
Solved: Clock Says Virus Alert/Combofix & SDFix Won't Run/All Icons On Desktop Delete

Discussion in 'Virus & Other Malware Removal' started by Dragon Wizard, Oct 17, 2008.

  1. Dragon Wizard (Thread Starter)
    My computer was crashing all day yesterday with a blue screen of death saying 'Page Fault In Nonpaged Area', yet I hadn't made any recent hardware changes. It was crashing every two hours or so, and I left it off all night. However, when I booted it up this morning I found my clock saying Virus Alert, all the icons on my desktop were deleted, and three are now there saying 'System Crash Fixer', among other things. Also the Start menu is limited and you can't open anything from it. I tried running ComboFix, which I already had, and nothing happened, so I downloaded SDFix and tried running that; again nothing happened. I re-booted into safe mode and yet they would still not run. HijackThis will not run either, and Task Manager won't open. Also, if not in safe mode, explorer.exe will close about five minutes after starting the computer up, and since Task Manager doesn't work, there's no way to bring it back.

    I fail to see how I can eradicate this virus if it's stopping me from running anything to get rid of it.

    Please help.
     
  2. cybertech (Retired Moderator)
    Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
    1. Close any open browsers.
    2. If your real-time protection or antivirus intervenes with OTScanIt, allow it to run.
    3. Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
    4. In the Additional Scans section, put a check in BotCheck, Disabled MS Config Items, and EventViewer Errors/Warnings.
    5. Now click the Run Scan button on the toolbar.
    6. The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    7. When the scan is complete, Notepad will open with the report file loaded in it.
    8. Save that Notepad file.
    If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the Notepad file here.
     
  3. Dragon Wizard (Thread Starter)
    When I ran the scan I got an error saying the event log is corrupted, so I had to uncheck EventViewer Errors in Additional Scans before it would run. The log is attached.

  4. cybertech (Retired Moderator)
    Go to Control Panel > Administrative Tools > Event Viewer, right-click on Application and select Clear all Events. Repeat with System. It will ask if you want to save the file; you can save it if you want, but I would say no.
     
  5. cybertech (Retired Moderator)
    Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says Paste fix here and then click the Run Fix button.


    Code:
    [Kill Explorer]
    [Unregister Dlls]
    [Registry - Non-Microsoft Only]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> brastk -> %SystemRoot%\system32\brastk.exe [brastk.exegramFiles%]
    < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> brastk -> %SystemRoot%\system32\brastk.exe [C:\WINDOWS\system32\brastk.exe]
    < Run [HKEY_USERS\S-1-5-21-2025429265-1604221776-725345543-1003\] > -> HKEY_USERS\S-1-5-21-2025429265-1604221776-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> brastk -> %SystemRoot%\system32\brastk.exe [C:\WINDOWS\system32\brastk.exe]
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
    YY -> karna.datrvice -> %SystemRoot%\system32\karna.dat
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    < SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    YY -> {F5497993-2353-4DFA-B7AD-82C85E44265D} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\ngwstxfd.dll [ngwstxfd]
    YY -> {782CDCC7-C7A8-4E5D-9392-319915A0E1D1} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\qrbgltos.dll [qrbgltos]
    < ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    YY -> {758F6D53-DCC7-4CCF-9080-4B6F9389F641} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\iifDUmKd.dll []
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YY -> {758F6D53-DCC7-4CCF-9080-4B6F9389F641} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\iifDUmKd.dll [Reg Error: Value  does not exist or could not be read.]
    YY -> {F292743D-33E2-4946-8918-38E64DB104AE} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\iifCvUnN.dll [Reg Error: Value  does not exist or could not be read.]
    [Registry - Additional Scans - Non-Microsoft Only]
    < BotCheck > -> 
    *Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
    YY -> C:\WINDOWS\system32\iifCvUnN -> %SystemRoot%\system32\iifCvUnN.dll
    < BotCheck > -> 
    [Files/Folders - Created Within 30 days]
    NY -> beep.sys -> %SystemRoot%\System32\dllcache\beep.sys
    NY -> akttzn.exe -> %SystemRoot%\System32\akttzn.exe
    NY -> anticipator.dll -> %SystemRoot%\System32\anticipator.dll
    NY -> awtoolb.dll -> %SystemRoot%\System32\awtoolb.dll
    NY -> bdn.com -> %SystemRoot%\System32\bdn.com
    NY -> bsva-egihsg52.exe -> %SystemRoot%\System32\bsva-egihsg52.exe
    NY -> dpcproxy.exe -> %SystemRoot%\System32\dpcproxy.exe
    NY -> emesx.dll -> %SystemRoot%\System32\emesx.dll
    NY -> gaeffect.sti -> %SystemRoot%\System32\gaeffect.sti
    NY -> gafilter.sti -> %SystemRoot%\System32\gafilter.sti
    NY -> [email protected]@@k.dll -> %SystemRoot%\System32\[email protected]@@k.dll
    NY -> hoproxy.dll -> %SystemRoot%\System32\hoproxy.dll
    NY -> hxiwlgpm.exe -> %SystemRoot%\System32\hxiwlgpm.exe
    NY -> iifCvUnN.dll -> %SystemRoot%\System32\iifCvUnN.dll
    NY -> iifDUmKd.dll -> %SystemRoot%\System32\iifDUmKd.dll
    NY -> k86.bin -> %SystemRoot%\System32\k86.bin
    NY -> karna.dat -> %SystemRoot%\System32\karna.dat
    NY -> mdgrcncp.exe -> %SystemRoot%\System32\mdgrcncp.exe
    NY -> medup012.dll -> %SystemRoot%\System32\medup012.dll
    NY -> medup020.dll -> %SystemRoot%\System32\medup020.dll
    NY -> msgp.exe -> %SystemRoot%\System32\msgp.exe
    NY -> msnbho.dll -> %SystemRoot%\System32\msnbho.dll
    NY -> mssecu.exe -> %SystemRoot%\System32\mssecu.exe
    NY -> msvchost.exe -> %SystemRoot%\System32\msvchost.exe
    NY -> mtr2.exe -> %SystemRoot%\System32\mtr2.exe
    NY -> mwin32.exe -> %SystemRoot%\System32\mwin32.exe
    NY -> netode.exe -> %SystemRoot%\System32\netode.exe
    NY -> newsd32.exe -> %SystemRoot%\System32\newsd32.exe
    NY -> NnUvCfii.ini -> %SystemRoot%\System32\NnUvCfii.ini
    NY -> NnUvCfii.ini2 -> %SystemRoot%\System32\NnUvCfii.ini2
    NY -> pmnOiJBQ.dll -> %SystemRoot%\System32\pmnOiJBQ.dll
    NY -> ps1.exe -> %SystemRoot%\System32\ps1.exe
    NY -> psof1.exe -> %SystemRoot%\System32\psof1.exe
    NY -> psoft1.exe -> %SystemRoot%\System32\psoft1.exe
    NY -> regc64.dll -> %SystemRoot%\System32\regc64.dll
    NY -> regm64.dll -> %SystemRoot%\System32\regm64.dll
    NY -> Rundl1.exe -> %SystemRoot%\System32\Rundl1.exe
    NY -> 9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    NY -> sncntr.exe -> %SystemRoot%\System32\sncntr.exe
    NY -> ssvchost.com -> %SystemRoot%\System32\ssvchost.com
    NY -> ssvchost.exe -> %SystemRoot%\System32\ssvchost.exe
    NY -> sysreq.exe -> %SystemRoot%\System32\sysreq.exe
    NY -> taack.dat -> %SystemRoot%\System32\taack.dat
    NY -> taack.exe -> %SystemRoot%\System32\taack.exe
    NY -> temp#01.exe -> %SystemRoot%\System32\temp#01.exe
    NY -> thun.dll -> %SystemRoot%\System32\thun.dll
    NY -> thun32.dll -> %SystemRoot%\System32\thun32.dll
    NY -> VBIEWER.OCX -> %SystemRoot%\System32\VBIEWER.OCX
    NY -> vbsys2.dll -> %SystemRoot%\System32\vbsys2.dll
    NY -> vcatchpi.dll -> %SystemRoot%\System32\vcatchpi.dll
    NY -> wini104552664.exe -> %SystemRoot%\System32\wini104552664.exe
    NY -> winlogonpc.exe -> %SystemRoot%\System32\winlogonpc.exe
    NY -> winsystem.exe -> %SystemRoot%\System32\winsystem.exe
    NY -> WINWGPX.EXE -> %SystemRoot%\System32\WINWGPX.EXE
    NY -> a.bat -> %SystemRoot%\a.bat
    NY -> bdn.com -> %SystemRoot%\bdn.com
    NY -> brastk.exe -> %SystemRoot%\brastk.exe
    NY -> exwg.exe -> %SystemRoot%\exwg.exe
    NY -> FVProtect.exe -> %SystemRoot%\FVProtect.exe
    NY -> grfxbanosar.dll -> %SystemRoot%\grfxbanosar.dll
    NY -> iTunesMusic.exe -> %SystemRoot%\iTunesMusic.exe
    NY -> karna.dat -> %SystemRoot%\karna.dat
    NY -> 146 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY -> lomxeqsn.exe -> %SystemRoot%\lomxeqsn.exe
    NY -> mslagent -> %SystemRoot%\mslagent
    NY -> mssecu.exe -> %SystemRoot%\mssecu.exe
    NY -> ngwstxfd.dll -> %SystemRoot%\ngwstxfd.dll
    NY -> qrbgltos.dll -> %SystemRoot%\qrbgltos.dll
    NY -> rosqxvmn.dll -> %SystemRoot%\rosqxvmn.dll
    NY -> SwSys1.bmp -> %SystemRoot%\SwSys1.bmp
    NY -> SwSys2.bmp -> %SystemRoot%\SwSys2.bmp
    NY -> userconfig9x.dll -> %SystemRoot%\userconfig9x.dll
    NY -> winsystem.exe -> %SystemRoot%\winsystem.exe
    [Empty Temp Folders]
    [Start Explorer]
    [Reboot]
    

    The fix should only take a short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.
    Post that information back here.

    I will review the information when it comes back in.
     
  6. Dragon Wizard (Thread Starter)
    It crashed the first time so I had to run it again. It didn't seem to fix anything though....

    Explorer killed successfully
    [Registry - Non-Microsoft Only]
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\brastk deleted successfully.
    C:\WINDOWS\system32\brastk.exe moved successfully.
    Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\brastk not found.
    File C:\WINDOWS\system32\brastk.exe not found.
    Registry value HKEY_USERS\S-1-5-21-2025429265-1604221776-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\brastk not found.
    File C:\WINDOWS\system32\brastk.exe not found.
    Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:karna.datrvice .
    C:\WINDOWS\system32\karna.dat moved successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\ngwstxfd not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5497993-2353-4DFA-B7AD-82C85E44265D}\ not found.
    File C:\WINDOWS\ngwstxfd.dll not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\qrbgltos not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{782CDCC7-C7A8-4E5D-9392-319915A0E1D1}\ not found.
    File C:\WINDOWS\qrbgltos.dll not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{758F6D53-DCC7-4CCF-9080-4B6F9389F641} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{758F6D53-DCC7-4CCF-9080-4B6F9389F641}\ deleted successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\iifDUmKd.dll
    C:\WINDOWS\system32\iifDUmKd.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\iifDUmKd.dll scheduled to be moved on reboot.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{758F6D53-DCC7-4CCF-9080-4B6F9389F641}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{758F6D53-DCC7-4CCF-9080-4B6F9389F641}\ not found.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\iifDUmKd.dll
    C:\WINDOWS\system32\iifDUmKd.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\iifDUmKd.dll scheduled to be moved on reboot.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F292743D-33E2-4946-8918-38E64DB104AE}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F292743D-33E2-4946-8918-38E64DB104AE}\ not found.
    File C:\WINDOWS\system32\iifCvUnN.dll not found.
    [Registry - Additional Scans - Non-Microsoft Only]
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\iifCvUnN deleted successfully.
    File C:\WINDOWS\system32\iifCvUnN.dll not found.
    [Files/Folders - Created Within 30 days]
    File C:\WINDOWS\System32\dllcache\beep.sys not found!
    File C:\WINDOWS\System32\akttzn.exe not found!
    File C:\WINDOWS\System32\anticipator.dll not found!
    File C:\WINDOWS\System32\awtoolb.dll not found!
    File C:\WINDOWS\System32\bdn.com not found!
    File C:\WINDOWS\System32\bsva-egihsg52.exe not found!
    File C:\WINDOWS\System32\dpcproxy.exe not found!
    File C:\WINDOWS\System32\emesx.dll not found!
    File C:\WINDOWS\System32\gaeffect.sti not found!
    File C:\WINDOWS\System32\gafilter.sti not found!
    File C:\WINDOWS\System32\[email protected]@@k.dll not found!
    File C:\WINDOWS\System32\hoproxy.dll not found!
    File C:\WINDOWS\System32\hxiwlgpm.exe not found!
    File C:\WINDOWS\System32\iifCvUnN.dll not found!
    DllUnregisterServer procedure not found in C:\WINDOWS\System32\iifDUmKd.dll
    C:\WINDOWS\System32\iifDUmKd.dll NOT unregistered.
    File move failed. C:\WINDOWS\System32\iifDUmKd.dll scheduled to be moved on reboot.
    C:\WINDOWS\System32\k86.bin moved successfully.
    File C:\WINDOWS\System32\karna.dat not found!
    File C:\WINDOWS\System32\mdgrcncp.exe not found!
    File C:\WINDOWS\System32\medup012.dll not found!
    File C:\WINDOWS\System32\medup020.dll not found!
    File C:\WINDOWS\System32\msgp.exe not found!
    File C:\WINDOWS\System32\msnbho.dll not found!
    File C:\WINDOWS\System32\mssecu.exe not found!
    File C:\WINDOWS\System32\msvchost.exe not found!
    File C:\WINDOWS\System32\mtr2.exe not found!
    File C:\WINDOWS\System32\mwin32.exe not found!
    File C:\WINDOWS\System32\netode.exe not found!
    File C:\WINDOWS\System32\newsd32.exe not found!
    File C:\WINDOWS\System32\NnUvCfii.ini not found!
    File C:\WINDOWS\System32\NnUvCfii.ini2 not found!
    File C:\WINDOWS\System32\pmnOiJBQ.dll not found!
    File C:\WINDOWS\System32\ps1.exe not found!
    File C:\WINDOWS\System32\psof1.exe not found!
    File C:\WINDOWS\System32\psoft1.exe not found!
    File C:\WINDOWS\System32\regc64.dll not found!
    File C:\WINDOWS\System32\regm64.dll not found!
    File C:\WINDOWS\System32\Rundl1.exe not found!
    File C:\WINDOWS\System32\sncntr.exe not found!
    File C:\WINDOWS\System32\ssvchost.com not found!
    File C:\WINDOWS\System32\ssvchost.exe not found!
    File C:\WINDOWS\System32\sysreq.exe not found!
    File C:\WINDOWS\System32\taack.dat not found!
    File C:\WINDOWS\System32\taack.exe not found!
    File C:\WINDOWS\System32\temp#01.exe not found!
    File C:\WINDOWS\System32\thun.dll not found!
    File C:\WINDOWS\System32\thun32.dll not found!
    File C:\WINDOWS\System32\VBIEWER.OCX not found!
    File C:\WINDOWS\System32\vbsys2.dll not found!
    File C:\WINDOWS\System32\vcatchpi.dll not found!
    File C:\WINDOWS\System32\wini104552664.exe not found!
    File C:\WINDOWS\System32\winlogonpc.exe not found!
    File C:\WINDOWS\System32\winsystem.exe not found!
    File C:\WINDOWS\System32\WINWGPX.EXE not found!
    File C:\WINDOWS\a.bat not found!
    File C:\WINDOWS\bdn.com not found!
    C:\WINDOWS\brastk.exe moved successfully.
    File C:\WINDOWS\exwg.exe not found!
    File C:\WINDOWS\FVProtect.exe not found!
    File C:\WINDOWS\grfxbanosar.dll not found!
    File C:\WINDOWS\iTunesMusic.exe not found!
    C:\WINDOWS\karna.dat moved successfully.
    File C:\WINDOWS\lomxeqsn.exe not found!
    File C:\WINDOWS\mslagent not found!
    File C:\WINDOWS\mssecu.exe not found!
    File C:\WINDOWS\ngwstxfd.dll not found!
    File C:\WINDOWS\qrbgltos.dll not found!
    File C:\WINDOWS\rosqxvmn.dll not found!
    File C:\WINDOWS\SwSys1.bmp not found!
    File C:\WINDOWS\SwSys2.bmp not found!
    File C:\WINDOWS\userconfig9x.dll not found!
    File C:\WINDOWS\winsystem.exe not found!
    [Empty Temp Folders]
    User's Temp folder emptied.
    User's Temporary Internet Files folder emptied.
    User's Internet Explorer cache folder emptied.
    Local Service Temp folder emptied.
    Local Service Temporary Internet Files folder emptied.
    Windows Temp folder emptied.
    Java cache emptied.
    FireFox cache emptied.
    Opera cache emptied.
    RecycleBin -> emptied.
    Explorer started successfully
    < End of fix log >
    OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 10182008_093401

    Files moved on Reboot...
    File move failed. C:\WINDOWS\system32\iifDUmKd.dll scheduled to be moved on reboot.
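    The fix log above mixes three outcomes that matter differently to a responder: actions that completed, targets that were already gone (the scan's entry was stale or another tool had removed it), and residual items that the fix could not finish, such as the AppInit_DLLs value it reports being unable to delete and the DLL that was only scheduled for a move on reboot and is reported again after the reboot. The following is an added example, not code from OTScanIt or from anyone in this thread, that reads such a log and sorts its lines into those three buckets. The line patterns are assumptions inferred from the posted log (there is no official grammar for it), and the sample log embedded in the script is a constructed subset of the lines posted above.

```python
"""Triage an OTScanIt fix log: what completed, what was already gone, what is left.

Added example for this thread, not code from OTScanIt or from anyone in the
thread. The line shapes matched below are assumptions inferred from the fix log
posted above; there is no official grammar for these logs.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the fix log posted above (post 6).
SAMPLE_LOG = r"""
Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\brastk deleted successfully.
C:\WINDOWS\system32\brastk.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\brastk not found.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:karna.datrvice .
C:\WINDOWS\system32\karna.dat moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iifDUmKd.dll
C:\WINDOWS\system32\iifDUmKd.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\iifDUmKd.dll scheduled to be moved on reboot.
[Files/Folders - Created Within 30 days]
File C:\WINDOWS\System32\akttzn.exe not found!
C:\WINDOWS\System32\k86.bin moved successfully.
[Empty Temp Folders]
User's Temp folder emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 10182008_093401
Files moved on Reboot...
File move failed. C:\WINDOWS\system32\iifDUmKd.dll scheduled to be moved on reboot.
"""


@dataclass
class Residual:
    kind: str           # what did not complete
    target: str         # registry value or file path involved
    after_reboot: bool  # True if reported in the "Files moved on Reboot" section


@dataclass
class FixReport:
    completed: list = field(default_factory=list)    # actions that succeeded
    not_present: list = field(default_factory=list)  # targets already absent
    residual: list = field(default_factory=list)     # Residual entries needing follow-up
    other: list = field(default_factory=list)        # lines no rule recognised


# Residual-line shapes (assumed from the posted log). Checked before the others.
_RULES = [
    (re.compile(r"^Unable to delete registry value (.+?)\s*\.$"), "registry_value_not_deleted"),
    (re.compile(r"^File move failed\. (.+?) scheduled to be moved on reboot\.$"), "move_deferred"),
    (re.compile(r"^(.+?) NOT unregistered\.$"), "not_unregistered"),
]
_COMPLETED = re.compile(
    r"^(?:Registry key |Registry value |File )?(.+?) (?:deleted|moved|killed|started) successfully\.?$"
    r"|^(.+?) emptied\.$"
)
_NOT_PRESENT = re.compile(r"^(?:Registry key |Registry value |File )?(.+?) not found[.!]$")


def triage(log_text: str) -> FixReport:
    """Classify every line of a fix log into completed / not_present / residual / other."""
    report = FixReport()
    after_reboot = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or line.startswith("<"):
            continue  # section headers and the end-of-log marker
        if line.startswith("Files moved on Reboot"):
            after_reboot = True  # everything after this was attempted post-reboot
            continue
        for pattern, kind in _RULES:
            m = pattern.match(line)
            if m:
                report.residual.append(Residual(kind, m.group(1), after_reboot))
                break
        else:
            m = _COMPLETED.match(line)
            if m:
                report.completed.append(m.group(1) or m.group(2))
                continue
            m = _NOT_PRESENT.match(line)
            if m:
                report.not_present.append(m.group(1))
                continue
            report.other.append(line)
    return report


def follow_up(report: FixReport) -> dict:
    """Map each residual target to the sorted list of problems seen for it.

    A deferred move that is reported again in the post-reboot section means the
    file survived the reboot, so that occurrence is labelled move_failed_after_reboot.
    """
    by_target = {}
    for r in report.residual:
        kind = r.kind
        if kind == "move_deferred" and r.after_reboot:
            kind = "move_failed_after_reboot"
        by_target.setdefault(r.target, set()).add(kind)
    return {t: sorted(k) for t, k in sorted(by_target.items())}


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print(f"{len(rep.completed)} completed, {len(rep.not_present)} already absent")
    for target, kinds in follow_up(rep).items():
        print(f"FOLLOW UP: {target}  ({', '.join(kinds)})")
```

    On the sample log the follow-up list contains exactly the two items a responder would want to see next: the AppInit_DLLs value that could not be deleted, and iifDUmKd.dll, which was not unregistered, was deferred to reboot, and was reported as still failing after the reboot.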
     
  7. cybertech (Retired Moderator)
    Can you post a HijackThis log now?
     
  8. Dragon Wizard (Thread Starter)
    'Fraid not.

    It still won't run.
     
  9. cybertech (Retired Moderator)
    Rename hijackthis.exe to kitty.exe and see if it will run.

    If not, try SDFix and/or ComboFix again.
     
  10. Dragon Wizard (Thread Starter)
    Renaming HijackThis didn't work at all. Renaming ComboFix allowed the program to run, yet nothing happened when the blue command window came up. Renaming SDFix worked fine, yet when it got to the screen that said 'scanning processes' it closed...

    I tried all three normally and in safe mode with no difference...
     
  11. cybertech (Retired Moderator)
    Download Dr.Web CureIt and save it to your desktop.
    • Double-click the drweb-cureit.exe file and allow it to run the express scan.
    • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, check whether you can click the icon next to the files found.
    • If so, click it, then click the icon right below and select Move incurable.
      This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
    • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
    • Save the report to your desktop. The report will be called DrWeb.csv.
    • Close Dr.Web CureIt.
    • Reboot your computer! It is possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the Dr.Web log you saved previously in your next reply, along with a new HijackThis log.
     
  12. Dragon Wizard (Thread Starter)
    About 25% of the way through the scan I got a blue screen of death saying "IRQL_NOT_LESS_OR_EQUAL".

    Upon booting the computer up again it seemed to have fixed a lot of the problems though. Task Manager was working and I could run everything. Explorer.exe was still closing a lot; however, I then ran ComboFix and it seems to have fixed everything.

    Here is the log:

    ComboFix 08-10-18.03 - Rio 2008-10-18 15:07:43.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2160 [GMT -7:00]
    Running from: C:\Documents and Settings\Rio\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\Rio\Application Data\Adobe\crc.dat
    C:\Documents and Settings\Rio\Application Data\Adobe\Player.exe
    C:\Documents and Settings\Rio\Application Data\Adobe\Player.exe.bak
    C:\Program Files\akl
    C:\Program Files\akl\akl.dll
    C:\Program Files\akl\akl.exe
    C:\Program Files\akl\uninstall.exe
    C:\Program Files\akl\unsetup.exe
    C:\Program Files\Inet Delivery
    C:\Program Files\Inet Delivery\inetdl.exe
    C:\Program Files\Inet Delivery\intdel.exe
    C:\WINDOWS\brastk.exe
    C:\WINDOWS\karna.dat
    C:\WINDOWS\system32\hxiwlgpm.dat
    C:\WINDOWS\system32\iifDUmKd.dll
    C:\WINDOWS\system32\k86.bin
    C:\WINDOWS\system32\karna.dat
    C:\WINDOWS\system32\smp
    C:\WINDOWS\system32\smp\msrc.exe
    C:\WINDOWS\system32\ssurf022.dll
    C:\WINDOWS\system32\tremir.bin
    C:\WINDOWS\system32\vbagz.sys
    C:\WINDOWS\system32\vtUlJaaX.dll
    C:\WINDOWS\system32\wini104552664.exe
    C:\WINDOWS\system32\XaaJlUtv.ini
    C:\WINDOWS\system32\XaaJlUtv.ini2

    ----- BITS: Possible infected sites -----

    hxxp://62.176.16.10
    .
    ((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
    .

    2008-10-18 12:42 . 2008-10-18 12:54 <DIR> d-------- C:\Documents and Settings\Rio\DoctorWeb
    2008-10-18 12:19 . 2008-10-18 12:19 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-10-18 12:18 . 2008-10-18 12:18 <DIR> d-------- C:\Bla
    2008-10-18 12:11 . 2008-10-18 12:36 <DIR> d-------- C:\SDFix
    2008-10-18 12:05 . 2008-10-18 12:05 <DIR> d-------- C:\Blaa
    2008-10-18 09:18 . 2008-10-18 09:18 <DIR> d-------- C:\_OTScanIt
    2008-10-17 11:30 . 2008-10-17 11:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Subversion
    2008-10-17 11:11 . 2008-10-17 11:11 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-10-17 09:35 . 2008-10-17 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yfgfohyv
    2008-10-17 09:35 . 2008-10-17 09:35 146 --a------ C:\Documents and Settings\Rio\delself.bat
    2008-10-16 13:34 . 2008-10-18 10:38 7 --a------ C:\WINDOWS\system32\ngxt.bin
    2008-10-15 12:47 . 2008-10-15 12:49 <DIR> d-------- C:\Documents and Settings\Rio\Application Data\Winamp
    2008-10-14 16:16 . 2008-08-14 03:11 2,189,184 --a------ C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2008-10-14 16:16 . 2008-08-14 03:09 2,145,280 --a------ C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2008-10-14 16:16 . 2008-08-14 02:33 2,066,048 --a------ C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2008-10-14 16:16 . 2008-08-14 02:33 2,023,936 --a------ C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2008-10-14 16:16 . 2008-09-15 05:12 1,846,400 --a------ C:\WINDOWS\system32\dllcache\win32k.sys
    2008-10-14 16:16 . 2008-09-08 03:41 333,824 --a------ C:\WINDOWS\system32\dllcache\srv.sys
    2008-10-11 11:48 . 2008-10-11 11:48 <DIR> d-------- C:\Program Files\Bullfrog
    2008-10-11 11:46 . 1998-07-30 12:51 305,152 --a------ C:\WINDOWS\IsUninst.exe
    2008-10-11 11:07 . 2008-10-11 11:07 <DIR> d-------- C:\Documents and Settings\Rio\WINDOWS
    2008-10-11 11:01 . 2008-10-11 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-10-11 11:01 . 2008-10-11 11:01 581,120 ---hs---- C:\Documents and Settings\Rio\intelOP.exe
    2008-10-11 11:01 . 2008-10-11 11:01 77,824 ---hs---- C:\Documents and Settings\Rio\MediaTubeCodec_ver1.1463.0.exe
    2008-10-10 15:34 . 2008-10-10 15:34 <DIR> d-------- C:\Documents and Settings\Rio\Application Data\Nexon
    2008-10-10 15:33 . 2003-07-20 11:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
    2008-10-10 15:33 . 2005-01-04 02:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
    2008-10-10 15:32 . 2008-10-10 15:32 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
    2008-10-10 15:19 . 2008-10-10 15:19 <DIR> d-------- C:\Nexon
    2008-10-09 16:29 . 2008-10-09 16:29 <DIR> d-------- C:\Program Files\Ulead Systems
    2008-10-09 16:29 . 1999-10-15 12:50 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
    2008-10-09 16:29 . 1999-01-28 15:44 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
    2008-10-09 16:29 . 2008-10-11 16:13 427 --a------ C:\WINDOWS\ULEAD32.INI
    2008-10-09 13:32 . 2008-10-16 15:56 <DIR> d-------- C:\Program Files\Game_Maker7
    2008-10-09 10:04 . 2008-10-09 10:04 16 --a------ C:\WINDOWS\aninst00.whe
    2008-10-09 10:03 . 2008-10-09 12:33 <DIR> d-------- C:\Program Files\Animagic
    2008-10-09 09:25 . 2008-10-09 09:25 <DIR> d-------- C:\Documents and Settings\Rio\Application Data\Alchemy Mindworks
    2008-10-08 21:26 . 2008-10-08 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-10-08 17:53 . 2008-10-08 17:53 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-10-04 23:26 . 2008-10-04 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
    2008-10-04 23:20 . 2008-10-04 23:20 200 --a------ C:\sqmnoopt04.sqm
    2008-10-04 23:20 . 2008-10-04 23:20 200 --a------ C:\sqmdata04.sqm
    2008-10-04 12:46 . 2008-10-04 17:33 <DIR> d-------- C:\Program Files\EsetOnlineScanner
    2008-09-29 12:23 . 2008-09-29 12:23 <DIR> d-------- C:\Documents and Settings\Rio\Application Data\acccore
    2008-09-29 10:54 . 2008-09-29 10:54 <DIR> d-------- C:\Program Files\Viewpoint
    2008-09-29 10:54 . 2008-09-29 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-09-29 10:54 . 2008-09-29 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-09-29 10:54 . 2008-09-29 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
    2008-09-29 10:54 . 2008-09-29 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
    2008-09-29 10:53 . 2008-09-29 10:53 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-09-29 10:53 . 2008-09-29 10:54 <DIR> d-------- C:\Program Files\AIM6
    2008-09-29 10:53 . 2008-09-29 10:54 365 --ah----- C:\IPH.PH
    2008-09-28 20:34 . 2008-09-28 20:34 <DIR> d-------- C:\Program Files\Mp3tag
    2008-09-28 20:34 . 2008-09-28 20:38 <DIR> d-------- C:\Documents and Settings\Rio\Application Data\Mp3tag
    2008-09-28 15:27 . 2008-09-28 15:28 <DIR> d-------- C:\Program Files\Magic Video Converter
    2008-09-28 15:27 . 2004-05-26 21:37 719,872 --a------ C:\WINDOWS\system32\devil.dll
    2008-09-28 15:27 . 2003-03-19 11:03 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
    2008-09-28 15:27 . 2006-09-16 19:44 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
    2008-09-28 14:29 . 2008-09-28 14:29 <DIR> d-------- C:\Program Files\MagicISO
    2008-09-28 14:12 . 2008-09-28 14:12 53 --a------ C:\WINDOWS\REGKEYNT.INI
    2008-09-28 14:04 . 2008-09-28 14:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-28 13:46 . 2008-09-28 14:07 <DIR> d-------- C:\Program Files\Magic MP3 Tagger
    2008-09-28 13:25 . 2008-09-28 14:21 <DIR> d-------- C:\Program Files\Cloudbrain
    2008-09-28 09:33 . 2008-09-29 20:53 <DIR> d-------- C:\Program Files\mIRC
    2008-09-26 21:39 . 2008-09-26 21:39 200 --a------ C:\sqmnoopt03.sqm
    2008-09-26 21:39 . 2008-09-26 21:39 200 --a------ C:\sqmdata03.sqm
    2008-09-26 12:52 . 2008-09-26 12:52 200 --a------ C:\sqmnoopt02.sqm
    2008-09-26 12:52 . 2008-09-26 12:52 200 --a------ C:\sqmdata02.sqm
    2008-09-25 19:33 . 2008-10-18 12:32 <DIR> d-------- C:\Documents and Settings\Rio\Tracing
    2008-09-25 19:30 . 2008-09-25 19:30 <DIR> d-------- C:\Program Files\Microsoft
    2008-09-25 19:27 . 2008-09-25 19:27 <DIR> d-------- C:\Program Files\Common Files\Windows Live
    2008-09-23 10:53 . 2008-09-27 12:26 <DIR> d-------- C:\Program Files\Multiwinia
    2008-09-19 12:45 . 2008-09-19 12:45 <DIR> d-------- C:\Program Files\Microsoft.NET
    2008-09-19 12:44 . 2008-09-19 12:46 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
    2008-09-19 12:44 . 2008-09-19 12:46 <DIR> d-------- C:\Program Files\Common Files\Merge Modules

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-18 22:27 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
    2008-10-18 22:27 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
    2008-10-18 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-10-18 17:32 --------- d-----w C:\Documents and Settings\Rio\Application Data\uTorrent
    2008-10-18 16:39 --------- d-----w C:\Program Files\Steam
    2008-10-17 17:53 --------- d-----w C:\Program Files\Windows Live Safety Center
    2008-10-16 23:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-10-15 19:49 --------- d-----w C:\Program Files\Winamp
    2008-10-15 10:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-10-15 02:12 3,766 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
    2008-10-14 17:35 --------- d-----w C:\Program Files\Opera
    2008-10-09 23:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-10-09 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
    2008-10-09 01:24 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-09-29 05:39 --------- d-----w C:\Documents and Settings\Rio\Application Data\mIRC
    2008-09-26 02:29 --------- d-----w C:\Program Files\Windows Live
    2008-09-22 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
    2008-09-17 02:00 --------- d-----w C:\Program Files\YVD
    2008-09-16 17:37 --------- d-----w C:\Program Files\Kaiba Corp VDS
    2008-09-12 23:56 --------- d-----w C:\Program Files\QT Lite
    2008-09-12 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-09-12 23:51 --------- d-----w C:\Program Files\Common Files\Apple
    2008-09-12 21:54 --------- d-----w C:\Program Files\iTunes
    2008-09-12 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-09-12 21:53 --------- d-----w C:\Program Files\iPod
    2008-09-12 21:51 --------- d-----w C:\Program Files\Bonjour
    2008-09-12 21:03 --------- d-----w C:\Program Files\The Sabres
    2008-09-12 02:35 --------- d-----w C:\Program Files\Frets On Fire
    2008-09-08 17:28 --------- d-----w C:\Program Files\Common Files\NSV
    2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
    2008-09-04 00:32 --------- d-----w C:\Documents and Settings\Rio\Application Data\SPORE
    2008-09-03 16:49 --------- d-----w C:\Program Files\BookmarkSync
    2008-09-03 04:26 --------- d-----w C:\Documents and Settings\Rio\Application Data\TortoiseSVN
    2008-09-03 04:26 --------- d-----w C:\Documents and Settings\Rio\Application Data\Subversion
    2008-09-03 04:15 --------- d-----w C:\Program Files\TortoiseSVN
    2008-09-03 04:15 --------- d-----w C:\Program Files\Common Files\TortoiseOverlays
    2008-09-03 00:12 --------- d-----w C:\Program Files\Panda Security
    2008-08-31 17:05 --------- d-----w C:\Documents and Settings\Rio\Application Data\Leadertech
    2008-08-31 17:04 --------- d-----w C:\Program Files\Common Files\LogiShrd
    2008-08-31 17:00 --------- d-----w C:\Program Files\Logitech
    2008-08-31 17:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
    2008-08-25 16:12 --------- d-----w C:\Program Files\Apple Software Update
    2008-08-19 00:15 --------- d-----w C:\Program Files\Real Alternative
    2008-08-19 00:04 --------- d-----w C:\Documents and Settings\Rio\Application Data\Media Player Classic
    2008-08-18 04:35 --------- d-----w C:\Program Files\LucasArts
    2008-08-06 03:19 88 --sh--r C:\Documents and Settings\All Users\Application Data\A4AE76D7BC.sys
    2008-06-30 08:20 22,328 ----a-w C:\Documents and Settings\Rio\Application Data\PnkBstrK.sys
    2008-05-16 03:39 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 17:52 80384 --a------ C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
    "AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
    "Steam"="c:\program files\steam\steam.exe" [2008-10-11 1410296]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "DAEMON Tools Pro Agent"="H:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
    "uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-08-14 267056]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2008-09-09 3513344]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
    "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
    "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
    "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 C:\WINDOWS\soundman.exe]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 C:\WINDOWS\CTHELPER.EXE]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 C:\WINDOWS\system32\CTXFIHLP.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ac3filter"= ac3filter.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "H:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
    "H:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
    "H:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
    "H:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "C:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=
    "C:\\Program Files\\Steam\\steamapps\\dragonwizardz\\team fortress 2\\hl2.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\AIM6\\aim6.exe"=

    R2 LtcyCfgSvc;PCI Latency Tool Service;C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe [2005-12-26 5120]
    R2 NMSAccessU;NMSAccessU;C:\Program Files\Super_DVD_Creator_9.8\NMSAccessU.exe [2007-10-12 71096]
    R2 PSI_SVC_2;Protexis Licensing V2;C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
    R2 regi;regi;C:\WINDOWS\system32\drivers\regi.sys [2007-04-17 11032]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
    R3 LtcyCfgWDM;PCI Latency Tool Driver Service;C:\WINDOWS\system32\DRIVERS\LtcyCfgWDM.sys [2005-12-26 6656]
    R3 LVRS;Logitech RightSound Filter Driver;C:\WINDOWS\system32\DRIVERS\lvrs.sys [2008-07-26 627864]
    S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [ ]
    S1 SysTool;SysTool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\SysTool.sys [2006-11-10 24064]
    S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2007-05-23 547744]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt [ ]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12dec1fd-1269-11dd-8649-001320640918}]
    \Shell\AutoRun\command - D:\SETUP.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b081004-4287-11dd-afd1-806d6172696f}]
    \Shell\AutoRun\command - D:\SETUP.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97f31bc2-11f3-11dd-8915-806d6172696f}]
    \Shell\AutoRun\command - D:\setup.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{758F6D53-DCC7-4CCF-9080-4B6F9389F641} - C:\WINDOWS\system32\iifDUmKd.dll
    BHO-{9CFFE08E-BB13-4206-A795-C0E0E3449AC7} - C:\WINDOWS\system32\vtUlJaaX.dll
    HKCU-Run-MonDscProc - C:\WINDOWS\system32\mdgrcncp.exe
    ShellExecuteHooks-{758F6D53-DCC7-4CCF-9080-4B6F9389F641} - C:\WINDOWS\system32\iifDUmKd.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Rio\Application Data\Mozilla\Firefox\Profiles\woo1y2t9.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-18 15:28:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EverestDriver]
    "ImagePath"="\??\C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Opera\opera.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-18 15:42:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-18 22:42:14
    ComboFix2.txt 2008-10-03 02:52:28

    Pre-Run: 3,760,402,432 bytes free
    Post-Run: 3,734,523,904 bytes free

    335 --- E O F --- 2008-10-15 10:08:27

    And I have attached a HijackThis log.
     

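The log above contains the items a responder reads first: the two Security Center "DisableNotify" values set to 1, the Windows Firewall turned off in the standard profile, AutoRun handlers recorded under mountpoints2, and the orphaned BHO / Run / ShellExecuteHooks entries whose targets in system32 carry pseudo-random names of the kind droppers use. The following Python script is an added example (not ComboFix's, the forum's, or the poster's own code): it parses those parts of a ComboFix-style log and ranks them for human review. The sample input is a handful of lines excerpted from the log above and embedded so the script runs offline; the registry key paths it looks up and the random-name heuristic are assumptions of this example. Its output is a list of leads, not verdicts: a user running a third-party firewall or security suite can legitimately have the same Security Center values set.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's code).

Pulls registry loading points, AutoRun handlers and the ORPHANS REMOVED
section out of the text and ranks them for review.
"""
import re

# Constructed sample: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12dec1fd-1269-11dd-8649-001320640918}]
\Shell\AutoRun\command - D:\SETUP.EXE

- - - - ORPHANS REMOVED - - - -

BHO-{758F6D53-DCC7-4CCF-9080-4B6F9389F641} - C:\WINDOWS\system32\iifDUmKd.dll
BHO-{9CFFE08E-BB13-4206-A795-C0E0E3449AC7} - C:\WINDOWS\system32\vtUlJaaX.dll
HKCU-Run-MonDscProc - C:\WINDOWS\system32\mdgrcncp.exe
ShellExecuteHooks-{758F6D53-DCC7-4CCF-9080-4B6F9389F641} - C:\WINDOWS\system32\iifDUmKd.dll
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$", re.IGNORECASE)
ORPHAN_RE = re.compile(r"^(\S+) - (.+\.(?:dll|exe|sys))$", re.IGNORECASE)

# Key paths as ComboFix prints them, lower-cased (assumed stable for this example).
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FIREWALL_STD = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
VOWELS = set("aeiouAEIOU")


def reg_value(raw):
    """Normalise ComboFix's renderings ('dword:00000001', '0 (0x0)', '1 (0x1)') to int; None if not numeric."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def parse_log(text):
    """Return (reg, orphans, autoruns). reg maps lower-cased key path -> {value name: int}."""
    reg, orphans, autoruns = {}, [], []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            key = m.group(1).lower()
            reg.setdefault(key, {})
        elif key and (m := VALUE_RE.match(line)):
            reg[key][m.group(1)] = reg_value(m.group(2))
        elif key and (m := AUTORUN_RE.match(line)):
            autoruns.append((key, m.group(1)))
        elif (m := ORPHAN_RE.match(line)):
            orphans.append((m.group(1), m.group(2)))
    return reg, orphans, autoruns


def looks_random(path):
    """Rough heuristic for generated names such as iifDUmKd.dll: capitals that do not
    start a lowercase word, or an all-lowercase 8+ letter stem with no vowels.
    Leading acronyms (TSVNCache, NMIndexStoreSvr) are skipped. Ranks for review only."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    core = stem.lstrip("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
    odd_caps = 0
    for i, ch in enumerate(core):
        if ch.isupper():
            nxt = core[i + 1:i + 3]
            if len(nxt) < 2 or not nxt.islower():
                odd_caps += 1
    no_vowels = len(stem) >= 8 and stem.islower() and not (VOWELS & set(stem))
    return odd_caps >= 2 or no_vowels


def triage(text):
    """Return [(severity, finding)], highest severity first."""
    reg, orphans, autoruns = parse_log(text)
    findings = []
    sc = reg.get(SECURITY_CENTER, {})
    for name in ("AntiVirusDisableNotify", "UpdatesDisableNotify"):
        if sc.get(name) == 1:
            findings.append(("medium", f"Security Center: {name}=1 (warnings suppressed; also set by some 3rd-party suites)"))
    if reg.get(FIREWALL_STD, {}).get("EnableFirewall") == 0:
        findings.append(("medium", "Windows Firewall disabled in standard profile"))
    for _key, cmd in autoruns:
        findings.append(("low", f"AutoRun handler recorded for a mounted volume: {cmd}"))
    for entry, target in orphans:
        sev = "high" if looks_random(target) else "medium"
        findings.append((sev, f"orphaned loading point {entry} -> {target} (file already gone; check quarantine/AV logs)"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {msg}")
```

The orphan section is worth reading carefully: ComboFix lists entries whose target file was not found, so the registry hooks were present but the DLLs had already been removed or quarantined. That is why the script marks them for cross-checking against quarantine and AV logs rather than treating them as live infections.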
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Download a new copy of Combofix and run that.
     
  14. Dragon Wizard

    Dragon Wizard Thread Starter

    Joined:
    Jun 24, 2008
    Messages:
    39
    Hmm, didn't see your reply. I already did what you have asked and edited my last post though.
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Open Notepad and copy and paste the text in the quote box below into it:

Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


    I don't see any anti-virus software running.
    Look in the TSG Library of Knowledge for suggestions. Some are purchased and some are free. Pick one and get your system protected.


    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    Click Exit on the Main menu to close the program.




    Please download Malwarebytes Anti-Malware and save it to your desktop. alternate link 1 alternate link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply with a new hijackthis log.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
     
Short URL to this thread: https://techguy.org/760051