programs aren't running properly

Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

tflpfshm

Thread Starter
Joined
Jan 21, 2011
Messages
18
thank you very much in advance to whomever helps me out. when i boot my pc
i get a missing dll file from the dragon natually speaking software i uninstalled
and a "windows is running low on virtual memory" right at startup. and my programs
aren't working properly. firefox crashes after a few minutes operating, and
some of my programs won't load files properly or at all.. like my comic book
displayer, CDisplay. and my online games won't boot at all, among other problems.

because of that i'm typing my difficulties in my hijack this log, and i'll add the
other logs as soon as possible


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:20:29 AM, on 10/3/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17110)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\SlimDrivers\SlimDrivers.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Franklin\My Documents\Downloads\HijackThis.exe

R3 - URLSearchHook: BitLord Security Bar Toolbar - {8c5878d0-6106-423b-aaa8-144c143dbf44} - C:\Program Files\BitLord_Security_Bar\prxtbBit0.dll
R3 - URLSearchHook: WhiteSmoke US Toolbar - {cce665dd-f6dd-4808-968e-eaec971f70ef} - C:\Program Files\WhiteSmoke_US\prxtbWhi0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: BitLord Security Bar - {8c5878d0-6106-423b-aaa8-144c143dbf44} - C:\Program Files\BitLord_Security_Bar\prxtbBit0.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\12.2.5.32\AVG Secure Search_toolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll
O2 - BHO: WhiteSmoke US - {cce665dd-f6dd-4808-968e-eaec971f70ef} - C:\Program Files\WhiteSmoke_US\prxtbWhi0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitLord Security Bar Toolbar - {8c5878d0-6106-423b-aaa8-144c143dbf44} - C:\Program Files\BitLord_Security_Bar\prxtbBit0.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\12.2.5.32\AVG Secure Search_toolbar.dll
O3 - Toolbar: WhiteSmoke US Toolbar - {cce665dd-f6dd-4808-968e-eaec971f70ef} - C:\Program Files\WhiteSmoke_US\prxtbWhi0.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HF_G_Jul] "C:\Program Files\AVG Secure Search\HF_G_Jul.exe" /DoAction
O4 - HKLM\..\Run: [ROC_ROC_JULY_P1] "C:\Program Files\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ISUSPM] C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe -scheduler
O4 - HKCU\..\Run: [Dragon Systems] RUNDLL32.EXE "C:\Documents and Settings\Franklin\Local Settings\Application Data\Dragon Systems\ugzxhfeh.dll",CoDeviceInstall
O4 - HKCU\..\Run: [SlimDrivers] "C:\Program Files\SlimDrivers\SlimDrivers.exe" -boot
O4 - HKCU\..\Run: [Xvid] C:\Program Files\Xvid\CheckUpdate.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\12.2.6\ViProtocol.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: vToolbarUpdater12.2.6 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe

--
End of file - 11355 bytes

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_35
Run by Franklin at 1:22:00 on 2012-10-03
Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1033.18.894.218 [GMT -4:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\SlimDrivers\SlimDrivers.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\conime.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2830765
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACEW
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=le1200
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=le1200
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: BitLord Security Bar Toolbar: {8c5878d0-6106-423b-aaa8-144c143dbf44} - c:\program files\bitlord_security_bar\prxtbBit0.dll
uURLSearchHooks: WhiteSmoke US Toolbar: {cce665dd-f6dd-4808-968e-eaec971f70ef} - c:\program files\whitesmoke_us\prxtbWhi0.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: BitLord Security Bar Toolbar: {8c5878d0-6106-423b-aaa8-144c143dbf44} - c:\program files\bitlord_security_bar\prxtbBit0.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\12.2.5.32\AVG Secure Search_toolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: WhiteSmoke US Toolbar: {cce665dd-f6dd-4808-968e-eaec971f70ef} - c:\program files\whitesmoke_us\prxtbWhi0.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitLord Security Bar Toolbar: {8c5878d0-6106-423b-aaa8-144c143dbf44} - c:\program files\bitlord_security_bar\prxtbBit0.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\12.2.5.32\AVG Secure Search_toolbar.dll
TB: WhiteSmoke US Toolbar: {cce665dd-f6dd-4808-968e-eaec971f70ef} - c:\program files\whitesmoke_us\prxtbWhi0.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress] NA
uRun: [ISUSPM] c:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [Dragon Systems] RUNDLL32.EXE "c:\documents and settings\franklin\local settings\application data\dragon systems\ugzxhfeh.dll",CoDeviceInstall
uRun: [SlimDrivers] "c:\program files\slimdrivers\SlimDrivers.exe" -boot
uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe
mRun: [LaunchApp]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HF_G_Jul] "c:\program files\avg secure search\HF_G_Jul.exe" /DoAction
mRun: [ROC_ROC_JULY_P1] "c:\program files\avg secure search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.1.1
TCP: Interfaces\{18503D32-62A5-4B02-8558-053072719154} : DhcpNameServer = 192.168.2.1 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\12.2.6\ViProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\franklin\application data\mozilla\firefox\profiles\gcep061y.default-1349230380593\
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\12.2.6\npsitesafety.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-8-30 27496]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-11 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-11 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-11 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-11 83392]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-2 399432]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-8-7 676936]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
R2 vToolbarUpdater12.2.6;vToolbarUpdater12.2.6;c:\program files\common files\avg secure search\vtoolbarupdater\12.2.6\ToolbarUpdater.exe [2012-8-30 722528]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-8-7 22856]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-2-12 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 250288]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-6-24 1691480]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-8-18 29744]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-2-12 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 114144]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2012-6-24 11232]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\iobit\game booster 3\driver\WinRing0.sys [2012-6-25 14416]
S3 XDva391;XDva391;\??\c:\windows\system32\xdva391.sys --> c:\windows\system32\XDva391.sys [?]
S3 XDva397;XDva397;\??\c:\windows\system32\xdva397.sys --> c:\windows\system32\XDva397.sys [?]
.
=============== Created Last 30 ================
.
2012-10-03 05:08:58 -------- d-----w- c:\documents and settings\franklin\Option
2012-10-03 04:01:03 -------- d-----w- c:\documents and settings\franklin\application data\Process Hacker 2
2012-10-03 03:57:44 -------- d-----w- c:\program files\Process Hacker 2
2012-10-03 01:01:58 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-10-03 01:01:58 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-02 23:47:25 -------- d-----w- c:\documents and settings\all users\application data\767003CCFBD97CF80085766F7EDAF9F0
2012-10-02 23:46:36 56832 ---ha-w- c:\windows\system32\scimon.dll
2012-09-27 13:09:19 -------- d-----w- c:\program files\common files\DivX Shared
2012-09-27 13:08:33 -------- d-----w- c:\program files\DivX
.
==================== Find3M ====================
.
2012-10-03 05:06:36 11232 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2012-09-20 23:42:04 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-20 23:42:03 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-07 21:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-30 17:02:19 27496 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2012-08-29 00:24:56 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-29 00:24:53 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-28 22:39:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 1:22:45.43 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-03 02:47:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7 ST3160815AS rev.4.AAA
Running: 4h0g0u73.exe; Driver: C:\DOCUME~1\Franklin\LOCALS~1\Temp\uxtdypog.sys


---- System - GMER 1.0.15 ----

SSDT F7AA234C ZwClose
SSDT F7AA2306 ZwCreateKey
SSDT F7AA2356 ZwCreateSection
SSDT F7AA22FC ZwCreateThread
SSDT F7AA230B ZwDeleteKey
SSDT F7AA2315 ZwDeleteValueKey
SSDT F7AA2347 ZwDuplicateObject
SSDT F7AA231A ZwLoadKey
SSDT F7AA22E8 ZwOpenProcess
SSDT F7AA22ED ZwOpenThread
SSDT F7AA236F ZwQueryValueKey
SSDT F7AA2324 ZwReplaceKey
SSDT F7AA2360 ZwRequestWaitReplyPort
SSDT F7AA231F ZwRestoreKey
SSDT F7AA235B ZwSetContextThread
SSDT F7AA2365 ZwSetSecurityObject
SSDT F7AA2310 ZwSetValueKey
SSDT F7AA236A ZwSystemDebugControl
SSDT F7AA22F7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DC4 8050467C 4 Bytes CALL A747F0A3
? C:\DOCUME~1\Franklin\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
 
Joined
May 7, 2011
Messages
14,142
Hi, my name is Mark and I will be helping you.

IMPORTANT: Please take the time to read this first.
For the benefit of others that are waiting for help please try to respond as fast as you can and make sure you read all of the instructions I will be giving you to follow. Time spent waiting for replies or having to repeat questions keeps other people waiting in the queue for help.

I am in Spain at GMT+1 hour, I check my emails several times a day so will usually reply to your responses within a few hours or less unless it is night time here. During the evening here I will usually reply within minutes. Please try to do the same for a swift clean up. Some Malware needs to be dealt with quickly or it will multiply and become deeply embedded in your system and more difficult to find and remove, so quick replies will have more than one benefit.

Keep in mind that I cannot see your PC, so please give as much detail as possible if something goes wrong or you receive any error messages.

Malware can be unpredictable and often time consuming to remove, on rare occasions something can go awry and your system may need to have Windows re-installed. Please make sure before we start that you have copies of all your important data saved to an external hard drive or CD/DVD's. Please make sure you disconnect any external hard drives and/or Flash drives during the clean up.

If you have run any scans that found an infection please let me know.

DO NOT run any scans or make any changes that I have not asked you to do as this can cause misleading results and make my job much harder in trying to help you. Please also uninstall any file sharing software i.e. uTorrent, BitTorrent, etc, if you insist on keeping it do not use it until we are finished. Use of file sharing software is one of the easiest ways to get your PC infected.

If I get no reply from you for three days I will mark the thread as Solved and move on to helping someone else. If you know you will be unable to reply for any length of time please let me know in advance.

Please don't abandon the thread as soon as your PC starts to work normally again as there will be other important checks to make to help protect your system from re-infection. It is also important to follow the correct procedure when removing the tools used to ensure all quarantined infections are completely removed and infected Restore Points are safely deleted.

Stick with me and we can quickly clean up your PC, if you cannot dedicate the time then a Reformat and Re-install will be your quickest option.
______________________________________________________________________________

Please post the Attach.txt log created by DDS, it should have saved to your desktop.

Did your problem start immediately after uninstalling the Dragon software?

Please run this scan:

Click on this link to download : ADWCleaner and save it to your desktop.

NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

Close your browser and click on this icon on your desktop:


You will then see the screen below, click on the Delete button (as indicated), accept any prompts that appear and allow it to reboot the PC. When the PC has rebooted you will be presented with the report, copy & paste it into your next post.

 

tflpfshm

Thread Starter
Joined
Jan 21, 2011
Messages
18
# AdwCleaner v2.003 - Logfile created 10/03/2012 at 16:48:48
# Updated 23/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Franklin - FRANK
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Franklin\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search
File Deleted : C:\Documents and Settings\All Users\Desktop\eBay.lnk
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Frank2\Application Data\Mozilla\Firefox\Profiles\nh5spcjr.default\extensions\staged
Folder Deleted : C:\Documents and Settings\Frank2\Local Settings\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Franklin\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Franklin\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\Franklin\Local Settings\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Franklin\Local Settings\Application Data\BitLord_Security_Bar
Folder Deleted : C:\Documents and Settings\Franklin\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Franklin\Local Settings\Application Data\WhiteSmoke_US
Folder Deleted : C:\Documents and Settings\Franklin\My Documents\Save
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\BitLord_Security_Bar
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\WhiteSmoke_US

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\BitLord_Security_Bar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{941721A2-1777-490C-B1B1-9E330D9C37BF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCE665DD-F6DD-4808-968E-EAEC971F70EF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E3CB8E43-F1A0-472F-9663-7D280B3219B2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\WhiteSmoke_US
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\BitLord_Security_Bar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8C5878D0-6106-423B-AAA8-144C143DBF44}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{941721A2-1777-490C-B1B1-9E330D9C37BF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A1A0559F-1A6B-4C31-92CC-19C6F8DDC6DC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CCE665DD-F6DD-4808-968E-EAEC971F70EF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DFB02612-7A0D-4116-87FF-1A55F2036273}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E3CB8E43-F1A0-472F-9663-7D280B3219B2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2830765
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3198785
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C768F5D-306D-43C0-8AD4-6D5A71BDB8DD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{377644ED-4DA1-468B-89AC-6A5ACE96DF01}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{77FB03B0-95F5-4301-B248-317DDF731A5E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F6CE05F7-2B42-48B4-B5C3-C1AF78AAC08A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BitLord_Security_Bar Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8C5878D0-6106-423B-AAA8-144C143DBF44}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCE665DD-F6DD-4808-968E-EAEC971F70EF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{941721A2-1777-490C-B1B1-9E330D9C37BF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E3CB8E43-F1A0-472F-9663-7D280B3219B2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitLord_Security_Bar Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhiteSmoke_US Toolbar
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\Software\WhiteSmoke_US
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{8C5878D0-6106-423B-AAA8-144C143DBF44}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{CCE665DD-F6DD-4808-968E-EAEC971F70EF}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{8C5878D0-6106-423B-AAA8-144C143DBF44}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{CCE665DD-F6DD-4808-968E-EAEC971F70EF}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{8C5878D0-6106-423B-AAA8-144C143DBF44}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{CCE665DD-F6DD-4808-968E-EAEC971F70EF}]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.5730.13

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT2830765 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxps://isearch.avg.com/tab?cid={3D85C387-3DD7-44D5-98C4-DB8D3F912143}&mid=37e67ec0f05247d09673d1543443bcb6-9a17500a96d428a5cdb8b2643968b9a928fc107f&lang=en&ds=ts024&pr=sa&d=2012-06-24 18:58:21&v=12.2.5.32&sap=nt --> hxxp://www.google.com

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default-1349230380593 [Profil par defaut]
File : C:\Documents and Settings\Franklin\Application Data\Mozilla\Firefox\Profiles\gcep061y.default-1349230380593\prefs.js

[OK] File is clean.

Profile name : default
File : C:\Documents and Settings\Frank2\Application Data\Mozilla\Firefox\Profiles\nh5spcjr.default\prefs.js

Deleted : user_pref("avg.install.installDirPath", "C:\\Documents and Settings\\All Users\\Application Data\\AV[...]
Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("browser.startup.homepage", "hxxps://isearch.avg.com?cid=%7Bdf587595-266b-4620-83f3-36e52e[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.InstallationTime", 1344889034);
Deleted : user_pref("extensions.crossriderapp3491.3491.active", true);
Deleted : user_pref("extensions.crossriderapp3491.3491.addressbar", "");
Deleted : user_pref("extensions.crossriderapp3491.3491.backgroundjs", "\n\n\"undefined\"!=typeof _GPL_BG_NEW&&[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.backgroundver", 11);
Deleted : user_pref("extensions.crossriderapp3491.3491.can_run_bg_code", true);
Deleted : user_pref("extensions.crossriderapp3491.3491.certdomaininstaller", "");
Deleted : user_pref("extensions.crossriderapp3491.3491.changeprevious", false);
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie.InstallationTime.value", "1344889034");
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 [...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_aoi.value", "1344889034");
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_blocklist.expiration", "Sat Sep 22 2012 16:[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_blocklist.value", "%22nonexistantdomain.com[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_country_code.expiration", "Sat Sep 29 2012 [...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_country_code.value", "%22US%22");
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_crr.expiration", "Fri Feb 01 2030 00:00:00 [...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_crr.value", "1348342664");
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_geo.expiration", "Sat Sep 29 2012 15:37:40 [...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_geo.value", "%7B%22geoplugin_request%22%3A%[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_hotfix20111102645.expiration", "Fri Feb 01 [...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_hotfix20111102645.value", "%221%22");
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_installer_params.expiration", "Fri Feb 01 2[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_installer_params.value", "%7B%22source_id%2[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_parent_zoneid.value", "%2214019%22");
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_pc_20120828.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_pc_20120828.value", "1348342668679");
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_product_id.expiration", "Fri Feb 01 2030 00[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_product_id.value", "%221140%22");
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie._GPL_zoneid.value", "%2267112%22");
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie.dbtest.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.cookie.dbtest.value", "1348342668166");
Deleted : user_pref("extensions.crossriderapp3491.3491.description", "Vid-Saver allows you to download your fa[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.domain", "");
Deleted : user_pref("extensions.crossriderapp3491.3491.enablesearch", false);
Deleted : user_pref("extensions.crossriderapp3491.3491.fbremoteurl", "");
Deleted : user_pref("extensions.crossriderapp3491.3491.group", 0);
Deleted : user_pref("extensions.crossriderapp3491.3491.homepage", "");
Deleted : user_pref("extensions.crossriderapp3491.3491.iframe", false);
Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_appVer.expiration", "Fri Feb 01 20[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_appVer.value", "50");
Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_lastVersion.expiration", "Fri Feb [...]
Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_lastVersion.value", "0");
Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_meta.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_meta.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_nextCheck.expiration", "Sat Sep 22[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_nextCheck.value", "true");
Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_queue.expiration", "Fri Feb 01 203[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.internaldb.Resources_queue.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp3491.3491.js", "\n\nif(\"undefined\"!=typeof _GPL_PLUGIN){var _GP[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.manifesturl", "");
Deleted : user_pref("extensions.crossriderapp3491.3491.name", "Vid-Saver");
Deleted : user_pref("extensions.crossriderapp3491.3491.newtab", "");
Deleted : user_pref("extensions.crossriderapp3491.3491.opensearch", "");
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000014.code", "Array.prototype.indexOf|[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000014.name", "GPL Plugin (Loader)");
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000014.ver", 6);
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000015.code", "var _GPL_BG={vars:{},rul[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000015.name", "GPL Background (BG)");
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_1000015.ver", 3);
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_13.code", "(function(a){a.selectedText=f[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_13.name", "CrossriderAppUtils");
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_13.ver", 2);
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_14.code", "if(typeof(appAPI)===\"undefin[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_14.name", "CrossriderUtils");
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_14.ver", 2);
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_15.code", "(function(f){var u={};var e=M[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_15.name", "FacebookFFIE");
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_15.ver", 1);
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_16.code", "(function(f,b){if(typeof(b)==[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_16.name", "FFAppAPIWrapper");
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_16.ver", 3);
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_17.code", "if(typeof window!==\"undefine[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_17.name", "jQuery");
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_17.ver", 3);
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_47.code", "(function(){appAPI.ready=func[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_47.name", "resources_background");
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins.plugin_47.ver", 1);
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins_lists.plugins_0", "17,14,16,47,1000015");
Deleted : user_pref("extensions.crossriderapp3491.3491.plugins_lists.plugins_1", "17,14,13,16,15,1000014");
Deleted : user_pref("extensions.crossriderapp3491.3491.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]
Deleted : user_pref("extensions.crossriderapp3491.3491.pluginsversion", 15);
Deleted : user_pref("extensions.crossriderapp3491.3491.publisher", "215 Apps");
Deleted : user_pref("extensions.crossriderapp3491.3491.searchstatus", 0);
Deleted : user_pref("extensions.crossriderapp3491.3491.setnewtab", false);
Deleted : user_pref("extensions.crossriderapp3491.3491.settingsurl", "");
Deleted : user_pref("extensions.crossriderapp3491.3491.thankyou", "hxxp://vid-saver.com/thankyou.html");
Deleted : user_pref("extensions.crossriderapp3491.3491.updateinterval", 360);
Deleted : user_pref("extensions.crossriderapp3491.3491.ver", 50);
Deleted : user_pref("extensions.crossriderapp3491.adsOldValue", -1);
Deleted : user_pref("extensions.crossriderapp3491.apps", "3491");
Deleted : user_pref("extensions.crossriderapp3491.bic", "13921a213ae4e2cb31460e9d86af5057");
Deleted : user_pref("extensions.crossriderapp3491.cid", 3491);
Deleted : user_pref("extensions.crossriderapp3491.firstrun", false);
Deleted : user_pref("extensions.crossriderapp3491.hadappinstalled", true);
Deleted : user_pref("extensions.crossriderapp3491.installationdate", 1344889034);
Deleted : user_pref("extensions.crossriderapp3491.lastcheck", 22472378);
Deleted : user_pref("extensions.crossriderapp3491.lastcheckitem", 22472418);
Deleted : user_pref("extensions.crossriderapp3491.modetype", "production");
Deleted : user_pref("extensions.enabledAddons", "crossriderapp3491@crossrider.com:0.83.39,{CAFEEFAC-0016-0000-[...]
Deleted : user_pref("keyword.URL", "hxxps://isearch.avg.com/search?cid=%7Bdf587595-266b-4620-83f3-36e52ea2a52e[...]

Profile name : default
File : C:\Documents and Settings\Administrator.FRANK\Application Data\Mozilla\Firefox\Profiles\malosyjb.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [20744 octets] - [03/10/2012 16:48:48]

########## EOF - C:\AdwCleaner[S1].txt - [20805 octets] ##########
____


no major changes happened after i deleted the dragon software, i think, aside from a missing dll box that pops up at startup...
 
Joined
May 7, 2011
Messages
14,142
That scan has removed several bad toolbars.

Please open Windows Explorer and navigate to the folder indicated and delete it.

C:\Documents and Settings\Franklin\Local Settings\Application Data\Dragon Systems <---this folder

Once done tell me of any remaining problems.

Please post the Attach.txt log as requested.
 
Joined
May 7, 2011
Messages
14,142
I have included the removal of the folder above in these instructions which you may find easier. If you have already deleted it, it will do no harm to leave the entry in the script below.

This will take out the run key for Dragon Systems.

Please download OTM by OldTimer. Save it to your desktop.

Double click OTM.exe to start the tool.

  • Copy the text in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:Processes
explorer.exe
:Files 
c:\documents and settings\franklin\local settings\application data\dragon systems
:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ugzxhfeh"=-
:Commands
[emptyflash]
[emptytemp]
[resethosts]
[reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes...If not, reboot anyway. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file (mmddyyyy_hhmmss.log) and copy/paste the contents in your next reply.
 

tflpfshm

Thread Starter
Joined
Jan 21, 2011
Messages
18
All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
File/Folder c:\documents and settings\franklin\local settings\application data\dragon systems not found.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ugzxhfeh not found.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: Administrator.FRANK
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: Frank2
->Flash cache emptied: 0 bytes

User: Franklin
->Flash cache emptied: 492 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.FRANK
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Frank2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Franklin
->Temp folder emptied: 1097548 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 6397947 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 7.00 mb

HOSTS file reset successfully

OTM by OldTimer - Version 3.1.21.0 log created on 10032012_214631

i kinda had a little trouble running the program though.. but it did say it cleared a 700mb or so the first time i ran almost successfully..but this was the only logfile there, with a bunch of numbered folders. but it is the newest log file.
 

tflpfshm

Thread Starter
Joined
Jan 21, 2011
Messages
18
things seem to be a bit faster now, but the low virtual memory thing is still popping up though... and programs are still crashing and showing errors.
 

Attachments

Joined
May 7, 2011
Messages
14,142
Please uninstall the following programs:

BitLord 2.1
Java(TM) 6 Update 35
Java(TM) 6 Update 5
Visual C++ 9.0 Runtime for Dragon NaturallySpeaking

Then please run this scan:

Eset online scan instructions.
IMPORTANT ---> Please make sure you follow the instruction to uncheck the box next to Remove found threats. Eset will detect anything that looks even remotely suspicious, this can include legitimate program files. If you do not uncheck the box, as instructed, Eset will automatically remove all suspect files which could leave some of your software inoperative. If you make a mistake these files can be restored from quarantine, but it would be preferable not to add any extra work to the clean up of your system.

  • Disable your existing Anti Virus following these instructions.
  • Please go here to use the Eset Online Scanner.
  • When the web page opens click on this button
  • If you are not using Internet Explorer you will see a message box open asking you to to download the ESET Smart Installer, click on the link and allow it to download and then run it. Accept the Terms of use and click on Start. The required components will download.
  • If using Internet Explorer the Terms of use box will open immediately, accept it and click on Start.
  • After the download is complete the Computer scan settings window will open, IMPORTANT ----> uncheck the box next to Remove found threats and click on Start. The virus signature database will then download which may take some time depending on the speed of your internet connection. The scan will automatically start when the download is complete.
  • This is a very thorough scan and may take several hours to complete depending on how much data you have on your hard drive. Do not interrupt it, be patient and let it finish.
  • A Scan Results window will appear at the end of the scan. If it lists any number of Infected Files click on List of found threats. Click on Copy to clipboard, come back to this thread and right click on the message box. Select Paste and the report will appear, add any comments you have and post the reply.
  • Back on the Eset window, click the Back button and then click on Finish.
 

tflpfshm

Thread Starter
Joined
Jan 21, 2011
Messages
18
C:\Documents and Settings\Franklin\Local Settings\Application Data\{1EA2EAA4-99AF-11E1-826E-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan
C:\Documents and Settings\Franklin\Local Settings\Application Data\{2b3d4f86-6475-964e-e802-eadffd389001}\U\00000001.@ Win32/Conedex.I trojan
C:\Documents and Settings\Franklin\My Documents\zp800rc2free.exe Win32/Toolbar.Zugo application
C:\Documents and Settings\Franklin\My Documents\Downloads\cnet_setup_zip.exe a variant of Win32/InstallCore.D application
C:\Documents and Settings\Franklin\My Documents\Downloads\Speedtest_TuneUpUtilities2012_en-US.exe a variant of Win32/OpenInstall application
C:\WINDOWS\Installer\{2b3d4f86-6475-964e-e802-eadffd389001}\U\00000001.@ Win32/Conedex.I trojan
C:\WINDOWS\system32\scimon.dll a variant of Win32/Kryptik.ALSU trojan
Operating memory multiple threats
 
Joined
May 7, 2011
Messages
14,142
There are some suspicious files in that report, so we need to run some other checks.

Download RogueKiller (by tigzy) and save direct to your Desktop.
On the web page click on this:


  • Quit all running programs
  • Start RogueKiller.exe
  • Wait until Prescan has finished.
  • Ensure all boxes are ticked under "Report" tab.
  • Click on Scan.
  • Click on Report when complete. Copy/paste the contents of the report and paste into your next reply.
  • NOTE: DO NOT attempt to remove anything that the scan detects.



______________________________________________________________

Please run Malwarebytes and post the log as follows:
  • Open Malwarebytes and allow it to update with the latest definitions, then run a Quick Scan.
  • When finished, a message box will say "The scan completed successfully. Click Show Results to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab .
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.


If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
 

tflpfshm

Thread Starter
Joined
Jan 21, 2011
Messages
18
RogueKiller V8.1.1 [10/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Franklin [Admin rights]
Mode : Scan -- Date : 10/04/2012 14:54:07

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Dragon Systems (RUNDLL32.EXE "C:\Documents and Settings\Franklin\Local Settings\Application Data\Dragon Systems\ugzxhfeh.dll",CoDeviceInstall) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1382798106-2655964274-225036220-1006[...]\Run : Dragon Systems (RUNDLL32.EXE "C:\Documents and Settings\Franklin\Local Settings\Application Data\Dragon Systems\ugzxhfeh.dll",CoDeviceInstall) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKLM\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\Franklin\Local Settings\Application Data\{2b3d4f86-6475-964e-e802-eadffd389001}\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\WINDOWS\Installer\{2b3d4f86-6475-964e-e802-eadffd389001}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\WINDOWS\Installer\{2b3d4f86-6475-964e-e802-eadffd389001}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\WINDOWS\Installer\{2b3d4f86-6475-964e-e802-eadffd389001}\L --> FOUND
[ZeroAccess][FILE] @ : C:\Documents and Settings\Franklin\Local Settings\Application Data\{2b3d4f86-6475-964e-e802-eadffd389001}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Documents and Settings\Franklin\Local Settings\Application Data\{2b3d4f86-6475-964e-e802-eadffd389001}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Documents and Settings\Franklin\Local Settings\Application Data\{2b3d4f86-6475-964e-e802-eadffd389001}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xF7ABB3C4)
SSDT[41] : NtCreateKey @ 0x80623FD6 -> HOOKED (Unknown @ 0xF7ABB37E)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (Unknown @ 0xF7ABB3CE)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0xF7ABB374)
SSDT[63] : NtDeleteKey @ 0x80624472 -> HOOKED (Unknown @ 0xF7ABB383)
SSDT[65] : NtDeleteValueKey @ 0x80624642 -> HOOKED (Unknown @ 0xF7ABB38D)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0xF7ABB3BF)
SSDT[98] : NtLoadKey @ 0x806261FA -> HOOKED (Unknown @ 0xF7ABB392)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0xF7ABB360)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0xF7ABB365)
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (Unknown @ 0xF7ABB3E7)
SSDT[193] : NtReplaceKey @ 0x806260AA -> HOOKED (Unknown @ 0xF7ABB39C)
SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (Unknown @ 0xF7ABB3D8)
SSDT[204] : NtRestoreKey @ 0x806259B6 -> HOOKED (Unknown @ 0xF7ABB397)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0xF7ABB3D3)
SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (Unknown @ 0xF7ABB3DD)
SSDT[247] : NtSetValueKey @ 0x80622548 -> HOOKED (Unknown @ 0xF7ABB388)
SSDT[255] : NtSystemDebugControl @ 0x80617FAA -> HOOKED (Unknown @ 0xF7ABB3E2)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0xF7ABB36F)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xF7ABB3F6)
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xF7ABB3FB)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160815AS +++++
--- User ---
[MBR] 7134dda5b255042d808bcba884f0611b
[BSP] 458565b47929427de0e74425365dc444 : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 63 | Size: 9993 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20466810 | Size: 70966 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 165806865 | Size: 71664 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
 

tflpfshm

Thread Starter
Joined
Jan 21, 2011
Messages
18
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.04.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Franklin :: FRANK [administrator]

10/4/2012 2:58:58 PM
mbam-log-2012-10-04 (15-06-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 242633
Time elapsed: 7 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> No action taken.

Registry Values Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Franklin\Local Settings\Application Data\{2b3d4f86-6475-964e-e802-eadffd389001}\n. -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Dragon Systems (Trojan.RedirRdll2.Gen) -> Data: RUNDLL32.EXE "C:\Documents and Settings\Franklin\Local Settings\Application Data\Dragon Systems\ugzxhfeh.dll",CoDeviceInstall -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Joined
May 7, 2011
Messages
14,142
We have now found the route of the problem, you have a ZeroAccess Rootkit infection. If you use this PC for any financial transactions or on-line banking you should inform the companies concerned that your system may have been compromised by a hacker and change all passwords used on a clean machine. Do not use this machine again to log into any accounts or make any on-line purchases until we are sure it is clean.


My instructions for Malwarebytes had this instruction included:

Make sure that everything is checked and then click Remove Selected.

You didn't check any of the detections. Please run Malwarebytes again and check everything for removal and post the new log. Please make sure you follow my instructions with a bit more care so we don't need to repeat anything ;).

Then run RogueKiller again, after the pre-scan has finished click on the Scan button.
When the scan completes click on the Delete button, when done, click on the Report button and post the log.

Once you have posted the logs please run RogueKiller again, after the pre-scan completes click on the Scan button. This time click on the Host Fix button, let it complete and then click on the Report button and post the log from that.
 

tflpfshm

Thread Starter
Joined
Jan 21, 2011
Messages
18
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.04.11

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Franklin :: FRANK [administrator]

10/4/2012 9:17:06 PM
mbam-log-2012-10-04 (21-17-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 242692
Time elapsed: 7 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\assembly\GAC\Desktop.ini (Trojan.0access) -> Quarantined and deleted successfully.

(end)

sry about that, i think i got it though, :) or they might be hidden again :( the files listed didn't appear in the scans afterward.
 

tflpfshm

Thread Starter
Joined
Jan 21, 2011
Messages
18
RogueKiller V8.1.1 [10/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Franklin [Admin rights]
Mode : Remove -- Date : 10/04/2012 21:36:51

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ SMENU] HKLM\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\WINDOWS\Installer\{2b3d4f86-6475-964e-e802-eadffd389001}\@ --> REMOVED
[Del.Parent][FILE] 00000001.@ : C:\WINDOWS\Installer\{2b3d4f86-6475-964e-e802-eadffd389001}\U\00000001.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{2b3d4f86-6475-964e-e802-eadffd389001}\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\WINDOWS\Installer\{2b3d4f86-6475-964e-e802-eadffd389001}\L\00000004.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\WINDOWS\Installer\{2b3d4f86-6475-964e-e802-eadffd389001}\L --> REMOVED
[ZeroAccess][FILE] @ : C:\Documents and Settings\Franklin\Local Settings\Application Data\{2b3d4f86-6475-964e-e802-eadffd389001}\@ --> REMOVED
[Del.Parent][FILE] 00000001.@ : C:\Documents and Settings\Franklin\Local Settings\Application Data\{2b3d4f86-6475-964e-e802-eadffd389001}\U\00000001.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Documents and Settings\Franklin\Local Settings\Application Data\{2b3d4f86-6475-964e-e802-eadffd389001}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Documents and Settings\Franklin\Local Settings\Application Data\{2b3d4f86-6475-964e-e802-eadffd389001}\L --> REMOVED

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xF7B3C7B4)
SSDT[41] : NtCreateKey @ 0x80623FD6 -> HOOKED (Unknown @ 0xF7B3C76E)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (Unknown @ 0xF7B3C7BE)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0xF7B3C764)
SSDT[63] : NtDeleteKey @ 0x80624472 -> HOOKED (Unknown @ 0xF7B3C773)
SSDT[65] : NtDeleteValueKey @ 0x80624642 -> HOOKED (Unknown @ 0xF7B3C77D)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0xF7B3C7AF)
SSDT[98] : NtLoadKey @ 0x806261FA -> HOOKED (Unknown @ 0xF7B3C782)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0xF7B3C750)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0xF7B3C755)
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (Unknown @ 0xF7B3C7D7)
SSDT[193] : NtReplaceKey @ 0x806260AA -> HOOKED (Unknown @ 0xF7B3C78C)
SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (Unknown @ 0xF7B3C7C8)
SSDT[204] : NtRestoreKey @ 0x806259B6 -> HOOKED (Unknown @ 0xF7B3C787)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0xF7B3C7C3)
SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (Unknown @ 0xF7B3C7CD)
SSDT[247] : NtSetValueKey @ 0x80622548 -> HOOKED (Unknown @ 0xF7B3C778)
SSDT[255] : NtSystemDebugControl @ 0x80617FAA -> HOOKED (Unknown @ 0xF7B3C7D2)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0xF7B3C75F)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xF7B3C7E6)
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xF7B3C7EB)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160815AS +++++
--- User ---
[MBR] 7134dda5b255042d808bcba884f0611b
[BSP] 458565b47929427de0e74425365dc444 : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 63 | Size: 9993 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20466810 | Size: 70966 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 165806865 | Size: 71664 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



after resetting hosts
RogueKiller V8.1.1 [10/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Franklin [Admin rights]
Mode : HOSTSFix -- Date : 10/04/2012 21:43:59

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

ÿþ1

¤¤¤ Resetted HOSTS: ¤¤¤


Finished : << RKreport[5].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt

i'm really sorry rkiller froze first scan so i scanned again after reboot then clicked on reset hosts after that..
 
Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top