hidden, un-deletable viruses

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

patrink

Thread Starter
Joined
Mar 30, 2010
Messages
7
I have these viruses on my computer in c:/program files (x86)/

They are hidden executable files in a folder with all numbers (1260932351), which I realized immediately contained a virus. So I tried deleting it... but it didn't work... it said I needed to have administrator privileges to delete it (yet I am the system administrator and on the administrator account). Then I tried deleting it in an admin CMD. It still said access is denied... so I tried to un-hide them using the ATTRIB command and it also said access is denied.

I run on Windows 7 and have full administrator privileges.

Any help on how to remove the viruses would be helpful, or at least how to un-hide them, because I think I may be able to delete them from there.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452

patrink

Thread Starter
Joined
Mar 30, 2010
Messages
7
DDS (Ver_10-03-17.01) - NTFSX64
Run by Patrink at 21:28:25.87 on 31/03/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.6143.4106 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k ipripsvc
C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe
C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Spyware Doctor\pctsTray.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\MHotKey.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Windows\ChiFuncExt.exe
C:\Windows\CNYHKey.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\ModLedKey.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Notepad++\notepad++.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Patrink\Documents\Downloads\dds.com
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=dx4820&r=1v3611094606p03d5vq05k47124320
uSearch Page =
uStart Page = hxxp://www.bigseekpro.com/hypercam/{B08D10EC-F51B-4E1E-9606-93684EE5D641}
uSearch Bar =
mStart Page = hxxp://www.bigseekpro.com/hypercam/{B08D10EC-F51B-4E1E-9606-93684EE5D641}
mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyServer = 125.163.236.167:8080
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files (x86)\zynga\tbZyng.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files (x86)\zynga\tbZyng.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files (x86)\zynga\tbZyng.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~2\micros~3\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files (x86)\zynga\tbZyng.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [Microsoft Windows] c:\users\patrink\appdata\local\temp\iexplore.exe
uRun: [swg] "c:\program files (x86)\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Gateway Photo Frame] "c:\program files (x86)\gateway photo frame\ButtonMonitor.exe" -A
mRun: [LchDrvKey] LchDrvKey.exe
mRun: [LedKey] CNYHKey.exe
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [ISTray] "c:\program files (x86)\spyware doctor\pctsTray.exe"
mRun: [BCSSync] "c:\program files (x86)\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files (x86)\ati\aticustomercare\ATICustomerCare.exe"
mRun: [TkBellExe] "c:\program files (x86)\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
StartupFolder: c:\users\patrink\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files (x86)\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &NeoTrace It! - c:\progra~2\neotra~1\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~2\micros~3\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - /105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files (x86)\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files (x86)\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {94F0C82D-9259-4E30-91C4-EC17706CFA28} = 207.164.234.193 207.164.234.129
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\common files\microsoft shared\office14\MSOXMLMF.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg64.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No File
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe
mRun-x64: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
IE-X64: {9885224C-1217-4c5f-83C2-00002E6CEF2B} - c:\progra~2\neotra~1\NTXtoolbar.htm
Hosts: 192.168.2.1 patrinkserver.game-server.cc
Hosts: 67.70.153.17 patrinkserver.game-server.cc
================= FIREFOX ===================

FF - ProfilePath - c:\users\patrink\appdata\roaming\mozilla\firefox\profiles\a6l87u94.default\
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\patrink\appdata\roaming\mozilla\firefox\profiles\a6l87u94.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\users\patrink\appdata\roaming\mozilla\firefox\profiles\a6l87u94.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\progra~2\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~2\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files (x86)\download manager\npfpdlm.dll
FF - plugin: c:\program files (x86)\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files (x86)\google\google updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files (x86)\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files (x86)\microsoft\office live\npOLW.dll
FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\patrink\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [2009-12-30 218056]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-12-11 202752]
R2 iprip;RIP Listener;c:\windows\system32\svchost.exe -k ipripsvc [2009-7-13 27136]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files (x86)\spyware doctor\pctsAuxs.exe [2009-12-30 359624]
R2 sdCoreService;PC Tools Security Service;c:\program files (x86)\spyware doctor\pctsSvc.exe [2009-12-30 1141712]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2009-12-11 6228480]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2009-12-11 160256]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y60x64.sys [2009-6-10 281088]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4924336]
S2 gupdate1ca7177902318ed;Google Update Service (gupdate1ca7177902318ed);c:\program files (x86)\google\update\GoogleUpdate.exe [2009-11-30 133104]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-18 1255736]
S4 Apache2.2;Apache2.2;c:\program files (x86)\apache software foundation\apache2.2\bin\httpd.exe [2010-3-4 24645]
S4 DynDNS Updater;DynDNS Updater;c:\program files (x86)\dyndns updater\DynUpSvc.exe [2010-1-20 99704]

=============== Created Last 30 ================

2010-03-31 03:22:20 0 d-----w- c:\program files\Bonjour
2010-03-31 03:22:20 0 d-----w- c:\program files (x86)\Bonjour
2010-03-28 17:22:06 0 d-----w- c:\windows\pss
2010-03-28 07:42:50 0 d-----w- c:\program files (x86)\Unlocker
2010-03-28 05:49:15 296448 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-03-28 05:47:26 0 d-----w- c:\program files\Autodesk
2010-03-28 05:47:26 0 d-----w- c:\program files (x86)\common files\Alias Shared
2010-03-27 21:50:03 0 d-----w- C:\Nexon
2010-03-27 21:50:02 0 d-----w- c:\programdata\NexonUS
2010-03-27 20:29:42 0 d-----w- c:\program files (x86)\Maple story
2010-03-27 20:23:40 0 d-----w- c:\programdata\PMB Files
2010-03-27 20:23:18 0 d-----w- c:\program files (x86)\Pando Networks
2010-03-27 19:19:16 0 d-----w- c:\program files (x86)\XN Resource Editor
2010-03-27 18:25:18 65536 ------w- c:\windows\system32\Ikeext.etl
2010-03-27 17:25:31 4710 ----a-w- c:\windows\syswow64\fc.ico
2010-03-27 17:25:31 2528 ----a-w- c:\windows\FCIC.INI
2010-03-27 17:25:31 0 d-----w- C:\Tools
2010-03-27 17:25:31 0 d-----w- C:\Settings
2010-03-27 17:25:31 0 d-----w- C:\Scripts
2010-03-27 17:25:31 0 d-----w- C:\Plugins
2010-03-27 17:25:31 0 d-----w- C:\Modems
2010-03-27 17:25:31 0 d-----w- C:\Images
2010-03-27 17:25:26 0 d-----w- c:\program files (x86)\FirstClass
2010-03-26 21:17:36 0 d-----w- c:\program files (x86)\NeoTracePro
2010-03-23 00:15:08 0 d-----w- c:\program files\iTunes
2010-03-23 00:15:08 0 d-----w- c:\program files\iPod
2010-03-23 00:15:08 0 d-----w- c:\program files (x86)\iTunes
2010-03-21 21:13:39 0 d-----w- c:\program files (x86)\1260932351
2010-03-21 03:27:24 0 d-----w- c:\windows\syswow64\Samsung_USB_Drivers
2010-03-21 03:27:10 766 ----a-w- c:\windows\syswow64\Uninstall.ico
2010-03-21 03:27:07 0 d-----w- c:\program files (x86)\Samsung
2010-03-20 08:12:38 369 ----a-w- c:\users\patrink\.jupload.properties
2010-03-20 04:59:58 0 d-----w- c:\program files (x86)\Apache Software Foundation
2010-03-20 04:49:54 0 d-----w- c:\programdata\DynDNS
2010-03-20 04:49:54 0 d-----w- c:\program files (x86)\DynDNS Updater
2010-03-19 18:47:35 0 d-----w- c:\program files (x86)\common files\Symantec Shared
2010-03-19 18:32:25 30760 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-19 18:32:25 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
2010-03-19 18:32:25 107368 ----a-w- c:\windows\syswow64\GEARAspi.dll
2010-03-19 18:32:24 0 d-----w- c:\programdata\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2010-03-19 18:31:21 0 d-----w- c:\programdata\Symantec
2010-03-19 18:31:21 0 d-----w- c:\program files (x86)\Norton 360 Premier Edition
2010-03-19 18:31:08 0 d-----w- c:\program files (x86)\NortonInstaller
2010-03-19 04:19:29 0 ----a-w- c:\users\patrink\Micro
2010-03-19 04:19:29 0 ----a-w- c:\users\patrink\Copyright
2010-03-19 04:19:25 0 ----a-w- c:\users\patrink\cls
2010-03-19 04:19:17 0 ----a-w- c:\users\patrink\Microsoft
2010-03-19 03:55:54 758018 ----a-w- c:\windows\syswow64\xvidcore.dll
2010-03-19 03:55:54 180224 ----a-w- c:\windows\syswow64\xvidvfw.dll
2010-03-19 03:55:54 139264 ----a-w- c:\windows\syswow64\xvid.ax
2010-03-19 03:55:53 0 d-----w- c:\program files (x86)\iWisoft Flash SWF to Video Converter
2010-03-18 04:00:18 0 d-----w- c:\windows\syswow64\Wat
2010-03-18 04:00:18 0 d-----w- c:\windows\system32\Wat
2010-03-18 00:48:56 0 d-----w- c:\windows\XSxS
2010-03-18 00:48:56 0 d-----w- c:\program files (x86)\Xenocode
2010-03-15 18:51:22 0 d-----w- c:\program files (x86)\GlobFX
2010-03-15 18:02:56 0 d-----w- c:\program files (x86)\common files\xing shared
2010-03-12 21:23:14 0 d-----w- c:\program files (x86)\Conduit
2010-03-12 21:23:13 0 d-----w- c:\program files (x86)\Zynga
2010-03-12 14:49:28 0 d-----w- c:\windows\CheckSur
2010-03-11 05:23:52 0 d-----w- c:\users\patrink\appdata\roaming\Facebook
2010-03-11 03:10:25 65536 --sha-w- c:\users\patrink\ntuser.dat{53cd422a-2cba-11df-9096-00251146d965}.TM.blf
2010-03-11 03:10:25 524288 --sha-w- c:\users\patrink\ntuser.dat{53cd422a-2cba-11df-9096-00251146d965}.TMContainer00000000000000000002.regtrans-ms
2010-03-11 03:10:25 524288 --sha-w- c:\users\patrink\ntuser.dat{53cd422a-2cba-11df-9096-00251146d965}.TMContainer00000000000000000001.regtrans-ms
2010-03-11 03:01:21 65536 ----a-w- c:\users\patrink\ntuser.dat{21fbc4e4-2cb9-11df-a256-00251146d965}.TM.blf
2010-03-11 03:01:21 524288 ----a-w- c:\users\patrink\ntuser.dat{21fbc4e4-2cb9-11df-a256-00251146d965}.TMContainer00000000000000000002.regtrans-ms
2010-03-11 03:01:21 524288 ----a-w- c:\users\patrink\ntuser.dat{21fbc4e4-2cb9-11df-a256-00251146d965}.TMContainer00000000000000000001.regtrans-ms
2010-03-11 02:52:50 65536 ----a-w- c:\users\patrink\ntuser.dat{5eaec912-2c87-11df-af79-00251146d965}.TM.blf
2010-03-11 02:52:50 524288 ----a-w- c:\users\patrink\ntuser.dat{5eaec912-2c87-11df-af79-00251146d965}.TMContainer00000000000000000002.regtrans-ms
2010-03-11 02:52:50 524288 ----a-w- c:\users\patrink\ntuser.dat{5eaec912-2c87-11df-af79-00251146d965}.TMContainer00000000000000000001.regtrans-ms
2010-03-07 07:54:30 0 d-----w- c:\users\patrink\appdata\roaming\codeblocks
2010-03-07 07:54:24 0 d-----w- c:\program files (x86)\CodeBlocks
2010-03-06 21:34:07 679936 ----a-w- c:\windows\syswow64\D3DX81ab.dll
2010-03-06 21:34:07 1970176 ----a-w- c:\windows\syswow64\d3dx9.dll
2010-03-06 21:34:07 0 d-----w- c:\program files (x86)\Cheat Engine
2010-03-06 20:28:16 0 d-----w- c:\program files (x86)\HyCam2
2010-03-06 20:04:16 0 d-----w- c:\program files (x86)\MakeYourOwnBrowser
2010-03-06 01:53:45 0 d-----w- c:\users\patrink\appdata\roaming\Safrad
2010-03-05 22:34:27 0 d-----r- c:\users\patrink\Virtual Machines
2010-03-05 05:19:15 0 d-----w- c:\program files (x86)\Windows Virtual PC
2010-03-05 02:01:12 0 d-----w- c:\program files\Windows XP Mode
2010-03-05 01:48:16 15872 ----a-w- c:\windows\system32\vpchbuspipe.dll
2010-03-05 01:48:03 95232 ----a-w- c:\windows\system32\drivers\vpcusb.sys
2010-03-05 01:48:03 187904 ----a-w- c:\windows\system32\drivers\vpchbus.sys
2010-03-05 01:48:00 793600 ----a-w- c:\windows\syswow64\vmsal.exe
2010-03-05 01:48:00 66304 ----a-w- c:\windows\system32\drivers\vpcnfltr.sys
2010-03-05 01:48:00 562176 ----a-w- c:\windows\system32\VMCPropertyHandler.dll
2010-03-05 01:48:00 359552 ----a-w- c:\windows\system32\drivers\vpcvmm.sys
2010-03-05 01:48:00 2262016 ----a-w- c:\windows\system32\VPCWizard.exe
2010-03-05 01:47:59 936448 ----a-w- c:\windows\system32\vmsal.exe
2010-03-05 01:47:59 4513792 ----a-w- c:\windows\system32\vpc.exe
2010-03-05 01:47:59 1369600 ----a-w- c:\windows\system32\VPCSettings.exe
2010-03-05 01:47:59 1209856 ----a-w- c:\windows\system32\VMWindow.exe
2010-03-05 00:11:22 41872 ----a-w- c:\windows\syswow64\xfcodec.dll
2010-03-05 00:11:22 27536 ----a-w- c:\windows\system32\xfcodec64.dll
2010-03-03 21:24:36 880912 ----a-w- c:\windows\WM8EUTIL.exe
2010-03-03 21:24:36 0 d-----w- c:\program files (x86)\CD to MP3 Freeware
2010-03-02 01:37:24 0 d-----w- c:\users\patrink\appdata\roaming\Resource Tuner
2010-03-02 01:37:16 0 d-----w- c:\program files (x86)\Resource Tuner

==================== Find3M ====================

2010-03-15 18:03:16 185920 ----a-w- c:\windows\syswow64\rmoc3260.dll
2010-03-15 18:03:01 6656 ----a-w- c:\windows\syswow64\pndx5016.dll
2010-03-15 18:03:01 5632 ----a-w- c:\windows\syswow64\pndx5032.dll
2010-03-15 18:02:42 278528 ----a-w- c:\windows\syswow64\pncrt.dll
2010-03-07 18:16:18 499712 ----a-w- c:\windows\syswow64\msvcp71.dll
2010-02-24 14:16:06 212864 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 08:22:50 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 07:56:00 977920 ----a-w- c:\windows\syswow64\wininet.dll
2010-02-23 07:55:56 1225216 ----a-w- c:\windows\syswow64\urlmon.dll
2010-02-23 07:55:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-02-23 07:55:43 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-02-23 07:55:43 5964800 ----a-w- c:\windows\syswow64\mshtml.dll
2010-02-23 07:55:24 10978816 ----a-w- c:\windows\syswow64\ieframe.dll
2010-02-23 07:55:20 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-02-12 16:01:24 95520 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:01:24 119584 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 15:46:14 91424 ----a-w- c:\windows\syswow64\dnssd.dll
2010-02-12 15:46:14 107808 ----a-w- c:\windows\syswow64\dns-sd.exe
2010-02-02 08:36:47 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-02 07:45:54 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-01-19 09:05:57 424960 ----a-w- c:\windows\system32\secproc.dll
2010-01-19 09:05:57 422912 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-19 09:05:57 121856 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-19 09:05:57 121856 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-19 09:00:44 305152 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-19 09:00:43 357888 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-19 09:00:37 356352 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-19 09:00:37 306688 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-18 23:29:31 85504 ----a-w- c:\windows\syswow64\secproc_ssp_isv.dll
2010-01-18 23:29:31 85504 ----a-w- c:\windows\syswow64\secproc_ssp.dll
2010-01-18 23:29:31 365568 ----a-w- c:\windows\syswow64\secproc_isv.dll
2010-01-18 23:29:30 369152 ----a-w- c:\windows\syswow64\secproc.dll
2010-01-18 23:28:33 324608 ----a-w- c:\windows\syswow64\RMActivate_isv.exe
2010-01-18 23:28:33 277504 ----a-w- c:\windows\syswow64\RMActivate_ssp_isv.exe
2010-01-18 23:28:30 320512 ----a-w- c:\windows\syswow64\RMActivate.exe
2010-01-18 23:28:30 280064 ----a-w- c:\windows\syswow64\RMActivate_ssp.exe
2010-01-11 20:39:17 0 ----a-w- c:\users\patrink\appdata\roaming\wklnhst.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
1999-04-23 22:22:22 12 --sha-w- c:\windows\system\WININETICMP32.drv
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 21:28:56.61 ===============
 

Attachments
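The DDS log above is what the helper reads by eye; the following is an added example (not part of the thread, of DDS, or of any tool mentioned in it) that applies the same triage mechanically to a constructed excerpt of that log: autorun entries started from a temp folder, a user-level proxy pointing at a public address, hosts-file pins, and orphaned BHO/toolbar entries. The regexes and heuristics are my own assumptions about the DDS line format, not DDS documentation.

```python
"""Triage a DDS 'Pseudo HJT Report' for the kinds of indicators this thread turned up.

Added example; not part of DDS, Malwarebytes or any post in the thread.
SAMPLE_REPORT is a constructed excerpt of the log posted above, with one
benign line per category included for contrast.
"""
import ipaddress
import re

SAMPLE_REPORT = r"""
uStart Page = hxxp://www.bigseekpro.com/hypercam/{B08D10EC-F51B-4E1E-9606-93684EE5D641}
uInternet Settings,ProxyServer = 125.163.236.167:8080
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Microsoft Windows] c:\users\patrink\appdata\local\temp\iexplore.exe
mRun: [ISTray] "c:\program files (x86)\spyware doctor\pctsTray.exe"
Hosts: 192.168.2.1 patrinkserver.game-server.cc
Hosts: 67.70.153.17 patrinkserver.game-server.cc
"""

# Assumed line shapes for the DDS entries we care about (u = per-user, m = machine).
RUN_RE = re.compile(r'^[um]Run(?:-x64)?:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$', re.I)
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(?P<host>[^:\s]+)(?::(?P<port>\d+))?', re.I)
HOSTS_RE = re.compile(r'^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)', re.I)
NOFILE_RE = re.compile(r'^(?P<kind>BHO|TB)(?:-X64)?:.*-\s+No File$', re.I)

TEMP_MARKERS = ('\\temp\\', '\\tmp\\')
# Names that malware commonly borrows; genuine copies live under these roots.
SYSTEM_NAMES = {'iexplore.exe', 'explorer.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe'}
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')
SEVERITY_ORDER = {'high': 0, 'review': 1, 'info': 2}


def image_path(cmd: str) -> str:
    """Return the executable path (lower-cased) from a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd.strip('"')).lower()
    m = re.search(r'^(.*?\.exe)', cmd, re.I)      # unquoted: take text up to the first .exe
    return (m.group(1) if m else cmd.split()[0]).lower()


def is_public(ip_text: str) -> bool:
    """True for a routable address (not loopback, link-local or RFC 1918)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                              # a hostname rather than a literal address
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(report: str):
    """Scan report lines and return (severity, category, detail) findings in line order."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            path = image_path(m['cmd'])
            exe = path.rsplit('\\', 1)[-1]
            if any(t in path for t in TEMP_MARKERS):
                findings.append(('high', 'autorun', f'[{m["name"]}] starts from a temp folder: {path}'))
            elif exe in SYSTEM_NAMES and not path.startswith(TRUSTED_ROOTS):
                findings.append(('high', 'autorun', f'[{m["name"]}] system binary name outside Windows/Program Files: {path}'))
            continue
        m = PROXY_RE.match(line)
        if m:
            # A per-user proxy to a public host routes all browsing through a third party.
            sev = 'high' if is_public(m['host']) else 'review'
            findings.append((sev, 'proxy', f'user proxy set to {m["host"]}:{m["port"] or "?"}'))
            continue
        m = HOSTS_RE.match(line)
        if m:
            # Hosts pins to private addresses are usually the owner's own (as in this thread).
            sev = 'review' if is_public(m['ip']) else 'info'
            findings.append((sev, 'hosts', f'{m["name"]} pinned to {m["ip"]}'))
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings.append(('info', 'orphan', f'{m["kind"]} entry with no backing file: {line}'))
    return findings


if __name__ == '__main__':
    for sev, cat, detail in sorted(triage(SAMPLE_REPORT), key=lambda f: SEVERITY_ORDER[f[0]]):
        print(f'{sev:6} {cat:8} {detail}')
```

On the sample the two "high" findings are exactly the items Malwarebytes later quarantined or the helper would question: the Run value named "Microsoft Windows" launching iexplore.exe from Temp, and the proxy setting.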

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Download Suspicious File Packer from http://www.safer-networking.org/en/tools/index.html (direct download http://www.safer-networking.org/files/sfp.zip )

Unzip it to the desktop, open it & paste in the contents of the quote box below, press Next & it will create an archive (zip/cab file) on the desktop.

Please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files.

Just press New Topic, fill in the needed details and just give a link to your post here, then press the Browse button and navigate to & select the files on your computer. When the file is listed in the window, press Send to upload the file.


c:\program files (x86)\1260932351\*.*
then


Please download Malwarebytes' Anti-Malware to your desktop
from HERE or HERE

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please include this log in your next reply.

It might ask you to reboot to finish cleaning. Please do so. (Press YES on the alert.)
If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot, please reboot a second time. It is normal for this error to occur once and it does not need to be reported unless it continues on every boot.
 

patrink

Thread Starter
Joined
Mar 30, 2010
Messages
7
That is odd... I opened the .cab file and inside the file it says:
Requests:
c:\program files (x86)\1260932351\*.*

Operations:
- could not add: c:\program files (x86)\1260932351\Patrink1260932351L.exe
- could not add: c:\program files (x86)\1260932351\Patrink1260932351W.exe



Also, the malware scanner did not pick up those files either and they are still on my hard drive.

Here is the log:


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3947

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

02/04/2010 11:27:01 AM
mbam-log-2010-04-02 (11-27-01).txt

Scan type: Quick scan
Objects scanned: 107742
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft windows (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Patrink\Documents\downloads\hfs.exe (Application.ServerHTTP) -> Quarantined and deleted successfully.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Try it again using this as the details to paste in the box:

c:\program files (x86)\1260932351\Patrink1260932351L.exe
c:\program files (x86)\1260932351\Patrink1260932351W.exe

You might have to right-click sfp.exe & select Run as administrator for it to work in 64-bit W7.
 

patrink

Thread Starter
Joined
Mar 30, 2010
Messages
7
Ran it as administrator 3 times now, and pasted in the details, but what I still get is:

Requests:
c:\program files (x86)\1260932351\Patrink1260932351L.exe
c:\program files (x86)\1260932351\Patrink1260932351W.exe

Operations:
- could not add: c:\program files (x86)\1260932351\Patrink1260932351L.exe
- could not add: c:\program files (x86)\1260932351\Patrink1260932351W.exe
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
OK, let's see what we can do with this.

I have seen these a bit recently & they might be connected with the Norton uninstaller; however, we feel that removal is safer.

Download OTScanIt.exe to your Desktop
  • Close any open browsers.
  • If your real-time protection or antivirus intervenes with OTScanIt, allow it to run.
  • Double-click on OTS.exe to start the program.
  • Now on the toolbar at the top select "Scan all users" then click the Run Scan button
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.
 

patrink

Thread Starter
Joined
Mar 30, 2010
Messages
7
It's 228k characters long... and the limit is 30000... it's attached...

edit:
Under "Created Within 60 Days" I can see it, but how does this help me?


1260932351 -> C:\Program Files (x86)\1260932351 -> [2010/03/21 17:13:39 | 000,000,000 | ---D | C]
 

Attachments

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Start OTS. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.


Code:
[Kill All Processes]
[Unregister Dlls]
[Files/Folders - Created Within 60 Days]
NY ->  1260932351 -> C:\Program Files (x86)\1260932351
[Files/Folders - Modified Within 60 Days]
NY ->  71 C:\Users\Patrink\AppData\Local\Temp\*.tmp files -> C:\Users\Patrink\AppData\Local\Temp\*.tmp
NY ->  71 C:\Users\Patrink\AppData\Local\Temp\*.tmp files -> C:\Users\Patrink\AppData\Local\Temp\*.tmp
NY ->  71 C:\Users\Patrink\AppData\Local\Temp\*.tmp files -> C:\Users\Patrink\AppData\Local\Temp\*.tmp
[Empty Temp Folders]
[Start Explorer]
[ZipFiles]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

I see you have TrueCrypt.

Is it possible that you have encrypted that folder & that is why it won't delete?
 

patrink

Thread Starter
Joined
Mar 30, 2010
Messages
7
TrueCrypt was for my USB, not anything else. Which reminds me to delete 2 or 3 programs I forgot to delete for a while now.
 

patrink

Thread Starter
Joined
Mar 30, 2010
Messages
7
There was an error in the process but the file no longer exists at c:\...\1260932351

This is the log:

Files\Folders moved on Reboot...
File move failed. C:\Users\Patrink\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

EDIT: also, before I shut off my computer yesterday I was getting an error saying "could not open file C:\program files (x86)\..... incorrect directory" or something like that, I do not recall at the moment, and "could not save file at c:\program files (x86)\....." for 3 programs, which I suspected the viruses were causing. But now I am able to save/open/etc. anything.


Also, those aren't downloads; I save a couple of files in c:\program files (x86)\ rather than on my desktop like I used to. I find it saves space and helps with clutter.
 