landen

Need help please with an infected machine please.

20 posts in this topic

Hi. I've watched other threads here for the past few days and I don't know what else to do than ask for help. This machine was infected (I believe 9/19 late through early 9/20). Malwarebytes started picking it up when I bought and installed it that night (just had virus software, but the settings weren't correct).

I'm sure you will find more, but right now MAB's down to the hourly c:/ProgramData/update/SEUPD.EXE attempt.

The original (whatever it was):

- accessed the hosts file and added 2 IP addresses (this is one - 212.117.179.25)

- added a lot of lines to the registry under the name lvbsufhfngruf (not there now)

- added this to User and Machine under RUN: msrcqxbg.dll (with an argument letter, but I can't find it)

- added files and directories to the [%User%]/local/Appdata/Temp/ dir GDI32.exe

- among other things I'm sure you've seen before so I won't rattle on.

There are a lot of startup programs disabled in Windows security (I think MAB did that throughout the past couple of days). If you need them, please let me know.

I tried to run the dds.scr script, but I only received one text file which looks crazy, but I'm attaching it.

I really appreciate your help. I can't believe of all machines this happened to this one, but I should have paid better attention to its security.

Thank you so much for your help. I am getting so far behind it's crazy.

Landen

mbam_Upload_Files.zip


Welcome to the forum.

Can you post that log from MBAM? The zip doesn't work for me.

Also post a HJT log of the system:

You can download the HJT installer HERE:

Double-click HJTInstall.exe to install it. By default it will install to C:\Program Files\Trend Micro\HijackThis . Click on Install. It will create a HijackThis icon on the desktop. Once installed, it will launch HijackThis. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Save the log to a convenient location.

Copy and paste it into your post.

MrC


I'm SO glad I got you to help me Mr. Charlie. I've been going through the threads and your threads seemed to lead to outcomes (not to say I read all threads or anything else). I just hoped I would be assigned to you. Thank you so much for your help! Landen

The last part (Protection-Log-2010-09-30.txt) of this post shows the crazy characters and the quarantine file I get from MALB.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 9:43:47 AM, on 9/30/2010

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18943)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files (x86)\Olympus\DeviceDetector\DevDtct2.exe

C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe

C:\Program Files (x86)\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe

C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files (x86)\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe

C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe

C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Users\Administrator\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe

C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe

C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe

C:\Users\Administrator\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wsoctv.com/interactive-radar/index.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O1 - Hosts: ::1 localhost

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [LELA] "C:\Program Files (x86)\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized

O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [cctray] "C:\Program Files (x86)\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun

O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [VetStart] "C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe" -r

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\RunOnce: [CleanSetup] cmd /C rmdir /S /Q "C:\Users\Administrator\AppData\Local\Temp\nro.tmp\"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [Mquxe] C:\Windows\system.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe

O4 - Global Startup: Device Detector 3.lnk = C:\Program Files (x86)\Olympus\DeviceDetector\DevDtct2.exe

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files (x86)\Digital Line Detect\DLG.exe

O4 - Global Startup: Directrec Configuration Tool.lnk = C:\Program Files (x86)\Olympus\DeviceDetector\DirectrecConfig.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe

O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files (x86)\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)

O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files (x86)\Olympus\DeviceDetector\DM1Service.exe

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files (x86)\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe

O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 64-bit 64-bit (mi-raysat_3dsMax2009_64) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_64server.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\Windows\SysWOW64\drivers\pclepci.sys

O23 - Service: PMBDeviceInfoProvider - Sony Corporation - C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\SysWOW64\PSIService.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

O23 - Service: mental ray Satellite 3.7.1 for Maya 2009 (64 bit) (RaySat2009Server) - Unknown owner - C:\Program Files\Autodesk\mrsat3.7.1-maya2009\bin\raysat2009server.exe

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 14137 bytes

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4722

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18943

9/30/2010 9:50:35 AM

mbam-log-2010-09-30 (09-50-35).txt

Scan type: Flash scan

Objects scanned: 120520

Time elapsed: 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Protection-Log-2010-09-30.txt:

03:00:10 Administrator MESSAGE Scheduled update executed successfully

03:00:11 Administrator MESSAGE IP Protection stopped

03:00:14 Administrator MESSAGE Database updated successfully

03:00:15 Administrator MESSAGE IP Protection started successfully

07:00:09 Administrator MESSAGE Scheduled update executed successfully

07:00:09 Administrator MESSAGE IP Protection stopped

07:00:13 Administrator MESSAGE Database updated successfully

07:00:13 Administrator MESSAGE IP Protection started successfully

09:27:50 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE ????????????????

?????????????????????????????

?????????????????????????????

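Added example (not part of this thread, and not code from HijackThis or Malwarebytes): a small Python triage script that parses the O4 autostart lines of a HijackThis log and flags the patterns described in this thread, namely autostart targets in a user's Temp folder, rundll32 loading a DLL from Temp, an executable sitting directly in the Windows root, and value names that share one random-looking prefix. The sample lines are copied from the logs posted in this thread; the heuristics and thresholds are my own assumptions and mark entries for review, not as confirmed malware.

```python
"""Triage the O4 (autostart) lines of a HijackThis log for the patterns this
thread describes: autostarts dropped in a user's Temp folder, rundll32 loading
a DLL from Temp, an executable sitting directly in the Windows root, and a
family of value names that share one random-looking prefix (Lvbsufhfng...).

Every heuristic here is an assumption for review, not a verdict on the file."""
import re
from collections import Counter

# O4 lines look like: O4 - HKLM\..\Run: [ValueName] command line
# The hive may carry a SID, e.g. HKUS\S-1-5-19\..\Run. Startup-folder O4 lines
# ("O4 - Startup:", "O4 - Global Startup:") are out of scope and return None.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Local Settings\\Temp|Windows\\Temp)\\", re.I)
# An .exe directly in C:\Windows\ (not in a subfolder such as System32 or ehome).
WINROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def parse_o4(line):
    """Return {hive, key, name, cmd} for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def split_cmd(cmd):
    """Split an autostart command line into (target, args), honouring a quoted target."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def flag_entry(entry):
    """Apply the per-entry heuristics; returns a list of human-readable reasons."""
    target, args = split_cmd(entry["cmd"])
    reasons = []
    base = target.lower().rsplit("\\", 1)[-1]
    if base in ("rundll32", "rundll32.exe"):
        # rundll32 syntax is <dll>,<export>; only the DLL path matters here
        dll = args.split(",", 1)[0].strip().strip('"')
        if TEMP_RE.search(dll):
            reasons.append("rundll32 loads a DLL from a Temp folder")
    elif TEMP_RE.search(target):
        reasons.append("autostart target lives in a Temp folder")
    if WINROOT_EXE_RE.match(target):
        reasons.append("executable directly in the Windows root, not System32/SysWOW64")
    return reasons


def shared_prefix_families(entries, min_len=8, min_members=3):
    """Group value names sharing a prefix of min_len chars with >= min_members others.

    Legitimate names rarely cluster like this; the Lvbsufhfng* family in the
    9/24 log does. Returns {lower-cased prefix: [names]}."""
    names = sorted({e["name"] for e in entries if len(e["name"]) >= min_len})
    counts = Counter(n[:min_len].lower() for n in names)
    return {
        prefix: [n for n in names if n[:min_len].lower() == prefix]
        for prefix, c in counts.items() if c >= min_members
    }


def triage(log_text):
    """Parse a HijackThis log; return (hive, key, name, cmd, reasons) per flagged O4 entry."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    family_names = {n for names in shared_prefix_families(entries).values() for n in names}
    findings = []
    for e in entries:
        reasons = flag_entry(e)
        if e["name"] in family_names:
            reasons.append("value name belongs to a family sharing a random-looking prefix")
        if reasons:
            findings.append((e["hive"], e["key"], e["name"], e["cmd"], reasons))
    return findings


# Constructed sample: O4 lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LvbsufhfngdP] C:\Users\Administrator\AppData\Local\Temp\y1ks1.exe
O4 - HKLM\..\Run: [Lvbsufhfngl/] C:\Users\Administrator\AppData\Local\Temp\gdi32.exe
O4 - HKLM\..\Run: [Lvbsufhfngruf] C:\Users\Administrator\AppData\Local\Temp\wininst.exe
O4 - HKLM\..\RunOnce: [CleanSetup] cmd /C rmdir /S /Q "C:\Users\Administrator\AppData\Local\Temp\nro.tmp\"
O4 - HKCU\..\Run: [ynwnwf] RUNDLL32.EXE C:\Users\ADMINI~1\AppData\Local\Temp\msrcqxbq.dll,w
O4 - HKCU\..\Run: [Mquxe] C:\Windows\system.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
"""

if __name__ == "__main__":
    for hive, key, name, cmd, reasons in triage(SAMPLE_LOG):
        print(f"{hive}\\..\\{key} [{name}] {cmd}")
        for r in reasons:
            print("    ->", r)
```

The RunOnce cleanup entry and the Windows-supplied sidebar/ehTray entries pass untouched, which is the point of checking the target rather than the whole command line.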

Please do this:

Download OTL and scan.txt to your desktop.

  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed.
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying Click Ok to load a custom scan from a file or Cancel to cancel
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Quick Scan button.
  • Do not change any settings unless otherwise told to do so.
  • The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please attach them as .txt files.

MrC


Yes. 64-bit Vista Ult. SP1. I don't know the name of the virus or malware that hit me, but when it started, I disconnected from the Internet and did research from an old laptop. The HiJackThis log below is from the time before I got back on the Internet (I think to purchase MALB) and tried to clean it up myself. I didn't know at the time malware software wasn't in CA's Suite.

If I try to go to the Security Center in the Control Panel, the system now says "The Security Center Service Can't be started". Defender is up though. I received an Administrator warning about access to the registry as well (which never happened before) and then I used an app that ran as the system which enabled access again. Below is a HiJack log from the 24th with all the entries from "Lvbsufhfngruf" in it. I just did what I usually do and tried to figure out what happened. I haven't had a virus/malware/trojan before.

There are other things like trying to turn back on CA Real Time Security: it says ok and reboots, but it doesn't turn it on. My system randomly builds huge temp_1* and temp_2 directories almost a Gig in size (sporadically) in the appdata/local/temp dir (just over and over like it is trying to fill my disk).

The main thing I "see" now is the c:/ProgramData/Updata/Seupd.exe attempt I thought MALB was stopping. I can't remember if the file existed, but it's not in there now. I also removed the temp .exe's added by these Lvbsufhfngruf registry values.

This is the old log (if it helps). Thanks Mr. Charlie. Landen

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:52:38 AM, on 9/24/2010

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18943)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files (x86)\Olympus\DeviceDetector\DM1Service.exe

C:\Program Files (x86)\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Windows\SysWOW64\java.exe

C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_64server.exe

C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe

C:\Windows\SysWOW64\PSIService.exe

c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files (x86)\Olympus\DeviceDetector\DevDtct2.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files (x86)\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe

C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe

C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files (x86)\MagicDisc\MagicDisc.exe

C:\Program Files (x86)\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe

C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe

C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\Program Files (x86)\CA\CA Internet Security Suite\ccprovsp.exe

C:\Users\Administrator\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe

C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe

C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe

C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe

C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

C:\Windows\SysWOW64\NOTEPAD.EXE

C:\Program Files (x86)\Common Files\Adobe\dynamiclink\CS5\dynamiclinkmanager.exe

C:\Program Files (x86)\Common Files\Adobe\dynamiclink\CS5\dynamiclinkmanager.exe

C:\Program Files\Adobe\Adobe After Effects CS5\Support Files\32\Adobe QT32 Server.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

C:\Users\Administrator\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wsoctv.com/interactive-radar/index.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O1 - Hosts: ::1 localhost

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files (x86)\MSN\Toolbar\3.0.1203.0\msneshellx.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [LELA] "C:\Program Files (x86)\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized

O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [cctray] "C:\Program Files (x86)\CA\CA Internet Security Suite\cctray\cctray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKLM\..\Run: [uVS12 Preload] "C:\Program Files (x86)\Corel\Corel VideoStudio 12\uvPL.exe"

O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"

O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [LvbsufhfngdP] C:\Users\Administrator\AppData\Local\Temp\y1ks1.exe

O4 - HKLM\..\Run: [Lvbsufhfngl/] C:\Users\Administrator\AppData\Local\Temp\gdi32.exe

O4 - HKLM\..\Run: [Lvbsufhfngruf] C:\Users\Administrator\AppData\Local\Temp\wininst.exe

O4 - HKLM\..\Run: [Lvbsufhfngupf] C:\Users\Administrator\AppData\Local\Temp\sysedit.exe

O4 - HKLM\..\Run: [VetStart] "C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe" -r

O4 - HKLM\..\Run: [Lvbsufhfngosf] C:\Users\Administrator\AppData\Local\Temp\taskmgr.exe

O4 - HKLM\..\Run: [Lvbsufhfngnb] C:\Users\Administrator\AppData\Local\Temp\cmd.exe

O4 - HKLM\..\Run: [Lvbsufhfngph] C:\Users\Administrator\AppData\Local\Temp\setup.exe

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [ynwnwf] RUNDLL32.EXE C:\Users\ADMINI~1\AppData\Local\Temp\msrcqxbq.dll,w

O4 - HKCU\..\Run: [Mquxe] C:\Windows\system.exe

O4 - HKCU\..\Run: [LvbsufhfngdP] C:\Users\Administrator\AppData\Local\Temp\y1ks1.exe

O4 - HKCU\..\Run: [Lvbsufhfngrrc] C:\Users\Administrator\AppData\Local\Temp\winamp.exe

O4 - HKCU\..\Run: [Lvbsufhfngre] C:\Users\Administrator\AppData\Local\Temp\win.exe

O4 - HKCU\..\Run: [Lvbsufhfngne] C:\Users\Administrator\AppData\Local\Temp\mdm.exe

O4 - HKCU\..\Run: [Lvbsufhfngl/] C:\Users\Administrator\AppData\Local\Temp\gdi32.exe

O4 - HKCU\..\Run: [Lvbsufhfngruf] C:\Users\Administrator\AppData\Local\Temp\wininst.exe

O4 - HKCU\..\Run: [Lvbsufhfngupf] C:\Users\Administrator\AppData\Local\Temp\sysedit.exe

O4 - HKCU\..\Run: [Lvbsufhfngosf] C:\Users\Administrator\AppData\Local\Temp\taskmgr.exe

O4 - HKCU\..\Run: [Lvbsufhfngnb] C:\Users\Administrator\AppData\Local\Temp\cmd.exe

O4 - HKCU\..\Run: [Lvbsufhfngph] C:\Users\Administrator\AppData\Local\Temp\setup.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe

O4 - Global Startup: Device Detector 3.lnk = C:\Program Files (x86)\Olympus\DeviceDetector\DevDtct2.exe

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files (x86)\Digital Line Detect\DLG.exe

O4 - Global Startup: Directrec Configuration Tool.lnk = C:\Program Files (x86)\Olympus\DeviceDetector\DirectrecConfig.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe

O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe

O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files (x86)\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe

O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)

O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files (x86)\Olympus\DeviceDetector\DM1Service.exe

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files (x86)\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe

O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 64-bit 64-bit (mi-raysat_3dsMax2009_64) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_64server.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\Windows\SysWOW64\drivers\pclepci.sys

O23 - Service: PMBDeviceInfoProvider - Sony Corporation - C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe

O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\SysWOW64\PSIService.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

O23 - Service: mental ray Satellite 3.7.1 for Maya 2009 (64 bit) (RaySat2009Server) - Unknown owner - C:\Program Files\Autodesk\mrsat3.7.1-maya2009\bin\raysat2009server.exe

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files (x86)\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 19900 bytes


OK, run the OTL scan as outlined in this post:

http://forums.malwarebytes.org/index.php?s...st&p=320862

Just read this standard warning given...it's possible it will apply to your system.

But please check with your financial institutions for any suspicious activity if you use this computer for such purposes.

One or more of the identified infections is a backdoor trojan

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

MrC


OK. Here they are Mr. Charlie. At some point during the scan the checkmark for "Skip Microsoft Files" appeared in the check box. It wasn't checked when the scan started. I may be paranoid, but just wanted to let you know. Thanks - Landen.

OTL.Txt

Extras.Txt


OK, don't worry about that.

It takes some time to look these over so I'll get back to you later, MrC


Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O4:64bit: - HKLM..\Run: [LogMeIn GUI] C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe File not found
    O4 - HKLM..\Run: [] File not found
    O4 - HKCU..\Run: [AdobeBridge] File not found
    O4 - HKCU..\Run: [LvLXPiejlk+] File not found
    O4 - HKCU..\Run: [Mquxe] C:\Windows\system.exe File not found
    O4 - HKLM..\RunOnce: [CleanSetup] File not found
    O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
    O20:64bit: - Winlogon\Notify\DfLogon: DllName - Reg Error: Key error. - File not found
    O33 - MountPoints2\{301df3ff-96db-11dd-872a-001ec950e8dd}\Shell - "" = AutoRun
    O33 - MountPoints2\{301df3ff-96db-11dd-872a-001ec950e8dd}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{d69c3691-298c-11de-96a9-001ec950e8dd}\Shell - "" = AutoRun
    O33 - MountPoints2\{d69c3691-298c-11de-96a9-001ec950e8dd}\Shell\AutoRun\command - "" = N:\SETUP.EXE -- File not found
    O33 - MountPoints2\{d69c3691-298c-11de-96a9-001ec950e8dd}\Shell\configure\command - "" = N:\SETUP.EXE -- File not found
    O33 - MountPoints2\{d69c3691-298c-11de-96a9-001ec950e8dd}\Shell\install\command - "" = N:\SETUP.EXE -- File not found
    O33 - MountPoints2\P\Shell\AutoRun\command - "" = P:\setup.exe -- File not found
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:C46995DA
    @Alternate Data Stream - 1281 bytes -> C:\Program Files\Common Files\System:ag9bgjmstAcVDV82Wci1u1FSbEIqx
    @Alternate Data Stream - 1204 bytes -> C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies:28uNiZ6OH2mqif2jzRDLHAvCjY
    @Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:C8B8CEBD
    @Alternate Data Stream - 1085 bytes -> C:\ProgramData\Microsoft:csZT9PpRV7Q0ZP3nmeoAYv
    @Alternate Data Stream - 1051 bytes -> C:\ProgramData\Microsoft:oMn8XL918BxoDoqhpGjq9WD6
    Drivers32:64bit: VIDC.XVID - File not found

    :Files
    C:\Users\Administrator\Desktop\bbju8gxj.exe
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC

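The OTL fix above targets three classes of indicator: Run/RunOnce values whose target file no longer exists (the "File not found" lines), MountPoints2 AutoRun commands left behind by removable media, and alternate data streams attached to folders such as C:\ProgramData\TEMP. As an added, read-only example that is not part of the thread and is not OTL's own code, the PowerShell script below surfaces the same three classes with built-in cmdlets so a reader can check a machine before and after a fix. The registry key list and the folder list are assumptions chosen to mirror the fix; the script deletes nothing and needs PowerShell 3.0 or later for the -Stream parameter.

```powershell
# Added example (not from the thread, not OTL code): read-only triage of
# dangling Run entries, MountPoints2 AutoRun commands and alternate data
# streams. Key and folder lists are assumptions that mirror the OTL fix.

# 64-bit view first, then the 32-bit (Wow6432Node) view, then the user hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run value, handling quoted and unquoted forms.
function Get-CommandTarget {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
        return $expanded.Trim('"')
    }
    $m = [regex]::Match($expanded, '^(.+?\.(exe|dll|scr|com|cmd|bat))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($expanded -split '\s+')[0]
}

function Test-TargetExists {
    param([string]$Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    return (Test-Path -LiteralPath $Target -PathType Leaf)
}

# Run/RunOnce values whose target is empty or points at a file that is not there.
function Get-MissingRunTargets {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $target = Get-CommandTarget $cmd
            if (-not (Test-TargetExists $target)) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Target = $target }
            }
        }
    }
}

# Every "command" subkey under MountPoints2 (AutoRun, install, configure ...).
function Get-MountPointAutoRuns {
    $mp = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (-not (Test-Path $mp)) { return }
    Get-ChildItem -LiteralPath $mp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' } |
        ForEach-Object {
            $cmd = [string]$_.GetValue('')
            [pscustomobject]@{
                Key          = $_.Name
                Command      = $cmd
                TargetExists = Test-TargetExists (Get-CommandTarget $cmd)
            }
        }
}

# Alternate data streams on the folders the fix touched (these are folder
# streams, not file streams, so the folder itself is queried).
function Get-SuspectStreams {
    $roots = @(
        $env:ProgramData,
        (Join-Path $env:ProgramData 'TEMP'),
        (Join-Path $env:ProgramData 'Microsoft'),
        (Join-Path $env:CommonProgramFiles 'System'),
        (Join-Path $env:APPDATA 'Microsoft\Windows\Cookies')
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-Item -LiteralPath $root -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

Write-Host '== Run/RunOnce values whose target is missing or empty =='
Get-MissingRunTargets | Format-Table -AutoSize | Out-Host
Write-Host '== MountPoints2 AutoRun commands (removable-media autorun residue) =='
Get-MountPointAutoRuns | Format-Table -AutoSize | Out-Host
Write-Host '== Alternate data streams on the folders the fix touched =='
Get-SuspectStreams | Format-Table -AutoSize | Out-Host
```

Run it from a 64-bit PowerShell window on a 64-bit system so both registry views are inspected; the Wow6432Node keys correspond to the plain "O4 -" lines in the OTL log and the native keys to the "O4:64bit:" lines. A dangling Run entry or a folder ADS is not proof of infection on its own (uninstallers leave the former, some backup tools write the latter), so each hit is a lead to investigate rather than something to delete blindly.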

OK Mr Charlie. It did require a reboot, but when it came back up the txt came up with it. I checked the MovedFiles dir and this was the latest (only?) one. Thanks again! -Landen

All processes killed

========== OTL ==========

64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\LogMeIn GUI deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\LvLXPiejlk+ deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Mquxe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\CleanSetup deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\grooveLocalGWS\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88FED34C-F0CA-4636-A375-3CB6248B04CD}\ not found.

File {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{828030A1-22C1-4009-854F-8E305202313F}\ not found.

File {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\ not found.

File {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{828030A1-22C1-4009-854F-8E305202313F}\ not found.

File {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\pure-go\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4746C79A-2042-4332-8650-48966E44ABA8}\ deleted successfully.

File {4746C79A-2042-4332-8650-48966E44ABA8} - Reg Error: Key error. File not found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C514A3-1EFB-4856-9F99-10D7BE1653C0}\ not found.

File {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DfLogon\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{301df3ff-96db-11dd-872a-001ec950e8dd}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{301df3ff-96db-11dd-872a-001ec950e8dd}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{301df3ff-96db-11dd-872a-001ec950e8dd}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{301df3ff-96db-11dd-872a-001ec950e8dd}\ not found.

File L:\LaunchU3.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d69c3691-298c-11de-96a9-001ec950e8dd}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d69c3691-298c-11de-96a9-001ec950e8dd}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d69c3691-298c-11de-96a9-001ec950e8dd}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d69c3691-298c-11de-96a9-001ec950e8dd}\ not found.

File N:\SETUP.EXE not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d69c3691-298c-11de-96a9-001ec950e8dd}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d69c3691-298c-11de-96a9-001ec950e8dd}\ not found.

File N:\SETUP.EXE not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d69c3691-298c-11de-96a9-001ec950e8dd}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d69c3691-298c-11de-96a9-001ec950e8dd}\ not found.

File N:\SETUP.EXE not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\P\ deleted successfully.

File P:\setup.exe not found.

ADS C:\ProgramData\TEMP:C46995DA deleted successfully.

ADS C:\Program Files\Common Files\System:ag9bgjmstAcVDV82Wci1u1FSbEIqx deleted successfully.

ADS C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies:28uNiZ6OH2mqif2jzRDLHAvCjY deleted successfully.

ADS C:\ProgramData\TEMP:C8B8CEBD deleted successfully.

ADS C:\ProgramData\Microsoft:csZT9PpRV7Q0ZP3nmeoAYv deleted successfully.

ADS C:\ProgramData\Microsoft:oMn8XL918BxoDoqhpGjq9WD6 deleted successfully.

64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\\Drivers32 VIDC.XVID not found.

========== FILES ==========

C:\Users\Administrator\Desktop\bbju8gxj.exe moved successfully.

========== COMMANDS ==========

File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 28619908 bytes

->Temporary Internet Files folder emptied: 12666218 bytes

->Java cache emptied: 45861578 bytes

->Google Chrome cache emptied: 251110188 bytes

->Flash cache emptied: 62423 bytes

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 56504 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Experience

->Temp folder emptied: 1436583 bytes

->Temporary Internet Files folder emptied: 32768 bytes

User: Mcx1

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 2340073 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 22016 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 88741294 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 18332394 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 429.00 mb

OTL by OldTimer - Version 3.2.14.1 log created on 09302010_160603

Files\Folders moved on Reboot...

File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

C:\Users\Administrator\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\desktop.ini scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\embeded[1].txt scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\globe32[1].png scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\template.rab[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x64__ICSAgent64.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x64__LMIinit.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x64__LMIinit.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x64__LMIprinter.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x64__LMIprinter.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x64__LogMeIn.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x64__LogMeIn.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x64__raabout.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x64__racodec.ax[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x64__ramaint.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x64__ra_reboot.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__LMIGuardian.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__LMIGuardianDll.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__LMImirr.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__LMImirr2.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__LMIprinternt.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__LMIprinterui.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__LMIprocnt.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__LMIRfsClientNP.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__LogMeInToolkit.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__raabout.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__rahook.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__rainst.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__rntfywnd.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQAQZ93M\x86__rntfywnd.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\desktop.ini scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\SurveyScriptsNS[1].js scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\white_gradient[1].png scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x64__LMIGuardian.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x64__LMIGuardian.exe[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x64__LMImirr.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x64__LMImirr.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x64__LMIprinterui.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x64__LMIprinterui.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x64__LogMeInSystray.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x64__LogMeInSystray.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x64__racodec.ax[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x64__rahook.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x64__rntfywnd.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x64__rntfywnd.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__LMIGuardianDll.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__LMIGuardianEvt.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__LMImirr2.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__LMIport.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__LMIprinterui.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__LMIprinteruint.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__LMIRfsClientNP.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__LogMeIn.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__openssl.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__racodec.ax[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__rainst.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__ramaint.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__zip.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UCTAYNB5\x86__zip.exe[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\desktop.ini scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\main[1].css scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\raupdate.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\RequiredFieldsNS[1].js scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x64__LMIGuardianDll.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x64__LMIGuardianDll.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x64__LMImirr2.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x64__LMImirr2.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x64__LMIproc.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x64__LMIproc.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x64__LogMeInToolkit.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x64__openssl.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x64__rahook.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x64__rainst.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x64__zip.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x64__zip.exe[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x86__LMIGuardianEvt.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x86__LMIinit.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x86__LMIport.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x86__LMIprinter.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x86__LMIprinteruint.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x86__LMIproc.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x86__LogMeIn.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x86__LogMeInSystray.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x86__raabout.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x86__rahook.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x86__ramaint.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JU3LXV\x86__ra_reboot.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\desktop.ini scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\raupdate.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\template.rab[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\View[1].aspx scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\white_gradient[1].png scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x64__LMIGuardianEvt.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x64__LMIGuardianEvt.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x64__LMIport.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x64__LMIport.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x64__LMIRfsClientNP.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x64__LMIRfsClientNP.dll[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x64__openssl.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x64__raabout.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x64__rainst.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x64__ramaint.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__ICSAgent32.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__LMIGuardian.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__LMIinit.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__LMImirr.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__LMIprinter.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__LMIprinternt.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__LMIproc.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__LMIprocnt.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__LogMeInSystray.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__openssl.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__racodec.ax[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__rahook9x.dll[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__ra_sc.exe[1].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P6OKTF57\x86__ra_sc.exe[2].cab scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be moved on reboot.

File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be moved on reboot.

Registry entries deleted on Reboot...


OK, the problem with 64-bit systems is that a lot of tools don't run on them.

So here's what I would like you to do... run this online scan:

This scan can take several hours, so be prepared!

Please download Dr.Web CureIt . Save it to your desktop:

  • Double-click the drweb-cureit.exe file and click Scan to run the express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply.
  • Close Dr.Web CureIt.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.

MrC


Hi Mr. Charlie. I have an update, but I can't send the Dr. Web log yet. I wanted to log in Safe Mode first and run my CA Internet virus software and MALB from the command line before I brought the machine completely back up and connect it back to the Internet. I had to do a hard reboot to get the machine to recycle. It stalled forever and then came up with a real (or fake) "Login Process has Failed to create the security options - Failure Security Options" dialog which seemed odd to come up when trying to shut down.

The Dr. Web software found 2 things. Towards the beginning it found a virus in the Linksys update which was waiting for me to install. It moved it. Then, I think it found the little green monster on my ReadyBoost RAM USB stick (K:\Uncrypt.exe identified as Backdoor.Siggen.3208). It couldn't cure it and there's 2 USB sticks in the machine along with other storage locations and I didn't have the drive letters memorized. I knew which one the ReadyBoost files were on, but I didn't know/remember what drive letter it was assigned to. I had to pull the stick out and get it to try to rescan K: and when Dr. Web said the drive didn't exist, I knew which one I was dealing with. I put it back in and it allowed me to delete it (which I didn't see the option for when it first came up or I would have done that - I thought I was stuck and didn't want to get out of that safe mode created by the software until that thing was history). Anyway, I double-checked that the file did not exist (including hidden) so when the scans are finished, I'll bring it up normally and send the logs over. Maybe it wasn't spotted because I concentrated so much on c:? One thing's clear - you know and I don't, so I'll send everything over in a bit. Thanks again -Landen.

BTW: If you were puzzled by the LogMeIn leftovers on my machine, that was the first software I took off when this thing hit me. The other thing is the machine was purchased off the floor of Best Buy and they didn't restore it like they were supposed to. I waited on the Geeks there long enough for them to do it, but didn't know until I got back from my trip. When I got home, it still had/has a Best Buy group policy associated with it. I spent hours on the phone with them just trying to get them to restore the machine like they were supposed to, but the Best Buy I purchased it from was 3 hours away (I stopped on the way home and they had 1 left of the model I wanted). They would not let me/pay for me to take it to the local Best Buy to have them do a fresh install. If you saw the remnants of a Best Buy Group Policy, that's why. Thanks again.


Hey there Mr. Charlie. I'm unable to find the Dr. Watson log file. I did a search for it on c:. Is it supposed to be on the desktop? Also, I got the Seupd.exe Malware warning again during the other scans last night. Thanks -Landen.


You mean DrWeb?

"When the scan has finished, in the menu, click File and choose Save report list. Save the report to your desktop. The report will be called DrWeb.csv. Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum. Please post the Dr.Web.txt report in your next reply"

MrC


Yes. Dr Web. It finished in the middle of the night (which is probably half the problem because I was asleep and got up to check it). I saved the log when the scan completed (although I remember how weak the GUI was about selecting a location for it - I think the option was "log" and then press "Save"). I did another save after I pressed delete siggen or K:/Uncrypt.exe (within the same Dr. Web session assuming an append or new log) because I wanted you to see that part two in case it didn't delete it as hoped. Then I just brought the machine back up in Safe Mode and ran the virus scan and MALB from the command prompt. MALB and CA Internet had a fit with Dr Web still being on my machine so I got back up and let CA remove the Dr Web .exe (which I assumed was OK at the time, but I guess it wasn't). The CA command prompt scan also found the quarantined Dr. Web files and deleted them and now the Dr Web directory doesn't exist (per the CA log I'm sending). Dr. Web is in my Recycle Bin, but the log/logs are not. I'll put the machine on-line long enough to post so you can see what CA did and MALB did. The machine wasn't fully back up to check for the log (which I should have done, but I wasn't getting on-line either until the new scans finished so it didn't matter). Could the second pressing of save overwrite the original scan log within the same session? It doesn't explain why the logs aren't on the desktop or why the folder Dr. Web was in is gone. That must have been me trying to do this in the middle of the night. Logs on their way. - Landen


These are the logs. Jumping back to my laptop. Thanks -Landen

CA File (after full bootup) - original earlier scan of K: was ok. Removed and reformatted Ready Boost but not using it.

Started scanning at 10/2/2010 12:10:38 AM. Engine Ver: 36.1.0. Sig Ver:7888. Sig Date: 10/1/2010. ArcLib Ver: 8.2.6.3.

C:\pagefile.sys - Could not open the file.

C:\Boot\BCD - Could not open the file.

C:\Boot\BCD.LOG - Could not open the file.

C:\Documents and Settings\Administrator\NTUSER.DAT - Could not open the file.

C:\Documents and Settings\Administrator\ntuser.dat.LOG1 - Could not open the file.

C:\Documents and Settings\Administrator\ntuser.dat.LOG2 - Could not open the file.

C:\Documents and Settings\Administrator\AppData\Local\Microsoft\CardSpace\CardSpaceSP2.db - Could not open the file.

C:\Documents and Settings\Administrator\AppData\Local\Microsoft\CardSpace\CardSpaceSP2.db.shadow - Could not open the file.

C:\Documents and Settings\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat - Could not open the file.

C:\Documents and Settings\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - Could not open the file.

C:\Documents and Settings\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - Could not open the file.

C:\Documents and Settings\Administrator\AppData\Local\Microsoft\Windows Defender\FileTracker\{C0386F7C-707F-4351-B67A-C8E5C64ED251} - Could not open the file.

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\uncrypt.exe - Win32/Keylogger.U trojan. Deleted.

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\uncrypt0.exe - Win32/Keylogger.U trojan. Deleted.

C:\Documents and Settings\Administrator\Local Settings\Microsoft\CardSpace\CardSpaceSP2.db - Could not open the file.

C:\Documents and Settings\Administrator\Local Settings\Microsoft\CardSpace\CardSpaceSP2.db.shadow - Could not open the file.

C:\Documents and Settings\Administrator\Local Settings\Microsoft\Windows\UsrClass.dat - Could not open the file.

C:\Documents and Settings\Administrator\Local Settings\Microsoft\Windows\UsrClass.dat.LOG1 - Could not open the file.

C:\Documents and Settings\Administrator\Local Settings\Microsoft\Windows\UsrClass.dat.LOG2 - Could not open the file.

C:\Documents and Settings\Administrator\Local Settings\Microsoft\Windows Defender\FileTracker\{C0386F7C-707F-4351-B67A-C8E5C64ED251} - Could not open the file.

C:\Documents and Settings\All Users\Microsoft\Crypto\RSA\MachineKeys\30dd8ca769f99ffea408887f400ed1b4_8025f66c-7168-4ae5-984b-9a1e5aac2b38 - Could not open the file.

C:\Documents and Settings\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log - Could not open the file.

C:\Documents and Settings\All Users\Microsoft\Search\Data\Applications\Windows\MSStmp.log - Could not open the file.

C:\Documents and Settings\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb - Could not open the file.

C:\Documents and Settings\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb - Could not open the file.

C:\Program Files (x86)\TurboTax\Home & Business 2006\32bit\IDADOFx1.EXE - may be infected with Win32/ASuspect.HHPLN unknown type. Quarantined.

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\30dd8ca769f99ffea408887f400ed1b4_8025f66c-7168-4ae5-984b-9a1e5aac2b38 - Could not open the file.

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log - Could not open the file.

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log - Could not open the file.

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb - Could not open the file.

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb - Could not open the file.

C:\System Volume Information\{38088~1 - Could not open the file.

C:\System Volume Information\{41DE0~1 - Could not open the file.

C:\System Volume Information\{41DE0~2 - Could not open the file.

C:\System Volume Information\{41DE0~3 - Could not open the file.

C:\System Volume Information\{CDFB9~1 - Could not open the file.

C:\Users\Administrator\NTUSER.DAT - Could not open the file.

C:\Users\Administrator\ntuser.dat.LOG1 - Could not open the file.

C:\Users\Administrator\ntuser.dat.LOG2 - Could not open the file.

C:\Users\Administrator\AppData\Local\Microsoft\CardSpace\CardSpaceSP2.db - Could not open the file.

C:\Users\Administrator\AppData\Local\Microsoft\CardSpace\CardSpaceSP2.db.shadow - Could not open the file.

C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat - Could not open the file.

C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - Could not open the file.

C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - Could not open the file.

C:\Users\Administrator\AppData\Local\Microsoft\Windows Defender\FileTracker\{C0386F7C-707F-4351-B67A-C8E5C64ED251} - Could not open the file.

C:\Users\Administrator\Local Settings\Microsoft\CardSpace\CardSpaceSP2.db - Could not open the file.

C:\Users\Administrator\Local Settings\Microsoft\CardSpace\CardSpaceSP2.db.shadow - Could not open the file.

C:\Users\Administrator\Local Settings\Microsoft\Windows\UsrClass.dat - Could not open the file.

C:\Users\Administrator\Local Settings\Microsoft\Windows\UsrClass.dat.LOG1 - Could not open the file.

C:\Users\Administrator\Local Settings\Microsoft\Windows\UsrClass.dat.LOG2 - Could not open the file.

C:\Users\Administrator\Local Settings\Microsoft\Windows Defender\FileTracker\{C0386F7C-707F-4351-B67A-C8E5C64ED251} - Could not open the file.

C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\30dd8ca769f99ffea408887f400ed1b4_8025f66c-7168-4ae5-984b-9a1e5aac2b38 - Could not open the file.

C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log - Could not open the file.

C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSStmp.log - Could not open the file.

C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb - Could not open the file.

C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb - Could not open the file.

C:\Windows\bthservsdp.dat - Could not open the file.

C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT - Could not open the file.

C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 - Could not open the file.

C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 - Could not open the file.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat - Could not open the file.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat - Could not open the file.

C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT - Could not open the file.

C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 - Could not open the file.

C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 - Could not open the file.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun-2D-421CFC91-A93E-42AB-A35C-F06F127FCC44.lock - Could not open the file.

J:\0160f69a53357925e170\install.exe - Could not open the file.

Files Scanned: 2263215

Files Infected: 3

Files Cleaned \ Deleted: 2

Files Quarantined: 1

Memory Infections: 0

Memory Infections Cleaned: 0

Boot Infections: 0

Boot Infections Cleaned: 0

Top infections found during scan (Limited to 10).

Win32/Keylogger.U

Win32/ASuspect.HHPLN

Files not Cleaned\Deleted\Quarantined (Limit 100): 0

Finished scanning at 10/2/2010 7:16:15 AM.

MALB Protection-log-2010-10-02

00:00:03 Administrator MESSAGE Protection started successfully

00:00:07 Administrator MESSAGE IP Protection started successfully

00:02:57 Administrator MESSAGE IP Protection stopped

00:03:00 Administrator MESSAGE Database updated successfully

00:03:00 Administrator MESSAGE IP Protection started successfully

00:10:06 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent QUARANTINE

00:10:07 Administrator ERROR Quarantine failed: UtilityReadFile failed with error code 2

01:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

01:10:00 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent DENY

02:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

02:10:00 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent DENY

03:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

03:10:00 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent DENY

04:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

04:10:00 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent DENY

05:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

05:10:00 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent DENY

06:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

06:10:00 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent DENY

07:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

07:10:00 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent DENY

08:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

08:10:00 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent DENY

09:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

09:08:22 Administrator MESSAGE Protection started successfully

09:08:26 Administrator MESSAGE IP Protection started successfully

09:12:05 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent QUARANTINE

09:12:06 Administrator ERROR Quarantine failed: UtilityReadFile failed with error code 2

09:59:59 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

10:10:00 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent DENY

11:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

11:10:00 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent DENY

12:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

12:10:00 Administrator DETECTION C:\ProgramData\UPDATE\SEUPD.EXE Trojan.Agent DENY

Regular MALB log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4733

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18943

10/2/2010 5:58:22 AM

mbam-log-2010-10-02 (05-58-22).txt

Scan type: Full scan (C:\|D:\|K:\|)

Objects scanned: 743279

Time elapsed: 5 hour(s), 50 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

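The protection log in the post above carries the most useful clue in the whole thread: C:\ProgramData\UPDATE\SEUPD.EXE is detected at ten past every hour, the quarantine attempt fails with error code 2 (Win32 ERROR_FILE_NOT_FOUND, so the file is already gone by the time MBAM tries to read it), and the hourly update fails with 12007 (WinHTTP name-not-resolved, as expected on a machine kept off the network). A file that reappears on a steady timer is being recreated by something still resident, so the timer (a scheduled task, service or autorun entry) is what the helper needs to find, not just the file. The script below is an added example, not code from this thread or from Malwarebytes: it parses the "HH:MM:SS user LEVEL text" layout of the posted protection log, groups detections by path, and flags paths whose hits arrive at a regular interval. The sample lines are constructed to mirror the thread's log, and the path EXAMPLE_ONEOFF.EXE is a placeholder added to show a non-recurring hit.

```python
"""Triage a Malwarebytes protection log for recurring detections.

Added example, not code from the thread or from Malwarebytes. It assumes
the line layout seen in the posted protection log:
    HH:MM:SS <user> <MESSAGE|DETECTION|ERROR> <free text>
and that a DETECTION line ends with "<path> <threat name> <action>".
"""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+"
    r"(?P<level>MESSAGE|DETECTION|ERROR)\s+(?P<text>.*)$"
)

# Well-known Win32 / WinHTTP error codes that appear in the posted log.
ERROR_CODES = {
    2: "ERROR_FILE_NOT_FOUND: the file was gone before quarantine could read it",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED: DNS lookup failed (offline, or hosts file tampering)",
}

# Constructed sample modelled on the thread's log. SEUPD.EXE is the path the
# user reported; EXAMPLE_ONEOFF.EXE is a placeholder for a one-time hit.
SAMPLE_LOG = """\
00:00:03 Administrator MESSAGE Protection started successfully
00:10:06 Administrator DETECTION C:\\ProgramData\\UPDATE\\SEUPD.EXE Trojan.Agent QUARANTINE
00:10:07 Administrator ERROR Quarantine failed: UtilityReadFile failed with error code 2
00:25:40 Administrator DETECTION C:\\Users\\Administrator\\AppData\\Local\\Temp\\EXAMPLE_ONEOFF.EXE Trojan.Example QUARANTINE
01:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007
01:10:00 Administrator DETECTION C:\\ProgramData\\UPDATE\\SEUPD.EXE Trojan.Agent DENY
02:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007
02:10:00 Administrator DETECTION C:\\ProgramData\\UPDATE\\SEUPD.EXE Trojan.Agent DENY
03:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007
03:10:00 Administrator DETECTION C:\\ProgramData\\UPDATE\\SEUPD.EXE Trojan.Agent DENY
04:00:00 Administrator ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007
04:10:00 Administrator DETECTION C:\\ProgramData\\UPDATE\\SEUPD.EXE Trojan.Agent DENY
"""


def to_seconds(hms: str) -> int:
    """Convert HH:MM:SS to seconds since midnight (MBAM writes one log per day)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text: str) -> list:
    """Return one dict per parseable line; lines in another layout are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append({"t": to_seconds(m["time"]), "level": m["level"], "text": m["text"]})
    return events


def triage(text: str, jitter: int = 120) -> dict:
    """Group detections by path and flag those that recur at a steady interval.

    A steady cadence (all gaps within `jitter` seconds of each other) means the
    file keeps coming back on a timer, so the mechanism that recreates it is
    the thing to locate; cleaning the file alone will not end the detections.
    """
    hits = defaultdict(list)
    errors = defaultdict(int)
    for e in parse_log(text):
        if e["level"] == "DETECTION":
            # rsplit keeps paths containing spaces intact: "<path> <threat> <action>"
            path, threat, action = e["text"].rsplit(" ", 2)
            hits[path].append((e["t"], threat, action))
        elif e["level"] == "ERROR":
            m = re.search(r"error code (\d+)", e["text"])
            errors[int(m.group(1)) if m else -1] += 1

    recurring = {}
    for path, items in hits.items():
        times = sorted(t for t, _, _ in items)
        gaps = [b - a for a, b in zip(times, times[1:])]
        actions = defaultdict(int)
        for _, _, action in items:
            actions[action] += 1
        recurring[path] = {
            "count": len(items),
            "threats": sorted({threat for _, threat, _ in items}),
            "actions": dict(actions),
            "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter,
            "period_seconds": int(round(statistics.median(gaps))) if gaps else None,
        }

    return {
        "recurring": recurring,
        "errors": {
            code: {"count": n, "meaning": ERROR_CODES.get(code, "unknown code")}
            for code, n in errors.items()
        },
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path, info in report["recurring"].items():
        flag = "RECURRING every ~%ds" % info["period_seconds"] if info["periodic"] else "one-off"
        print(f"{path}: {info['count']} hit(s), {flag}, actions={info['actions']}")
    for code, info in report["errors"].items():
        print(f"error {code} x{info['count']}: {info['meaning']}")
```

Run against the constructed sample, SEUPD.EXE comes out as recurring every ~3600 seconds with one failed QUARANTINE and four DENY actions, while the placeholder one-off path is not flagged. The jitter tolerance exists because the first hit in the posted log lands a few seconds off the hour boundary (00:10:06 rather than 00:10:00), which is normal for a timer that fires when the dropped file is first written.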

What brand is this computer?

Did the PC come with a Windows 7 disk or restore disk, or does it have a restore partition on the drive?

There's a good restore point that has been created when we first ran OTL, in case it's needed...just to let you know.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
