
hidden, un-deletable viruses

Discussion in 'Virus & Other Malware Removal' started by patrink, Mar 30, 2010.

  1. patrink

    patrink Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    7
    I have these viruses on my computer in c:/program files (x86)/

    They are hidden executable files in a folder with all numbers (1260932351), which I realized immediately contained a virus. So I tried deleting it... but it didn't work... it said I needed to have administrator privileges to delete it (yet I am the system administrator and on the administrator account). Then I tried deleting it in admin CMD. It still said access is denied... so I tried to un-hide them using the ATTRIB command and it also said access is denied.

    I run on Windows 7 and have full administrator privileges.

    Any help on how to remove the viruses would be helpful. Or at least how to un-hide them, because I think I may be able to delete them from there.
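    The "access is denied even though I am the administrator" symptom in the post above has a short list of ordinary causes that can be checked from user mode before reaching for a removal tool: the hidden/system attributes the poster tried to clear with ATTRIB, a file owned by a different principal (SYSTEM, TrustedInstaller), an explicit Deny entry on the file or on its parent folder, a non-elevated prompt under UAC, or a handle held open by a running process. The PowerShell below is an added diagnostic, not something posted in the thread; the function name Get-DeletionBlockers is this example's own, and the folder path it inspects is the one the poster named.

```powershell
# Added example (not posted in the thread): report the user-mode reasons a file
# can refuse deletion from an elevated prompt. Get-DeletionBlockers is this
# example's own name; the folder path at the bottom is the one named in the post.
function Get-DeletionBlockers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    # -Force is required or hidden/system items are not returned at all.
    $item = Get-Item -LiteralPath $Path -Force
    $acl  = Get-Acl -LiteralPath $Path

    # An explicit Deny ACE on the object overrides any Allow inherited from the parent.
    $denies = @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
        ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.FileSystemRights })

    # Deleting a child also needs Delete (or DeleteSubdirectoriesAndFiles) on the parent,
    # so a Deny there blocks deletion even when the file's own ACL looks fine.
    $parent = [System.IO.Path]::GetDirectoryName($Path)
    $parentDenies = @()
    if ($parent) {
        $parentDenies = @((Get-Acl -LiteralPath $parent).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.FileSystemRights })
    }

    # Being a member of Administrators is not the same as running elevated under UAC.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        Path           = $Path
        Exists         = $true
        Attributes     = $item.Attributes.ToString()   # e.g. "Hidden, System, Archive"
        Owner          = $acl.Owner
        OwnedByAdmins  = ($acl.Owner -eq 'BUILTIN\Administrators')
        Elevated       = $elevated
        ExplicitDenies = $denies
        ParentDenies   = $parentDenies
    }
}

# Usage (run from an elevated PowerShell): the folder from the thread and its contents.
$suspect = 'C:\Program Files (x86)\1260932351'
$targets = @(Get-Item -LiteralPath $suspect -Force -ErrorAction SilentlyContinue) +
           @(Get-ChildItem -LiteralPath $suspect -Force -ErrorAction SilentlyContinue)
$targets | ForEach-Object { Get-DeletionBlockers -Path $_.FullName } | Format-List
```

    If Attributes, Owner and the two Deny lists look ordinary and Elevated is True, what remains is a process holding the file open or a kernel driver protecting it, neither of which a plain del can get past; that is why the moderator's eventual OTS fix later in this thread starts with [Kill All Processes] before touching the folder.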
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
  3. patrink

    patrink Thread Starter

    DDS (Ver_10-03-17.01) - NTFSX64
    Run by Patrink at 21:28:25.87 on 31/03/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.6143.4106 [GMT -4:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k ipripsvc
    C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe
    C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe
    C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\atieclxx.exe
    C:\Program Files (x86)\Spyware Doctor\pctsTray.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\MHotKey.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
    C:\Windows\ChiFuncExt.exe
    C:\Windows\CNYHKey.exe
    C:\Program Files (x86)\Java\jre6\bin\jusched.exe
    C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\ModLedKey.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files (x86)\iTunes\iTunes.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Notepad++\notepad++.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Patrink\Documents\Downloads\dds.com
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=dx4820&r=1v3611094606p03d5vq05k47124320
    uSearch Page =
    uStart Page = hxxp://www.bigseekpro.com/hypercam/{B08D10EC-F51B-4E1E-9606-93684EE5D641}
    uSearch Bar =
    mStart Page = hxxp://www.bigseekpro.com/hypercam/{B08D10EC-F51B-4E1E-9606-93684EE5D641}
    mLocal Page = c:\windows\syswow64\blank.htm
    uInternet Settings,ProxyServer = 125.163.236.167:8080
    uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files (x86)\zynga\tbZyng.dll
    mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files (x86)\zynga\tbZyng.dll
    mWinlogon: Userinit=userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files (x86)\zynga\tbZyng.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~2\micros~3\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll
    TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files (x86)\zynga\tbZyng.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
    uRun: [Microsoft Windows] c:\users\patrink\appdata\local\temp\iexplore.exe
    uRun: [swg] "c:\program files (x86)\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [Gateway Photo Frame] "c:\program files (x86)\gateway photo frame\ButtonMonitor.exe" -A
    mRun: [LchDrvKey] LchDrvKey.exe
    mRun: [LedKey] CNYHKey.exe
    mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
    mRun: [ISTray] "c:\program files (x86)\spyware doctor\pctsTray.exe"
    mRun: [BCSSync] "c:\program files (x86)\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [ATICustomerCare] "c:\program files (x86)\ati\aticustomercare\ATICustomerCare.exe"
    mRun: [TkBellExe] "c:\program files (x86)\common files\real\update_ob\realsched.exe" -osboot
    mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
    StartupFolder: c:\users\patrink\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files (x86)\common files\adobe\calibration\Adobe Gamma Loader.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &NeoTrace It! - c:\progra~2\neotra~1\NTXcontext.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\micros~3\office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Se&nd to OneNote - /105
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files (x86)\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files (x86)\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    TCP: {94F0C82D-9259-4E30-91C4-EC17706CFA28} = 207.164.234.193 207.164.234.129
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\common files\microsoft shared\office14\MSOXMLMF.DLL
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
    BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg64.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\progra~1\micros~2\office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll
    TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB-X64: {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No File
    mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe
    mRun-x64: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
    IE-X64: {9885224C-1217-4c5f-83C2-00002E6CEF2B} - c:\progra~2\neotra~1\NTXtoolbar.htm
    Hosts: 192.168.2.1 patrinkserver.game-server.cc
    Hosts: 67.70.153.17 patrinkserver.game-server.cc
    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\patrink\appdata\roaming\mozilla\firefox\profiles\a6l87u94.default\
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\users\patrink\appdata\roaming\mozilla\firefox\profiles\a6l87u94.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
    FF - component: c:\users\patrink\appdata\roaming\mozilla\firefox\profiles\a6l87u94.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\progra~2\micros~3\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~2\micros~3\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files (x86)\download manager\npfpdlm.dll
    FF - plugin: c:\program files (x86)\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files (x86)\google\google updater\2.4.1851.5542\npCIDetect14.dll
    FF - plugin: c:\program files (x86)\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files (x86)\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\users\patrink\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\windows\system32\wat\npWatWeb.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [2009-12-30 218056]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-12-11 202752]
    R2 iprip;RIP Listener;c:\windows\system32\svchost.exe -k ipripsvc [2009-7-13 27136]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files (x86)\spyware doctor\pctsAuxs.exe [2009-12-30 359624]
    R2 sdCoreService;PC Tools Security Service;c:\program files (x86)\spyware doctor\pctsSvc.exe [2009-12-30 1141712]
    R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2009-12-11 6228480]
    R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2009-12-11 160256]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y60x64.sys [2009-6-10 281088]
    R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4924336]
    S2 gupdate1ca7177902318ed;Google Update Service (gupdate1ca7177902318ed);c:\program files (x86)\google\update\GoogleUpdate.exe [2009-11-30 133104]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-18 1255736]
    S4 Apache2.2;Apache2.2;c:\program files (x86)\apache software foundation\apache2.2\bin\httpd.exe [2010-3-4 24645]
    S4 DynDNS Updater;DynDNS Updater;c:\program files (x86)\dyndns updater\DynUpSvc.exe [2010-1-20 99704]

    =============== Created Last 30 ================

    2010-03-31 03:22:20 0 d-----w- c:\program files\Bonjour
    2010-03-31 03:22:20 0 d-----w- c:\program files (x86)\Bonjour
    2010-03-28 17:22:06 0 d-----w- c:\windows\pss
    2010-03-28 07:42:50 0 d-----w- c:\program files (x86)\Unlocker
    2010-03-28 05:49:15 296448 ----a-w- c:\windows\system32\drivers\hardlock.sys
    2010-03-28 05:47:26 0 d-----w- c:\program files\Autodesk
    2010-03-28 05:47:26 0 d-----w- c:\program files (x86)\common files\Alias Shared
    2010-03-27 21:50:03 0 d-----w- C:\Nexon
    2010-03-27 21:50:02 0 d-----w- c:\programdata\NexonUS
    2010-03-27 20:29:42 0 d-----w- c:\program files (x86)\Maple story
    2010-03-27 20:23:40 0 d-----w- c:\programdata\PMB Files
    2010-03-27 20:23:18 0 d-----w- c:\program files (x86)\Pando Networks
    2010-03-27 19:19:16 0 d-----w- c:\program files (x86)\XN Resource Editor
    2010-03-27 18:25:18 65536 ------w- c:\windows\system32\Ikeext.etl
    2010-03-27 17:25:31 4710 ----a-w- c:\windows\syswow64\fc.ico
    2010-03-27 17:25:31 2528 ----a-w- c:\windows\FCIC.INI
    2010-03-27 17:25:31 0 d-----w- C:\Tools
    2010-03-27 17:25:31 0 d-----w- C:\Settings
    2010-03-27 17:25:31 0 d-----w- C:\Scripts
    2010-03-27 17:25:31 0 d-----w- C:\Plugins
    2010-03-27 17:25:31 0 d-----w- C:\Modems
    2010-03-27 17:25:31 0 d-----w- C:\Images
    2010-03-27 17:25:26 0 d-----w- c:\program files (x86)\FirstClass
    2010-03-26 21:17:36 0 d-----w- c:\program files (x86)\NeoTracePro
    2010-03-23 00:15:08 0 d-----w- c:\program files\iTunes
    2010-03-23 00:15:08 0 d-----w- c:\program files\iPod
    2010-03-23 00:15:08 0 d-----w- c:\program files (x86)\iTunes
    2010-03-21 21:13:39 0 d-----w- c:\program files (x86)\1260932351
    2010-03-21 03:27:24 0 d-----w- c:\windows\syswow64\Samsung_USB_Drivers
    2010-03-21 03:27:10 766 ----a-w- c:\windows\syswow64\Uninstall.ico
    2010-03-21 03:27:07 0 d-----w- c:\program files (x86)\Samsung
    2010-03-20 08:12:38 369 ----a-w- c:\users\patrink\.jupload.properties
    2010-03-20 04:59:58 0 d-----w- c:\program files (x86)\Apache Software Foundation
    2010-03-20 04:49:54 0 d-----w- c:\programdata\DynDNS
    2010-03-20 04:49:54 0 d-----w- c:\program files (x86)\DynDNS Updater
    2010-03-19 18:47:35 0 d-----w- c:\program files (x86)\common files\Symantec Shared
    2010-03-19 18:32:25 30760 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-03-19 18:32:25 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
    2010-03-19 18:32:25 107368 ----a-w- c:\windows\syswow64\GEARAspi.dll
    2010-03-19 18:32:24 0 d-----w- c:\programdata\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
    2010-03-19 18:31:21 0 d-----w- c:\programdata\Symantec
    2010-03-19 18:31:21 0 d-----w- c:\program files (x86)\Norton 360 Premier Edition
    2010-03-19 18:31:08 0 d-----w- c:\program files (x86)\NortonInstaller
    2010-03-19 04:19:29 0 ----a-w- c:\users\patrink\Micro
    2010-03-19 04:19:29 0 ----a-w- c:\users\patrink\Copyright
    2010-03-19 04:19:25 0 ----a-w- c:\users\patrink\cls
    2010-03-19 04:19:17 0 ----a-w- c:\users\patrink\Microsoft
    2010-03-19 03:55:54 758018 ----a-w- c:\windows\syswow64\xvidcore.dll
    2010-03-19 03:55:54 180224 ----a-w- c:\windows\syswow64\xvidvfw.dll
    2010-03-19 03:55:54 139264 ----a-w- c:\windows\syswow64\xvid.ax
    2010-03-19 03:55:53 0 d-----w- c:\program files (x86)\iWisoft Flash SWF to Video Converter
    2010-03-18 04:00:18 0 d-----w- c:\windows\syswow64\Wat
    2010-03-18 04:00:18 0 d-----w- c:\windows\system32\Wat
    2010-03-18 00:48:56 0 d-----w- c:\windows\XSxS
    2010-03-18 00:48:56 0 d-----w- c:\program files (x86)\Xenocode
    2010-03-15 18:51:22 0 d-----w- c:\program files (x86)\GlobFX
    2010-03-15 18:02:56 0 d-----w- c:\program files (x86)\common files\xing shared
    2010-03-12 21:23:14 0 d-----w- c:\program files (x86)\Conduit
    2010-03-12 21:23:13 0 d-----w- c:\program files (x86)\Zynga
    2010-03-12 14:49:28 0 d-----w- c:\windows\CheckSur
    2010-03-11 05:23:52 0 d-----w- c:\users\patrink\appdata\roaming\Facebook
    2010-03-11 03:10:25 65536 --sha-w- c:\users\patrink\ntuser.dat{53cd422a-2cba-11df-9096-00251146d965}.TM.blf
    2010-03-11 03:10:25 524288 --sha-w- c:\users\patrink\ntuser.dat{53cd422a-2cba-11df-9096-00251146d965}.TMContainer00000000000000000002.regtrans-ms
    2010-03-11 03:10:25 524288 --sha-w- c:\users\patrink\ntuser.dat{53cd422a-2cba-11df-9096-00251146d965}.TMContainer00000000000000000001.regtrans-ms
    2010-03-11 03:01:21 65536 ----a-w- c:\users\patrink\ntuser.dat{21fbc4e4-2cb9-11df-a256-00251146d965}.TM.blf
    2010-03-11 03:01:21 524288 ----a-w- c:\users\patrink\ntuser.dat{21fbc4e4-2cb9-11df-a256-00251146d965}.TMContainer00000000000000000002.regtrans-ms
    2010-03-11 03:01:21 524288 ----a-w- c:\users\patrink\ntuser.dat{21fbc4e4-2cb9-11df-a256-00251146d965}.TMContainer00000000000000000001.regtrans-ms
    2010-03-11 02:52:50 65536 ----a-w- c:\users\patrink\ntuser.dat{5eaec912-2c87-11df-af79-00251146d965}.TM.blf
    2010-03-11 02:52:50 524288 ----a-w- c:\users\patrink\ntuser.dat{5eaec912-2c87-11df-af79-00251146d965}.TMContainer00000000000000000002.regtrans-ms
    2010-03-11 02:52:50 524288 ----a-w- c:\users\patrink\ntuser.dat{5eaec912-2c87-11df-af79-00251146d965}.TMContainer00000000000000000001.regtrans-ms
    2010-03-07 07:54:30 0 d-----w- c:\users\patrink\appdata\roaming\codeblocks
    2010-03-07 07:54:24 0 d-----w- c:\program files (x86)\CodeBlocks
    2010-03-06 21:34:07 679936 ----a-w- c:\windows\syswow64\D3DX81ab.dll
    2010-03-06 21:34:07 1970176 ----a-w- c:\windows\syswow64\d3dx9.dll
    2010-03-06 21:34:07 0 d-----w- c:\program files (x86)\Cheat Engine
    2010-03-06 20:28:16 0 d-----w- c:\program files (x86)\HyCam2
    2010-03-06 20:04:16 0 d-----w- c:\program files (x86)\MakeYourOwnBrowser
    2010-03-06 01:53:45 0 d-----w- c:\users\patrink\appdata\roaming\Safrad
    2010-03-05 22:34:27 0 d-----r- c:\users\patrink\Virtual Machines
    2010-03-05 05:19:15 0 d-----w- c:\program files (x86)\Windows Virtual PC
    2010-03-05 02:01:12 0 d-----w- c:\program files\Windows XP Mode
    2010-03-05 01:48:16 15872 ----a-w- c:\windows\system32\vpchbuspipe.dll
    2010-03-05 01:48:03 95232 ----a-w- c:\windows\system32\drivers\vpcusb.sys
    2010-03-05 01:48:03 187904 ----a-w- c:\windows\system32\drivers\vpchbus.sys
    2010-03-05 01:48:00 793600 ----a-w- c:\windows\syswow64\vmsal.exe
    2010-03-05 01:48:00 66304 ----a-w- c:\windows\system32\drivers\vpcnfltr.sys
    2010-03-05 01:48:00 562176 ----a-w- c:\windows\system32\VMCPropertyHandler.dll
    2010-03-05 01:48:00 359552 ----a-w- c:\windows\system32\drivers\vpcvmm.sys
    2010-03-05 01:48:00 2262016 ----a-w- c:\windows\system32\VPCWizard.exe
    2010-03-05 01:47:59 936448 ----a-w- c:\windows\system32\vmsal.exe
    2010-03-05 01:47:59 4513792 ----a-w- c:\windows\system32\vpc.exe
    2010-03-05 01:47:59 1369600 ----a-w- c:\windows\system32\VPCSettings.exe
    2010-03-05 01:47:59 1209856 ----a-w- c:\windows\system32\VMWindow.exe
    2010-03-05 00:11:22 41872 ----a-w- c:\windows\syswow64\xfcodec.dll
    2010-03-05 00:11:22 27536 ----a-w- c:\windows\system32\xfcodec64.dll
    2010-03-03 21:24:36 880912 ----a-w- c:\windows\WM8EUTIL.exe
    2010-03-03 21:24:36 0 d-----w- c:\program files (x86)\CD to MP3 Freeware
    2010-03-02 01:37:24 0 d-----w- c:\users\patrink\appdata\roaming\Resource Tuner
    2010-03-02 01:37:16 0 d-----w- c:\program files (x86)\Resource Tuner

    ==================== Find3M ====================

    2010-03-15 18:03:16 185920 ----a-w- c:\windows\syswow64\rmoc3260.dll
    2010-03-15 18:03:01 6656 ----a-w- c:\windows\syswow64\pndx5016.dll
    2010-03-15 18:03:01 5632 ----a-w- c:\windows\syswow64\pndx5032.dll
    2010-03-15 18:02:42 278528 ----a-w- c:\windows\syswow64\pncrt.dll
    2010-03-07 18:16:18 499712 ----a-w- c:\windows\syswow64\msvcp71.dll
    2010-02-24 14:16:06 212864 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-23 08:22:50 1192960 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 07:56:00 977920 ----a-w- c:\windows\syswow64\wininet.dll
    2010-02-23 07:55:56 1225216 ----a-w- c:\windows\syswow64\urlmon.dll
    2010-02-23 07:55:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
    2010-02-23 07:55:43 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
    2010-02-23 07:55:43 5964800 ----a-w- c:\windows\syswow64\mshtml.dll
    2010-02-23 07:55:24 10978816 ----a-w- c:\windows\syswow64\ieframe.dll
    2010-02-23 07:55:20 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
    2010-02-12 16:01:24 95520 ----a-w- c:\windows\system32\dnssd.dll
    2010-02-12 16:01:24 119584 ----a-w- c:\windows\system32\dns-sd.exe
    2010-02-12 15:46:14 91424 ----a-w- c:\windows\syswow64\dnssd.dll
    2010-02-12 15:46:14 107808 ----a-w- c:\windows\syswow64\dns-sd.exe
    2010-02-02 08:36:47 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-02-02 07:45:54 2048 ----a-w- c:\windows\syswow64\tzres.dll
    2010-01-19 09:05:57 424960 ----a-w- c:\windows\system32\secproc.dll
    2010-01-19 09:05:57 422912 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-19 09:05:57 121856 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-19 09:05:57 121856 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-19 09:00:44 305152 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-19 09:00:43 357888 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-19 09:00:37 356352 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-19 09:00:37 306688 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-18 23:29:31 85504 ----a-w- c:\windows\syswow64\secproc_ssp_isv.dll
    2010-01-18 23:29:31 85504 ----a-w- c:\windows\syswow64\secproc_ssp.dll
    2010-01-18 23:29:31 365568 ----a-w- c:\windows\syswow64\secproc_isv.dll
    2010-01-18 23:29:30 369152 ----a-w- c:\windows\syswow64\secproc.dll
    2010-01-18 23:28:33 324608 ----a-w- c:\windows\syswow64\RMActivate_isv.exe
    2010-01-18 23:28:33 277504 ----a-w- c:\windows\syswow64\RMActivate_ssp_isv.exe
    2010-01-18 23:28:30 320512 ----a-w- c:\windows\syswow64\RMActivate.exe
    2010-01-18 23:28:30 280064 ----a-w- c:\windows\syswow64\RMActivate_ssp.exe
    2010-01-11 20:39:17 0 ----a-w- c:\users\patrink\appdata\roaming\wklnhst.dat
    2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
    2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    1999-04-23 22:22:22 12 --sha-w- c:\windows\system\WININETICMP32.drv
    2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 21:28:56.61 ===============
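    The DDS report above is long, but an analyst reads only a few line types first. Three things in this particular log stand out: a per-user proxy at 125.163.236.167:8080 in the Internet Settings line, a Run entry named [Microsoft Windows] that launches an iexplore.exe out of the user's temp folder, and several BHO/TB entries marked No File. The Malwarebytes log later in the thread identifies that Run entry as Backdoor.IRCBot; the proxy is worth confirming with the machine's owner. The PowerShell below is an added example of that triage pass, not part of DDS or of the thread; Find-DdsIndicators and its rule table are this example's own, and the sample lines are copied from the log above.

```powershell
# Added example (not part of DDS or of this thread): a first-pass triage of the
# "Pseudo HJT Report" lines in a DDS log. Find-DdsIndicators and the rule table
# are this example's own; the sample lines at the bottom are copied from the
# log posted above.
function Find-DdsIndicators {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Lines
    )

    # Each rule is a deliberately narrow regex plus the reason an analyst cares.
    # A named group "detail" captures the part worth surfacing; otherwise the
    # whole line is reported.
    $rules = @(
        @{ Name  = 'AutorunFromTemp'
           Regex = '^(u|m)Run(-x64)?: \[[^\]]+\] "?(?<detail>[^"]*\\temp\\[^"]+)'
           Why   = 'Run entry launches from a temp folder; installed software does not persist there' },
        @{ Name  = 'ProxyServerSet'
           Regex = '^uInternet Settings,ProxyServer = (?<detail>\S+)'
           Why   = 'per-user proxy configured; browser traffic is routed through this host' },
        @{ Name  = 'LookalikeName'
           Regex = '^(u|m)Run(-x64)?: \[(?<detail>Microsoft Windows|Windows Update|System)\]'
           Why   = 'autorun display name imitates an OS component' },
        @{ Name  = 'OrphanedComponent'
           Regex = '^(BHO|TB)(-X64)?: .* - No File$'
           Why   = 'registered browser component whose file is missing' }
    )

    foreach ($raw in $Lines) {
        $line = $raw.Trim()   # DDS logs pasted into a forum often carry leading spaces
        foreach ($rule in $rules) {
            if ($line -match $rule.Regex) {
                $detail = if ($Matches.ContainsKey('detail')) { $Matches['detail'] } else { $line }
                [pscustomobject]@{
                    Rule   = $rule.Name
                    Detail = $detail
                    Why    = $rule.Why
                }
            }
        }
    }
}

# Sample input: five lines copied from the DDS log in this thread. The msnmsgr
# line is ordinary and must not be flagged; the temp-folder iexplore.exe line
# should trip two rules.
$sampleText = @'
uInternet Settings,ProxyServer = 125.163.236.167:8080
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [Microsoft Windows] c:\users\patrink\appdata\local\temp\iexplore.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB-X64: {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No File
'@
$sample = $sampleText -split '\r?\n'

Find-DdsIndicators -Lines $sample | Format-Table Rule, Detail, Why -Wrap
```

    The rules are intentionally narrow so that a hit means something: a Run entry living under a temp folder and a Run entry whose display name imitates the operating system are each a strong signal on their own, and when one line trips both, as the iexplore.exe entry here does, it belongs at the top of the list. Orphaned No File entries are usually just leftovers and are listed for cleanup rather than as evidence of infection.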
     

  4. dvk01

    dvk01 Moderator Malware Specialist

    Download Suspicious File Packer from http://www.safer-networking.org/en/tools/index.html (direct download http://www.safer-networking.org/files/sfp.zip )

    Unzip it to the desktop, open it & paste in the contents of the quote box below, press Next & it will create an archive (zip/cab file) on the desktop.

    Please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files.

    Just press New Topic, fill in the needed details and just give a link to your post here, & then press the Browse button and navigate to & select the files on your computer. When the file is listed in the window, press Send to upload the file.

    Then


    Please download Malwarebytes' Anti-Malware to your desktop
    from HERE or HERE

    Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

    Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

    If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
    Once the program has loaded, select Perform quick scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad.
    Please include this log in your next reply.

    It might ask you to reboot to finish cleaning. Please do so. (Press YES on the alert.)
    If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot, please reboot a second time. It is normal for this error to occur once and it does not need to be reported unless it continues on every boot.
     
  5. patrink

    patrink Thread Starter

    That is odd... I opened the .cab file and inside the file it says
    Requests:
    c:\program files (x86)\1260932351\*.*

    Operations:
    - could not add: c:\program files (x86)\1260932351\Patrink1260932351L.exe
    - could not add: c:\program files (x86)\1260932351\Patrink1260932351W.exe



    Also, the malware scanner did not pick up those files either, and they are still on my hard drive.

    Here is the log:


    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3947

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    02/04/2010 11:27:01 AM
    mbam-log-2010-04-02 (11-27-01).txt

    Scan type: Quick scan
    Objects scanned: 107742
    Time elapsed: 3 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft windows (Backdoor.IRCBot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\Patrink\Documents\downloads\hfs.exe (Application.ServerHTTP) -> Quarantined and deleted successfully.
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Try it again using this as the details to paste in the box:

    c:\program files (x86)\1260932351\Patrink1260932351L.exe
    c:\program files (x86)\1260932351\Patrink1260932351W.exe

    You might have to right-click sfp.exe & select Run as admin for it to work in 64-bit W7.
     
  7. patrink

    patrink Thread Starter

    Ran it as administrator 3 times now, and pasted in the details, but what I still get is:

    Requests:
    c:\program files (x86)\1260932351\Patrink1260932351L.exe
    c:\program files (x86)\1260932351\Patrink1260932351W.exe

    Operations:
    - could not add: c:\program files (x86)\1260932351\Patrink1260932351L.exe
    - could not add: c:\program files (x86)\1260932351\Patrink1260932351W.exe
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
OK, let's see what we can do with this.

    I have seen these a bit recently & they might be connected with the Norton uninstaller; however, we feel that removal is safer.

    Download OTScanIt.exe to your Desktop
    • Close any open browsers.
    • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
    • Double-click on OTS.exe to start the program.
• Now, on the toolbar at the top, select "Scan all users", then click the Run Scan button.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file
    If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.
     
  9. patrink

    patrink Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    7
It's 228k characters long... and the limit is 30000... it's attached.

    Edit:
    Under "Created Within 60 Days" I can see it, but how does this help me?


    1260932351 -> C:\Program Files (x86)\1260932351 -> [2010/03/21 17:13:39 | 000,000,000 | ---D | C]
     

    Attached Files:

    • OTS.Txt
      File size:
      446.5 KB
      Views:
      1
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,452
    First Name:
    Derek
    Start OTS. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.


    Code:
    [Kill All Processes]
    [Unregister Dlls]
    [Files/Folders - Created Within 60 Days]
    NY ->  1260932351 -> C:\Program Files (x86)\1260932351
    [Files/Folders - Modified Within 60 Days]
    NY ->  71 C:\Users\Patrink\AppData\Local\Temp\*.tmp files -> C:\Users\Patrink\AppData\Local\Temp\*.tmp
    NY ->  71 C:\Users\Patrink\AppData\Local\Temp\*.tmp files -> C:\Users\Patrink\AppData\Local\Temp\*.tmp
    NY ->  71 C:\Users\Patrink\AppData\Local\Temp\*.tmp files -> C:\Users\Patrink\AppData\Local\Temp\*.tmp
    [Empty Temp Folders]
    [Start Explorer]
    [ZipFiles]
    [Reboot]
    

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

    I will review the information when it comes back in.

    Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

I see you have TrueCrypt.

    Is it possible that you have encrypted that folder & that is why it won't delete?
     
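For anyone reading this later: the script below is an added illustration, not part of this thread and not from OTS, MBAM or any other tool mentioned here. It shows what an administrator can check before a folder like the one above is removed: the hidden/system attributes, owner and explicit ACEs that explain an "access is denied" on an admin account, a SHA256 hash of each file for later lookup, and the contents of the Run keys where MBAM found the "microsoft windows" value. It assumes PowerShell 4 or later (for Get-FileHash) in an elevated session; the default folder path is the one from this thread and is only a placeholder.

```powershell
# Added triage example (not from the thread, OTS or MBAM). Assumes PowerShell 4+
# run "as administrator". $Target is a placeholder; the thread's folder was
# C:\Program Files (x86)\1260932351.
param(
    [string]$Target = 'C:\Program Files (x86)\1260932351'
)

function Get-SuspectFolderItems {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not present: $Path"
        return
    }

    # -Force lists hidden and system items that a normal directory listing omits.
    Get-ChildItem -LiteralPath $Path -Force -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $hash = ''
            if (-not $item.PSIsContainer) {
                try   { $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash }
                catch { $hash = "unreadable: $($_.Exception.Message)" }
            }
            [pscustomobject]@{
                Path       = $item.FullName
                Attributes = $item.Attributes      # look for Hidden, System, ReadOnly
                Owner      = (Get-Acl -LiteralPath $item.FullName).Owner
                Created    = $item.CreationTime
                SHA256     = $hash
            }
        }
}

function Get-ExplicitAces {
    param([string]$Path)
    # "Access is denied" for an administrator usually means an explicit Deny ACE,
    # an owner other than Administrators/TrustedInstaller, or a handle still held
    # by a running process. Only the non-inherited ACEs are interesting here.
    if (Test-Path -LiteralPath $Path) {
        (Get-Acl -LiteralPath $Path).Access | Where-Object { -not $_.IsInherited }
    }
}

function Get-RunKeyEntries {
    # MBAM flagged a Run value named "microsoft windows" under HKCU. Listing every
    # value under the per-user and machine Run keys makes odd names stand out.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
}

Write-Host "== Items under $Target =="
Get-SuspectFolderItems -Path $Target | Format-List

Write-Host "== Explicit ACEs on $Target =="
Get-ExplicitAces -Path $Target | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

Write-Host "== Run key entries =="
Get-RunKeyEntries | Format-Table -AutoSize

# If an explicit Deny ACE or a foreign owner shows up, the built-in
# takeown /F "<folder>" /R /D Y  and  icacls "<folder>" /grant Administrators:F /T
# restore access so the folder can be deleted; this script only reports.
```

Keep the hashes and the ACE listing with the OTS log: they let you confirm later that the removed files are the same ones MBAM and OTS reported, and the Run key listing should be empty of anything you do not recognise once the fix has run.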
  11. patrink

    patrink Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    7
TrueCrypt was for my USB, not anything else. Which reminds me to delete 2 or 3 programs I forgot to delete for a while now.
     
  12. patrink

    patrink Thread Starter

    Joined:
    Mar 30, 2010
    Messages:
    7
There was an error in the process, but the file no longer exists at c:\...\1260932351.

    This is the log:

    Files\Folders moved on Reboot...
    File move failed. C:\Users\Patrink\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

EDIT: Also, before I shut off my computer yesterday I was getting an error saying "could not open file C:\program files (x86)\..... incorrect directory" or something like that (I do not recall at the moment), and "could not save file at c:\program files (x86)\....." for 3 programs, which I suspected the viruses were causing. But now I am able to save/open/etc. anything.


    Also, those aren't downloads; I save a couple of files in c:\program files (x86)\ rather than on my desktop like I used to. I find it saves space and helps with clutter.
     
Short URL to this thread: https://techguy.org/913710