need virus help

Question

thaner12000 0 Light Poster

14 Years Ago

I got up this morning and computer was working funny. I rebooted and crypt_20 would not end. I had no idea what this file was. I clicked end program and rebooted. I ran malwarebytes and found 6 or so virus's and/or rootkits. I rebooted and ran again. found 2 nasties this time. I repeated again and still 2 nasties. Girlfriend said she was on youtube and got redirected off site and something started and she closed it right away. Not in time I guess.

Rather than bother anyone with this online, I decided to just reformat. After reformatting I ran malwarebytes again and had 14 viruses and/or rootkits. So if reformatting won't get rid of them I think I need help.

The GmerOne.log is completely blank, but the rest is below.

Thanks in advance for any help. (currently can't open iexplorer etc...)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-11 02:42:26
Windows 5.1.2600 Service Pack 2
Running: tmorzbyi.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\awgdypod.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Canon iP1600\PrinterDriverData@CnmSLM_TimeLastUpdated 1949031

---- EOF - GMER 1.0.15 ----

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4793

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

10/11/2010 5:31:00 AM
mbam-log-2010-10-11 (05-31-00).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 319529
Time elapsed: 2 hour(s), 45 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\hp\drivers\hplsbwatcher\lsburnwatcherSrv.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\ComboFix\NircmdBSrv.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\ComboFix\PEVSrv.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Desktop\fix computer\ATF-CleanerSrv.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
D:\MiniNT\system32\RESTORESrv.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
D:\MiniNT\system32\MBRSrv.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
D:\MiniNT\system32\shutdownSrv.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot.

DDS (Ver_10-10-10.03) - NTFSx86
Run by HP_Owner at 5:36:12.60 on Mon 10/11/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.516 [GMT -3:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\HP_Owner\Desktop\fix computer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286756524402
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286763704765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-10-11 06:26:29 459264 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-10-11 06:26:29 268288 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-10-11 06:26:28 52224 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-10-11 06:26:27 63488 ------w- c:\windows\system32\dllcache\icardie.dll
2010-10-11 06:26:27 380928 ------w- c:\windows\system32\dllcache\ieapfltr.dll
2010-10-11 06:26:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-10-11 06:26:24 2452872 ------w- c:\windows\system32\dllcache\ieapfltr.dat
2010-10-11 06:26:19 6067200 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-10-11 03:44:36 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-11 02:06:49 8704 ----a-w- c:\windows\system32\CNMVS75.DLL
2010-10-11 02:06:49 59392 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP75.DLL
2010-10-11 02:06:49 20992 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD75.DLL
2010-10-11 02:06:49 139776 ----a-w- c:\windows\system32\CNMLM75.DLL
2010-10-11 02:06:44 90112 ----a-w- c:\windows\system32\CNMCP75.exe
2010-10-11 01:23:16 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2010-10-11 01:23:07 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-10-11 01:22:33 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2010-10-11 01:22:33 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2010-10-11 00:59:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-11 00:59:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 00:59:07 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-10-11 00:53:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-11 00:53:38 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-11 00:41:18 -------- d-sh--r- C:\cmdcons
2010-10-11 00:40:57 -------- d-----w- c:\windows\setupupd
2010-10-11 00:34:20 -------- d-sh--r- c:\windows\system32\dllcache
2010-10-11 00:31:11 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-10-11 00:31:11 -------- d-----w- c:\windows\system32\PreInstall
2010-10-11 00:24:49 22744 ----a-w- c:\windows\system32\wuauserv.dll
2010-10-11 00:24:49 22744 ----a-w- c:\windows\system32\dllcache\wuauserv.dll
2010-10-11 00:24:49 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-10-11 00:24:49 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-10-11 00:24:48 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-10-11 00:24:48 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-10-11 00:24:48 -------- d-----w- c:\windows\system32\SoftwareDistribution
2010-10-11 00:09:45 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-10-11 00:09:44 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-10-11 00:09:43 133616 ------w- c:\windows\system32\pxafs.dll
2010-10-10 23:54:26 -------- d-s---w- c:\documents and settings\hp_owner\UserData
2010-10-10 23:53:50 -------- d-----w- c:\docume~1\hp_owner\applic~1\Ylsus
2010-10-10 23:53:50 -------- d-----w- c:\docume~1\hp_owner\applic~1\Ydtiyw
2010-10-10 23:52:20 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-10 20:11:25 -------- d-----w- C:\ComboFix
2010-10-10 14:22:02 -------- d-----w- c:\program files\windows
2010-10-07 01:49:37 -------- d-----w- c:\docume~1\hp_owner\applic~1\Bery
2010-09-14 22:51:39 241664 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-09-14 22:51:39 241664 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-09-14 22:51:39 241664 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-09-14 22:51:39 241664 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

==================== Find3M ====================

2010-10-10 15:04:18 782336 ----a-w- C:\StubInstaller.exe
2009-10-21 08:10:31 14265 ----a-w- c:\program files\common files\nadyh.scr
2009-10-21 08:10:30 13638 ----a-w- c:\program files\common files\ovawuq.sys
2009-10-21 08:10:30 10872 ----a-w- c:\program files\common files\xatar.com
2009-10-21 07:57:20 11122 ----a-w- c:\program files\common files\emumy.exe
2009-08-13 06:54:14 19444 ----a-w- c:\program files\common files\aqewymuvov.vbs
2009-08-13 06:54:13 18715 ----a-w- c:\program files\common files\edowymu.vbs
2009-08-13 06:54:13 18544 ----a-w- c:\program files\common files\ezyhife.reg
2009-08-13 06:54:13 15608 ----a-w- c:\program files\common files\batytucyb.dll

============= FINISH: 5:39:26.92 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/11/2010 12:50:04 AM
System Uptime: 10/11/2010 5:32:57 AM (0 hours ago)

Motherboard: MSI | | ALBACORE
Processor: AMD Athlon(tm) 64 Processor 3500+ | Socket 939 | 1772/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 179 GiB total, 53.94 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 1.378 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
AiO_Scan
AiOSoftware
ATI Control Panel
ATI Display Driver
Blackhawk Striker 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 Holidays from Hewlett-Packard Desktops (remove only)
Blasterball 2 Remix from Hewlett-Packard Desktops (remove only)
Bounce Symphony from Hewlett-Packard Desktops (remove only)
BufferChm
CameraDrivers
Canon iP1600
Copy
CP_AtenaShokunin1Config
cp_dwSharkTaleAlbums1
cp_dwSharkTaleCards1
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CP_PLSBusinessFlyers
CreativeProjects
CreativeProjectsTemplates
Crystal Maze from Hewlett-Packard Desktops (remove only)
CueTour
Destinations
Director
DivX Setup
DocProc
DocumentViewer
Easy Internet Sign-up
Fax
ffdshow v1.1.3562 [2010-09-07]
Final Drive Nitro from Hewlett-Packard Desktops (remove only)
FinalBurner Free v2.20.0.187
Google Toolbar for Internet Explorer
Help and Support Additions
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
HP Deskjet Printer Preload
HP Help and Support 4.0
HP Image Zone 4.8.6
HP Image Zone Plus 4.8.6
HP Organize
HP Photosmart Cameras 4.5
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HPIZplus450
HpSdpAppCoreApp
HPSystemDiagnostics
InstantShare
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0
Java Auto Updater
Java(TM) 6 Update 21
KBD
Lexibox Deluxe from Hewlett-Packard Desktops (remove only)
LS_HSI
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 4.0
Overball from Hewlett-Packard Desktops (remove only)
PanoStandAlone
PC-Doctor for Windows
Phoenix Assault from Hewlett-Packard Desktops (remove only)
PhotoGallery
Photosmart 320,370,7400,8100,8400 Series
Polar Bowler from Hewlett-Packard Desktops (remove only)
Polar Golfer from Hewlett-Packard Desktops (remove only)
PrintScreen
PS2
PSPrinters06
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QFolder
QuickProjects
QuickTime
Readme
RealPlayer
Remove Microsoft Money 2005 installer
Remove Quicken New User Edition installer
Remove WeatherBug installer
Scan
ScannerCopy
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB982381)
Segoe UI
Shooting Stars Pool from Hewlett-Packard Desktops (remove only)
SkinsHP1
Slyder from Hewlett-Packard Desktops (remove only)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Super Granny from Hewlett-Packard Desktops (remove only)
Tradewinds from Hewlett-Packard Desktops (remove only)
TrayApp
Unload
Update for Windows XP (KB898461)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Updates from HP
VC80CRTRedist - 8.0.50727.4053
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip 14.5

==== Event Viewer Messages From Past Week ========

10/11/2010 12:26:32 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows nt\accessories\wordpad.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.3355, the version of the system file is 5.1.2600.3355.
10/11/2010 12:26:25 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\wmplayer.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 10.0.0.3646, the version of the system file is 10.0.0.3646.
10/11/2010 12:26:25 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\setup_wm.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 10.0.0.3646, the version of the system file is 10.0.0.3646.
10/11/2010 12:26:19 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\mpvis.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 10.0.0.3646, the version of the system file is 10.0.0.3646.
10/11/2010 12:26:18 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\migrate.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 10.0.0.3646, the version of the system file is 10.0.0.3646.
10/11/2010 12:09:43 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\outlook express\msoe.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.3664, the version of the system file is 6.0.2900.3664.
10/10/2010 9:51:53 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
10/10/2010 9:21:04 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
10/10/2010 9:09:17 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.ATL. Reference error message: The referenced assembly is not installed on your system. .
10/10/2010 9:09:17 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\DivX\DivX Transcode Engine\mtw178.ddc. Reference error message: The operation completed successfully. .
10/10/2010 9:09:17 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\DivX\DivX Transcode Engine\gzHF330.ddc. Reference error message: The operation completed successfully. .
10/10/2010 9:09:17 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.ATL could not be found and Last Error was The referenced assembly is not installed on your system.
10/10/2010 8:54:54 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
10/10/2010 8:54:54 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\tmp9fec816f\kill.exe. Reference error message: The operation completed successfully. .
10/10/2010 8:54:54 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
10/10/2010 11:02:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: fasttx2k
10/10/2010 10:32:28 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft GDI+ Detection Tool (KB873374).

==== End Of File ===========================

windows-virus

4 Contributors
18 Replies
501 Views
2 Days Discussion Span
Latest Post 14 Years Ago Latest Post by crunchie

crunchie 990 Most Valuable Poster

14 Years Ago

Was it a proper reformat, or just a repair? What programs did you install after? How many files did you backup and put back on your C drive?

==

Make sure to use Internet Explorer for this

Please go to VirSCAN.org FREE on-line scan service

Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
c:\windows\system32\userinit.exe

Click on the Upload button

If a pop-up appears saying the file has been scanned already, please select the ReScan button.

Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.

Paste the contents of the Clipboard in your next reply.

Also scan these,
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe

Edited 14 Years Ago by crunchie because: n/a

crunchie 990 Most Valuable Poster

14 Years Ago

I reckon you are up for a reformat.

Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on the Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Edited 14 Years Ago by crunchie because: n/a

bingo19 0 Newbie Poster

14 Years Ago

You may try NOD 32 antivirus once, before formatting. It comes with 30 days trial license.
Its really effective in removing notorious viruses.
______________________________________________________________________________

Edited 14 Years Ago by crunchie because: Remove fake sig.

chris311fan 0 Newbie Poster

14 Years Ago

well, I have removed many viruses. And maybe i'm overlooking something, but what I usually do is have malwarebytes run a scan AFTER i download an rkill file. if you search "virus removal bleeping computer.com" a link will come up, open to the page, and downlaod the rkill.com link. if you can't find it i'll attach it. But, what you do is move this exe file to your desktop and restart your computer, and click the file on the desktop as fast as possible, beating any malware processes to the punch. what this will do is end and quarantine all nasty processes and then you can scan and remove them. Let me know if that works, best of luck.

crunchie 990 Most Valuable Poster

14 Years Ago

Looks like I was right. That virus is related to Virut, which infects almost every executable file on the pc.
Hope you have your Windows CD?

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

thaner12000 0 Light Poster · Answer 1 · 2010-10-11T23:48:01+00:00

I just did the f10 on reboot, restored computer to factory settings, but it keeps all data files that were created. Has always worked in the past, but not this time it seems. I did the windows updates (100's of them), and installed live messenger, media player, divx codecs, printer drivers, fddshow, and removed old norton and spy subtract.

When I enter each of the three files you posted I get the same resulting error.
ERROR: Failed to find flength file!

I ran malwarebytes again when I went to bed and here is the new log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4793

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

10/11/2010 2:25:01 PM
mbam-log-2010-10-11 (14-25-01).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 320518
Time elapsed: 1 hour(s), 53 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{3feb2f9f-105a-82f7-dd5e-3592272644d1} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\HP_Owner\Application Data\Idceu\zoxye.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\tmp755d895f\kill.exe (Trojan.Agent) -> Quarantined and deleted successfully.

thaner12000 0 Light Poster · Answer 2 · 2010-10-12T18:37:48+00:00

the report won't post. thousands of lines long. let me know how to attach a file if you need to see all report and I haven't figured out how to attach the file. here is first few lines of report.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Tuesday, October 12, 2010
 Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Monday, October 11, 2010 18:05:56
 Records in database: 4203867
--------------------------------------------------------------------------------

Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\

Scan statistics:
    Objects scanned: 139564
    Threats found: 6
    Infected objects found: 1991
    Suspicious objects found: 0
    Scan duration: 06:11:33


File name / Threat / Threats count
C:\Program Files\WinRAR\rarext.dll/C:\Program Files\WinRAR\rarext.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll/C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll Infected: Virus.Win32.Nimnul.a  1
c:\Program Files\Common Files\LightScribe\MSVCR71.dll/c:\Program Files\Common Files\LightScribe\MSVCR71.dll Infected: Virus.Win32.Nimnul.a  1
C:\PROGRA~1\Java\jre6\bin\client\jvm.dll/C:\PROGRA~1\Java\jre6\bin\client\jvm.dll   Infected: Virus.Win32.Nimnul.a  1
C:\PROGRA~1\Java\jre6\bin\java.dll/C:\PROGRA~1\Java\jre6\bin\java.dll   Infected: Virus.Win32.Nimnul.a  1
C:\PROGRA~1\Java\jre6\bin\hpi.dll/C:\PROGRA~1\Java\jre6\bin\hpi.dll Infected: Virus.Win32.Nimnul.a  1
C:\Program Files\Java\jre6\bin\deploy.dll/C:\Program Files\Java\jre6\bin\deploy.dll Infected: Virus.Win32.Nimnul.a  2
C:\Program Files\Java\jre6\bin\net.dll/C:\Program Files\Java\jre6\bin\net.dll   Infected: Virus.Win32.Nimnul.a  2
C:\Program Files\Java\jre6\bin\regutils.dll/C:\Program Files\Java\jre6\bin\regutils.dll Infected: Virus.Win32.Nimnul.a  2
C:\Program Files\Java\jre6\bin\client\jvm.dll/C:\Program Files\Java\jre6\bin\client\jvm.dll Infected: Virus.Win32.Nimnul.a  1
C:\Program Files\Java\jre6\bin\java.dll/C:\Program Files\Java\jre6\bin\java.dll Infected: Virus.Win32.Nimnul.a  1
C:\Program Files\Java\jre6\bin\hpi.dll/C:\Program Files\Java\jre6\bin\hpi.dll   Infected: Virus.Win32.Nimnul.a  1
C:\ComboFix\iexplore.exe    Infected: Virus.Win32.Nimnul.a  1
C:\ComboFix\NircmdB.exe Infected: Virus.Win32.Nimnul.a  1
C:\ComboFix\pev.exe Infected: Virus.Win32.Nimnul.a  1
C:\ComboFix\SF.exe  Infected: Virus.Win32.Nimnul.a  1
C:\ComboFix\swreg.exe   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Driver2\CNMPV.DLL  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Driver2\CNMSTMN.DLL    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Driver2\CNMUI.DLL  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\cnmis.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\cnmis5.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\Cnmvsa.exe   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\devid.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\helpkicker.exe   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Boot Optimizer\Setup.Exe    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.5.30.2.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140007_42816\EasyShrx.Dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0002_85868e\EasyShrx.Dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\CCS\CCSStop.exe   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\ESS\bindbins\bindbins.exe Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\KDEVICES\CR2\cr_stop.exe  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\Ksu\ksustop.exe   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\finish.exe    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\start.exe Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\update.exe    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECEOIETCDFTSN3DFIYSRFFTF0\NCTAudioFormatSettings3.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECEOIETCIDCMESLFNSDRFFTF0\NCTVideoCompress.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECEOIETCIDTAFODLINSIFFFF0\NCTVideoTransform.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECEOIETCUDCMESDLINSIFFFF0\NCTAudioCompress2.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECEOIETCUDCMESDLINSIFFTF0\NCTAudioCompress3.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECEOIETCUITMILLFNSDRFFTF0\NCTQuickTimeFile.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECEOUIEDTCIDCRDLWNSDFFFT0\NCTVideoCoreM.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECEOUIEDTCIDFLLLISDIFFTF0\NCTVideoFile.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECEOUIEDTCMAFLLLISDIFFTF0\NCTImageFile.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECIOIRESNAUOI2DFIYSRFFFF0\NCTAudioFile2.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECIOIRSNAUOERDLFNSDRFFTF0\NCTAudioRecord2.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECIOIRSNAUOLERLFNSDRFFTF0\NCTAudioPlayer2.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECIOIRSNAUORBEDLINSIFFTF0\NCTAudioGrabber2.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECIOIRSNUOALI2DFIYSRFFFF0\NCTAudioVisualization2.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECIOIRSNUORMINLLISDIFFTF0\NCTAudioInformation2.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECIOIRSNUORSFMDFWSSRFFFF0\NCTAudioTransform2.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECIOORSNAUODORLFNSDRFFTF0\NCTAudioEditor2.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECIOORSNUODABRDFWSSRFFFF0\NCTAudioCDGrabber2.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECIOUIRESNWMIELLISDIFFTF0\NCTWMAFile2.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECSOERDRDTAMSGDFIYSRFFFF0\AdjMmsEng.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECVEOUIEDTCMVLDFWSSRFFFF0\NCTWMVFile.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCECVEOUIEDTCVILDFWSSRFFFF0\NCTAVIFile.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCEIENDACRTRICAOLLISDIFFFF0\AVICreator.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCEIENDWCRTRVCAOLLISDIFFFF0\WMVCreator.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCEMDXDBRNGKIMSDDFWSSRFFTF0\NMSDVDX.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCEMRAFAKNEINBE4LLISDIFFFF0\SkinBoxer43.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCEMXDBRNGKIMSCSXEISDIFFFF0\NMSAccess.exe   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCEMXDBRNGKIMSDULFNYIRFFFF0\NMSDVDXU.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCETRDEORDRUESCNELWIYDFFFF0\DirectEncode.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCETRDEORDRUESP2DFIYSRFFFF0\erdmpg-5.2.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCEVAHOCIXCTOSV7DFWSSRFFFF1\msvcr71.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCEXEDXMSABXCORLLFREIRFFFF0\ExControl.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCVECAIOUIRESLEEDLINSIFFFF0\lame_enc.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMGCVEVAHOCIXCTOFCDLINSIFFFF0\MFC71.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFGMMGCVERPTEEFECCIRMLTGEIFFFF0\IsDRM.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFIDOSSSTM3OGENEXFWNSSDRFFFFFF0\OggEnc.exe  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFIDSSSTM3MSCR0DLFINYSIRFFFFTF0\msvcr70.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFRGMMGCVEIEDIRAPUTDFWSSRFFTFF0\Manipulate.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFRGMMGCVENOONAOUNMOLLISDIFFFF0\Uncommon.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFRGMMGCVEPUATEIAPPADLWNSDFFTF0\AppUpdate.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFRGMMGCVEV2KLENLLTAGEDIFFFFFF0\lame_enc.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFRGMMGCVEV2KT2OLLTAGEDIFFFFFF0\TVE2COM.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFRGMMGCVEV2KTE2LLTAGEDIFFFFFF0\TVE2.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFRGMMGCVEYICOYIETRLWIYDFFFFFF0\comLyricGetter.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFWIDOSSSTM3LAEEEFINYSIRFFFFFF0\Lame.exe    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFYTMEALEMIPDIRBDBDLINSIFFFTFF0\CDDBUI.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFYTMEALEMIPDIRBDBNRDLWNSDFFTF0\CDDBControl.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\offline\IFYTMEALEMIPDIRBZI2LTAEDFFFFFF0\Unzip32.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\13FAFF0F\74AD4AE7\lame_enc.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\15FCD408\1D442A03\viscomaudiodata.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\1BFDA811\F62D5284\ExControl.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\1C419080\387EEA1E\IsDRM.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\1EAA014C\74AD4AE7\TVE4.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\1F3C49AE\8FD17A8B\Faac.exe  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\2267BC26\BE9F39B8\viscomflvenc_licenseto_MystikMedia.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\240ECBFB\BE9F39B8\viscomaudioencoder.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\24A1ED17\2302A1E7\SkinBoxer43.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\2E01768B\1D442A03\viscommpgenc.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\30AB743C\BE9F39B8\viscomdata1.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\3D16E0C4\BE9F39B8\viscomsplitter.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\3D2919A7\32F7A4D1\AdjMmsEng.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\3DA0E39D\1D442A03\viscomdvds.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\46DCAF14\431AE4FA\Lame.exe  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\4978668B\BE9F39B8\viscomwave.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\4DE1DBE1\1D442A03\msvcr71.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\511E84A9\BE9F39B8\gdiplus.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\5640A05\BE9F39B8\viscomflvdec_licenseto_MystikMedia.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\5E036521\BE9F39B8\viscommpgdec.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\63B71039\BE9F39B8\viscomtran.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\63E85F6B\431AE4FA\OggEnc.exe    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\7DC8CFBD\F4168408\Manipulate.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\8012801F\1D442A03\MFC71.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\86784D0\BE9F39B8\viscomdata3.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\879D649D\BE9F39B8\viscomqtenc.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\92862F82\74AD4AE7\TVE4COM.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\9844C3DB\1D442A03\lame_enc.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\9F630A2F\4CE0045E\DirectEncode.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\A0C8CFD5\39093834\viscomdvdimg.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\A5327326\BE9F39B8\viscom3gpenc.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\AD38ADA6\BE9F39B8\viscomqtde.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\AFC491F9\AF8C2D79\AudioGenie2.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\B18CBFF8\BE9F39B8\viscomaudiodata.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\B7C91652\BE9F39B8\viscommpgenc.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\BDA55513\BE9F39B8\viscommpgadec.dll Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\CCE4E3A6\1AD538CD\comLyricGetter.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\CED1CDE5\F0B0E335\NCTImageFile.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\D7552C32\B7886AB6\Uncommon.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\D97BCDE2\BE9F39B8\viscomgifenc.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\DA6E97FC\BE9F39B8\viscomframe.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\E12C82FD\BE9F39B8\viscomdata2.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\E27A35DF\5104EFF1\NormalizeDSP.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\E5FB8439\1D442A03\lame_enc.dll  Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\E8DCC26C\CDC1F3D7\Unzip32.dll   Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\EC3470FD\1D442A03\viscomaudioencoder.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\EF5CA551\1D442A03\viscomwave.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\F9204BA9\1D442A03\MFC71u.dll    Infected: Virus.Win32.Nimnul.a  1
C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\OFFLINE\FF4AF513\1D442A03\viscommpgdecrip.dll   Infected: Virus.Win32.Nimnul.a  1

thaner12000 0 Light Poster · Answer 3 · 2010-10-12T18:38:34+00:00

I think I attached file properly.
Thanks for your help.

thaner12000 0 Light Poster · Answer 4 · 2010-10-13T06:27:24+00:00

There was no cd. It's a HP machine and I guess the reformatting stuff is on a partition somewhere. I'll give a reformat a shot, but any quick help in how to do it with an HP computer that didn't come with a cd would be appreciated.

Also I have an XP cd for the other computer we have. Can I use that CD with the key on the side of this computer, even though its not the CD that came with the machine?

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 5 · 2010-10-13T07:15:04+00:00

As long as the XP on the CD is the same as on the PC you should be ok. ie: XP home

thaner12000 0 Light Poster · Answer 6 · 2010-10-13T13:18:30+00:00

Used other xp cd and all seems well. Everything working now. However the other computer that we rarely use is infected with something as well. I checked hotmail on it today and it was fine. Then tonight not so fine. Malewarbytes found a few things etc... Anyway, can I just post the logs here and get help with the other computer, or should I start a new thread. Just hoping this computer doesn't also need a reformat. It is only used for work until today. Thanks a million for the help. Wish I could help people with this too, but above my head sometime.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 7 · 2010-10-13T14:29:11+00:00

crunchie 990 Most Valuable Poster

14 Years Ago

Sure. Post the same logs from the sticky in this thread.

thaner12000 0 Light Poster · Answer 8 · 2010-10-13T14:33:42+00:00

Thanks. Here are the 5 logs.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-10-13 03:39:10
Windows 5.1.2600 Service Pack 2
Running: 47mjooce[1].exe; Driver: C:\DOCUME~1\hal\LOCALS~1\Temp\kxgdyfow.sys

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 82BF2EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-13 03:47:36
Windows 5.1.2600 Service Pack 2
Running: 47mjooce[1].exe; Driver: C:\DOCUME~1\hal\LOCALS~1\Temp\kxgdyfow.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF7D35DF0]

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 82BF2EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4808

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

10/13/2010 4:02:51 AM
mbam-log-2010-10-13 (04-02-51).txt

Scan type: Full scan (C:\|)
Objects scanned: 167330
Time elapsed: 14 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 9/20/2008 6:45:44 AM
System Uptime: 10/13/2010 4:04:59 AM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P4S533MX
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | PGA 478 | 2801/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 75 GiB total, 57.627 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP548: 7/14/2010 2:00:08 AM - System Checkpoint
RP549: 7/15/2010 2:53:47 AM - System Checkpoint
RP550: 7/16/2010 3:51:31 AM - System Checkpoint
RP551: 7/17/2010 3:53:47 AM - System Checkpoint
RP552: 7/18/2010 4:53:47 AM - System Checkpoint
RP553: 7/19/2010 5:36:34 AM - System Checkpoint
RP554: 7/20/2010 6:12:38 AM - System Checkpoint
RP555: 7/21/2010 6:22:37 AM - System Checkpoint
RP556: 7/22/2010 7:38:23 AM - System Checkpoint
RP557: 7/23/2010 8:12:26 AM - System Checkpoint
RP558: 7/24/2010 9:12:27 AM - System Checkpoint
RP559: 7/25/2010 10:12:26 AM - System Checkpoint
RP560: 7/26/2010 11:12:26 AM - System Checkpoint
RP561: 7/27/2010 12:12:26 PM - System Checkpoint
RP562: 7/28/2010 1:12:26 PM - System Checkpoint
RP563: 7/29/2010 1:56:04 PM - System Checkpoint
RP564: 7/30/2010 2:12:26 PM - System Checkpoint
RP565: 7/31/2010 3:11:51 PM - System Checkpoint
RP566: 8/1/2010 4:11:51 PM - System Checkpoint
RP567: 8/2/2010 4:14:00 PM - System Checkpoint
RP568: 8/3/2010 5:13:09 PM - System Checkpoint
RP569: 8/4/2010 5:42:22 PM - System Checkpoint
RP570: 8/5/2010 5:52:02 PM - System Checkpoint
RP571: 8/6/2010 6:39:19 PM - System Checkpoint
RP572: 8/7/2010 7:58:40 PM - System Checkpoint
RP573: 8/8/2010 8:10:39 PM - System Checkpoint
RP574: 8/9/2010 9:08:10 PM - System Checkpoint
RP575: 8/10/2010 11:01:23 PM - System Checkpoint
RP576: 8/11/2010 11:22:41 PM - System Checkpoint
RP577: 8/12/2010 11:37:37 PM - System Checkpoint
RP578: 8/13/2010 11:38:58 PM - System Checkpoint
RP579: 8/15/2010 1:05:30 AM - System Checkpoint
RP580: 8/16/2010 1:53:07 AM - System Checkpoint
RP581: 8/17/2010 2:38:53 AM - System Checkpoint
RP582: 8/18/2010 6:14:33 AM - System Checkpoint
RP583: 8/19/2010 6:38:26 AM - System Checkpoint
RP584: 8/20/2010 7:04:37 AM - System Checkpoint
RP585: 8/21/2010 7:15:26 AM - System Checkpoint
RP586: 8/22/2010 7:38:26 AM - System Checkpoint
RP587: 8/23/2010 12:05:24 PM - System Checkpoint
RP588: 8/24/2010 12:38:26 PM - System Checkpoint
RP589: 8/25/2010 12:40:15 PM - System Checkpoint
RP590: 8/26/2010 1:38:26 PM - System Checkpoint
RP591: 8/27/2010 2:36:03 PM - System Checkpoint
RP592: 8/28/2010 2:37:59 PM - System Checkpoint
RP593: 8/29/2010 3:37:50 PM - System Checkpoint
RP594: 8/30/2010 4:37:49 PM - System Checkpoint
RP595: 8/31/2010 5:37:50 PM - System Checkpoint
RP596: 9/1/2010 6:37:51 PM - System Checkpoint
RP597: 9/1/2010 9:03:30 PM - Installed Java(TM) 6 Update 21
RP598: 9/2/2010 9:43:43 PM - System Checkpoint
RP599: 9/3/2010 10:44:24 PM - System Checkpoint
RP600: 9/4/2010 11:36:44 PM - System Checkpoint
RP601: 9/5/2010 11:37:17 PM - System Checkpoint
RP602: 9/7/2010 12:37:23 AM - System Checkpoint
RP603: 9/8/2010 1:19:25 AM - System Checkpoint
RP604: 9/9/2010 2:19:24 AM - System Checkpoint
RP605: 9/10/2010 3:19:24 AM - System Checkpoint
RP606: 9/11/2010 4:19:24 AM - System Checkpoint
RP607: 9/12/2010 5:17:57 AM - System Checkpoint
RP608: 9/13/2010 6:19:24 AM - System Checkpoint
RP609: 9/14/2010 6:48:40 AM - System Checkpoint
RP610: 9/15/2010 7:18:49 AM - System Checkpoint
RP611: 9/16/2010 7:31:55 AM - System Checkpoint
RP612: 9/17/2010 9:26:08 AM - System Checkpoint
RP613: 9/18/2010 10:18:48 AM - System Checkpoint
RP614: 9/19/2010 11:18:48 AM - System Checkpoint
RP615: 9/20/2010 11:26:48 AM - System Checkpoint
RP616: 9/21/2010 12:17:54 PM - System Checkpoint
RP617: 9/22/2010 3:18:44 PM - System Checkpoint
RP618: 9/23/2010 4:17:15 PM - System Checkpoint
RP619: 9/24/2010 5:17:17 PM - System Checkpoint
RP620: 9/25/2010 6:17:16 PM - System Checkpoint
RP621: 9/26/2010 6:26:57 PM - System Checkpoint
RP622: 9/27/2010 7:17:15 PM - System Checkpoint
RP623: 9/28/2010 8:17:16 PM - System Checkpoint
RP624: 9/29/2010 8:17:21 PM - System Checkpoint
RP625: 9/30/2010 9:16:46 PM - System Checkpoint
RP626: 10/1/2010 10:16:46 PM - System Checkpoint
RP627: 10/2/2010 11:16:29 PM - System Checkpoint
RP628: 10/3/2010 11:16:46 PM - System Checkpoint
RP629: 10/5/2010 12:14:44 AM - System Checkpoint
RP630: 10/6/2010 12:16:46 AM - System Checkpoint
RP631: 10/7/2010 1:16:09 AM - System Checkpoint
RP632: 10/8/2010 2:15:29 AM - System Checkpoint
RP633: 10/9/2010 3:15:29 AM - System Checkpoint
RP634: 10/10/2010 4:15:30 AM - System Checkpoint
RP635: 10/11/2010 4:48:19 AM - System Checkpoint
RP636: 10/13/2010 12:23:57 AM - System Checkpoint

==== Installed Programs ======================

µTorrent
50 FREE MP3s +1 Free Audiobook!
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Bejeweled 2 Deluxe (remove only)
Belarc Advisor 7.2
CDisplay 1.8
efxtra
GAIN Rates 1.0.004
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Java Auto Updater
Java(TM) 6 Update 21
Malwarebytes' Anti-Malware
Matrox Driver
Matrox PowerDesk-SE
MetaTrader 4.00
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
MSVCRT
MSXML 4.0 SP2 (KB954430)
PCI SoftV92 Modem
Realtek AC'97 Audio
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Segoe UI
SoundMAX
SUPERAntiSpyware Free Edition
TradeStation 8.4 (Build 1693)
TradeStation 8.5 (Build 2289)
Uniblue RegistryBooster 2009
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebFldrs XP
Winamp
Winamp Remote
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
XP Codec Pack

==== Event Viewer Messages From Past Week ========

10/12/2010 11:04:05 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
10/12/2010 11:04:05 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================

DDS (Ver_10-10-10.03) - FAT32x86
Run by hal at 4:10:36.62 on Wed 10/13/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.512.297 [GMT -3:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\hal\Local Settings\Temporary Internet Files\Content.IE5\V66RUJZO\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [Matrox PowerDesk SE] "c:\program files\matrox graphics inc\powerdesk se\Matrox.PowerDesk SE.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: Yahoo! Cribbage - hxxp://origin.games.yahoo.net/games/clients/y/it1_x.cab
DPF: Yahoo! Freecell Solitaire - hxxp://presence.games.yahoo.com/yog/y/fs10_x.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221946977859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://games2.gamefools.com/onlinegames/Yahtzee/zylomplayer.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 Mtxparmx;Mtxparmx;c:\windows\system32\drivers\mtxparmx.sys [2009-1-29 5504]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 Matrox Centering Service;Matrox Centering Service;c:\program files\matrox graphics inc\powerdesk\services\Matrox.PowerDesk.Services.exe [2008-6-11 586760]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\matrox graphics inc\powerdesk se\Matrox.Pdesk.ServicesHost.exe [2008-6-11 189448]
R3 MTXPAR;MTXPAR;c:\windows\system32\drivers\MTXPARM.sys [2009-1-29 1485568]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S3 MTXPARH;MTXPARH;c:\windows\system32\drivers\mtxparhm.sys [2004-8-4 452736]

=============== Created Last 30 ================

2010-10-13 06:36:42 23040 ----a-w- c:\windows\system32\drivers\itmzenef.sys
2010-10-13 05:52:46 -------- d-----w- c:\windows\system32\MpEngineStore
2010-10-13 02:11:32 -------- d-----w- c:\docume~1\hal\applic~1\Malwarebytes
2010-10-13 02:11:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-13 02:11:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-13 02:11:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-13 02:11:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-10 20:36:44 -------- d-----w- c:\program files\Microsoft
2010-10-10 20:35:37 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc14.tmp

==================== Find3M ====================

2010-07-17 08:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-17 05:42:30 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 4:11:01.39 ===============

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 9 · 2010-10-13T15:24:05+00:00

This one needs combofix running.

Delete any copies of Combofix that you may have on this pc, then:

Please download ComboFix by sUBs from HERE or HERE

You must download it to and run it from your Desktop
Physically disconnect from the internet.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

thaner12000 0 Light Poster · Answer 10 · 2010-10-13T15:49:26+00:00

ComboFix 10-10-12.03 - hal 10/13/2010 6:40.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.512.356 [GMT -3:00]
Running from: c:\documents and settings\hal\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.bat
c:\windows\system32\autorun.bat
c:\windows\system32\AutoRun.inf
c:\windows\system32\autorun.ini
c:\windows\system32\autorun.reg
c:\windows\system32\autorun.vbs

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
.

2010-10-13 06:36 . 2010-10-13 06:36 23040 ----a-w- c:\windows\system32\drivers\itmzenef.sys
2010-10-13 05:52 . 2010-10-13 05:52 -------- d-----w- c:\windows\system32\MpEngineStore
2010-10-13 02:11 . 2010-10-13 02:11 -------- d-----w- c:\documents and settings\hal\Application Data\Malwarebytes
2010-10-13 02:11 . 2010-04-29 18:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-13 02:11 . 2010-10-13 02:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-13 02:11 . 2010-10-13 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-13 02:11 . 2010-04-29 18:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-10 20:36 . 2010-10-10 20:36 -------- d-----w- c:\program files\Microsoft
2010-10-10 20:35 . 2010-10-10 20:35 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc14.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-10-02 328056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 98304]
"Matrox PowerDesk SE"="c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2008-06-11 2630664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-22 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\efxtra\\efxtrader.exe"=
"c:\\Program Files\\MetaTrader 4\\terminal.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:trading

R1 Mtxparmx;Mtxparmx;c:\windows\system32\drivers\mtxparmx.sys [1/29/2009 11:48 AM 5504]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [6/11/2008 4:29 PM 586760]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [6/11/2008 4:33 PM 189448]
R3 MTXPAR;MTXPAR;c:\windows\system32\drivers\MTXPARM.sys [1/29/2009 11:48 AM 1485568]
S3 MTXPARH;MTXPARH;c:\windows\system32\drivers\mtxparhm.sys [8/4/2004 2:29 AM 452736]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: Yahoo! Cribbage - hxxp://origin.games.yahoo.net/games/clients/y/it1_x.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://games2.gamefools.com/onlinegames/Yahtzee/zylomplayer.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
AddRemove-{3E5CBADD-2E51-47C1-BBE2-B802DB6DA56A} - C:\Uninstall.exe

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(476)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2010-10-13 06:45:13
ComboFix-quarantined-files.txt 2010-10-13 09:45

Pre-Run: 61,809,426,432 bytes free
Post-Run: 62,106,664,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=signature(dd50b8c5)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
signature(dd50b8c5)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - B3CF081530E0AE08E4D483226F82655C

Thanks again!

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 11 · 2010-10-13T16:43:48+00:00

uTorrent = mystery prizes. You never know what you are going to get.

I see nothing else in that log.

How is the PC?

thaner12000 0 Light Poster · Answer 12 · 2010-10-14T00:54:56+00:00

so far since combo fix ran its fine. So hopefully all issues are solved now. Thanks a million again!!

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 13 · 2010-10-14T02:50:24+00:00

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:
Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.