Jump to content

Windows Command Processor (trojan)-Win32/Kryptik.AHES trojan


Recommended Posts

Hello,

My computer is infected with a virus thats continually attempting to get me to approve a program called "Windows Command Processor". Everytime I close it, the popup reappears before I can move my mouse.

I've looked around on the internet and I found a thread where the user had the same virus. I followed Elise's (I think that was the lady resolving the thread) instructions and it removed the virus/popus, however when I restarted the computer it came back.

I would gladly appreciate help in removing this virus, and thanks in advance.

Pat.

Link to post
Share on other sites

  • Replies 53
  • Created
  • Last Reply

Top Posters In This Topic

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

Link to post
Share on other sites

Hi, thanks for helping me. Here is the MBAM log. I had to run it in safe-mode because I couldn't open it on a normal startup:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.23.06

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Patrick Fong :: PATRICKFONG-PC [administrator]

Protection: Disabled

24/06/2012 11:45:33 AM

mbam-log-2012-06-24 (11-45-33).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 218634

Time elapsed: 5 minute(s), 21 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

I shall post the DDS log once its complete.

Thanks

Link to post
Share on other sites

Here's the DDS log.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_02

Run by Patrick Fong at 12:27:40 on 2012-06-24

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.61.1033.18.2047.1147 [GMT 10:00]

.

AV: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}

SP: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\CNAC3RPK.EXE

C:\Windows\Explorer.EXE

C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Users\Patrick Fong\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

C:\Program Files\D-Link\DWA-125 revA\ANIWConnService.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\WUDFHost.exe

C:\hp\support\hpsysdrv.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe

C:\Program Files\D-Link\DWA-125 revA\WZCSLDR2.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Windows\ehome\ehsched.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\System32\mobsync.exe

C:\hp\kbd\kbd.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\consent.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conime.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com.au/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=73&bd=Pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll

BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED

uRun: [TchAhayq] c:\users\patrick fong\appdata\local\lvpnwwpd\tchahayq.exe

mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe

mRun: [KBD] c:\hp\kbd\KbdStub.EXE

mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe

mRun: [D-Link D-Link DWA-125] c:\program files\d-link\dwa-125 reva\AirGCFG.exe

mRun: [WZCSLDR2] c:\program files\d-link\dwa-125 reva\WZCSLDR2.exe

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""

mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

StartupFolder: c:\users\patrick fong\desktop\programs\startup\tchahayq.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\canonl~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\CNAC3LAK.EXE

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna1100\WNA1100.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{72545EE3-403B-4C48-9050-5A07AFB87826} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{73907729-99B0-4873-B55B-564556193DCD} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{9DED64DF-2F82-4938-A509-17F82B9D095E} : DhcpNameServer = 192.168.0.1

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll

Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll

Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - c:\program files\trend micro\titanium\uiframework\ProToolbarIMRatingActiveX.dll

.

============= SERVICES / DRIVERS ===============

.

R1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\drivers\anodlwf.sys [2011-6-26 12800]

R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2012-6-11 68368]

R2 BackupService;BackupService;c:\users\patrick fong\appdata\roaming\hp simplesave application\uUACTokenSvc.exe [2010-10-11 83512]

R2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\d-link\dwa-125 reva\ANIWConnService.exe [2011-6-26 53248]

R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-4 208896]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-14 21504]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-21 654408]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]

R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-4-4 2666880]

R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [2007-6-22 2831232]

R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2012-3-4 1439744]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-21 22344]

R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-8-31 464384]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-8-3 105576]

S2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2012-6-11 200632]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\d-link\dwa-125 reva\ANIWZCSdS.exe [2011-6-26 126976]

S2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-12 167936]

S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\netgear\wna1100\jswpsapi.exe [2012-3-4 960992]

S3 netr28u;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Dnetr28u.sys [2011-6-26 849248]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-06-22 13:05:24 -------- dc----w- C:\$RECYCLE.BIN

2012-06-22 13:02:36 -------- d-----w- c:\users\patrick fong\appdata\local\temp

2012-06-22 12:52:01 -------- dc----w- C:\ComboFix

2012-06-22 11:55:10 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-22 11:54:22 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-21 03:16:52 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-21 03:16:52 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-21 02:06:32 98816 ----a-w- c:\windows\sed.exe

2012-06-21 02:06:32 518144 ----a-w- c:\windows\SWREG.exe

2012-06-21 02:06:32 256000 ----a-w- c:\windows\PEV.exe

2012-06-21 02:06:32 208896 ----a-w- c:\windows\MBR.exe

2012-06-21 00:15:20 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-21 00:15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-20 13:13:21 -------- d-----w- c:\users\patrick fong\appdata\local\lvpnwwpd

2012-06-16 05:32:38 -------- d-----w- c:\programdata\Tarma Installer

2012-06-16 05:31:51 -------- d-----w- c:\program files\1ClickDownload

2012-06-13 11:39:57 984064 ----a-w- c:\windows\system32\crypt32.dll

2012-06-13 11:39:57 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-13 11:39:57 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-13 11:39:34 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-13 11:39:32 2045440 ----a-w- c:\windows\system32\win32k.sys

2012-06-11 12:45:19 -------- d-----w- c:\users\patrick fong\appdata\local\Trend Micro

2012-06-11 12:37:15 92432 ----a-w- c:\windows\system32\drivers\tmtdi.sys

2012-06-11 12:25:52 68368 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys

2012-06-11 12:25:52 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2012-06-11 12:25:51 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys

2012-06-11 12:19:14 56 ----a-w- c:\windows\system32\SupportTool.exe.bat

2012-06-11 12:14:57 -------- d-----w- c:\programdata\Trend Micro

2012-06-11 12:05:01 -------- d-----w- c:\program files\Trend Micro

2012-06-09 05:05:20 -------- d--h--w- c:\programdata\Common Files

2012-06-08 13:08:14 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{fb267cab-edfb-4dfe-9356-7f650b410c37}\mpengine.dll

.

==================== Find3M ====================

.

2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-04-03 08:16:12 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-03 08:16:11 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-03-30 12:39:11 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys

.

============= FINISH: 12:28:54.75 ===============

Link to post
Share on other sites

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member madara only. If you are a casual viewer, do NOT try this on your system!

If you are not madara and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Step 1

Your logs showed some peer-to-peer filesharing apps: uTorrent. I do not recommend the use of P-2-P programs since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

See also http://forums.malwar...showtopic=97700

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Un-install uTorrent AND any other peer-to-peer fileshare and confirm having done so.

Step 2

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT by doing a Right-Click on it & select Run As Admisnistrator

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 3

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Step 4

You will want to print out or copy these instructions to Notepad for Safe offline reference!

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

For help reference, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

2. Open notepad and copy/paste the text in the quotebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=111547

Suspect::[4]
c:\users\patrick fong\appdata\local\lvpnwwpd\tchahayq.exe

DDS::
uRun: [TchAhayq] c:\users\patrick fong\appdata\local\lvpnwwpd\tchahayq.exe

File::
c:\users\patrick fong\desktop\programs\startup\tchahayq.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

3. Close any (all) open browsers.

4:

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When CF finishes running, it pops out with the CF log and this message box:

autosubmit.png

Clicking OK will begin the auto-upload of the zipped file.

CF_UploadSuccessful.gif

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Re-enable your antivirus when all done.

Link to post
Share on other sites

ComboFix 12-06-25.02 - Patrick Fong 25/06/2012 20:33:45.6.2 - x86

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.61.1033.18.2047.1017 [GMT 10:00]

Running from: c:\users\Patrick Fong\Downloads\ComboFix.exe

Command switches used :: c:\users\Patrick Fong\Downloads\CFScript.txt

AV: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}

SP: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Patrick Fong\AppData\Local\amfmkrxk.log

c:\users\Patrick Fong\AppData\Local\hsivcopd.log

c:\users\Patrick Fong\AppData\Local\jlypkcri.log

c:\users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe

c:\users\Patrick Fong\AppData\Local\narfqwth.log

c:\users\Patrick Fong\AppData\Local\udkriyde.log

c:\users\Patrick Fong\AppData\Local\vtofbvlp.log

c:\users\Patrick Fong\AppData\Local\wqexycde.log

c:\users\Patrick Fong\Desktop\Internet Explorer.lnk

.

.

((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))

.

.

2012-06-25 10:41 . 2012-06-25 10:44 -------- d-----w- c:\users\Patrick Fong\AppData\Local\temp

2012-06-25 10:41 . 2012-06-25 10:41 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp

2012-06-25 10:41 . 2012-06-25 10:41 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-25 10:07 . 2012-06-25 10:08 -------- d-----w- c:\program files\ERUNT

2012-06-22 11:55 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-22 11:55 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-22 11:55 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-22 11:55 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-22 11:54 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-22 11:54 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-22 11:54 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-21 03:16 . 2012-06-02 05:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-21 03:16 . 2012-06-02 05:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-21 00:15 . 2012-06-21 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-21 00:15 . 2012-04-04 05:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-20 13:13 . 2012-06-25 10:40 -------- d-----w- c:\users\Patrick Fong\AppData\Local\lvpnwwpd

2012-06-16 05:32 . 2012-06-16 05:32 -------- d-----w- c:\programdata\Tarma Installer

2012-06-16 05:31 . 2012-06-20 14:09 -------- d-----w- c:\program files\1ClickDownload

2012-06-13 11:39 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll

2012-06-13 11:39 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-13 11:39 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-13 11:39 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-13 11:39 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys

2012-06-11 12:45 . 2012-06-11 12:45 -------- d-----w- c:\users\Patrick Fong\AppData\Local\Trend Micro

2012-06-11 12:37 . 2012-06-11 12:08 92432 ----a-w- c:\windows\system32\drivers\tmtdi.sys

2012-06-11 12:25 . 2012-06-11 12:08 68368 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys

2012-06-11 12:25 . 2012-06-11 12:08 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2012-06-11 12:25 . 2012-06-11 12:08 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys

2012-06-11 12:19 . 2012-06-11 12:19 56 ----a-w- c:\windows\system32\SupportTool.exe.bat

2012-06-11 12:14 . 2012-06-12 12:37 -------- d-----w- c:\programdata\Trend Micro

2012-06-11 12:05 . 2012-06-11 12:17 -------- d-----w- c:\program files\Trend Micro

2012-06-09 05:05 . 2012-06-09 05:05 -------- d--h--w- c:\programdata\Common Files

2012-06-08 13:08 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FB267CAB-EDFB-4DFE-9356-7F650B410C37}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-03 08:16 . 2012-05-11 11:44 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-03 08:16 . 2012-05-11 11:44 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-03-30 12:39 . 2012-05-11 11:46 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

"TchAhayq"="c:\users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe" [bU]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]

"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]

"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]

"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-09-11 176128]

"D-Link D-Link DWA-125"="c:\program files\D-Link\DWA-125 revA\AirGCFG.exe" [2010-05-21 1024000]

"WZCSLDR2"="c:\program files\D-Link\DWA-125 revA\WZCSLDR2.exe" [2010-04-20 122880]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-06 622592]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-02-27 1304792]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 133424]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

.

c:\users\Patrick Fong\Desktop\Programs\Startup\

tchahayq.exe [2012-6-20 92216]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Canon LBP5200 Status Window.lnk - c:\windows\System32\spool\drivers\w32x86\3\CNAC3LAK.EXE [2004-9-24 50848]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-16 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-16 692224]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]

NETGEAR WNA1100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA1100\WNA1100.exe [2012-3-4 4545024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Canon LBP5200 Status Window.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Canon LBP5200 Status Window.lnk

backup=c:\windows\pss\Canon LBP5200 Status Window.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]

2010-03-05 17:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 01:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

.

S3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\DRIVERS\3xHybrid.sys [2007-01-26 2831232]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=73&bd=Pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe

AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe

.

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(12068)

c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\nvvsvc.exe

c:\windows\system32\CNAC3RPK.EXE

c:\program files\Intel\IntelDH\CCU\AlertService.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\users\Patrick Fong\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

c:\program files\D-Link\DWA-125 revA\ANIWZCSdS.exe

c:\program files\D-Link\DWA-125 revA\ANIWConnService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\windows\system32\WUDFHost.exe

c:\windows\system32\conime.exe

c:\windows\ehome\ehsched.exe

c:\windows\ehome\ehRecvr.exe

c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Windows Media Player\wmplayer.exe

c:\windows\servicing\TrustedInstaller.exe

c:\program files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

.

Completion time: 2012-06-25 21:05:57 - machine was rebooted

ComboFix-quarantined-files.txt 2012-06-25 11:05

ComboFix2.txt 2012-06-22 13:12

ComboFix3.txt 2012-06-21 12:52

ComboFix4.txt 2012-06-21 05:03

ComboFix5.txt 2012-06-25 10:32

.

Pre-Run: 87,545,868,288 bytes free

Post-Run: 87,235,600,384 bytes free

.

- - End Of File - - 6F585ABF4D38106A754C0E8ED4AC8E1B

Link to post
Share on other sites

Hello,

I need to know, so that we are both in sync: This Combofix run was the 5th one for this system. Did you do the prior runs yourself? or did you get help elsewhere? If the latter, where?

Please do not run nor get tools on your own. It is important that we are both in-sync as to the state of your system. Only run the tools I guide you to.

  1. Close any/all open internet browsers. Save any open documents you have open & close programs you started.
  2. Click on START>All Programs>Malwarebytes' Anti-Malware>Tools>Malwarebytes Anti-Malware Chameleon
    On Windows 7, press Windows-key, then start typing in text box
Malwarebytes[code] then select/click [b]Malwarebytes Anti-Malware Chameleon[/b]
Once the Help file opens, click on a [b]Chameleon[/b] button (starting with #1)
If running on Vista, Windows 7, press the Yes button when prompted at the UAC prompt to allow to run.
You should see a black Command-prompt-window that remains open and says [b]MBAM-chameleon ver. 1.6[/b] at the top
Press any key to continue as it says in the window {space-bar will do}
If the Chameleon button you tried does not work, try the next Chameleon button shown. (There are 12 in all).
Have infinite patience during this process
Malwarebytes Chameleon will proceed to update Malwarebytes Anti-Malware, so ensure that you are connected to the internet if possible
Once the update completes and it says your database is updated, click on [b]OK[/b] button so that process can continue :excl:
Malwarebytes Chameleon will then terminate any threats running in memory, which may take a while, so please be patient.
After that, Malwarebytes Anti-Malware will open automatically and perform a Quick scan
A quick scan will take a few minutes, possibly 5 or so minutes. Have infinite patience.
Once the scan is complete, click on [b]Show Results[/b] and remove any threats that are found by clicking [b]Remove Selected[/b]
If prompted to restart your computer to complete the removal process, click [b]Yes[/b] :excl:
If no threats are found, press OK button & press EXIT to end MBAM. Press the space-bar (or another key) to exit the command-prompt-window.
After your computer restarts, open [b]Malwarebytes Anti-Malware[/b] and perform one last Quick scan to verify that there are no remaining threats

Copy and Paste contents of last MBAM scan log.

[color=blue]Step 2[/color]

Download [b]OTL[/b] by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

Please close any of your open windows/programs and exit; saving any open work you have.

I'd like to have you do a special run of OTL to generate some searches & a new log-report.

  • Please double-click [b]OTL.exe[/b] otlDesktopIcon.png to run it. ([b]Note:[/b] If you are running on Vista or Windows 7, right-click on the file and choose [b]Run As Administrator[/b]).
  • [b]Copy all the lines in between the **** stars lines **** below to the clipboard[/b] by highlighting [b]ALL[/b] of them and [b]pressing CTRL + C[/b] (or, after highlighting, right-click and choose [b]Copy[/b]):
    *****************************************************************
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %ALLUSERSPROFILE%\Application Data\*.dll /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %APPDATA%\*.dll /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    themeui.dll
    beep.sys
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %USERPROFILE%\..|smtmp;true;true;true /FP
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT
    *****************************************************************
  • Return to [color=blue]OTL[/color]. Right click in the [b]"Custom Scans/Fixes"[/b] window (under the aqua-blue bar) and choose [b]Paste[/b].
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on [b]Run Scan[/b].
  • The scan won't take long.
    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
    These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of just OTL.txt

[color=blue]Security Check[/color]

Download [b]Security Check[/b] by screen317 and save it to your Desktop: [b][u]here[/u][/b] or [b][u]here[/u][/b]

  • Run [b]Security Check[/b]
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called [b]checkup.txt[/b]; close Notepad. We will need this log, too, so remember where you've saved it!

eusa_hand.gif [b]If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.[/b]

Reports I need:

[b]C:\Qoobox\ComboFix-quarantined-files.txt

MBAM scan log

OTL.txt

Checkup.txt[/b]

and

tell me, [b]How is your system now[/b] :excl:

Link to post
Share on other sites

Hi,

Yes, I did the other Combofix runs myself. Prior to seeking your help, I had searched through various forums and found that Combofix had helped others in getting rid of the virus.

I'm having a few issues with the first step; I ran MBAM chameleon but MBAM did not automatically open nor could I run it from the Start menu. I also tried safemode but MBAM wouldn't run there either. Previously, I could access the MBAM forums in safemode but today I can't even do that (I couldn't access MBAM forums in normal mode when the virus first showed up). Should I continue with the rest of your instructions and leave the MBAM part out?

Regards,

Pat

Link to post
Share on other sites

If Normal mode of Windows is not usable, restart into Safe Mode With Networking (tap F8 when pc is restarting >> then pick Safe Mode with Networking).

Try MBAM one more time. If no go, proceed forth to Step 2. It is important to keep moving and address these issues in a timely manner.

Link to post
Share on other sites

The Combofix-quarantined-files log.

2012-06-25 10:55:14 . 2012-06-25 10:55:14 922 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-uTorrent.reg.dat

2012-06-25 10:49:43 . 2012-06-25 10:49:43 151 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-uTorrent.reg.dat

2012-06-25 10:33:24 . 2012-06-25 10:33:24 0 -c--a-w- C:\Qoobox\Quarantine\catchme.txt

2012-06-23 13:24:20 . 2012-06-23 13:24:22 4,048 ----a-w- C:\Qoobox\Quarantine\C\Users\Patrick Fong\AppData\Local\amfmkrxk.log.vir

2012-06-23 03:18:49 . 2012-06-25 09:12:39 2,813 ----a-w- C:\Qoobox\Quarantine\C\Users\Patrick Fong\AppData\Local\hsivcopd.log.vir

2012-06-23 03:18:49 . 2012-06-25 09:12:39 135,565 ----a-w- C:\Qoobox\Quarantine\C\Users\Patrick Fong\AppData\Local\jlypkcri.log.vir

2012-06-23 03:18:39 . 2012-06-23 03:18:39 3,315 ----a-w- C:\Qoobox\Quarantine\C\Users\Patrick Fong\AppData\Local\narfqwth.log.vir

2012-06-23 03:18:27 . 2012-06-25 10:31:08 1,061,146 ----a-w- C:\Qoobox\Quarantine\C\Users\Patrick Fong\AppData\Local\wqexycde.log.vir

2012-06-23 03:16:39 . 2012-06-25 10:31:34 24 ----a-w- C:\Qoobox\Quarantine\C\Users\Patrick Fong\AppData\Local\udkriyde.log.vir

2012-06-23 03:16:02 . 2012-06-23 03:16:24 415,424 ----a-w- C:\Qoobox\Quarantine\C\Users\Patrick Fong\AppData\Local\vtofbvlp.log.vir

2012-06-22 13:22:03 . 2012-06-20 13:13:08 92,216 ----a-w- C:\Qoobox\Quarantine\C\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe.vir

2012-06-21 02:29:44 . 2012-06-21 02:29:44 896 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-iTunesHelper.reg.dat

2012-06-21 02:29:34 . 2012-06-21 02:29:34 154 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-jswtrayutil.reg.dat

2012-06-21 02:29:32 . 2012-06-21 02:29:32 157 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-TchAhayq.reg.dat

2012-06-21 02:29:32 . 2012-06-21 02:29:32 138 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Steam.reg.dat

2012-06-21 02:29:32 . 2012-06-21 02:29:32 158 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Skype.reg.dat

2012-06-21 02:29:32 . 2012-06-21 02:29:32 600 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}.reg.dat

2012-06-21 02:29:31 . 2012-06-21 02:29:31 171 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03}.reg.dat

2012-06-21 02:29:29 . 2012-06-21 02:29:29 118 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03}.reg.dat

2012-06-21 02:18:59 . 2012-06-25 10:39:27 9,252 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2012-06-21 01:56:06 . 2012-06-25 10:41:26 1,214 -c--a-w- C:\Qoobox\Quarantine\catchme.log

2010-03-27 22:41:47 . 2010-03-27 22:45:53 1,057 ----a-w- C:\Qoobox\Quarantine\C\Users\Patrick Fong\AppData\Roaming\vso_ts_preview.xml.vir

2010-03-27 22:40:37 . 2010-03-27 22:46:08 87,608 ----a-w- C:\Qoobox\Quarantine\C\Users\Patrick Fong\AppData\Roaming\inst.exe.vir

2008-01-10 08:57:00 . 2008-01-10 08:57:00 3,717,664 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\SET608E.tmp.vir

2007-12-26 07:58:44 . 2008-11-16 03:43:35 375 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\drivers\etc\hosts.ics.vir

2007-12-26 01:42:03 . 2009-10-15 00:38:08 945 ----a-w- C:\Qoobox\Quarantine\C\Users\Patrick Fong\Desktop\Internet Explorer.lnk.vir

2007-11-06 22:03:18 . 2007-11-06 22:03:18 562,688 -c--a-w- C:\Qoobox\Quarantine\C\Install.exe.vir

The checkup log.

Results of screen317's Security Check version 0.99.42

Windows Vista Service Pack 2 x86 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

Trend Micro Titanium Maximum Security 2012

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.61.0.1400

Java 6 Update 21

Java 6 Update 2

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Reader 8 Adobe Reader out of Date!

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 2 % Defragment your hard drive soon!

````````````````````End of Log``````````````````````

Link to post
Share on other sites

OTL logfile created on: 26/06/2012 9:28:45 PM - Run 1

OTL by OldTimer - Version 3.2.53.0 Folder = C:\Users\Patrick Fong\Desktop

Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 77.65% Memory free

4.23 Gb Paging File | 3.96 Gb Available in Paging File | 93.63% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 289.41 Gb Total Space | 81.01 Gb Free Space | 27.99% Space Free | Partition Type: NTFS

Drive D: | 8.68 Gb Total Space | 1.01 Gb Free Space | 11.64% Space Free | Partition Type: NTFS

Drive G: | 994.70 Mb Total Space | 988.77 Mb Free Space | 99.40% Space Free | Partition Type: FAT

Computer Name: PATRICKFONG-PC | User Name: Patrick Fong | Logged in as Administrator.

Boot Mode: SafeMode with Networking | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/26 21:22:24 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Patrick Fong\Desktop\OTL.exe

PRC - [2009/04/11 16:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

========== Modules (No Company Name) ==========

MOD - [2012/01/09 18:44:20 | 000,166,912 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe -- (Amsp)

SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2010/12/15 03:01:00 | 004,041,064 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)

SRV - [2010/07/09 16:09:52 | 000,248,936 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)

SRV - [2010/07/01 09:38:26 | 000,083,512 | ---- | M] (ArcSoft, Inc.) [Auto | Stopped] -- C:\Users\Patrick Fong\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe -- (BackupService)

SRV - [2010/04/21 09:56:32 | 000,126,976 | ---- | M] (Wireless Service) [Auto | Stopped] -- C:\Program Files\D-Link\DWA-125 revA\ANIWZCSdS.exe -- (D_Link_DWA-125)

SRV - [2010/03/22 19:05:40 | 000,960,992 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe -- (jswpsapi)

SRV - [2010/03/03 09:45:46 | 000,053,248 | ---- | M] () [Auto | Stopped] -- C:\Program Files\D-Link\DWA-125 revA\ANIWConnService.exe -- (D_Link_DWA-125_WPS)

SRV - [2008/01/19 17:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2007/07/20 00:42:30 | 000,141,848 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)

SRV - [2007/07/20 00:40:48 | 000,137,752 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)

SRV - [2007/07/20 00:38:54 | 000,186,904 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe -- (LVCOMSer)

SRV - [2006/09/12 09:02:44 | 000,544,256 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe -- (Remote UI Service) Intel®

SRV - [2006/09/12 09:01:04 | 000,167,936 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe -- (MCLServiceATL) Intel®

SRV - [2006/09/12 08:56:32 | 000,075,264 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\issm.exe -- (ISSM) Intel®

SRV - [2006/09/12 08:56:20 | 000,188,416 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe -- (AlertService) Intel®

SRV - [2006/09/04 03:32:28 | 000,208,896 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe -- (DQLWinService)

SRV - [2006/09/01 16:47:56 | 000,026,624 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe -- (M1 Server) Intel® Viiv

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva359.sys -- (XDva359)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva348.sys -- (XDva348)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\EagleNT.sys -- (EagleNT)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)

DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)

DRV - [2012/06/26 12:26:12 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)

DRV - [2012/06/11 22:08:01 | 000,205,072 | ---- | M] (Trend Micro Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tmcomm.sys -- (tmcomm)

DRV - [2012/06/11 22:08:01 | 000,092,432 | ---- | M] (Trend Micro Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tmtdi.sys -- (tmtdi)

DRV - [2012/06/11 22:08:01 | 000,081,168 | ---- | M] (Trend Micro Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tmactmon.sys -- (tmactmon)

DRV - [2012/06/11 22:08:01 | 000,068,368 | ---- | M] (Trend Micro Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tmevtmgr.sys -- (tmevtmgr)

DRV - [2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2010/10/10 18:48:00 | 001,439,744 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athur.sys -- (athur)

DRV - [2010/07/10 08:37:00 | 011,008,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)

DRV - [2010/06/22 08:07:37 | 000,105,576 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)

DRV - [2010/04/29 21:27:36 | 000,849,248 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Dnetr28u.sys -- (netr28u)

DRV - [2009/03/06 18:09:52 | 000,012,800 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\anodlwf.sys -- (anodlwf)

DRV - [2008/05/14 09:08:04 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)

DRV - [2007/08/31 12:54:04 | 000,464,384 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr73.sys -- (netr73)

DRV - [2007/07/20 00:39:50 | 002,142,488 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVMVdrv.sys -- (LVMVDrv)

DRV - [2007/07/20 00:37:56 | 002,109,592 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Lvckap.sys -- (LVcKap)

DRV - [2007/07/19 10:44:00 | 000,041,752 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)

DRV - [2007/07/19 10:39:14 | 001,278,104 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)

DRV - [2007/07/19 10:39:14 | 000,013,848 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lv302af.sys -- (pepifilter)

DRV - [2007/07/18 17:42:42 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)

DRV - [2007/04/13 23:22:56 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®

DRV - [2007/04/11 14:33:06 | 000,079,376 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LMouKE.Sys -- (LMouKE)

DRV - [2007/04/11 14:32:38 | 000,063,248 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\L8042mou.Sys -- (L8042mou)

DRV - [2007/04/11 14:32:30 | 000,020,496 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\L8042Kbd.sys -- (L8042Kbd)

DRV - [2007/01/26 12:42:50 | 002,831,232 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\3xHybrid.sys -- (3xHybrid)

DRV - [2005/12/13 03:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=73&bd=Pavilion&pf=desktop

IE - HKLM\..\SearchScopes,DefaultScope = {B6007434-B024-448E-90EE-DCC80B96FCA1}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKLM\..\SearchScopes\{B6007434-B024-448E-90EE-DCC80B96FCA1}: "URL" = http://au.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}

IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=19950&mntrId=2444d38500000000000034080495ff42

IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADBS

IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = https://isearch.avg.com/search?cid={6DD99196-5726-4F73-9746-4C484A642043}&mid=e2257c0ae7f347d0bf19d152ba04ab3d-5c66ab25a8106ac3ef96210770a6d797e78d98b4〈=en&ds=gm011&pr=sa&d=2012-06-09 15:06:09&v=11.1.1.7&sap=dsp&q={searchTerms}

IE - HKCU\..\SearchScopes\{B6007434-B024-448E-90EE-DCC80B96FCA1}: "URL" = http://au.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"

FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="

FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)

FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)

FF - HKLM\Software\MozillaPlugins\@TrendMicro.com/FFExtension: C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension\components\npToolbarChrome.dll (Trend Micro Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\ProgramData\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2007/10/13 01:40:31 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{38783831-6098-4faa-A9C9-1EE1E343F4D2}: C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\firefoxextension [2012/06/12 22:33:14 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22181a4d-af90-4ca3-a569-faed9118d6bc}: C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension [2012/06/11 22:23:49 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension\ [2012/06/12 22:33:49 | 000,000,000 | ---D | M]

[2012/06/16 15:32:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Patrick Fong\AppData\Roaming\Mozilla\Firefox\Profiles\2h6v8mw9.default\extensions

[2007/10/13 01:42:13 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\Patrick Fong\AppData\Roaming\Mozilla\Firefox\Profiles\2h6v8mw9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2012/03/11 19:07:53 | 000,000,000 | ---D | M] (uTorrentControl2 Community Toolbar) -- C:\Users\Patrick Fong\AppData\Roaming\Mozilla\Firefox\Profiles\2h6v8mw9.default\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}

[2011/07/13 00:52:21 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\Patrick Fong\AppData\Roaming\Mozilla\Firefox\Profiles\2h6v8mw9.default\extensions\ffxtlbr@babylon.com

File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\DIVX@PARTNERS.MOZILLA.COM

File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\TALKBACK@MOZILLA.ORG

O1 HOSTS File: ([2012/06/25 20:43:50 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll (Trend Micro Inc.)

O2 - BHO: (TSToolbarBHO) - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll (Trend Micro Inc.)

O3 - HKLM\..\Toolbar: (Trend Micro Toolbar) - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.

O4 - HKLM..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe (Intel® Corporation)

O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)

O4 - HKLM..\Run: [D-Link D-Link DWA-125] C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe (D-Link Corp.)

O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)

O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()

O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech Inc.)

O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe ()

O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe ()

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)

O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)

O4 - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)

O4 - HKLM..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe (Trend Micro Inc.)

O4 - HKLM..\Run: [WZCSLDR2] C:\Program Files\D-Link\DWA-125 revA\WZCSLDR2.exe (Wireless Service)

O4 - HKCU..\Run: [TchAhayq] C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe File not found

O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{72545EE3-403B-4C48-9050-5A07AFB87826}: DhcpNameServer = 192.168.0.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{73907729-99B0-4873-B55B-564556193DCD}: DhcpNameServer = 192.168.0.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9DED64DF-2F82-4938-A509-17F82B9D095E}: DhcpNameServer = 192.168.0.1

O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)

O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll (Trend Micro Inc.)

O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll (Trend Micro Inc.)

O18 - Protocol\Handler\tmtb {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)

O18 - Protocol\Handler\tmtbim {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe) - C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe File not found

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/06/22 05:49:22 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKCU\...com [@ = ComFile] -- Reg Error: Key error. File not found

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: FastUserSwitchingCompatibility - File not found

NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)

NetSvcs: Nla - File not found

NetSvcs: Ntmssvc - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: SRService - File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: LogonHours - File not found

NetSvcs: PCAudit - File not found

NetSvcs: helpsvc - File not found

NetSvcs: uploadmgr - File not found

MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Canon LBP5200 Status Window.lnk - - File not found

MsConfig - StartUpReg: AdobeAAMUpdater-1.0 - hkey= - key= - C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)

MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)

MsConfig - State: "startup" - 2

MsConfig - State: "services" - 0

SafeBootMin: Base - Driver Group

SafeBootMin: Boot Bus Extender - Driver Group

SafeBootMin: Boot file system - Driver Group

SafeBootMin: File system - Driver Group

SafeBootMin: Filter - Driver Group

SafeBootMin: HelpSvc - Service

SafeBootMin: NTDS - File not found

SafeBootMin: PCI Configuration - Driver Group

SafeBootMin: PNP Filter - Driver Group

SafeBootMin: Primary disk - Driver Group

SafeBootMin: sacsvr - Service

SafeBootMin: SCSI Class - Driver Group

SafeBootMin: System Bus Extender - Driver Group

SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers

SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive

SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive

SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller

SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc

SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard

SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse

SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters

SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter

SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System

SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive

SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy

SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers

SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume

SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices

SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet: Base - Driver Group

SafeBootNet: Boot Bus Extender - Driver Group

SafeBootNet: Boot file system - Driver Group

SafeBootNet: File system - Driver Group

SafeBootNet: Filter - Driver Group

SafeBootNet: HelpSvc - Service

SafeBootNet: Messenger - Service

SafeBootNet: NDIS Wrapper - Driver Group

SafeBootNet: NetBIOSGroup - Driver Group

SafeBootNet: NetDDEGroup - Driver Group

SafeBootNet: Network - Driver Group

SafeBootNet: NetworkProvider - Driver Group

SafeBootNet: NTDS - File not found

SafeBootNet: PCI Configuration - Driver Group

SafeBootNet: PNP Filter - Driver Group

SafeBootNet: PNP_TDI - Driver Group

SafeBootNet: Primary disk - Driver Group

SafeBootNet: rdsessmgr - Service

SafeBootNet: sacsvr - Service

SafeBootNet: SCSI Class - Driver Group

SafeBootNet: Streams Drivers - Driver Group

SafeBootNet: System Bus Extender - Driver Group

SafeBootNet: TDI - Driver Group

SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SafeBootNet: WudfPf - Driver

SafeBootNet: WudfUsbccidDriver - Driver

SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers

SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive

SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive

SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller

SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc

SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard

SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse

SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net

SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient

SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService

SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans

SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters

SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter

SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System

SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive

SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers

SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy

SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers

SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume

SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices

SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

Link to post
Share on other sites

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)

ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -

ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0

ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.4

ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.4

ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack

ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework

ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE

ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -

ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx

ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help

ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6

ActiveX: {55ADC5F7-A848-4AE4-B8C2-E94FFCCB0DF7} -

ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools

ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements

ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player

ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access

ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders

ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7

ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework

ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll

ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings

ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install

ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding

ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts

ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1

ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player

ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help

ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface

ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP

ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig

ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.divxa32 - C:\Windows\System32\msaud32_divx.acm (Microsoft Corporation)

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: MSVideo - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)

Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)

Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

Drivers32: vidc.dvsd - C:\Windows\System32\pdvcodec.dll (Matsushita Electric Industrial Co., Ltd.)

Drivers32: VIDC.FPS1 - C:\Windows\System32\frapsvid.dll (Beepa P/L)

Drivers32: VIDC.I420 - C:\Windows\System32\lvcodec2.dll (Logitech Inc.)

Drivers32: vidc.XVID - C:\Windows\System32\xvidvfw.dll ()

CREATERESTOREPOINT

Unable to start System Restore Service. Error code 1084

========== Files/Folders - Created Within 30 Days ==========

[2012/06/26 21:24:06 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Users\Patrick Fong\Desktop\OTL.exe

[2012/06/26 12:09:11 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2012/06/25 20:43:56 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN

[2012/06/25 20:41:19 | 000,000,000 | ---D | C] -- C:\Users\Patrick Fong\AppData\Local\temp

[2012/06/25 20:31:46 | 000,000,000 | ---D | C] -- C:\ComboFix

[2012/06/25 20:07:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT

[2012/06/25 20:07:47 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2012/06/22 21:55:11 | 000,045,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups2.dll

[2012/06/22 21:55:10 | 002,422,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wucltux.dll

[2012/06/22 21:54:22 | 000,577,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapi.dll

[2012/06/22 21:54:22 | 000,088,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wudriver.dll

[2012/06/22 21:54:22 | 000,035,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups.dll

[2012/06/21 13:16:52 | 000,171,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuwebv.dll

[2012/06/21 13:16:52 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapp.exe

[2012/06/21 12:06:32 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2012/06/21 12:06:32 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2012/06/21 12:06:32 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2012/06/21 11:55:30 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/06/21 11:55:16 | 000,000,000 | R--D | C] -- C:\Users\Patrick Fong\Desktop\Programs\Administrative Tools

[2012/06/21 11:55:02 | 000,000,000 | ---D | C] -- C:\Windows\erdnt

[2012/06/21 10:15:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/06/21 10:15:20 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2012/06/21 10:15:20 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2012/06/20 23:13:21 | 000,000,000 | ---D | C] -- C:\Users\Patrick Fong\AppData\Local\lvpnwwpd

[2012/06/16 15:32:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Tarma Installer

[2012/06/16 15:31:51 | 000,000,000 | ---D | C] -- C:\Program Files\1ClickDownload

[2012/06/14 05:51:05 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb

[2012/06/14 05:51:04 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll

[2012/06/14 05:51:04 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe

[2012/06/14 05:51:02 | 001,800,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll

[2012/06/14 05:51:02 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll

[2012/06/14 05:51:02 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll

[2012/06/14 05:51:01 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl

[2012/06/13 21:39:32 | 002,045,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

[2012/06/11 22:45:19 | 000,000,000 | ---D | C] -- C:\Users\Patrick Fong\AppData\Local\Trend Micro

[2012/06/11 22:44:49 | 000,000,000 | ---D | C] -- C:\Users\Patrick Fong\Desktop\Programs\Trend Micro Titanium Maximum Security 2012

[2012/06/11 22:37:15 | 000,092,432 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmtdi.sys

[2012/06/11 22:25:52 | 000,205,072 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys

[2012/06/11 22:25:52 | 000,068,368 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmevtmgr.sys

[2012/06/11 22:25:51 | 000,081,168 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmactmon.sys

[2012/06/11 22:14:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Trend Micro

[2012/06/11 22:07:45 | 000,000,000 | ---D | C] -- C:\Users\Public\Desktop\--AGENT

[2012/06/11 22:05:06 | 066,901,312 | ---- | C] (Trend Micro Inc.) -- C:\Users\Public\Desktop\Trend_Micro.exe

[2012/06/11 22:05:01 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2012/06/09 15:05:20 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files

[2010/03/28 08:40:37 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Patrick Fong\AppData\Roaming\pcouffin.sys

Link to post
Share on other sites

========== Files - Modified Within 30 Days ==========

[2012/06/26 21:22:52 | 000,881,475 | ---- | M] () -- C:\Users\Patrick Fong\Desktop\SecurityCheck.exe

[2012/06/26 21:22:24 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Patrick Fong\Desktop\OTL.exe

[2012/06/26 21:10:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2012/06/26 21:09:05 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2012/06/26 21:09:05 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2012/06/26 20:35:00 | 000,025,600 | ---- | M] () -- C:\Users\Patrick Fong\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/06/26 20:01:29 | 000,176,597 | ---- | M] () -- C:\ProgramData\nvModes.dat

[2012/06/26 20:01:29 | 000,176,597 | ---- | M] () -- C:\ProgramData\nvModes.001

[2012/06/26 12:26:12 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2012/06/26 12:03:34 | 000,000,111 | ---- | M] () -- C:\Users\Patrick Fong\AppData\Roaming\mbam.context.scan

[2012/06/26 07:35:39 | 000,000,007 | ---- | M] () -- C:\Windows\System32\ANIWZCSUSERNAME

[2012/06/25 20:43:50 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2012/06/25 20:07:47 | 000,000,735 | ---- | M] () -- C:\Users\Patrick Fong\Desktop\NTREGOPT.lnk

[2012/06/25 20:07:47 | 000,000,716 | ---- | M] () -- C:\Users\Patrick Fong\Desktop\ERUNT.lnk

[2012/06/25 19:59:35 | 000,513,320 | ---- | M] () -- C:\Users\Patrick Fong\Desktop\erunt.zip.x350e0w.partial

[2012/06/24 11:48:08 | 000,000,680 | ---- | M] () -- C:\Users\Patrick Fong\AppData\Local\d3d9caps.dat

[2012/06/23 23:24:29 | 000,001,055 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Canon LBP5200 Status Window.lnk

[2012/06/23 15:47:57 | 000,620,172 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2012/06/23 15:47:57 | 000,112,020 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2012/06/21 10:17:03 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/06/14 10:36:24 | 000,435,512 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2012/06/11 22:45:16 | 000,001,149 | ---- | M] () -- C:\Users\Patrick Fong\Desktop\Trend Micro Titanium Maximum Security 2012.lnk

[2012/06/11 22:19:14 | 000,000,056 | ---- | M] () -- C:\Windows\System32\SupportTool.exe.bat

[2012/06/11 22:19:01 | 000,000,410 | RHS- | M] () -- C:\ProgramData\ntuser.pol

[2012/06/11 22:08:01 | 000,205,072 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys

[2012/06/11 22:08:01 | 000,092,432 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmtdi.sys

[2012/06/11 22:08:01 | 000,081,168 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmactmon.sys

[2012/06/11 22:08:01 | 000,068,368 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmevtmgr.sys

[2012/06/11 22:07:42 | 066,901,312 | ---- | M] (Trend Micro Inc.) -- C:\Users\Public\Desktop\Trend_Micro.exe

[2012/06/09 15:06:53 | 000,001,016 | ---- | M] () -- C:\Users\Patrick Fong\Application Data\Microsoft\Internet Explorer\Quick Launch\GOM Player.lnk

[2012/06/09 15:06:53 | 000,000,992 | ---- | M] () -- C:\Users\Public\Desktop\GOM Player.lnk

[2012/06/03 08:19:33 | 000,045,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wups2.dll

[2012/06/03 08:19:32 | 000,035,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wups.dll

[2012/06/03 08:19:23 | 000,577,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wuapi.dll

[2012/06/03 08:12:32 | 002,422,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wucltux.dll

[2012/06/03 08:12:13 | 000,088,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wudriver.dll

[2012/06/02 15:19:42 | 000,171,904 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wuwebv.dll

[2012/06/02 15:12:20 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wuapp.exe

[2012/06/02 10:33:46 | 000,000,412 | ---- | M] () -- C:\Users\Patrick Fong\Desktop\Downloads - Shortcut.lnk

[2012/05/30 21:59:47 | 000,002,627 | ---- | M] () -- C:\Users\Patrick Fong\Desktop\Microsoft Office Word 2007.lnk

========== Files Created - No Company Name ==========

[2012/06/26 21:24:06 | 000,881,475 | ---- | C] () -- C:\Users\Patrick Fong\Desktop\SecurityCheck.exe

[2012/06/26 11:40:21 | 000,000,111 | ---- | C] () -- C:\Users\Patrick Fong\AppData\Roaming\mbam.context.scan

[2012/06/25 20:07:47 | 000,000,735 | ---- | C] () -- C:\Users\Patrick Fong\Desktop\NTREGOPT.lnk

[2012/06/25 20:07:47 | 000,000,716 | ---- | C] () -- C:\Users\Patrick Fong\Desktop\ERUNT.lnk

[2012/06/25 19:59:36 | 000,513,320 | ---- | C] () -- C:\Users\Patrick Fong\Desktop\erunt.zip.x350e0w.partial

[2012/06/24 11:48:03 | 000,000,680 | ---- | C] () -- C:\Users\Patrick Fong\AppData\Local\d3d9caps.dat

[2012/06/24 11:47:42 | 000,025,600 | ---- | C] () -- C:\Users\Patrick Fong\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/06/21 12:06:32 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2012/06/21 12:06:32 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2012/06/21 12:06:32 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2012/06/21 12:06:32 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2012/06/21 12:06:32 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2012/06/21 10:17:03 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/06/11 22:44:49 | 000,001,149 | ---- | C] () -- C:\Users\Patrick Fong\Desktop\Trend Micro Titanium Maximum Security 2012.lnk

[2012/06/11 22:19:14 | 000,000,056 | ---- | C] () -- C:\Windows\System32\SupportTool.exe.bat

[2012/06/11 22:19:01 | 000,000,410 | RHS- | C] () -- C:\ProgramData\ntuser.pol

[2012/06/02 10:33:46 | 000,000,412 | ---- | C] () -- C:\Users\Patrick Fong\Desktop\Downloads - Shortcut.lnk

[2012/03/06 18:33:03 | 000,000,813 | ---- | C] () -- C:\Windows\Brpfx04a.ini

[2012/03/06 18:33:03 | 000,000,094 | ---- | C] () -- C:\Windows\brpcfx.ini

[2012/03/06 18:33:03 | 000,000,050 | ---- | C] () -- C:\Windows\System32\bridf06a.dat

[2012/03/06 18:26:42 | 000,000,066 | ---- | C] () -- C:\Windows\Brfaxrx.ini

[2012/03/06 18:26:40 | 000,000,000 | ---- | C] () -- C:\Windows\brdfxspd.dat

[2012/03/06 18:26:39 | 000,106,496 | ---- | C] () -- C:\Windows\System32\BrMuSNMP.dll

[2011/06/26 13:07:47 | 000,003,284 | ---- | C] () -- C:\Users\Patrick Fong\AppData\Roaming\ANIWZCS{9DED64DF-2F82-4938-A509-17F82B9D095E}

[2011/06/26 12:57:45 | 000,012,800 | ---- | C] () -- C:\Windows\System32\drivers\anodlwf.sys

[2011/06/26 12:57:44 | 000,013,931 | ---- | C] () -- C:\Windows\System32\RaCoInst.dat

[2010/12/13 20:38:02 | 001,048,576 | -HS- | C] () -- C:\Users\Patrick Fong\ehthumbs_vista.db

[2010/11/04 20:36:54 | 000,065,536 | ---- | C] () -- C:\Windows\IFinst27.exe

[2010/07/09 09:53:51 | 000,176,597 | ---- | C] () -- C:\ProgramData\nvModes.001

[2010/07/09 09:53:50 | 000,176,597 | ---- | C] () -- C:\ProgramData\nvModes.dat

[2010/03/28 08:40:37 | 000,007,887 | ---- | C] () -- C:\Users\Patrick Fong\AppData\Roaming\pcouffin.cat

[2010/03/28 08:40:37 | 000,001,144 | ---- | C] () -- C:\Users\Patrick Fong\AppData\Roaming\pcouffin.inf

[2009/01/28 15:50:22 | 000,000,000 | ---- | C] () -- C:\Users\Patrick Fong\initdebug.nfo

[2008/11/10 15:32:51 | 000,005,061 | ---- | C] () -- C:\ProgramData\xqkcebzs.dik

[2008/07/29 20:11:47 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat

[2007/12/26 18:00:28 | 000,017,908 | ---- | C] () -- C:\Users\Patrick Fong\AppData\Roaming\UserTile.png

========== Custom Scans ==========

< %ALLUSERSPROFILE%\Application Data\*. >

[2010/08/26 16:19:48 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Adobe

[2010/06/06 16:28:19 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Apple

[2010/06/06 16:08:19 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Apple Computer

[2006/11/02 23:00:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data\Application Data

[2007/12/27 12:37:50 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Arcade Lab

[2010/01/16 12:43:36 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\ArcSoft

[2011/07/14 00:57:59 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\AVS4YOU

[2011/07/13 00:51:59 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Babylon

[2012/03/06 18:24:49 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Brother

[2012/06/09 15:05:20 | 000,000,000 | -H-D | M] -- C:\ProgramData\Application Data\Common Files

[2006/11/02 23:00:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data\Desktop

[2006/11/02 23:00:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data\Documents

[2010/03/28 08:57:24 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Downloaded Installations

[2006/11/02 23:00:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data\Favorites

[2008/09/25 21:21:45 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Google

[2007/06/22 06:09:49 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Hewlett-Packard

[2007/06/22 05:42:27 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\HP

[2010/10/11 14:33:37 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\HPSS

[2007/06/22 05:22:24 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Intel

[2007/10/25 16:09:00 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Logishrd

[2008/11/16 12:59:49 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Logitech

[2008/12/26 15:17:30 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Malwarebytes

[2009/04/05 12:01:20 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Messenger Plus!

[2010/10/23 12:09:47 | 000,000,000 | --SD | M] -- C:\ProgramData\Application Data\Microsoft

[2012/06/14 06:16:45 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Microsoft Help

[2007/10/13 01:40:30 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Mozilla

[2007/06/22 05:49:10 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\muvee Technologies

[2012/06/11 21:55:01 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Norton

[2009/06/30 09:50:43 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\NortonInstaller

[2012/06/26 20:01:16 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\NVIDIA

[2010/08/03 11:55:03 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\NVIDIA Corporation

[2009/02/27 22:19:44 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Office Genuine Advantage

[2009/04/10 20:38:48 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\PC Suite

[2007/06/22 05:55:22 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\PC-Doctor

[2009/06/30 09:51:46 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\PCSettings

[2010/03/07 10:35:52 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Real

[2010/08/22 11:22:15 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\regid.1986-12.com.adobe

[2007/10/09 20:37:25 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Roxio

[2011/06/24 01:39:11 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Skype

[2007/10/09 20:31:20 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Sonic

[2006/11/02 23:00:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data\Start Menu

[2010/07/31 12:12:33 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Sun

[2009/07/01 16:35:54 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Symantec

[2012/06/16 15:32:38 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Tarma Installer

[2009/11/08 11:02:24 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\TEMP

[2006/11/02 23:00:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data\Templates

[2012/06/26 11:50:24 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Trend Micro

[2007/12/27 12:37:47 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\Trymedia

[2009/02/08 11:30:50 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\WindowsSearch

[2008/09/28 10:14:03 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\WLInstaller

[2010/11/05 21:56:00 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\xOcean

[2008/10/07 09:51:41 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

[2010/06/06 16:08:53 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2009/08/21 22:25:54 | 000,000,000 | ---D | M] -- C:\ProgramData\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

Link to post
Share on other sites

Hi,

When I start up the computer now, the "Windows Command Processor" popup does not appear. However, I still cannot access antivirus websites (such as Norton, Malwarebytes) nor the Microsoft website. Does that mean that the virus is still present?

I also can't run MBAM. I can run Trend Micro but nothing shows up in the scans. I'll wait for further instructions, thanks.

Link to post
Share on other sites

When you get back to this topic, be sure to click on the Follow this Topic icon at upper-left side.

*** Revised reply ***

These steps are for madara only. If you are a casual viewer, do NOT try this on your system!

If you are not madara and have a similar problem, do NOT post here; start your own topic

The fixes in this Topic are for this system only! Do not apply the fix-instructions from this topic to your any other system!

You will want to print out or copy these instructions to Notepad for Safe offline reference!

Do not do any websurfing on this system. Only go to this forum and the sites I guide you to for tools or online scans.

Please follow my guidance

eusa_hand.gif If you are a casual viewer, do NOT try this on your system!

If you are not the originating-member-poster and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

icon_arrow.gifDo NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

Advise me if your Vista is in Normal mode or in Safe Mode with Networking?

I need for you to always tell me that, until we make some further headway.

Do as much as you can of the following:

Step 1

Close any of your open programs while you run these tools.

Step 2

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Step 3

Select and copy the following bolded lines to your clipboard:

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v TchAhayq /f
reg delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /v _avp32.exe /f
reg delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /v ashLogV.exe /f
reg delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /v beagle.exe /f
reg delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /v jedi.exe /f
reg delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /v msa.exe /f
reg delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /v ntvdm.exe /f
reg delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /v rav7.exe /f
reg delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /v spoler.exe /f
reg delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /v vir-help.exe /f
reg delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /v wupdt.exe /f

Click on the Start button, then type into Search box

CMD.EXE

.

Right click on CMD.EXE and then select Run as administrator.

In the UAC prompt, verify that the program’s name is Windows Command Processor (aka dos box {in a black window}) and then click Yes

Right click on the Command Prompt window’s black area, then select Paste

Press Enter, you should see a message stating "The operation completed successfully".

If you see a message stating ERROR: Access is denied, please make sure you used Run as Administrator.

Close the Command Prompt window.

Step 4

1. Open Internet Explorer.

2. Click "Tools," and then click "Internet Options."

3. Click "Connections," and then click "LAN Settings."

4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.

5. Make sure items listed for Proxy server are UN-checked . Apply changes & OK

6. Close/exit Internet explorer.

Step 5

  • Download & SAVE to your Desktop >> Tigzy's RogueKillerfrom here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop

Step 6

also, make a fresh run of DDS and copy and Paste only the DDS.txt log (and do not forget the prior reports/logs from above).

Step 7

Give me some detail on how/what shows when you try to start MBAM. some decent detail.

Did you only just recently install Trend Micro security near June 11 ?

What antivirus was installed before?

Has this pc ever been without antivirus ? :excl:

Link to post
Share on other sites

Unfortunately, I'm at work at the moment but will start on the above steps as soon as I get home.

Meanwhile, here are the answers to your questions.

#1: Yes, I did recently install Trend Micro, but I don't remember if it was around June 11. I had a few issues installing in the beginning so I installed the software a couple of days before entering the product key. One of the issues was that it told me to uninstall MBAM before I could proceed. I installed Trend on 3 computers in total; 2 told me to uninstall MBAM first.

#2: Norton 360 was installed prior to Trend.

#3: For about 2-3 days the computer had no antivirus protection; that was the period between Norton 360 expiring and Trend being installed/activated.

#4: Nothing shows up when I try to start MBAM. I right-click on MBAM and run as administrator. A few times there's a popup asking for permission to run MBAM, but when I click yes, nothing runs. Now there's no popup either, and MBAM still won't run. I've checked Task Manager and MBAM doesn't appear in processes either.

PS. When I ran OTL (post #7), two DDS logs popped up during the process. I just closed them when they appeared and I did have to leave the scan overnight so I don't know what happened when I was asleep. Will this affect the new DDS run that I will be doing now?

PPS. I ran the previous tools (post #7) in Safe Mode with Networking. Should I be using Normal Mode or is Safe Mode ok? Also, I can't download the tools in Normal or Safe Mode, they always get stuck at ~97% so I had to transfer the files via USB. Is it safe to use this USB again to download tools or will this be infected too?

I have to say, thank you very much in advance, for your patience and your guidance. I have a feeling I'm giving you a massive headache!

Link to post
Share on other sites

It is much preferred if you have Windows in Normal mode. That way we can "see" all active processes.

It is important you get moving on steps I outlined. The sooner the better.

In meantime, until we make more headway, while the system is "idle", disconnect it from internet.

In Internet Explorer, one time, you need to make sure to empty temporary files. use SHIFT+CTRL+DEL to start the "delete" dialog.

Did you un-install Norton360 using Programs and Features?

On the USB-flash, use a new one if you have. Otherwise, make certain the one you use is clean.

But please, get going on what I outlined.

Link to post
Share on other sites

Hi again,

In step 3, I've copied and pasted the bolded lines into CMD, but only the first one was successful, and all the following ones said there was a syntax error. Is that meant to happen?

I'll proceed to S4 but just a heads up that S3 might have been incomplete. By the way as a side note did I have to Copy/Paste each line individually? I did the lot in one go (not sure if that'll make a difference)

Link to post
Share on other sites

RogueKiller V7.6.1 [06/28/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User: Patrick Fong [Admin rights]

Mode: Scan -- Date: 06/28/2012 23:11:56

¤¤¤ Bad processes: 2 ¤¤¤

[sVCHOST] svchost.exe -- C:\Windows\system32\svchost.exe -> KILLED [TermProc]

[sVCHOST] svchost.exe -- C:\Windows\system32\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 10 ¤¤¤

[sUSP PATH] HKCU\[...]\Run : TchAhayq (C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe) -> FOUND

[sUSP PATH] HKUS\S-1-5-21-517934540-472169772-531085458-1001[...]\Run : TchAhayq (C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe) -> FOUND

[sUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe,,C:\Users\Patrick Fong\AppData\Local\lvpnwwpd\tchahayq.exe) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[64] : NtCreateKey @ 0x829FB140 -> HOOKED (\??\C:\Users\PATRIC~1\AppData\Local\Temp\bnihhwug.sys @ 0x9D0026AC)

SSDT[65] : NtCreateKeyTransacted @ 0x829A0FB2 -> HOOKED (\??\C:\Users\PATRIC~1\AppData\Local\Temp\bnihhwug.sys @ 0x9D002708)

SSDT[189] : NtOpenKey @ 0x82A14696 -> HOOKED (\??\C:\Users\PATRIC~1\AppData\Local\Temp\bnihhwug.sys @ 0x9D002562)

SSDT[190] : NtOpenKeyTransacted @ 0x829A0F57 -> HOOKED (\??\C:\Users\PATRIC~1\AppData\Local\Temp\bnihhwug.sys @ 0x9D002604)

S_SSDT[572] : Unknown -> HOOKED (Unknown @ 0xA901D1FC)

S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x9FF8838C)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320820AS ATA Device +++++

--- User ---

[MBR] 517d979d7e41c90176b4180f0e37411e

[bSP] 2552b2d2227b2ea2b3c92a526a1a6f5d : HP tatooed MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 296355 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 606935700 | Size: 8887 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Link to post
Share on other sites

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_02

Run by Patrick Fong at 23:26:28 on 2012-06-28

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.61.1033.18.2047.875 [GMT 10:00]

.

AV: Trend Micro Titanium Maximum Security 2012 *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}

SP: Trend Micro Titanium Maximum Security 2012 *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\CNAC3RPK.EXE

C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe

C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe

C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Users\Patrick Fong\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe

C:\Program Files\D-Link\DWA-125 revA\ANIWConnService.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\conime.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\hp\support\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

C:\Windows\RtHDVCpl.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe

C:\Program Files\D-Link\DWA-125 revA\WZCSLDR2.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Windows\system32\taskeng.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\ehome\ehsched.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Windows\ehome\ehRecvr.exe

C:\hp\kbd\kbd.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

C:\Users\Patrick Fong\Desktop\RogueKiller.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com.au/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=73&bd=Pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\users\patrick fong\appdata\local\lvpnwwpd\tchahayq.exe

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll

BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [TchAhayq] c:\users\patrick fong\appdata\local\lvpnwwpd\tchahayq.exe

mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe

mRun: [KBD] c:\hp\kbd\KbdStub.EXE

mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe

mRun: [D-Link D-Link DWA-125] c:\program files\d-link\dwa-125 reva\AirGCFG.exe

mRun: [WZCSLDR2] c:\program files\d-link\dwa-125 reva\WZCSLDR2.exe

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""

mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\canonl~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\CNAC3LAK.EXE

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna1100\WNA1100.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{72545EE3-403B-4C48-9050-5A07AFB87826} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{73907729-99B0-4873-B55B-564556193DCD} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{9DED64DF-2F82-4938-A509-17F82B9D095E} : DhcpNameServer = 192.168.0.1

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll

Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll

Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - c:\program files\trend micro\titanium\uiframework\ProToolbarIMRatingActiveX.dll

.

============= SERVICES / DRIVERS ===============

.

R1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\drivers\anodlwf.sys [2011-6-26 12800]

R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2012-6-11 68368]

R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2012-6-11 200632]

R2 BackupService;BackupService;c:\users\patrick fong\appdata\roaming\hp simplesave application\uUACTokenSvc.exe [2010-10-11 83512]

R2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\d-link\dwa-125 reva\ANIWConnService.exe [2011-6-26 53248]

R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-4 208896]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-14 21504]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]

R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [2007-6-22 2831232]

R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2012-3-4 1439744]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-21 22344]

R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-8-31 464384]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-8-3 105576]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\d-link\dwa-125 reva\ANIWZCSdS.exe [2011-6-26 126976]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-21 654408]

S2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-12 167936]

S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\netgear\wna1100\jswpsapi.exe [2012-3-4 960992]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-6-26 40776]

S3 netr28u;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Dnetr28u.sys [2011-6-26 849248]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-06-28 13:09:52 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-06-26 02:09:11 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-06-25 10:43:56 -------- dc----w- C:\$RECYCLE.BIN

2012-06-25 10:41:19 -------- d-----w- c:\users\patrick fong\appdata\local\temp

2012-06-25 10:31:46 -------- dc----w- C:\ComboFix

2012-06-22 11:55:10 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-22 11:54:22 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-21 03:16:52 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-21 03:16:52 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-21 02:06:32 98816 ----a-w- c:\windows\sed.exe

2012-06-21 02:06:32 518144 ----a-w- c:\windows\SWREG.exe

2012-06-21 02:06:32 256000 ----a-w- c:\windows\PEV.exe

2012-06-21 02:06:32 208896 ----a-w- c:\windows\MBR.exe

2012-06-21 00:15:20 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-21 00:15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-20 13:13:21 -------- d-----w- c:\users\patrick fong\appdata\local\lvpnwwpd

2012-06-16 05:32:38 -------- d-----w- c:\programdata\Tarma Installer

2012-06-16 05:31:51 -------- d-----w- c:\program files\1ClickDownload

2012-06-13 11:39:57 984064 ----a-w- c:\windows\system32\crypt32.dll

2012-06-13 11:39:57 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-13 11:39:57 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-13 11:39:34 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-13 11:39:32 2045440 ----a-w- c:\windows\system32\win32k.sys

2012-06-11 12:45:19 -------- d-----w- c:\users\patrick fong\appdata\local\Trend Micro

2012-06-11 12:37:15 92432 ----a-w- c:\windows\system32\drivers\tmtdi.sys

2012-06-11 12:25:52 68368 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys

2012-06-11 12:25:52 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2012-06-11 12:25:51 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys

2012-06-11 12:19:14 56 ----a-w- c:\windows\system32\SupportTool.exe.bat

2012-06-11 12:14:57 -------- d-----w- c:\programdata\Trend Micro

2012-06-11 12:05:01 -------- d-----w- c:\program files\Trend Micro

2012-06-09 05:05:20 -------- d--h--w- c:\programdata\Common Files

2012-06-08 13:08:14 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{fb267cab-edfb-4dfe-9356-7f650b410c37}\mpengine.dll

.

==================== Find3M ====================

.

2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-04-03 08:16:12 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-03 08:16:11 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

.

============= FINISH: 23:35:16.69 ===============

Link to post
Share on other sites

  • Disable your anti-virus program, How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-Click RogueKiller and select Run as Administrator.
  • Wait until Prescan finishes.
  • On the RogueKiller console, click the Registry tab.
  • Then press the Delete button.
  • When done, logoff & Restart the system.
  • The log will be found as RKreport
    Copy & Paste the contents into next reply.

Link to post
Share on other sites

Just a quick update; when I try to run MBAM (both by double-clicking the icon and by right-clicking/run as admin) I get a brief (2-3sec) loading wheel next to my cursor, but then nothing opens up. Also, MBAM doesn't show up in Windows Task Manager, neither as an application nor a process.

On the other hand, I'm now able to access the Malwarebytes/Microsoft websites on the infected computer (not sure if that's any progress).

I'll await more instructions from you before I do anything else. Thanks once again for your great guidance and patients.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.