Tech Support Guy

Explorer.exe does not startup, black screen on login

#1 ·
Greetings TSG

I have come across a problem that is remarkably like this problem, where when I log in, all I get is a black screen. When I try to activate "explorer.exe", I get the message: "Operation did not complete successfully because the file contains a virus".

However, I had a feeling I had a virus a few days before, where I downloaded Avast! Free Antivirus and ran a Quick Scan. I remember that c://WINDOWS/explorer.exe, C://Program Files/Internet Explorer/iexplorer.exe and wininit.exe were all infected with a Bamital-AF trojan. Winstart.bat was also infected, but was offline. (If this isn't enough information, I'll try to use the raw logs when requested :) )

I am currently using said computer in Safe Mode, which seems to work fine, with explorer.exe running smoothly.

Thank you,
Ryan :)
 
#2 ·
More Information: :)
I also had a RECYCLER virus when I plugged in hardware, that infected files and created a folder named autorun.inf (if that helps anyone).
I've gone off Safe Mode with Networking as well. Instead, I'm running programs by shortcuts I placed in the Recycle Bin.
Thanks for listening
Ryan :)
 
#3 ·
Hi

Please run the following scans; they will run in Safe Mode (with networking):

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.


NEXT


Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS .txt files will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.

NEXT

Download GMER Rootkit Scanner from here: http://www.gmer.net/download.php to your desktop. It will be a randomly named executable.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
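A helper reads the DDS output requested above by hand, but the first pass is mechanical: is Winlogon's Userinit loading anything besides userinit.exe, which Run entries launch binaries out of the user profile under a GUID label, do any LSP, AppInit or Notify hooks point at files that only appeared in the "Created Last 30" section, and which listed files carry system+hidden attributes. The script below is an added example, not DDS code and not from this thread: a hypothetical `triage_dds` function that applies those checks to a constructed excerpt modelled on the DDS log posted later in this thread.

```python
"""Triage the Pseudo-HJT, Created Last 30 and Find3M sections of a DDS log.

Hypothetical helper (not part of DDS). These are heuristics: every hit still
needs a human to confirm it against the full log and the vendor's own docs.
"""
import re

# Constructed sample: a handful of lines modelled on the DDS log in this thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [{DB322A1E-0302-82F5-657A-3685BEA647C9}] c:\users\ryan\appdata\roaming\ockyip\orno.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
LSP: xolehmlp.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

=============== Created Last 30 ================

2010-10-20 18:24:37 93184 ----a-w- c:\windows\system32\xolehmlp.dll
2010-10-31 12:52:13 335360 --sha-w- c:\progra~2\{3448528211}2010.10.31.12.52.13.sdl
2010-10-19 20:43:48 107368 ----a-w- c:\windows\system32\GEARAspi.dll

==================== Find3M ====================

2010-10-01 20:28:37 2 --shatr- c:\windows\winstart.bat
2010-09-08 17:26:59 833024 ----a-w- c:\windows\system32\wininet.dll
"""

# The only value Userinit should carry on a clean Vista/7 system.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# "<date> <time> <size> <8-char attrs> <path>" as DDS prints file entries.
FILE_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S{8}) (.+)$")
RUN_LINE = re.compile(r"^([um]Run(?:Once)?): \[(.+?)\] (.*)$")
GUID_LABEL = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HOOK_PREFIXES = ("LSP:", "AppInit_DLLs:", "Notify:")


def run_target(rest):
    """Executable path from the text after '[label] '.

    Quoted paths are taken whole; an unquoted path stops at the first space,
    so an unquoted path containing spaces is truncated (good enough here).
    """
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" ", 1)[0]


def parse_file_lines(lines):
    """Map lowercased basename -> (attrs, path) for every DDS file entry."""
    files = {}
    for line in lines:
        m = FILE_LINE.match(line.strip())
        if m:
            _, _, attrs, path = m.groups()
            files[path.rsplit("\\", 1)[-1].lower()] = (attrs, path)
    return files


def triage_dds(text):
    """Return a list of (finding_kind, detail) tuples for a DDS log."""
    lines = text.splitlines()
    recent = parse_file_lines(lines)
    findings = []
    for line in lines:
        line = line.strip()
        if line.startswith("mWinlogon: Userinit="):
            # Anything chained after userinit.exe is started at every logon.
            for entry in line.split("=", 1)[1].split(","):
                entry = entry.strip()
                if entry and entry.lower() != EXPECTED_USERINIT:
                    findings.append(("userinit-extra", entry))
            continue
        m = RUN_LINE.match(line)
        if m:
            _, label, rest = m.groups()
            path = run_target(rest)
            if GUID_LABEL.match(label):
                findings.append(("run-guid-label", path))
            if "\\appdata\\roaming\\" in path.lower() or "\\temp\\" in path.lower():
                findings.append(("run-user-profile", path))
            continue
        if line.startswith(HOOK_PREFIXES):
            # A hook DLL that was only created in the last 30 days is worth a look.
            target = line.split(":", 1)[1].strip()
            base = target.rsplit("\\", 1)[-1].lower()
            if base in recent:
                findings.append(("recent-hook-dll", base))
    for _base, (attrs, path) in recent.items():
        # DDS attribute field: column 3 is 's' (system), column 4 is 'h' (hidden).
        if attrs[2] == "s" and attrs[3] == "h":
            findings.append(("hidden-system-file", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_dds(SAMPLE_DDS):
        print(f"{kind:20} {detail}")
```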
 
#4 ·
Hi CatByte, thanks for helping me :)

MBR LOGS
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 1 (build 6001), 32-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: Acer
System Product Name: Aspire 5735
Logical Drives Mask: 0x0000007c

Kernel Drivers (total 123):
0x82042000 \SystemRoot\system32\ntkrnlpa.exe
0x8200F000 \SystemRoot\system32\hal.dll
0x80408000 \SystemRoot\system32\kdcom.dll
0x80410000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80470000 \SystemRoot\system32\PSHED.dll
0x80481000 \SystemRoot\system32\BOOTVID.dll
0x80489000 \SystemRoot\system32\CLFS.SYS
0x804CA000 \SystemRoot\system32\CI.dll
0x80604000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80680000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8068D000 \SystemRoot\System32\Drivers\spmr.sys
0x8078E000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x80797000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x805AA000 \SystemRoot\system32\drivers\acpi.sys
0x807BD000 \SystemRoot\system32\drivers\msisadrv.sys
0x807C5000 \SystemRoot\system32\drivers\pci.sys
0x807EC000 \SystemRoot\System32\drivers\partmgr.sys
0x807FB000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x805F0000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x82601000 \SystemRoot\system32\drivers\volmgr.sys
0x82610000 \SystemRoot\System32\drivers\volmgrx.sys
0x8265A000 \SystemRoot\System32\drivers\mountmgr.sys
0x8266A000 \SystemRoot\System32\Drivers\UBHelper.sys
0x82672000 \SystemRoot\system32\drivers\atapi.sys
0x8267A000 \SystemRoot\system32\drivers\ataport.SYS
0x82698000 \SystemRoot\system32\drivers\msahci.sys
0x826A2000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x826B0000 \SystemRoot\system32\drivers\fltmgr.sys
0x826E2000 \SystemRoot\system32\drivers\fileinfo.sys
0x826F2000 \SystemRoot\system32\DRIVERS\psdfilter.sys
0x826FB000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x82700000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8A20D000 \SystemRoot\system32\drivers\ndis.sys
0x8A318000 \SystemRoot\system32\drivers\msrpc.sys
0x8A343000 \SystemRoot\system32\drivers\NETIO.SYS
0x8A406000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8A515000 \SystemRoot\system32\drivers\volsnap.sys
0x8A556000 \SystemRoot\System32\Drivers\mup.sys
0x8A565000 \SystemRoot\System32\drivers\ecache.sys
0x8A58C000 \SystemRoot\system32\drivers\disk.sys
0x8A59D000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x8A5BE000 \SystemRoot\system32\drivers\crcdisk.sys
0x8A5D4000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8A5DF000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8A5E8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8A37D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8A3BB000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8A3CA000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x82771000 \SystemRoot\system32\DRIVERS\yk60x86.sys
0x8DC0C000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
0x8DF93000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8DFA6000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
0x8DFB0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8DFBB000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8DFEB000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8DFED000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8A3DC000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8DFF8000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
0x8DC00000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x827BD000 \SystemRoot\System32\Drivers\ae9hzdwh.SYS
0x8E209000 \SystemRoot\System32\Drivers\a5yplmdb.SYS
0x8E241000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8E24A000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8E278000 \SystemRoot\system32\DRIVERS\storport.sys
0x8E2B9000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8E2C4000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8E2DB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8E2E6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8E309000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8E318000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8E32C000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8E341000 \SystemRoot\system32\DRIVERS\hamachi.sys
0x8E346000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8E356000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8E358000 \SystemRoot\system32\DRIVERS\ks.sys
0x8E382000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8E38C000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8E399000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8E3CD000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8E3DE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8E3E7000 \SystemRoot\System32\Drivers\Null.SYS
0x8E3EE000 \SystemRoot\System32\Drivers\Beep.SYS
0x8A5F3000 \SystemRoot\System32\drivers\vga.sys
0x8E401000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8E422000 \SystemRoot\System32\drivers\watchdog.sys
0x8E42F000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8E437000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8E442000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8E450000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8E459000 \SystemRoot\System32\drivers\tcpip.sys
0x8E542000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8E55D000 \SystemRoot\System32\Drivers\Mpfp.sys
0x8E584000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8E59A000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0x8E5B6000 \SystemRoot\system32\DRIVERS\smb.sys
0x8E608000 \SystemRoot\system32\drivers\afd.sys
0x8E650000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x8E655000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8E687000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x8E690000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8E6A6000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8E6BD000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8E6CB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8E707000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8E711000 \SystemRoot\System32\Drivers\dfsc.sys
0x8E728000 \SystemRoot\system32\drivers\RTSTOR.SYS
0x8E73B000 \SystemRoot\System32\Drivers\fastfat.SYS
0x95620000 \SystemRoot\System32\win32k.sys
0x8E770000 \SystemRoot\System32\drivers\Dxapi.sys
0x95830000 \SystemRoot\System32\drivers\dxg.sys
0x95860000 \SystemRoot\System32\TSDDD.dll
0x958E0000 \SystemRoot\System32\framebuf.dll
0x958F0000 \SystemRoot\System32\ATMFD.DLL
0x8E77A000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8E7A4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8E7AE000 \SystemRoot\system32\DRIVERS\bowser.sys
0x8E7C7000 \SystemRoot\System32\drivers\mpsdrv.sys
0x8E7DC000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x98E00000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x98E39000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x98E51000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77470000 \Windows\System32\ntdll.dll
0x10000000 \Program Files\Alcohol Soft\Alcohol 120\alcoholx.dll

Processes (total 30):
0 System Idle Process
4 System
368 C:\Windows\System32\smss.exe
456 csrss.exe
492 csrss.exe
500 C:\Windows\System32\wininit.exe
528 C:\Windows\System32\winlogon.exe
580 C:\Windows\System32\services.exe
592 C:\Windows\System32\lsass.exe
600 C:\Windows\System32\lsm.exe
740 C:\Windows\System32\svchost.exe
796 C:\Windows\System32\svchost.exe
844 C:\Windows\System32\svchost.exe
924 C:\Windows\System32\svchost.exe
956 C:\Windows\System32\svchost.exe
1004 C:\Windows\System32\svchost.exe
1028 C:\Windows\System32\svchost.exe
1044 C:\Windows\System32\svchost.exe
1232 C:\Windows\System32\svchost.exe
1384 C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
1408 C:\Program Files\McAfee\MPF\MpfSrv.exe
1432 C:\Windows\System32\svchost.exe
1576 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
668 C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
1936 C:\Windows\explorer.exe
1360 C:\Program Files\Windows Media Player\wmpnscfg.exe
1504 C:\Users\Ryan\AppData\Local\Google\Chrome\Application\chrome.exe
1492 C:\Users\Ryan\AppData\Local\Google\Chrome\Application\chrome.exe
1956 WmiPrvSE.exe
2184 C:\Users\Ryan\Contacts\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000003b`71b00000 (NTFS)

PhysicalDrive0 Model Number: WDCWD5000BEVT-22ZAT0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: DA67949D8E80AE4B877B861155C27C0550D2F7A3

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
 
#5 ·
DDS.txt

DDS (Ver_10-10-31.01) - NTFSx86 NETWORK
Run by Ryan at 16:40:08.90 on 01/11/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3000.2386 [GMT 0:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Ryan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ryan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Users\Ryan\Contacts\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.speedbit.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vp32&d=1208&m=aspire_5735
uSearch Page =
uSearch Bar =
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vp32&d=1208&m=aspire_5735
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vp32&d=1208&m=aspire_5735
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHelperStub: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - Adobe PDF Link Helper
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BitTorrent DNA] "c:\users\ryan\program files\dna\btdna.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [{DB322A1E-0302-82F5-657A-3685BEA647C9}] c:\users\ryan\appdata\roaming\ockyip\orno.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Google Update] "c:\users\ryan\appdata\local\google\update\GoogleUpdate.exe" /c
uRunOnce: [Application Restart #0] c:\windows\ehome\ehtray.exe
uRunOnce: [Application Restart #1] c:\program files\windows defender\MSASCui.exe -Hide
uRunOnce: [Application Restart #2] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRunOnce: [Application Restart #3] c:\program files\windows media player\wmpnscfg.exe
uRunOnce: [Application Restart #4] c:\program files\microsoft office\office12\WINWORD.EXE /restore
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [CLMLServer] "c:\program files\acer arcade deluxe\acer arcade deluxe\kernel\clml\CLMLSvc.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ProductReg] "c:\program files\acer\wr_popup\ProductReg.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\users\ryan\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: xolehmlp.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: ShellObj Class: {f552dde6-2090-4bf4-b924-6141e87789a5} - c:\progra~1\greatis\regrun~1\RRShell.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\ryan\appdata\roaming\mozilla\firefox\profiles\9fq4h5ub.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://search.speedbit.com/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=BT3&o=14987&locale=en_UK&apn_uid=921B3E30-2861-4BEA-A120-11F0498AE4E4&apn_ptnrs=J6&apn_sauid=7B263103-C276-4799-9314-6A87FB55A4DB&apn_dtid=&q=
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\ryan\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\ryan\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\ryan\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\ryan\appdata\roaming\mozilla\firefox\profiles\9fq4h5ub.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\windows\microsoft.net\framework\v4.0.20506\wpf\NPWPF.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]
R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-12-11 3658752]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-27 165584]
S1 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-4-30 201288]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\playmovie\000.fcl [2008-4-30 61424]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-27 17744]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-10-27 50768]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-27 40384]
S2 CLHNService;CLHNService;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\CLHNService.exe [2008-4-30 81504]
S2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-4-30 24576]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 135664]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-2-28 47640]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-29 93320]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-30 359248]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-30 144704]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]
S2 NTIPPKernel;NTIPPKernel;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\NTIPPKernel.sys [2008-4-30 122368]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
S2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-27 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-27 40384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-21 179712]
S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\microsoft.net\framework\v4.0.20506\mscorsvw.exe [2009-5-6 104272]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-3-28 30192]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-2-14 15944]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-30 695624]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-4-30 79304]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-4-30 35240]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2008-4-30 33800]
S3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2008-4-30 40488]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-10-1 24416]

=============== File Associations ===============

scrfile="%1" /S

=============== Created Last 30 ================

2010-10-31 13:21:01 -------- d-----w- C:\dcb96b898d875a5967fdd641cd
2010-10-31 12:52:13 335360 --sha-w- c:\progra~2\{3448528211}2010.10.31.12.52.13.sdl
2010-10-30 08:53:39 335360 --sha-w- c:\progra~2\{3448528211}2010.10.30.9.53.39.sdl
2010-10-29 10:56:50 -------- d-----w- c:\progra~2\SafeReturner
2010-10-29 10:55:26 -------- d-----w- c:\users\ryan\appdata\roaming\SafeReturner
2010-10-29 10:55:18 -------- d-----w- c:\program files\Safe Returner
2010-10-29 09:17:32 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{96501cac-8eca-4217-bab5-3ffafa5b1f4c}\mpengine.dll
2010-10-27 16:57:21 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-10-27 16:55:12 38848 ----a-w- c:\windows\avastSS.scr
2010-10-27 16:54:58 -------- d-----w- c:\progra~2\Alwil Software
2010-10-27 16:26:20 -------- d-----w- c:\program files\temp
2010-10-27 16:25:35 335360 --sha-w- c:\progra~2\{968218125}2010.10.27.17.25.35.sdl
2010-10-27 08:43:56 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-27 08:43:56 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-26 13:33:13 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-10-26 13:29:57 -------- d-----w- c:\windows\system32\x64
2010-10-24 13:14:44 -------- d-----w- c:\program files\MP3 Cutter
2010-10-24 10:51:42 -------- d-----w- c:\windows\system32\EventProviders
2010-10-24 10:44:45 -------- d-----w- c:\users\ryan\appdata\roaming\Ockyip
2010-10-24 10:44:45 -------- d-----w- c:\users\ryan\appdata\roaming\Aghadu
2010-10-24 10:41:35 -------- d-----w- c:\windows\system32\MpEngineStore
2010-10-23 19:26:27 335360 --sha-w- c:\progra~2\{968218125}2010.10.23.20.26.27.sdl
2010-10-23 12:19:08 -------- d-----w- c:\progra~2\lifobin
2010-10-22 18:33:56 -------- d-----w- c:\progra~2\bujusap
2010-10-22 18:31:58 -------- d-----w- c:\program files\windows
2010-10-21 21:29:26 -------- d-----w- c:\program files\tmp
2010-10-21 19:54:42 -------- d-----r- c:\program files\Skype
2010-10-21 19:23:49 -------- d-----w- c:\progra~2\lerufep
2010-10-21 16:17:07 -------- d-----w- c:\progra~2\velumig
2010-10-20 18:24:37 93184 ----a-w- c:\windows\system32\xolehmlp.dll
2010-10-19 20:43:48 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-10-19 20:43:48 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-10-19 20:42:01 -------- d-----w- c:\program files\iPod
2010-10-19 20:41:59 -------- d-----w- c:\program files\iTunes
2010-10-19 20:41:59 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-10-19 20:22:52 -------- d-----w- c:\program files\Bonjour
2010-10-18 06:48:02 231936 ----a-w- c:\windows\system32\msshsq.dll
2010-10-13 21:45:08 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2010-10-13 21:45:06 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-13 21:43:52 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-13 21:43:51 101888 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-13 21:43:50 303616 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-13 21:43:50 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-13 21:43:47 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-13 21:42:46 274432 ----a-w- c:\windows\system32\schannel.dll
2010-10-13 21:42:39 1315840 ----a-w- c:\windows\system32\ole32.dll
2010-10-13 21:42:38 339968 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2010-10-13 21:42:31 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-10-13 21:42:26 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-10-13 21:42:26 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-10-13 21:42:20 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-10-13 21:42:15 866816 ----a-w- c:\windows\system32\wmpmde.dll
2010-10-13 21:40:15 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-10-05 18:47:04 74624 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-10-05 18:47:03 -------- d-----w- c:\program files\Prevx
2010-10-05 18:46:49 -------- d-----w- c:\progra~2\PrevxCSI

==================== Find3M ====================

2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-01 20:28:37 2 --shatr- c:\windows\winstart.bat
2010-09-08 17:26:59 833024 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 17:23:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 15:53:07 389632 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:28:29 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-26 16:01:35 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:01:33 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:01:32 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:01:32 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-25 18:46:02 8198680 ----a-w- c:\windows\system32\TVWSetup.exe
2010-08-25 18:45:48 948760 ----a-w- c:\windows\system32\igxpun.exe
2010-08-25 18:45:44 136216 ----a-w- c:\windows\system32\igfxtray.exe
2010-08-25 18:45:42 266776 ----a-w- c:\windows\system32\igfxsrvc.exe
2010-08-25 18:45:40 170520 ----a-w- c:\windows\system32\igfxpers.exe
2010-08-25 18:45:38 179224 ----a-w- c:\windows\system32\igfxext.exe
2010-08-25 18:45:36 171032 ----a-w- c:\windows\system32\hkcmd.exe
2010-08-25 18:45:32 3156504 ----a-w- c:\windows\system32\GfxUI.exe
2010-08-25 18:39:46 81920 ----a-w- c:\windows\system32\igfxCoIn_v2202.dll
2010-08-25 18:31:30 4967424 ----a-w- c:\windows\system32\igdumd32.dll
2010-08-25 18:30:02 439308 ----a-w- c:\windows\system32\igcompkrng500.bin
2010-08-25 18:30:00 982240 ----a-w- c:\windows\system32\igkrng500.bin
2010-08-25 18:30:00 92356 ----a-w- c:\windows\system32\igfcg500m.bin
2010-08-25 18:28:22 571904 ----a-w- c:\windows\system32\igdumdx32.dll
2010-08-25 18:23:14 4411904 ----a-w- c:\windows\system32\igd10umd32.dll
2010-08-25 18:09:34 11040256 ----a-w- c:\windows\system32\ig4icd32.dll
2010-08-25 18:00:00 23552 ----a-w- c:\windows\system32\igfxexps.dll
2010-08-25 18:00:00 194560 ----a-w- c:\windows\system32\igfxpph.dll
2010-08-25 17:59:58 261632 ----a-w- c:\windows\system32\igfxTMM.dll
2010-08-25 17:59:58 115200 ----a-w- c:\windows\system32\igfxcpl.cpl
2010-08-25 17:59:42 57344 ----a-w- c:\windows\system32\igfxsrvc.dll
2010-08-25 17:59:24 130048 ----a-w- c:\windows\system32\igfxdo.dll
2010-08-25 17:59:16 94720 ----a-w- c:\windows\system32\hccutils.dll
2010-08-25 17:59:10 120320 ----a-w- c:\windows\system32\gfxSrvc.dll
2010-08-25 17:59:08 4096 ----a-w- c:\windows\system32\IGFXDEVLib.dll
2010-08-25 17:59:06 85504 ----a-w- c:\windows\system32\igfxrenu.lrc
2010-08-25 17:59:06 828928 ----a-w- c:\windows\system32\igfxress.dll
2010-08-25 17:59:06 228864 ----a-w- c:\windows\system32\igfxdev.dll
2010-08-25 17:52:00 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-08-25 17:52:00 208896 ----a-w- c:\windows\system32\iglhsip32.dll
2010-08-25 17:52:00 143360 ----a-w- c:\windows\system32\iglhcp32.dll
2010-08-17 13:32:33 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 18:32:00 55992 --sha-w- c:\windows\system32\gakizuf.dll
2010-07-23 12:19:05 55480 --sha-w- c:\windows\system32\galemok.dll
2010-07-21 19:23:47 55992 --sha-w- c:\windows\system32\vapivik.dll

============= FINISH: 16:41:47.90 ===============
 
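The three `--sha-w-` DLLs at the end of the Find3M section (random seven-letter names, near-identical sizes, all in system32) and the two-byte `--shatr-` winstart.bat are the entries a responder would pull out of this listing first. As an added example, not DDS output and not something posted in the thread, here is a small Python triage script that parses listing lines in the format shown above and applies that reasoning mechanically: it flags executables under the Windows directory that carry the system+hidden flag combination, flags a batch file sitting directly in the Windows root, and groups the flagged files by size so that same-size droppers with different names stand out. The flag-letter meanings and the "system+hidden executable in system32 is unusual" rule are my assumptions; treat hits as candidates for a hash and signature check, not as a verdict.

```python
"""Triage a DDS/ComboFix 'Find3M'-style listing (added example, not DDS code).

Lines look like
    YYYY-MM-DD HH:MM:SS  SIZE  ATTRS  PATH
ATTRS is the eight-character flag field seen in the log above; the letters
used here are d (directory), s (system), h (hidden), a (archive),
r (read-only) and w (writable), with '-' meaning unset (assumed meanings).
The triage rule is a heuristic, not a verdict: a DLL/EXE/SYS under the
Windows directory that is both system+hidden is unusual enough to deserve
a hash and a signature check.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+([a-z-]{8})\s+(.+)$"
)
EXEC_EXT = {"dll", "exe", "sys", "bat", "cmd", "scr", "com"}
WINDOWS_ROOT = "c:\\windows\\"

# Constructed sample: a handful of lines copied from the listing above plus the
# trailing FINISH banner, which the parser must skip.
SAMPLE = r"""
2010-10-19 20:42:01 -------- d-----w- c:\program files\iPod
2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-01 20:28:37 2 --shatr- c:\windows\winstart.bat
2010-09-08 17:26:59 833024 ----a-w- c:\windows\system32\wininet.dll
2010-08-17 13:32:33 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 18:32:00 55992 --sha-w- c:\windows\system32\gakizuf.dll
2010-07-23 12:19:05 55480 --sha-w- c:\windows\system32\galemok.dll
2010-07-21 19:23:47 55992 --sha-w- c:\windows\system32\vapivik.dll
============= FINISH: 16:41:47.90 ===============
"""


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # None for directories, which DDS shows as dashes
    attrs: str
    path: str

    @property
    def flags(self) -> set:
        return set(self.attrs) - {"-"}

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def ext(self) -> str:
        return self.name.rpartition(".")[2] if "." in self.name else ""


def parse_listing(text: str) -> List[Entry]:
    """Return an Entry per well-formed line; banners and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append(Entry(date, time, None if size.startswith("-") else int(size),
                             attrs, path.strip()))
    return entries


def suspicious_entries(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map path -> reasons for executables that deserve a closer look."""
    hits: Dict[str, List[str]] = {}
    for e in entries:
        if "d" in e.flags or e.ext not in EXEC_EXT:
            continue
        reasons = []
        under_windows = e.path.lower().startswith(WINDOWS_ROOT)
        if under_windows and {"s", "h"} <= e.flags:
            reasons.append("system+hidden executable under the Windows directory")
        if e.ext in {"bat", "cmd"} and e.path.lower() == WINDOWS_ROOT + e.name:
            reasons.append("batch file directly in the Windows root")
        if reasons:
            hits[e.path] = reasons
    return hits


def size_clusters(entries: List[Entry], hits: Dict[str, List[str]], tolerance: int = 1024) -> List[List[str]]:
    """Group flagged files whose sizes agree within `tolerance` bytes.
    Same-sized binaries with different random names usually came from one dropper."""
    flagged = sorted((e for e in entries if e.path in hits and e.size is not None),
                     key=lambda e: e.size)
    clusters, current = [], []
    for e in flagged:
        if current and e.size - current[-1].size > tolerance:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return [[e.path for e in c] for c in clusters if len(c) > 1]


if __name__ == "__main__":
    found = parse_listing(SAMPLE)
    flagged = suspicious_entries(found)
    for path, reasons in flagged.items():
        print(path, "->", "; ".join(reasons))
    for group in size_clusters(found, flagged):
        print("same-size cluster:", group)
```

On the sample above the script flags exactly the three random-named DLLs and winstart.bat, leaves wininet.dll, spoolsv.exe and MpSigStub.exe alone, and reports the three DLLs as one size cluster (55480 to 55992 bytes). Feed it a full DDS log and the same rules apply to every line; widen `WINDOWS_ROOT` or the flag rule if the environment puts legitimate hidden system binaries elsewhere.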
#9 ·
Try this scan instead if you can't get GMER to run:

Scan With RootKitUnHooker

  • Please Download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers and Stealth
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished and then click File > Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

Note** you may get the following warning, just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
 
#11 ·
Hi

Please do the following;

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
 
#13 ·
Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:
http://forums.techguy.org/7670112-post12.html

Collect::
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ygka.exe
c:\users\EMERGENCY ACCOUNT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aparc.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cierte.exe
c:\users\EMERGENCY ACCOUNT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qalobu.exe
c:\users\EMERGENCY ACCOUNT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yzun.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\qeyq.exe
c:\users\EMERGENCY ACCOUNT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wiqi.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\byytlo.exe
c:\users\EMERGENCY ACCOUNT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xuzeot.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\eqih.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\vupo.exe
c:\users\EMERGENCY ACCOUNT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ykbyv.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ofyxfi.exe
c:\users\EMERGENCY ACCOUNT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diindu.exe
c:\windows\system32\xolehmlp.dll
c:\windows\System32\gakizuf.dll
c:\windows\System32\galemok.dll
c:\windows\System32\vapivik.dll
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\byytlo.exe 
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cierte.exe 
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eqih.exe 
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ofyxfi.exe 
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qeyq.exe
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vupo.exe
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygka.exe 

Folder::
c:\users\Ryan\AppData\Roaming\Aghadu
c:\users\Ryan\AppData\Roaming\Ockyip
c:\programdata\lifobin
c:\programdata\bujusap
c:\program files\windows
c:\programdata\lerufep
c:\programdata\velumig
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
 
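The CFScript above is worth reading closely before it is dropped onto ComboFix: the Collect:: section names Startup-folder executables not only in the EMERGENCY ACCOUNT profile but in c:\users\Default and c:\users\Default User, the profile template that every newly created account is copied from, which is how the same random names would reappear in any fresh account the user makes. As an added example, not part of the thread and not ComboFix code, here is a Python reader for the CFScript text format (a `Directive::` line followed by one path per line) that summarises what the script targets: paths per directive, which user profiles have Startup persistence listed, names that recur across profiles, and any path listed twice. It only reads the text and makes no claim about what ComboFix itself does with each directive; the sample is a subset of the script above with one path deliberately repeated.

```python
"""Read a ComboFix CFScript like the one above and report what it targets.

Added example; not part of the thread and not ComboFix code. A CFScript is
plain text: a line ending in '::' opens a directive (Collect:: and Folder::
appear above) and each following non-blank line is a path belonging to that
directive until the next one. Anything before the first directive (the forum
URL here) is a preamble. This script only reads the text; it does not
quarantine, delete or touch anything, and it does not model what ComboFix
does with each directive.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")
# Per-user Startup folder on Vista/7: the profile name is the component after c:\users\.
STARTUP_RE = re.compile(
    r"^c:\\users\\([^\\]+)\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\([^\\]+)$",
    re.IGNORECASE,
)
# c:\users\Default is the template copied for every newly created account;
# 'Default User' is the legacy name for the same profile.
TEMPLATE_PROFILES = {"default", "default user"}

# Constructed sample: a subset of the script above, with one path deliberately
# listed twice to exercise the duplicate check.
SAMPLE_SCRIPT = r"""
http://forums.techguy.org/7670112-post12.html

Collect::
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ygka.exe
c:\users\EMERGENCY ACCOUNT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aparc.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cierte.exe
c:\windows\system32\xolehmlp.dll
c:\windows\System32\gakizuf.dll
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cierte.exe
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygka.exe
c:\windows\system32\xolehmlp.dll

Folder::
c:\users\Ryan\AppData\Roaming\Aghadu
c:\programdata\lifobin
"""


def parse_cfscript(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (preamble lines, {directive: [paths in order]})."""
    preamble: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            preamble.append(line)
        else:
            sections[current].append(line)
    return preamble, sections


def startup_persistence(paths: List[str]) -> Dict[str, List[str]]:
    """Map profile name (lower-cased) -> executables listed in its Startup folder."""
    per_profile = defaultdict(set)
    for p in paths:
        m = STARTUP_RE.match(p)
        if m:
            per_profile[m.group(1).lower()].add(m.group(2).lower())
    return {prof: sorted(names) for prof, names in per_profile.items()}


def review(text: str) -> dict:
    """Summarise the script: directive counts, Startup persistence per profile,
    names reused across profiles, and paths listed more than once."""
    _, sections = parse_cfscript(text)
    collect = sections.get("Collect", [])
    profiles = startup_persistence(collect)
    name_counts = Counter(n for names in profiles.values() for n in names)
    lowered = [p.lower() for p in collect]
    return {
        "directives": sorted(sections),
        "collect_count": len(collect),
        "folder_count": len(sections.get("Folder", [])),
        "profiles": profiles,
        "template_profile_hits": {p: n for p, n in profiles.items() if p in TEMPLATE_PROFILES},
        "shared_names": sorted(n for n, c in name_counts.items() if c > 1),
        "duplicates": sorted({p for p in lowered if lowered.count(p) > 1}),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Run against the full script from the post, the `template_profile_hits` entry is the one to look at: every name listed under Default and Default User is a file that would be seeded into any account created after the infection, so those entries matter even though nobody logs in as "Default".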