)
Java™ 6 Update 32 (Version: 6.0.320)
KWorld TV Tuner Card Utilities (Version: 3.0.0.1)
Lexmark Skin: Helix
Lexmark Skin: Kids
Lexmark Skin: Machine1
Lexmark Skin: PotatoSkin
Lexmark X1100 Series
Malwarebytes Anti-Malware version 1.65.0.1400 (Version: 1.65.0.1400)
MCE Software Encoder 1.1 (Version: 1.1.0.1509)
mGames (Version: 1.6.82c)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 (Version: 2.0.50727)
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0 (Version: 3.0.04506.30)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office Professional Edition 2003 (Version: 11.0.5614.0)
Microsoft Office Small Business Connectivity Components (Version: 2.0.7024.0)
Microsoft Silverlight (Version: 3.0.50106.0)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Tools Express Edition (Version: 9.2.3042.00)
Microsoft SQL Server Native Client (Version: 9.00.3042.00)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.3042.00)
Microsoft SQL Server VSS Writer (Version: 9.00.3042.00)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version:

9.0.30729.4148)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)
Mozilla Firefox 15.0.1 (x86 en-US) (Version: 15.0.1)
Mozilla Maintenance Service (Version: 15.0.1)
MP3 Splitter version 3.0
MSXML 6.0 Parser (Version: 6.10.1129.0)
Nero 6
Nokia Connectivity Cable Driver (Version: 6.80.5.1)
Nokia PC Connectivity Solution (Version: 6.11.10.0)
Nokia PC Suite (Version: 6.80.21)
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00 (Version: 4.1.00.13261)
OpenOffice.org 3.2 (Version: 3.2.9502)
Owl and Mouse Make a Town
PhotoScape
Platform (Version: 1.27)
PowerISO (Version: 4.8)
REALTEK GbE & FE Ethernet PCI-E NIC Driver (Version: 1.17.0000)
Rosetta Stone Version 3 (Version: 3.4.7.0)
Scientific WorkPlace 2.5
Scientific WorkPlace 4.0
Sid Meier's Civilization 4 (Version: 1.00.0000)
Sid Meier's Civilization 4 (Version: 1.09)
Skins (Version: 2009.0203.2228.40314)
Skype Toolbars (Version: 5.3.7555)
Skype™ 5.3 (Version: 5.3.120)
SonicStage 3.0 (Version: 3.0)
Sony Picture Utility (Version: 2.0.03.13170)
Sony USB Driver (Version: 2.00)
The Sims Medieval (Version: 1.0.0)
The Sims™ 3 (Version: 1.0.631)
The Weather Channel Desktop 6
Themen aktuell 1
Trojan Remover 6.8.5 (Version: 6.8.5)
TV Tuner Card Teletext (Version: 1.6.0.5)
VIA Platform Device Manager (Version: 1.27)
Video Media Player 2.5.78 (Version: 2.5.78)
VLC media player 0.9.9 (Version: 0.9.9)
WebFldrs XP (Version: 9.50.7523)
Winamp (Version: 5.51 )
Winamp Lyrics (Explorer Version) v1.22
Windows Communication Foundation (Version: 3.0.04506.30)
Windows Driver Package - Nokia Modem (04/06/2006 6.8.0.17) (Version: 04/06/2006

6.8.0.17)
Windows Imaging Component (Version: 3.0.0.0)
Windows Installer 3.1 (KB893803) (Version: 3.1)
Windows Media Format 11 runtime
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows Workflow Foundation (Version: 3.0.4203.2)
WinRAR archiver
Xfire (remove only)
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.1 final uninstall (Version: 1.2)
Yahoo! Messenger
YTD Video Downloader 3.9.2
Zeus

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 23%
Total physical RAM: 3327.04 MB
Available physical RAM: 2558.55 MB
Total Pagefile: 5211.23 MB
Available Pagefile: 4439.4 MB
Total Virtual: 2047.88 MB
Available Virtual: 1979.36 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:60 GB) (Free:25.02 GB) NTFS
2 Drive d: () (Fixed) (Total:200.01 GB) (Free:1.89 GB) NTFS
3 Drive e: () (Fixed) (Total:200.01 GB) (Free:5.24 GB) NTFS
4 Drive f: () (Fixed) (Total:238.61 GB) (Free:42.54 GB) NTFS

========================= Users: ========================================

User accounts for \\ASUS-KLU

Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\Mini071812-01.dmp
C:\WINDOWS\Minidump\Mini071812-02.dmp
C:\WINDOWS\Minidump\Mini071812-03.dmp

**** End of log ****

Step 4

Farbar Service Scanner Version: 07-10-2012
Ran by Administrator (administrator) on 08-10-2012 at 15:05:57
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Google.com returned error: Google.com is offline
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Yahoo.com is offline


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-04 18:00] - [2004-08-04 18:00] - 0162816 ____A (Microsoft Corporation)

0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-04 18:00] - [2004-08-04 18:00] - 0359040 ____A (Microsoft Corporation)

9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 18:00] - [2004-08-04 18:00] - 0074752 ____A (Microsoft Corporation)

64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-04 18:00] - [2004-08-04 18:00] - 0045568 ____A (Microsoft Corporation)

7379DE06FD196E396A00AA97B990C00D

C:\WINDOWS\system32\ipnathlp.dll
[2004-08-04 18:00] - [2004-08-04 18:00] - 0331264 ____A (Microsoft Corporation)

36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll
[2004-08-04 18:00] - [2004-08-04 18:00] - 0198144 ____A (Microsoft Corporation)

DAB9E6C7105D2EF49876FE92C524F565

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2009-07-20 19:00] - [2004-08-04 18:00] - 0144896 ____A (Microsoft Corporation)

F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2009-07-20 19:01] - [2004-08-04 18:00] - 0170496 ____A (Microsoft Corporation)

92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2009-07-20 19:01] - [2004-08-04 18:00] - 0073472 ____A (Microsoft Corporation)

E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\wscsvc.dll
[2004-08-04 18:00] - [2004-08-04 18:00] - 0081408 ____A (Microsoft Corporation)

4D59DAA66C60858CDF4F67A900F42D4A

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2009-07-20 19:00] - [2004-08-04 18:00] - 0144896 ____A (Microsoft Corporation)

F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\wuauserv.dll
[2009-07-20 19:02] - [2004-08-04 18:00] - 0006656 ____A (Microsoft Corporation)

13D72740963CBA12D9FF76A7F218BCD8

C:\WINDOWS\system32\qmgr.dll
[2009-07-20 19:01] - [2004-08-04 18:00] - 0382464 ____A (Microsoft Corporation)

2C69EC7E5A311334D10DD95F338FCCEA

C:\WINDOWS\system32\es.dll
[2004-08-04 18:00] - [2004-08-04 18:00] - 0243200 ____A (Microsoft Corporation)

ACD36A2DD7D1E9D8A060AA651DC07E63

C:\WINDOWS\system32\cryptsvc.dll
[2004-08-04 18:00] - [2004-08-04 18:00] - 0060416 ____A (Microsoft Corporation)

10654F9DDCEA9C46CFB77554231BE73B

C:\WINDOWS\system32\svchost.exe
[2004-08-04 18:00] - [2004-08-04 18:00] - 0014336 ____A (Microsoft Corporation)

8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-04 18:00] - [2004-08-04 18:00] - 0395776 ____A (Microsoft Corporation)

5C83A4408604F737717AB96371201680

C:\WINDOWS\system32\services.exe
[2004-08-04 18:00] - [2004-08-04 18:00] - 0108032 ____A (Microsoft Corporation)

C6CE6EEC82F187615D1002BB3BB50ED4


Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) RFCOMM(8) Tcpip(4)
0x080000000500000001000000020000000300000004000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

Step 5

# AdwCleaner v2.004 - Logfile created 10/08/2012 at 15:06:50
# Updated 06/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
# User : Administrator - ASUS-KLU
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\searchplugins\fcmdSrch.xml
Folder Found : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Found : C:\Documents and Settings\All Users\Application Data\Premium
Folder Found : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Found : C:\Program Files\Common Files\spigot

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\FunWebProducts
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0D7562AE-8EF6-416D-A838-AB665251703A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\facemoods
Key Found : HKU\S-1-5-21-1202660629-1770027372-839522115-500\Software\Microsoft\Internet Explorer\SearchScopes\{0D7562AE-8EF6-416D-A838-AB665251703A}

***** [Internet Browsers] *****

-\\ Internet Explorer v6.0.2900.2180

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://start.facemoods.com/?a=bf1&s={searchTerms}&f=4

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hiet002u.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v22.0.1229.79

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2460 octets] - [08/10/2012 15:06:50]

########## EOF - C:\AdwCleaner[R1].txt - [2520 octets] ##########

Have a nice day!

[Maniac]

Step 1

• Please re-run AdwCleaner
  
• Click on Delete button.
  
• Confirm each time with OK.
  
• Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.


Step 2

Note: Please do not run this tool without special supervision and instruction of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


In your next reply, post the following log files:

• AdwCleaner log
  
• ComboFix log

[lwnamr]

Hello, Maniac. I tried the steps that you suggested to me. The AdwCleaner opperation was a success, i will post its log below. However i couldn't make ComboFix log work. I closed all antivirus programs and ran Combofix. I saw that it was working really slow and I left it working all night while i was sleeping. When i woke up after completing 50 stages a window showed letting me know that the system is infected and i clicked ok. The blue window showed this message: " System file is infected!! Attempting to restore: C:\WINDOWS\system32\Services.exe". After letting it work for about 3 hrs, nothing was happening and i assumed it was doing nothing. I rebooted the PC and got this blue window with BIOS SETUP UTILITY. I immediately went to exit and the PC got rebooted automatically as soon as i exited. Now when i open Mozilla and try to open google it works, but as soon as i try to search something i get this error no mather what i try to find: "
404. That’s an error.
The requested URL /ncrsorry/?continue=http://www.google.ro/search%3Fhl%3Den%26site%3D%26source%3Dhp%26q%3Danything%26oq%3Danything%26gs_l%3Dhp.3..0l10.1356.2387.0.2513.8.6.0.2.2.0.95.483.6.6.0.les%253B..0.0...1c.1.TnTlW5FKjMQ%26bav%3Don.2,or.r_gc.r_pw.%26biw%3D1671%26bih%3D899%26ech%3D1%26psi%3DxuxzUKtew7O0BsuMgMgJ.1349774545186.3%26emsg%3DNCSR%26noj%3D1%26ei%3DxuxzUKtew7O0BsuMgMgJ was not found on this server. That’s all we know.
"
Also in C:\ there is now a folder called ComboFix which is the same to My Computer in layout and folder components.
I made pictures to the blue screen if they are of any use to you, just let me know.

AdwCleaner log:

# AdwCleaner v2.004 - Logfile created 10/08/2012 at 23:52:23
# Updated 06/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
# User : Administrator - ASUS-KLU
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\fcmdSrch.xml
Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Premium
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\FunWebProducts
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0D7562AE-8EF6-416D-A838-AB665251703A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\facemoods

***** [Internet Browsers] *****

-\\ Internet Explorer v6.0.2900.2180

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://start.facemoods.com/?a=bf1&s={searchTerms}&f=4 --> hxxp://www.google.com

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hiet002u.default\prefs.js

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hiet002u.default\user.js ... Deleted !

[OK] File is clean.

-\\ Google Chrome v22.0.1229.79

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2589 octets] - [08/10/2012 15:06:50]
AdwCleaner[S1].txt - [2511 octets] - [08/10/2012 23:52:23]

########## EOF - C:\AdwCleaner[S1].txt - [2571 octets] ##########

[Maniac]

Please re-run ComboFix in Safe mode with Networking.
http://www.microsoft...t_failsafe.mspx

[lwnamr]

it took a day to run ComboFix, but i hope it was worth it. Currently i think Combofix ruined my internet connection because I'm on a laptop now, i will have to call the internet provider to give me the ip address and so on tomorrow. here is the log:

ComboFix 12-10-08.03 - Administrator 09.10.2012 14:28:34.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2924 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\9F22B9.dat
c:\documents and settings\Administrator\Local Settings\Application Data\assembly\tmp
c:\documents and settings\Administrator\My Documents\~yt116.tmp
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\dasetup.log
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.3.inf
c:\windows\system32\CddbCdda.dll
c:\windows\system32\Drivers\afd.sys
c:\windows\system32\msconfig.exe
c:\windows\system32\regsvr32.exe
c:\windows\system32\SET37.tmp
c:\windows\system32\SET3B.tmp
c:\windows\system32\SET43.tmp
c:\windows\system32\winlogon.bak
.
c:\windows\system32\drivers\afd.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-09-09 to 2012-10-09 )))))))))))))))))))))))))))))))
.
.
2012-10-03 18:48 . 2012-10-03 18:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-10-03 18:48 . 2012-10-03 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-10-03 18:48 . 2012-09-07 14:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-03 18:45 . 2012-10-03 18:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2012-10-03 18:45 . 2012-06-15 13:39 169744 ----a-w- c:\windows\system32\ztvunrar36.dll
2012-10-03 18:45 . 2012-06-15 13:35 185616 ----a-w- c:\windows\system32\ztvunrar39.dll
2012-10-03 18:45 . 2012-06-15 13:33 605968 ----a-w- c:\windows\system32\ztv7z.dll
2012-10-03 18:45 . 2005-08-25 22:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2012-10-03 18:45 . 2012-06-15 13:33 77072 ----a-w- c:\windows\system32\ztvcabinet.dll
2012-10-03 18:45 . 2003-02-02 17:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2012-10-03 18:45 . 2002-03-05 22:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2012-10-03 18:45 . 2012-10-03 18:45 -------- d-----w- c:\program files\Trojan Remover
2012-10-03 18:45 . 2012-10-03 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2012-09-19 09:24 . 2012-10-07 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\YTD Video Downloader
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 10:18 . 2012-04-06 08:31 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 10:18 . 2011-05-17 16:20 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-08 10:41 . 2012-09-08 10:41 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-07-20 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
[-] 2004-11-28 14:36 . AB3D62010AF342203FFA60C2D94DBC68 . 8704 . . [1] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-04-11 1409024]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2011-06-08 822456]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-10-07 33538048]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
"FineReader7NewsReaderPro"="c:\program files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-09-11 278528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2012-09-14 1247504]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2009-10-30 344064]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Center Agent]
2007-08-22 19:44 1518592 -c--a-w- c:\program files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2011-06-08 07:45 822456 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2009-09-23 11:47 122368 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 07:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-19 15:35 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-12-20 15:16 37376 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Programele\\strong dc\\StrongDC.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [20.07.2009 22:01 136360]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [20.07.2009 23:00 674048]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [20.07.2009 21:31 876288]
S2 gupdate1ca20e2ab2ee85a;Google Update Service (gupdate1ca20e2ab2ee85a);c:\program files\Google\Update\GoogleUpdate.exe [19.08.2009 18:35 133104]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [06.04.2012 11:31 250808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [19.08.2009 18:35 133104]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [10.06.2012 12:33 114144]
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 10:18]
.
2012-10-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-19 16:51]
.
2012-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-19 15:35]
.
2012-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-19 15:35]
.
2012-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1770027372-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-04 18:40]
.
2012-10-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1770027372-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-07-04 18:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hiet002u.default\
FF - prefs.js: browser.startup.homepage - www.google.ro
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=386496&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DW7 - c:\program files\The Weather Channel\The Weather Channel App\TWCApp.exe
MSConfigStartUp-ChristmasTree - c:\docume~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.859\Christmas.exe
AddRemove-Data Pilot_is1 - f:\data pilot\unins000.exe
AddRemove-Scientific WorkPlace 2.5DeinstallKey - f:\DeIsL1.isu
AddRemove-Video Media Player 2.5.78 - c:\program files\iajefhajnmepmfcmdccojclpadmhpjad\Video Media Player\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-09 23:13
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1202660629-1770027372-839522115-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3648)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_rum.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\program files\WinRAR\rarext.dll
c:\program files\Avira\AntiVir Desktop\shlext.dll
c:\program files\PowerISO\PWRISOSH.DLL
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll
c:\progra~1\TROJAN~1\Trshlex.dll
c:\windows\system32\browselc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
c:\windows\system32\rundll32.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
.
**************************************************************************
.
Completion time: 2012-10-09 23:14:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-09 20:14
.
Pre-Run: 26.699.436.032 bytes free
Post-Run: 28.888.363.008 bytes free
.
- - End Of File - - DBE62B13BFBDBFACBEF1E8BA2445AA82

[Maniac]

This is because there is no afd.sys in c:\windows\system32\drivers .

Do you have Windows XP CD?

[lwnamr]

I acquired a Windows XP cd from a friend...i must format C:\, right?i was afraid of that...will the internet connections have to be reconfigured?

[Maniac]

No, no I just want to perform this scan:
http://www.bleepingc...topic43051.html

Then manually delete ComboFix, download a new fresh copy and re-run ComboFix. Post the log file in your next reply.

[screen317]

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

[screen317]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!