Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: kamikaze33 on July 24, 2011, 04:05:28 PM
-
I have been having this sketchy pop-up appear when i am browsing facebook/youtube in particular. It has to do with adobe flash player sending information to a website or something over the internet and it prompts me to allow it by changing the settings for it. I have not done so yet because the website it wants to send the information to appears to be sketchy ("vitaminworld" or something). I will post exactly what the dialogue box says the next time it appears. I went through the malware/spyware removal guide and have my logs if anyone would like me to post them, though when i did the self-help analysis thing of HJT nothing appeared to my attention regarding this issue.
EDIT: here is the window
(http://img28.imageshack.us/img28/7374/adobeg.png)
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************
Although this appears to be a legitimate site there is also a virus floating around by the same name. Let's try these two scans.
SUPERAntiSpyware
If you already have SUPERAntiSpyware be sure to check for updates before scanning!
Download SuperAntispyware Free Edition (SAS) (http://www.superantispyware.com/download.html)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.
•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked
•Click the Close button to leave the control center screen.
* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes
•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.
•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
********************************************
(http://i424.photobucket.com/albums/pp322/digistar/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here. (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
-
thanks superdave!
Heres the SAS log; MBAM log to come...
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 07/25/2011 at 06:34 AM
Application Version : 4.55.1000
Core Rules Database Version : 7451
Trace Rules Database Version: 5263
Scan type : Complete Scan
Total Scan Time : 13:51:33
Memory items scanned : 945
Memory threats detected : 0
Registry items scanned : 9799
Registry threats detected : 0
File items scanned : 218371
File threats detected : 76
Adware.Tracking Cookie
C:\Users\Joel\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
C:\Users\Joel\AppData\Roaming\Microsoft\Windows\Cookies\joel@adxpose[1].txt
C:\Users\Joel\AppData\Roaming\Microsoft\Windows\Cookies\joel@atdmt[2].txt
.doubleclick.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.doubleclick.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.ru4.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ads.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.vitamine.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.r1-ads.ace.advertising.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.adxpose.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.yieldmanager.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.content.yieldmanager.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.content.yieldmanager.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.apmebf.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.serving-sys.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.beartracks.ualberta.ca [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.vitamine.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ads.trafficjunky.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
www.googleadservices.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.pro-market.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.lucidmedia.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.media6degrees.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.zedo.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.fastclick.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.tribalfusion.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.beta-ads.ace.advertising.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.advertising.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ads.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ads.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.realmedia.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
network.realmedia.com [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.vitamine.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
vitamine.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
vitamine.networldmedia.net [ C:\Users\Joel\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
-
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7274
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
7/26/2011 6:35:58 AM
mbam-log-2011-07-26 (06-35-58).txt
Scan type: Full scan (C:\|D:\|K:\|)
Objects scanned: 999155
Time elapsed: 8 hour(s), 41 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
k:\Programs\river past video cleaner pro 7.7.16 & booster packs + keygen - anony014\keygen\Keygen.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
k:\Programs\guitar pro 5.2! newest version! fully cracked!\guitar pro keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
-
Your computer appears to have keygens, which is a form of software piracy. What is so bad about Cracks, Hacks, Pirated software, warez, or Keygens?
Most popular cracks or keygens I see, are for Adobe CS3, a lot of different games, Nero, Kaspersky antivirus, and much more. All of these cracks and keygens have what is called "cloaked malware," which is a form of spyware or viruses or trojans that hide themselves inside the keygen or crack files. Most hacks for games that come in the form of a program or installer, will also be infected. It is the opportunity for attackers to present a seemingly safe situation where the opportunity to steal something is in play, while the malware infects your system in the process. Yes, it will install what you were looking for, but also allow malware to potentially take control of your computer.
Lastly, it is illegal. I will counsel you that we do not report such incidents. However, it is not good practice to pirate software.
*******************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
******************************************************
Download DDS from HERE (http://download.bleepingcomputer.com/sUBs/dds.scr) or HERE (http://www.forospyware.com/sUBs/dds) and save it to your desktop.
Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
1) DDS.txt
2) Attach.txt
* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.
Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.
-
I can see that. These illegal programs are causing me farrrr more harm than good.
So when i tried to run SecurityCheck, it failed. This is what happens:
(http://img3.imageshack.us/img3/5236/fail1g.png)
NOTE: I encountered the blue screen this morning when trying to boot; i suspect it is another program UltraMon interfering with my graphics drivers. I had to do a system restore and remove UltraMon, and was able to boot now. This all has happened after i posted the above SAS/MBAM logs.
-
Log 1
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Joel at 16:46:02 on 2011-07-28
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2047.154 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Online Armor Firewall *Enabled* {32E71E58-6AAE-2557-2ABD-EA739069CE41}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
K:\Computer Restoration\Online Armor\OAcat.exe
K:\Computer Restoration\Online Armor\oasrv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe
C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
K:\Computer Restoration\Online Armor\oaui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
K:\Computer Restoration\Online Armor\OAhlp.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
K:\Programs\Steam\Steam.exe
K:\Programs\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Uniblue\DriverScanner\driverscanner.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Program Files\Uniblue\DriverScanner\dsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Users\Joel\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joel\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joel\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joel\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joel\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Windows\system32\rundll32.exe
C:\Users\Joel\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Nero\Nero 10\Nero BackItUp\NBCore.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Users\Joel\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
uRun: [Google Update] "c:\users\joel\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [DriverScanner] "c:\program files\uniblue\driverscanner\launcher.exe" delay 20000
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Nero MediaHome 4] "c:\program files\nero\nero mediahome 4\NeroMediaHome.exe" /AUTORUN
mRun: [@OnlineArmor GUI] "k:\computer restoration\online armor\oaui.exe"
mRun: [Malwarebytes' Anti-Malware] "k:\computer restoration\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9972559C-35BD-4ED8-BD17-EEBD5E28DD3E} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9972559C-35BD-4ED8-BD17-EEBD5E28DD3E}\742796D6372697 : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - k:\comput~1\online~1\oaevent.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-14 165584]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-7-23 205864]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2011-7-23 39048]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2011-7-23 25192]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-14 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-11-14 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-14 40384]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-7-23 21992]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2010-3-25 490280]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-24 2214504]
R2 OAcat;Online Armor Helper Service;k:\computer restoration\online armor\oacat.exe [2011-7-23 381512]
R2 SvcOnlineArmor;Online Armor;k:\computer restoration\online armor\oasrv.exe [2011-7-23 4326472]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-14 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-14 40384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-24 22712]
R3 OAnet;OnlineArmor Service;c:\windows\system32\drivers\OAnet.sys [2011-7-23 29312]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-7-24 197224]
S1 SASDIFSV;SASDIFSV;k:\computer restoration\sasdifsv.sys [2011-7-12 12880]
S1 SASKUTIL;SASKUTIL;k:\computer restoration\SASKUTIL.SYS [2011-7-12 67664]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;k:\computer restoration\malwarebytes' anti-malware\mbamservice.exe [2011-7-24 366640]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-13 1343400]
.
=============== Created Last 30 ================
.
2011-07-28 22:30:09 -------- d-----w- c:\windows\pss
2011-07-28 22:29:38 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{8eb197b5-5bc2-473c-a153-a5dfe3fdc4c2}\mpengine.dll
2011-07-25 22:37:58 -------- d-----w- c:\users\joel\appdata\local\Realtime Soft
2011-07-25 22:20:11 -------- d-----w- c:\users\joel\appdata\roaming\Realtime Soft
2011-07-25 22:19:42 -------- d-----w- c:\programdata\Realtime Soft
2011-07-25 22:19:42 -------- d-----w- c:\program files\UltraMon
2011-07-24 22:14:25 1606368 ----a-w- c:\windows\system32\drivers\athw.sys
2011-07-24 22:13:20 -------- d-----w- c:\windows\system32\sda
2011-07-24 22:13:01 9888360 ----a-w- c:\windows\system32\RtsUStoricon.dll
2011-07-24 22:12:51 197224 ----a-w- c:\windows\system32\drivers\RtsUStor.sys
2011-07-24 22:12:49 313960 ----a-w- c:\windows\system32\RtsUStor.dll
2011-07-24 22:08:45 485920 ----a-w- c:\windows\system32\nvuninst.exe
2011-07-24 22:07:43 485920 ----a-w- c:\windows\system32\nvunrm.exe
2011-07-24 22:07:25 287392 ----a-w- c:\windows\system32\drivers\nvmf6232.sys
2011-07-24 22:07:24 898048 ----a-w- c:\windows\system32\fdco2.dll
2011-07-24 22:07:24 155648 ----a-w- c:\windows\system32\nvconrm.dll
2011-07-24 21:26:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-24 21:13:02 -------- d-----w- c:\programdata\UAB
2011-07-24 21:12:57 -------- d-----w- c:\users\joel\appdata\local\PC_Drivers_Headquarters
2011-07-24 20:55:14 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-07-24 20:55:14 615528 ----a-w- c:\windows\system32\nvvsvc.exe
2011-07-24 20:55:14 3693672 ----a-w- c:\windows\system32\nvcpl.dll
2011-07-24 20:55:14 2557544 ----a-w- c:\windows\system32\nvsvc.dll
2011-07-24 20:55:14 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-07-24 20:55:12 543336 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-07-24 20:54:17 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-07-24 20:53:28 899688 ----a-w- c:\windows\system32\nvdispco3220150.dll
2011-07-24 20:53:28 865896 ----a-w- c:\windows\system32\nvgenco322090.dll
2011-07-24 20:53:28 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-07-24 20:53:28 5301352 ----a-w- c:\windows\system32\nvcuda.dll
2011-07-24 20:53:28 2804328 ----a-w- c:\windows\system32\nvcuvid.dll
2011-07-24 20:53:28 2335848 ----a-w- c:\windows\system32\nvapi.dll
2011-07-24 20:53:28 2082408 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-07-24 20:53:28 16456296 ----a-w- c:\windows\system32\nvoglv32.dll
2011-07-24 20:53:28 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
2011-07-24 20:53:28 10589800 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-07-24 20:53:14 -------- d-----w- c:\program files\NVIDIA Corporation
2011-07-24 20:50:42 -------- d-----w- C:\NVIDIA
2011-07-24 20:46:34 -------- d-----w- c:\program files\SystemRequirementsLab
2011-07-24 20:37:08 -------- d-----w- c:\programdata\PC Drivers HeadQuarters
2011-07-24 20:33:08 16496 ------w- c:\windows\system32\drivers\NVXBAR.SYS
2011-07-24 20:32:49 29696 ------w- c:\windows\system32\FILTER.AX
2011-07-24 20:32:49 141582 ------w- c:\windows\system32\drivers\NVCAP.SYS
2011-07-24 20:32:35 221184 ----a-w- c:\program files\common files\installshield\iscript\iscript.dll
2011-07-24 20:32:16 221184 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-07-24 20:31:56 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-07-24 20:31:48 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-07-24 06:45:24 388096 ----a-r- c:\users\joel\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-24 06:11:01 -------- d-----w- c:\users\joel\appdata\roaming\Malwarebytes
2011-07-24 06:09:16 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-24 06:09:07 -------- d-----w- c:\programdata\Malwarebytes
2011-07-24 06:08:49 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-23 21:30:52 -------- d-----w- c:\users\joel\appdata\roaming\SUPERAntiSpyware.com
2011-07-23 21:30:52 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-23 21:14:00 -------- d-----w- c:\program files\CCleaner
2011-07-23 18:56:02 -------- d-----w- c:\users\joel\appdata\roaming\OnlineArmor
2011-07-23 18:56:02 -------- d-----w- c:\programdata\OnlineArmor
2011-07-23 18:52:22 39048 ----a-w- c:\windows\system32\drivers\oahlp32.sys
2011-07-23 18:52:22 29312 ----a-w- c:\windows\system32\drivers\OAnet.sys
2011-07-23 18:52:22 25192 ----a-w- c:\windows\system32\drivers\OAmon.sys
2011-07-23 18:52:22 205864 ----a-w- c:\windows\system32\drivers\OADriver.sys
2011-07-23 18:33:44 -------- d-----w- c:\programdata\Uniblue
2011-07-23 17:53:18 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2011-07-23 17:53:18 -------- d-----w- c:\program files\CPUID
2011-07-22 02:52:15 -------- d-----w- c:\users\joel\appdata\roaming\Uniblue
2011-07-22 02:52:08 -------- d-----w- c:\program files\Uniblue
2011-07-22 02:51:56 -------- d-----w- c:\users\joel\appdata\local\OpenCandy
2011-07-22 02:51:53 -------- d-----w- c:\users\joel\appdata\roaming\OpenCandy
2011-07-22 02:51:52 -------- d-----w- c:\program files\WinSCP
2011-07-14 22:19:08 -------- d-----w- c:\programdata\Tarma Installer
2011-07-14 22:19:08 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-07-13 03:09:49 2332672 ----a-w- c:\windows\system32\win32k.sys
2011-06-29 23:27:08 294912 ----a-w- c:\windows\system32\umpnpmgr.dll
.
==================== Find3M ====================
.
2011-07-24 19:14:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-02 05:58:05 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-06-02 03:45:49 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-06-02 03:45:49 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-02 03:45:49 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-06-02 03:45:49 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-05-28 03:00:02 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-25 06:09:05 11992680 ----a-w- c:\windows\system32\nvd3dum.dll
2011-05-25 06:09:04 12392 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2011-05-14 06:35:55 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-05-14 06:33:14 271872 ----a-w- c:\windows\system32\conhost.exe
2011-05-04 02:43:59 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-05-04 02:43:48 96256 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-05-04 02:43:41 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-05-03 04:50:29 740864 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 16:49:55.33 ===============
-
Log 2
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume2
Install Date: 11/13/2010 9:52:54 PM
System Uptime: 7/28/2011 4:22:03 PM (0 hours ago)
.
Motherboard: ASUSTek Computer INC. | | NARRA2
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket AM2 | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 225 GiB total, 149.883 GiB free.
D: is FIXED (NTFS) - 74 GiB total, 0.008 GiB free.
E: is CDROM (CDFS)
K: is FIXED (NTFS) - 932 GiB total, 272.484 GiB free.
L: is CDROM ()
M: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: SASDIFSV
Device ID: ROOT\LEGACY_SASDIFSV\0000
Manufacturer:
Name: SASDIFSV
PNP Device ID: ROOT\LEGACY_SASDIFSV\0000
Service: SASDIFSV
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: SASKUTIL
Device ID: ROOT\LEGACY_SASKUTIL\0000
Manufacturer:
Name: SASKUTIL
PNP Device ID: ROOT\LEGACY_SASKUTIL\0000
Service: SASKUTIL
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe AIR
Adobe Anchor Service CS3
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge CS4
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS3
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Reader 9.4.5
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Update Manager CS4
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Advertising Center
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
BitLord 1.1
Bonjour
CCleaner
Combined Community Codec Pack 2008-01-24
Connect
CPUID CPU-Z 1.58
DivX Setup
DolbyFiles
Driver Detective
Google Chrome
Guitar Pro 5.2
High-Definition Video Playback 10
HiJackThis
HijackThis 2.0.2
iTunes
Java Auto Updater
Java(TM) 6 Update 26
kuler
Magic ISO Maker v5.5 (build 0261)
MagicDisc 2.7.106
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft IntelliPoint 8.0
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Primary Interoperability Assemblies 2005
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Windows Media Video 9 VCM
Movavi Video Suite 8
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 10 Menu TemplatePack Basic
Nero 10 Movie ThemePack Basic
Nero BackItUp 10
Nero BackItUp 10 Help (CHM)
Nero Burning ROM 10
Nero BurningROM 10 Help (CHM)
Nero BurnRights 10
Nero BurnRights 10 Help (CHM)
Nero Control Center 10
Nero ControlCenter
Nero ControlCenter 10 Help (CHM)
Nero Core Components 10
Nero CoverDesigner 10
Nero CoverDesigner 10 Help (CHM)
Nero DiscCopy Gadget 10
Nero DiscCopyGadget 10 Help (CHM)
Nero DiscSpeed 10
Nero DiscSpeed 10 Help (CHM)
Nero Dolby Files 10
Nero Express 10
Nero Express 10 Help (CHM)
Nero InfoTool 10
Nero InfoTool 10 Help (CHM)
Nero Installer
Nero MediaHome 4
Nero MediaHome 4 Help
Nero MediaHome 4 Trial
Nero MediaHub 10
Nero MediaHub 10 Help (CHM)
Nero Multimedia Suite 10
Nero Recode 10
Nero Recode 10 Help (CHM)
Nero RescueAgent 10
Nero RescueAgent 10 Help (CHM)
Nero SoundTrax 10
Nero SoundTrax 10 Help (CHM)
Nero StartSmart 10
Nero StartSmart 10 Help (CHM)
Nero Update
Nero Vision 10
Nero Vision 10 Help (CHM)
Nero WaveEditor 10
Nero WaveEditor 10 Help (CHM)
NVIDIA 3D Vision Controller Driver
NVIDIA 3D Vision Controller Driver 275.33
NVIDIA Control Panel 275.33
NVIDIA Drivers
NVIDIA Graphics Driver 275.33
NVIDIA Install Application
NVIDIA Update 1.3.5
NVIDIA Update Components
NVIDIA WDM Drivers
Online Armor 5.0
PDF Settings CS4
Photoshop Camera Raw
Portal
Portal 2
Portal 2 Authoring Tools - Beta
QuickTime
Realtek High Definition Audio Driver
River Past Video Cleaner Pro
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Spelling Dictionaries Support For Adobe Reader 9
Steam
Suite Shared Configuration CS4
SUPERAntiSpyware
System Requirements Lab
TheMatrix Screen Saver version 1.14
Uniblue DriverScanner
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2553975)
VC80CRTRedist - 8.0.50727.4053
WinArchiver
WinRAR archiver
WinSCP 4.3.3
Yontoo Layers Runtime 1.10.01
.
==== Event Viewer Messages From Past Week ========
.
7/28/2011 4:30:28 PM, Error: Microsoft-Windows-DistributedCOM [10001] - Unable to start a DCOM Server: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} as /. The error: "5" Happened while starting this command: C:\Windows\System32\slui.exe -Embedding
7/28/2011 4:27:33 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
7/28/2011 4:27:18 PM, Error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
7/28/2011 4:22:51 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0x8ac8c004, 0x00000000, 0x8f3687d6, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 072811-41418-01.
7/28/2011 4:12:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
7/28/2011 4:11:59 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
7/28/2011 4:11:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/28/2011 4:11:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/28/2011 4:10:37 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
7/28/2011 4:10:37 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/28/2011 4:10:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/28/2011 4:10:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
7/28/2011 4:10:06 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0x8accb004, 0x00000000, 0x901787d6, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 072811-20124-01.
7/28/2011 4:10:03 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSP aswTdi CSC DfsC discache NetBIOS NetBT nsiproxy OADevice oahlpXX OAmon Psched rdbss SASDIFSV SASKUTIL spldr tdx vwififlt Wanarpv6 WfpLwf
7/28/2011 4:10:03 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/28/2011 4:10:03 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/28/2011 4:10:03 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/28/2011 4:10:03 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/28/2011 4:10:03 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/28/2011 4:10:03 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
7/28/2011 4:10:03 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/28/2011 4:10:03 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/28/2011 4:10:03 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/28/2011 4:10:03 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/26/2011 9:49:04 PM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.
7/26/2011 8:59:20 PM, Error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 1 time(s).
7/26/2011 8:55:01 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WerSvc service.
7/26/2011 6:45:15 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: Access is denied.
7/26/2011 6:45:15 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: Access is denied.
7/26/2011 6:45:15 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
7/26/2011 6:45:15 AM, Error: Service Control Manager [7000] - The SMB MiniRedirector Wrapper and Engine service failed to start due to the following error: Access is denied.
7/26/2011 6:45:12 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Browser Support Driver service which failed to start because of the following error: Access is denied.
7/26/2011 6:45:12 AM, Error: Service Control Manager [7000] - The Browser Support Driver service failed to start due to the following error: Access is denied.
7/26/2011 6:44:06 AM, Error: Service Control Manager [7000] - The adfs service failed to start due to the following error: Access is denied.
7/26/2011 6:43:57 AM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Windows Firewall Authorization Driver service which failed to start because of the following error: Access is denied.
7/26/2011 6:43:57 AM, Error: Service Control Manager [7000] - The Windows Firewall Authorization Driver service failed to start due to the following error: Access is denied.
7/26/2011 6:42:54 AM, Error: Service Control Manager [7001] - The Print Spooler service depends on the HTTP service which failed to start because of the following error: Access is denied.
7/26/2011 6:42:54 AM, Error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: Access is denied.
7/26/2011 5:54:17 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {8086EBD4-43E3-4B19-BEB3-F0EA4ECF319C}. The error: "5" Happened while starting this command: C:\Windows\System32\sdiagnhost.exe -Embedding
7/26/2011 5:08:03 PM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
7/26/2011 2:56:55 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Online Armor service to connect.
7/26/2011 2:56:55 AM, Error: Service Control Manager [7000] - The Online Armor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/26/2011 2:55:04 AM, Error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 2 time(s).
7/24/2011 7:17:02 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk7\DR7.
7/24/2011 4:29:05 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for ImagePath with the following error: Access is denied.
7/24/2011 3:23:15 PM, Error: Service Control Manager [7000] - The Online Armor service failed to start due to the following error: The system cannot find the file specified.
7/24/2011 3:23:15 PM, Error: Service Control Manager [7000] - The Online Armor Helper Service service failed to start due to the following error: The system cannot find the file specified.
7/23/2011 9:54:01 PM, Error: Service Control Manager [7001] - The Server SMB 2.xxx Driver service depends on the srvnet service which failed to start because of the following error: Access is denied.
7/23/2011 9:54:01 PM, Error: Service Control Manager [7001] - The Server SMB 1.xxx Driver service depends on the Server SMB 2.xxx Driver service which failed to start because of the following error: The dependency service or group failed to start.
7/23/2011 9:54:01 PM, Error: Service Control Manager [7001] - The Server service depends on the Server SMB 1.xxx Driver service which failed to start because of the following error: The dependency service or group failed to start.
7/23/2011 9:54:01 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
7/23/2011 9:54:01 PM, Error: Service Control Manager [7000] - The srvnet service failed to start due to the following error: Access is denied.
7/23/2011 9:50:51 PM, Error: Service Control Manager [7000] - The Security Driver service failed to start due to the following error: Access is denied.
7/23/2011 3:04:18 PM, Error: Service Control Manager [7022] - The Online Armor service hung on starting.
7/21/2011 5:42:43 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
.
==== End Of File ===========================
-
just got the blue screen again, everything crashed. Doing a second restore O.o
-
This all has happened after i posted the above SAS/MBAM logs.
SAS only removed a bunch of cookies and MBAM removed two infected files.
yontoo layers is considered Adware. See here. (http://forums.spybot.info/showthread.php?t=62640)
P2P - I see you have P2P software installed on your machine (BitLord 1.1). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
*****************************************************
Download BlueScreenView to your desktop.
BlueScreenView (http://www.nirsoft.net/utils/blue_screen_view.html)
unzip downloaded file and double click on BlueScreenView.exe to run the program.
when scanning is done, go to EDIT - Select All
Go to FILE - SAVE Selected Items, and save the report as BSOD.txt
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply
**************************************************************
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.
link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link # 2 (http://subs.geekstogo.com/ComboFix.exe)
If you are using Firefox, make sure that your download settings are as follows:
* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".
Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Right-click combofix.exe and select Run as Administrator and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix login your next reply.
NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
-
can i do this all from safe mode (ie. download these programs on another computer and load them via usb) it appears i cant even start now without getting the bluescreen/my computer taking ages to boot up. and even then it eventually crashes.
-
can i do this all from safe mode (ie. download these programs on another computer and load them via usb) it appears i cant even start now without getting the bluescreen/my computer taking ages to boot up. and even then it eventually crashes.
How does the computer work in Safe Mode? If it works ok, you can try running them in Safe Mode.
-
yes it is working fine from what i can tell.
I cannot seem to turn off avast in safe mode? i did exactly what the tutorial you referenced me said (avast> avast! shields control> disable untill computer is restarted> yes) and when i try to run ComboFix, i still get a notification that avast is still running.
should i be addressing the issues in the order that you have posted them? im having difficulty understanding that Yontoo Layers removal thread; specifically how i should be searching for/deleting these files. I tried using the standard search option, but to no avail (ie. "Products that have a key or property named "{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" Im also unsure of how to locate these directories:
Please use Windows Explorer or another file manager of your choice to locate and delete these files.
The file at "<$COMMONAPPDATA>\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll".
The file at "<$COMMONAPPDATA>\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll".
The file at "<$COMMONAPPDATA>\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat".
The file at "<$COMMONAPPDATA>\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe".
The file at "<$COMMONAPPDATA>\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico".
The file at "<$LOCALSETTINGS>\Temp\YontooTix2700750.log".
The file at "<$PROGRAMFILES>\Yontoo Layers\YontooIEClient.dll".
-
BSOD
==================================================
Dump File : 080211-31980-01.dmp
Crash Time : 8/2/2011 5:55:17 PM
Bug Check String :
Bug Check Code : 0x00000116
Parameter 1 : 0x87ae5008
Parameter 2 : 0x91b4cb2c
Parameter 3 : 0x00000000
Parameter 4 : 0x00000002
Caused By Driver : nvlddmkm.sys
Caused By Address : nvlddmkm.sys+11fb2c
File Description : NVIDIA Windows Kernel Mode Driver, Version 275.33
Product Name : NVIDIA Windows Kernel Mode Driver, Version 275.33
Company : NVIDIA Corporation
File Version : 8.17.12.7533
Processor : 32-bit
Crash Address : ntkrnlpa.exe+dce3c
Stack Address 1 : dxgkrnl.sys+8cc26
Stack Address 2 : dxgkrnl.sys+8da45
Stack Address 3 : dxgmms1.sys+692c
Computer Name :
Full Path : C:\Windows\Minidump\080211-31980-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 7600
Dump File Size : 223,200
==================================================
==================================================
Dump File : 080111-657029-01.dmp
Crash Time : 8/1/2011 10:30:08 PM
Bug Check String : DRIVER_POWER_STATE_FAILURE
Bug Check Code : 0x0000009f
Parameter 1 : 0x00000003
Parameter 2 : 0x84c7ab60
Parameter 3 : 0x82d67ae0
Parameter 4 : 0x8627c990
Caused By Driver : halmacpi.dll
Caused By Address : halmacpi.dll+37a0
File Description : Hardware Abstraction Layer DLL
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : 32-bit
Crash Address : ntkrnlpa.exe+dce3c
Stack Address 1 : ntkrnlpa.exe+3c024
Stack Address 2 : ntkrnlpa.exe+3b8b8
Stack Address 3 : ntkrnlpa.exe+6a16d
Computer Name :
Full Path : C:\Windows\Minidump\080111-657029-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 7600
Dump File Size : 683,168
==================================================
-
I cannot seem to turn off avast in safe mode? i did exactly what the tutorial you referenced me said (avast> avast! shields control> disable untill computer is restarted> yes) and when i try to run ComboFix, i still get a notification that avast is still running.
That's ok. Run the ComboFix scan anyway.
im having difficulty understanding that Yontoo Layers removal thread; specifically how i should be searching for/deleting these files
You can find Yontoo Layers Runtime 1.10.01 in your Control Panel under Programs and Features. I'm not sure if this is the correct name since I don't have Windows 7.
-
ComboFix 11-08-02.03 - Joel 08/04/2011 18:11:42.1.2 - x86 MINIMAL
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2047.1466 [GMT -6:00]
ComboFix Log
Running from: k:\computer restoration\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
K:\Autorun.inf
k:\programs\Steam\Steam.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-05 to 2011-08-05 )))))))))))))))))))))))))))))))
.
.
2011-08-03 00:07 . 2011-08-03 00:26 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-08-02 12:27 . 2011-08-02 12:27 -------- d-----w- c:\program files\NirSoft
2011-08-02 12:24 . 2011-08-02 12:24 1606368 ----a-w- c:\windows\system32\drivers\athw.sys
2011-08-02 10:28 . 2011-07-20 15:44 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8EA13145-693C-41A8-A926-B051183C4FF8}\mpengine.dll
2011-07-25 22:37 . 2011-07-25 22:38 -------- d-----w- c:\users\Joel\AppData\Local\Realtime Soft
2011-07-25 22:20 . 2011-07-25 22:20 -------- d-----w- c:\users\Joel\AppData\Roaming\Realtime Soft
2011-07-25 22:19 . 2011-07-29 00:20 -------- d-----w- c:\program files\UltraMon
2011-07-25 22:19 . 2011-07-25 22:19 -------- d-----w- c:\programdata\Realtime Soft
2011-07-24 22:13 . 2011-07-24 22:13 -------- d-----w- c:\windows\system32\sda
2011-07-24 22:13 . 2011-07-24 22:13 9888360 ----a-w- c:\windows\system32\RtsUStoricon.dll
2011-07-24 22:12 . 2011-07-24 22:12 197224 ----a-w- c:\windows\system32\drivers\RtsUStor.sys
2011-07-24 22:12 . 2011-07-24 22:12 313960 ----a-w- c:\windows\system32\RtsUStor.dll
2011-07-24 22:08 . 2011-07-24 22:07 485920 ----a-w- c:\windows\system32\nvuninst.exe
2011-07-24 22:07 . 2011-07-24 22:07 485920 ----a-w- c:\windows\system32\nvunrm.exe
2011-07-24 22:07 . 2011-07-24 22:07 287392 ----a-w- c:\windows\system32\drivers\nvmf6232.sys
2011-07-24 22:07 . 2011-07-24 22:07 898048 ----a-w- c:\windows\system32\fdco2.dll
2011-07-24 22:07 . 2011-07-24 22:07 155648 ----a-w- c:\windows\system32\nvconrm.dll
2011-07-24 21:26 . 2011-07-24 21:26 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-24 21:13 . 2011-07-24 21:13 -------- d-----w- c:\programdata\UAB
2011-07-24 21:12 . 2011-07-24 21:12 -------- d-----w- c:\users\Joel\AppData\Local\PC_Drivers_Headquarters
2011-07-24 20:55 . 2011-08-03 01:55 -------- d-----w- c:\users\UpdatusUser
2011-07-24 20:55 . 2011-08-02 06:15 -------- d-----w- c:\programdata\NVIDIA
2011-07-24 20:55 . 2011-05-25 06:09 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-07-24 20:55 . 2011-05-25 06:09 615528 ----a-w- c:\windows\system32\nvvsvc.exe
2011-07-24 20:55 . 2011-05-25 06:09 2557544 ----a-w- c:\windows\system32\nvsvc.dll
2011-07-24 20:55 . 2011-05-25 06:09 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-07-24 20:55 . 2011-05-25 06:09 3693672 ----a-w- c:\windows\system32\nvcpl.dll
2011-07-24 20:55 . 2011-05-25 06:09 543336 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-07-24 20:54 . 2011-07-24 20:54 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-07-24 20:53 . 2011-05-25 06:09 899688 ----a-w- c:\windows\system32\nvdispco3220150.dll
2011-07-24 20:53 . 2011-05-25 06:09 865896 ----a-w- c:\windows\system32\nvgenco322090.dll
2011-07-24 20:53 . 2011-05-25 06:09 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-07-24 20:53 . 2011-05-25 06:09 16456296 ----a-w- c:\windows\system32\nvoglv32.dll
2011-07-24 20:53 . 2011-05-25 06:09 10589800 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-07-24 20:53 . 2011-05-25 06:09 5301352 ----a-w- c:\windows\system32\nvcuda.dll
2011-07-24 20:53 . 2011-05-25 06:09 2804328 ----a-w- c:\windows\system32\nvcuvid.dll
2011-07-24 20:53 . 2011-05-25 06:09 2335848 ----a-w- c:\windows\system32\nvapi.dll
2011-07-24 20:53 . 2011-05-25 06:09 2082408 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-07-24 20:53 . 2011-05-25 06:09 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
2011-07-24 20:53 . 2011-07-24 20:56 -------- d-----w- c:\program files\NVIDIA Corporation
2011-07-24 20:50 . 2011-07-24 20:50 -------- d-----w- C:\NVIDIA
2011-07-24 20:46 . 2011-07-24 20:46 -------- d-----w- c:\program files\SystemRequirementsLab
2011-07-24 20:37 . 2011-07-24 20:37 -------- d-----w- c:\programdata\PC Drivers HeadQuarters
2011-07-24 20:34 . 2011-07-24 20:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2011-07-24 20:33 . 2006-08-30 17:49 16496 ------w- c:\windows\system32\drivers\NVXBAR.SYS
2011-07-24 20:32 . 2006-08-30 17:49 141582 ------w- c:\windows\system32\drivers\NVCAP.SYS
2011-07-24 20:32 . 2006-08-30 17:49 29696 ------w- c:\windows\system32\FILTER.AX
2011-07-24 20:31 . 2011-07-24 20:32 -------- d-----w- c:\program files\Common Files\InstallShield
2011-07-24 19:15 . 2011-07-24 19:15 -------- d-----w- c:\program files\Common Files\Java
2011-07-24 06:45 . 2011-07-24 06:45 388096 ----a-r- c:\users\Joel\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-24 06:11 . 2011-07-24 06:11 -------- d-----w- c:\users\Joel\AppData\Roaming\Malwarebytes
2011-07-24 06:09 . 2011-07-07 01:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-24 06:09 . 2011-07-24 06:09 -------- d-----w- c:\programdata\Malwarebytes
2011-07-24 06:08 . 2011-07-07 01:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-23 21:30 . 2011-07-23 21:30 -------- d-----w- c:\users\Joel\AppData\Roaming\SUPERAntiSpyware.com
2011-07-23 21:30 . 2011-07-23 21:30 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-23 21:14 . 2011-07-23 21:14 -------- d-----w- c:\program files\CCleaner
2011-07-23 18:56 . 2011-07-23 21:14 -------- d-----w- c:\programdata\OnlineArmor
2011-07-23 18:56 . 2011-07-23 18:56 -------- d-----w- c:\users\Joel\AppData\Roaming\OnlineArmor
2011-07-23 18:52 . 2011-04-06 19:02 39048 ----a-w- c:\windows\system32\drivers\oahlp32.sys
2011-07-23 18:52 . 2011-04-06 19:01 29312 ----a-w- c:\windows\system32\drivers\OAnet.sys
2011-07-23 18:52 . 2011-04-06 19:01 25192 ----a-w- c:\windows\system32\drivers\OAmon.sys
2011-07-23 18:52 . 2011-04-06 19:01 205864 ----a-w- c:\windows\system32\drivers\OADriver.sys
2011-07-23 18:33 . 2011-07-23 18:33 -------- d-----w- c:\programdata\Uniblue
2011-07-23 17:53 . 2011-07-23 17:53 -------- d-----w- c:\program files\CPUID
2011-07-23 17:53 . 2010-11-09 21:35 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2011-07-22 02:52 . 2011-07-22 02:52 -------- d-----w- c:\users\Joel\AppData\Roaming\Uniblue
2011-07-22 02:52 . 2011-07-22 02:52 -------- d-----w- c:\program files\Uniblue
2011-07-22 02:51 . 2011-07-23 18:32 -------- d-----w- c:\users\Joel\AppData\Local\OpenCandy
2011-07-22 02:51 . 2011-07-22 02:51 -------- d-----w- c:\users\Joel\AppData\Roaming\OpenCandy
2011-07-22 02:51 . 2011-07-22 02:51 -------- d-----w- c:\program files\WinSCP
2011-07-14 22:19 . 2011-08-02 06:16 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-07-13 03:09 . 2011-06-11 02:37 2332672 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-24 19:14 . 2010-12-02 02:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-28 03:00 . 2011-06-15 02:01 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-25 06:09 . 2009-06-10 21:19 11992680 ----a-w- c:\windows\system32\nvd3dum.dll
2011-05-25 06:09 . 2011-07-24 20:53 12392 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2011-05-24 10:35 . 2011-06-29 23:27 294912 ----a-w- c:\windows\system32\umpnpmgr.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[-] 2010-11-14 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-06-07 22:03 194848 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverScanner"="c:\program files\Uniblue\DriverScanner\launcher.exe" [2011-05-16 338296]
"SpybotSD TeaTimer"="k:\computer restoration\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 1797008]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2011-03-30 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2008-09-10 3622184]
"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"@OnlineArmor GUI"="k:\computer restoration\Online Armor\oaui.exe" [2011-04-06 2477032]
"Malwarebytes' Anti-Malware"="k:\computer restoration\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\users\Joel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - k:\programs\Program Files\MagicDisc\MagicDisc.exe [2007-5-8 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "k:\comput~1\ONLINE~1\oaevent.dll" [2011-04-06 354720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:d580b26028a
.
R1 aswSP;aswSP;
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-04-06 205864]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2011-04-06 39048]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2011-04-06 25192]
R1 SASDIFSV;SASDIFSV;k:\computer restoration\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;k:\computer restoration\SASKUTIL.SYS
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
R2 aswFsBlk;aswFsBlk;
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2010-11-09 21992]
R2 MBAMService;MBAMService;k:\computer restoration\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-07 366640]
R2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2010-03-25 490280]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]
R2 OAcat;Online Armor Helper Service;k:\computer restoration\Online Armor\OAcat.exe [2011-04-06 381512]
R2 SBSDWSCService;SBSD Security Center Service;k:\computer restoration\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 SvcOnlineArmor;Online Armor;k:\computer restoration\Online Armor\oasrv.exe [2011-04-06 4326472]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-07 22712]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-07 41272]
R3 OAnet;OnlineArmor Service;c:\windows\system32\DRIVERS\oanet.sys [2011-04-06 29312]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-14 1343400]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2011-07-24 197224]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-02 c:\windows\Tasks\DriverScanner.job
- c:\program files\Uniblue\DriverScanner\dsmonitor.exe [2011-07-22 17:22]
.
2011-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3472349457-1566537841-3038834570-1000Core.job
- c:\users\Joel\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-14 04:08]
.
2011-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3472349457-1566537841-3038834570-1000UA.job
- c:\users\Joel\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-14 04:08]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Steam - k:\programs\Steam\Steam.exe
AddRemove-Magic ISO Maker v5.5 (build 0261) - k:\progra~1\MagicISO\UNWISE.EXE
AddRemove-MagicDisc 2.7.106 - k:\progra~1\MAGICD~1\UNWISE.EXE
AddRemove-Steam App 400 - k:\programs\Steam\steam.exe
AddRemove-Steam App 620 - k:\programs\Steam\steam.exe
AddRemove-Steam App 629 - k:\programs\Steam\steam.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe
AddRemove-{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} - k:\computer restoration\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-08-04 18:20:07
ComboFix-quarantined-files.txt 2011-08-05 00:20
.
Pre-Run: 162,554,998,784 bytes free
Post-Run: 162,449,031,168 bytes free
.
- - End Of File - - DB65B44EBD27546F62D54842A3EAC6ED
-
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
Folder::
c:\program files\Yontoo Layers Runtime
DirLook::
c:\windows\system32\sda
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://i424.photobucket.com/albums/pp322/digistar/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
-
i still cannot disable avast. I am doing exactly what you are supposed to do. Initially it isnt even showing up in the system tray (i am running in safe mode), sop i open it, then minimize it to the tray, disable all shields (untill next restart), and try to run combofix. Avast is telling me the shields are disabled, but combofix continually says avast shields are still up and running.
-
EDIT:
Under Task Manager > Services, avast Web, Mail and Antivirus services are all showing up if that helps
-
heres the log i got while still having the problems with disabling avast
ComboFix 11-08-05.03 - Joel 08/05/2011 21:00:14.2.2 - x86 NETWORK
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2047.1446 [GMT -6:00]
Running from: k:\computer restoration\ComboFix.exe
Command switches used :: k:\computer restoration\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Yontoo Layers Runtime
c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-07-06 to 2011-08-06 )))))))))))))))))))))))))))))))
.
.
2011-08-06 03:06 . 2011-08-06 03:24 -------- d-----w- c:\users\Joel\AppData\Local\temp
2011-08-03 00:07 . 2011-08-03 00:26 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-08-02 12:27 . 2011-08-02 12:27 -------- d-----w- c:\program files\NirSoft
2011-08-02 12:24 . 2011-08-02 12:24 1606368 ----a-w- c:\windows\system32\drivers\athw.sys
2011-08-02 10:28 . 2011-07-20 15:44 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8EA13145-693C-41A8-A926-B051183C4FF8}\mpengine.dll
2011-07-25 22:37 . 2011-07-25 22:38 -------- d-----w- c:\users\Joel\AppData\Local\Realtime Soft
2011-07-25 22:20 . 2011-07-25 22:20 -------- d-----w- c:\users\Joel\AppData\Roaming\Realtime Soft
2011-07-25 22:19 . 2011-07-29 00:20 -------- d-----w- c:\program files\UltraMon
2011-07-25 22:19 . 2011-07-25 22:19 -------- d-----w- c:\programdata\Realtime Soft
2011-07-24 22:13 . 2011-07-24 22:13 -------- d-----w- c:\windows\system32\sda
2011-07-24 22:13 . 2011-07-24 22:13 9888360 ----a-w- c:\windows\system32\RtsUStoricon.dll
2011-07-24 22:12 . 2011-07-24 22:12 197224 ----a-w- c:\windows\system32\drivers\RtsUStor.sys
2011-07-24 22:12 . 2011-07-24 22:12 313960 ----a-w- c:\windows\system32\RtsUStor.dll
2011-07-24 22:08 . 2011-07-24 22:07 485920 ----a-w- c:\windows\system32\nvuninst.exe
2011-07-24 22:07 . 2011-07-24 22:07 485920 ----a-w- c:\windows\system32\nvunrm.exe
2011-07-24 22:07 . 2011-07-24 22:07 287392 ----a-w- c:\windows\system32\drivers\nvmf6232.sys
2011-07-24 22:07 . 2011-07-24 22:07 898048 ----a-w- c:\windows\system32\fdco2.dll
2011-07-24 22:07 . 2011-07-24 22:07 155648 ----a-w- c:\windows\system32\nvconrm.dll
2011-07-24 21:26 . 2011-07-24 21:26 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-24 21:13 . 2011-07-24 21:13 -------- d-----w- c:\programdata\UAB
2011-07-24 21:12 . 2011-07-24 21:12 -------- d-----w- c:\users\Joel\AppData\Local\PC_Drivers_Headquarters
2011-07-24 20:55 . 2011-08-03 01:55 -------- d-----w- c:\users\UpdatusUser
2011-07-24 20:55 . 2011-08-02 06:15 -------- d-----w- c:\programdata\NVIDIA
2011-07-24 20:55 . 2011-05-25 06:09 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-07-24 20:55 . 2011-05-25 06:09 615528 ----a-w- c:\windows\system32\nvvsvc.exe
2011-07-24 20:55 . 2011-05-25 06:09 2557544 ----a-w- c:\windows\system32\nvsvc.dll
2011-07-24 20:55 . 2011-05-25 06:09 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-07-24 20:55 . 2011-05-25 06:09 3693672 ----a-w- c:\windows\system32\nvcpl.dll
2011-07-24 20:55 . 2011-05-25 06:09 543336 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-07-24 20:54 . 2011-07-24 20:54 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-07-24 20:53 . 2011-05-25 06:09 899688 ----a-w- c:\windows\system32\nvdispco3220150.dll
2011-07-24 20:53 . 2011-05-25 06:09 865896 ----a-w- c:\windows\system32\nvgenco322090.dll
2011-07-24 20:53 . 2011-05-25 06:09 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-07-24 20:53 . 2011-05-25 06:09 16456296 ----a-w- c:\windows\system32\nvoglv32.dll
2011-07-24 20:53 . 2011-05-25 06:09 10589800 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-07-24 20:53 . 2011-05-25 06:09 5301352 ----a-w- c:\windows\system32\nvcuda.dll
2011-07-24 20:53 . 2011-05-25 06:09 2804328 ----a-w- c:\windows\system32\nvcuvid.dll
2011-07-24 20:53 . 2011-05-25 06:09 2335848 ----a-w- c:\windows\system32\nvapi.dll
2011-07-24 20:53 . 2011-05-25 06:09 2082408 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-07-24 20:53 . 2011-05-25 06:09 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
2011-07-24 20:53 . 2011-07-24 20:56 -------- d-----w- c:\program files\NVIDIA Corporation
2011-07-24 20:50 . 2011-07-24 20:50 -------- d-----w- C:\NVIDIA
2011-07-24 20:46 . 2011-07-24 20:46 -------- d-----w- c:\program files\SystemRequirementsLab
2011-07-24 20:37 . 2011-07-24 20:37 -------- d-----w- c:\programdata\PC Drivers HeadQuarters
2011-07-24 20:34 . 2011-07-24 20:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2011-07-24 20:33 . 2006-08-30 17:49 16496 ------w- c:\windows\system32\drivers\NVXBAR.SYS
2011-07-24 20:32 . 2006-08-30 17:49 141582 ------w- c:\windows\system32\drivers\NVCAP.SYS
2011-07-24 20:32 . 2006-08-30 17:49 29696 ------w- c:\windows\system32\FILTER.AX
2011-07-24 20:31 . 2011-07-24 20:32 -------- d-----w- c:\program files\Common Files\InstallShield
2011-07-24 19:15 . 2011-07-24 19:15 -------- d-----w- c:\program files\Common Files\Java
2011-07-24 06:45 . 2011-07-24 06:45 388096 ----a-r- c:\users\Joel\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-24 06:11 . 2011-07-24 06:11 -------- d-----w- c:\users\Joel\AppData\Roaming\Malwarebytes
2011-07-24 06:09 . 2011-07-07 01:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-24 06:09 . 2011-07-24 06:09 -------- d-----w- c:\programdata\Malwarebytes
2011-07-24 06:08 . 2011-07-07 01:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-23 21:30 . 2011-07-23 21:30 -------- d-----w- c:\users\Joel\AppData\Roaming\SUPERAntiSpyware.com
2011-07-23 21:30 . 2011-07-23 21:30 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-23 21:14 . 2011-07-23 21:14 -------- d-----w- c:\program files\CCleaner
2011-07-23 18:56 . 2011-07-23 21:14 -------- d-----w- c:\programdata\OnlineArmor
2011-07-23 18:56 . 2011-07-23 18:56 -------- d-----w- c:\users\Joel\AppData\Roaming\OnlineArmor
2011-07-23 18:52 . 2011-04-06 19:02 39048 ----a-w- c:\windows\system32\drivers\oahlp32.sys
2011-07-23 18:52 . 2011-04-06 19:01 29312 ----a-w- c:\windows\system32\drivers\OAnet.sys
2011-07-23 18:52 . 2011-04-06 19:01 25192 ----a-w- c:\windows\system32\drivers\OAmon.sys
2011-07-23 18:52 . 2011-04-06 19:01 205864 ----a-w- c:\windows\system32\drivers\OADriver.sys
2011-07-23 18:33 . 2011-07-23 18:33 -------- d-----w- c:\programdata\Uniblue
2011-07-23 17:53 . 2011-07-23 17:53 -------- d-----w- c:\program files\CPUID
2011-07-23 17:53 . 2010-11-09 21:35 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2011-07-22 02:52 . 2011-07-22 02:52 -------- d-----w- c:\users\Joel\AppData\Roaming\Uniblue
2011-07-22 02:52 . 2011-07-22 02:52 -------- d-----w- c:\program files\Uniblue
2011-07-22 02:51 . 2011-07-23 18:32 -------- d-----w- c:\users\Joel\AppData\Local\OpenCandy
2011-07-22 02:51 . 2011-07-22 02:51 -------- d-----w- c:\users\Joel\AppData\Roaming\OpenCandy
2011-07-22 02:51 . 2011-07-22 02:51 -------- d-----w- c:\program files\WinSCP
2011-07-13 03:09 . 2011-06-11 02:37 2332672 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-24 19:14 . 2010-12-02 02:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-28 03:00 . 2011-06-15 02:01 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-25 06:09 . 2009-06-10 21:19 11992680 ----a-w- c:\windows\system32\nvd3dum.dll
2011-05-25 06:09 . 2011-07-24 20:53 12392 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2011-05-24 10:35 . 2011-06-29 23:27 294912 ----a-w- c:\windows\system32\umpnpmgr.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\sda ----
.
2011-07-24 22:13 . 2011-07-24 22:13 75880 ----a-w- c:\windows\system32\sda\SDRTCPRM.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverScanner"="c:\program files\Uniblue\DriverScanner\launcher.exe" [2011-05-16 338296]
"SpybotSD TeaTimer"="k:\computer restoration\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 1797008]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2011-03-30 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2008-09-10 3622184]
"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Malwarebytes' Anti-Malware"="k:\computer restoration\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\users\Joel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - k:\programs\Program Files\MagicDisc\MagicDisc.exe [2007-5-8 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:d580b26028a
.
R1 SASDIFSV;SASDIFSV;k:\computer restoration\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;k:\computer restoration\SASKUTIL.SYS
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 MBAMService;MBAMService;k:\computer restoration\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-07 366640]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-07 41272]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-14 1343400]
S1 aswSP;aswSP;
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-04-06 205864]
S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2011-04-06 39048]
S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2011-04-06 25192]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk;
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2010-11-09 21992]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2010-03-25 490280]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]
S2 SBSDWSCService;SBSD Security Center Service;k:\computer restoration\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-07 22712]
S3 OAnet;OnlineArmor Service;c:\windows\system32\DRIVERS\oanet.sys [2011-04-06 29312]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2011-07-24 197224]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-06 c:\windows\Tasks\DriverScanner.job
- c:\program files\Uniblue\DriverScanner\dsmonitor.exe [2011-07-22 17:22]
.
2011-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3472349457-1566537841-3038834570-1000Core.job
- c:\users\Joel\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-14 04:08]
.
2011-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3472349457-1566537841-3038834570-1000UA.job
- c:\users\Joel\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-14 04:08]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(616)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'Explorer.exe'(4304)
c:\windows\system32\prnfldr.dll
c:\windows\system32\dxp.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\System32\wscinterop.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
k:\computer restoration\Online Armor\OAcat.exe
k:\computer restoration\Online Armor\oasrv.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero MediaHome 4\NMMediaServerService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\conhost.exe
k:\computer restoration\Online Armor\oaui.exe
k:\computer restoration\Online Armor\OAhlp.exe
c:\program files\iPod\bin\iPodService.exe
k:\computer restoration\Online Armor\OADump.exe
.
**************************************************************************
.
Completion time: 2011-08-05 21:45:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-06 03:44
ComboFix2.txt 2011-08-05 00:20
.
Pre-Run: 162,532,835,328 bytes free
Post-Run: 162,204,516,352 bytes free
.
- - End Of File - - A14753E3C83777F172C62377BB54CF85
-
Please go to Jotti's malware scan (http://virusscan.jotti.org/)
(If more than one file needs scanned they must be done separately and links posted for each one)
* Copy the file path in the below Code box:
c:\windows\system32\sda\SDRTCPRM.dll
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
***************************************************
* Download the following tool: RootRepeal - Rootkit Detector (http://rootrepeal.googlepages.com/)
* Direct download link is here: RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip)
* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of such programs and how to disable them.
* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.
-
Jotti
http://virusscan.jotti.org/en/scanresult/507f8203dc80563ebde2cd72e29805865217e2d2
-
from safemode, i was unable to:
-start Online Armor (or to even check if i could disable it for that matter).
-most likely disable avast again, i followed the instructions but like i mentioned above regardless of what i click it still appears to be running both antivirus and firewall functions
-i think my trial of MBAM has run out, i could not find how to disable it (if it was even running at all from safe mode to begin with)
-i could not run RootRepeal. when i go under REPORT and click SCAN i get the following error-dialogue boxes:
(when clicking RootRepeal.exe)>FOPS - DeviceIoControl Error! Error Code = 0xc0000024
Extended Info (0x00000124)
(after clicking SCAN)> Could not initialize driver! Please contact the author!
>Error dumping SSDT (0xc0000024)!
>Attempt to read from address: 0x00000004)
>DeviceIoControl Error! Error Code = 0x0
-
Sorry. I forgot this is a 64 bit machine. Please try this.
Please download Rooter (http://eric71.geekstogo.com/tools/Rooter.exe) and Save it to your desktop.
- Double click it to start the tool.Vista and Windows7 run as administrator.
- Click Scan.
- Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
-
Rooter keeps crashing as well; Windows explorer is telling me the program has stopped working and prompts me to close it once i have clicked Scan.
At the top of the window where it says Rooter v1.0.2 it also says Os detected: [32_bits] Windows 7 if that helps
-
Ok. Let's try another one.
SysProt Antirootkit
Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).
http://sites.google.com/site/sysprotantirootkit/ (http://sites.google.com/site/sysprotantirootkit/)
Unzip it into a folder on your desktop.
- Double click Sysprot.exe to start the program.
- Click on the Log tab.
- In the Write to log box select the following items.
- Process << Selected
- Kernel Modules << Selected
- SSDT << Selected
- Kernel Hooks << Selected
- IRP Hooks << NOT Selected
- Ports << NOT Selected
- Hidden Files << Selected
- At the bottom of the page
- Hidden Objects Only << Selected
- Click on the Create Log button on the bottom right.
- After a few seconds a new window should appear.
- Select Scan Root Drive. Click on the Start button.
- When it is complete a new window will appear to indicate that the scan is finished.
- The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
-
Ok so when i try to create the log now, it says it failed to start because i need to run it as an administrator. When i rightclick it, and do that, i still get the same error message. Then when i click Scan it appears to have frozen (there is nothing appearing under that same screen that would otherwise indicate it is scanning anything) and it freezes up. Would it almost be worth it to try and run my computer normally despite the fact that it crashed within a half hour of the 20% of successful boots? Safemode doesnt seem to be doing me any favors really.
Here is the log as is:
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
No Hidden Kernel Modules found
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
No hidden files/folders found
-
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstallDesktopIcon-1.png) icon on your desktop.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
(scan is still running; entering 47th hour, >2,800,000 files scanned, 42 threats found so far...)
-
Whoa. That's way too long. Please abort it and try again. If it still doesn't work, please try this one.
Run the BitDefender Online scanner (http://www.bitdefender.com/scanner/online/free.html)
Agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files.
Once Bitdefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report.
When the window comes up to save the report, change the Save as type: box to:
Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click Save.
This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later).
This bdcan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
If you do not follow these step, you will have an incorrect log or worse a log summary which is useless to us.
Post the bdscan.txt file as an Attachment.
-
well i told it to also scan my external harddrive because that is where i am storing the majority of my non-essential programs so that my computer would run faster, which has about 750gb of stuff on it including pc backups. Should i just be scanning C: where my important windows stuff is?
And to update, the scan is STILL running, almost at 72 hours, >4,300,000 files scanned, 61 threats found. It is scanning my external drive right now and it is still finding threats, so should i let it run its course?
-
well it finished anyways haha here it is:
ESET Scan
C:\Qoobox\Quarantine\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll.vir Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
D:\JOEL-PC\Backup Set 2010-11-14 192412\Backup Files 2011-01-09 190001\Backup files 3.zip a variant of Win32/Adware.HotBar.H application deleted - quarantined
D:\JOEL-PC\Backup Set 2010-11-14 192412\Backup Files 2011-04-03 190005\Backup files 3.zip a variant of Win32/Adware.HotBar.H application deleted - quarantined
D:\JOEL-PC\Backup Set 2011-07-17 190008\Backup Files 2011-07-17 190008\Backup files 5.zip probably a variant of Win32/Adware.BGJATNS application deleted - quarantined
K:\Downloads\Harry Potter and the Deathly Hallows Part 2 2011 DVD Rip XviD-nDn\trz5232.tmp a variant of WMA/TrojanDownloader.GetCodec.gen trojan unable to clean
K:\Nero Autobackup\20110724_163859_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110724_163859_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110725_123156_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110725_123156_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110725_143151_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110725_143151_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110725_163225_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110725_163225_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110725_183200_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110725_183200_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110725_203202_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110725_203202_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110725_223201_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110725_223201_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110726_003201_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110726_003201_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110726_023152_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110726_023152_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110726_043153_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110726_043153_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110726_183155_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110726_183155_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110726_203157_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110726_203157_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110727_143825_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110727_143825_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110727_163151_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110727_163151_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110727_183159_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110727_183159_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110727_203153_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110727_203153_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110728_175150_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110728_175150_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110728_203152_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110728_203152_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110728_223151_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110728_223151_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_003151_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_003151_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_023152_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_023152_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_043151_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_043151_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_063150_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_063150_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_083151_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_083151_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_103150_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_103150_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_123150_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_123150_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_143151_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_143151_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_163159_Local Autobackup\C\Program Files\Yontoo Layers Runtime\YontooIEClient.dll Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
K:\Nero Autobackup\20110729_163159_Local Autobackup\C\Users\Joel\Downloads\PageRageSetup.exe probably a variant of Win32/Adware.BGJATNS application cleaned by deleting - quarantined
K:\Programs\Adobe\Adobe Soundbooth CS5.rar a variant of Win32/Keygen.BH application deleted - quarantined
-
Your computer must be running better now with all that crap removed. Please let me know if there are any other issues.
-
It started normally once, i updated itunes, tried to update my graphics card drivers (failed) and my computer prompted me to restart. I did so, and i got the bluescreen again. I cannot start it now without it prompting me for startup repair :(
EDIT: windows went ahead with startup repair. i am trying to cancel it but it says it cannot be cancelled; i dont want to just shut it off mid-operation for fear of making things worse. I hope this doesnt undo that 4 days worth of scanning eset just did :(
On a side note, could this also be a problem with my graphics card and that ultramon program i was running?
When i start up, my HP logo is distorted somewhat; there are a few pixels that are offcolor randomly. This was a symptom my computer had last time it was completely screwed up. Now that i have apparently removed my software ailments, could this be a hardware/driver issue possibly?
The thread i have for it is located here:
http://www.computerhope.com/forum/index.php/topic,121750.0.html (http://www.computerhope.com/forum/index.php/topic,121750.0.html)
-
I hope this doesnt undo that 4 days worth of scanning eset just did
No. A repair shouldn't hurt anything.
Now that i have apparently removed my software ailments, could this be a hardware/driver issue possibly?
Your computer only had two BSOD's according to the last scan. Please run the BlueScreenView scan as instructed in Reply # 9. I would like to see the log again. I'm quite sure that your computer is clean and something else is causing those problems.
could this also be a problem with my graphics card and that ultramon program i was running?
When i start up, my HP logo is distorted somewhat; there are a few pixels that are offcolor randomly. This was a symptom my computer had last time it was completely screwed up.
Try to attach a different monitor to your computer. If it's still doing it, that will indicate it's the graphics card or drivers.
-
==================================================
Dump File : 081311-20482-01.dmp
Crash Time : 8/13/2011 12:10:53 PM
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : 0x8ac88008
Parameter 2 : 0x00000000
Parameter 3 : 0x8f2f5694
Parameter 4 : 0x00000000
Caused By Driver : nvlddmkm.sys
Caused By Address : nvlddmkm.sys+2d18bb
File Description : NVIDIA Windows Kernel Mode Driver, Version 258.96
Product Name : NVIDIA Windows Kernel Mode Driver, Version 258.96
Company : NVIDIA Corporation
File Version : 8.17.12.5896
Processor : 32-bit
Crash Address : ntkrnlpa.exe+85a0b
Stack Address 1 : ntkrnlpa.exe+46608
Stack Address 2 : nvlddmkm.sys+2d2694
Stack Address 3 : nvlddmkm.sys+2d4eb1
Computer Name :
Full Path : C:\Windows\Minidump\081311-20482-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 7600
Dump File Size : 135,248
==================================================
==================================================
Dump File : 080211-31980-01.dmp
Crash Time : 8/2/2011 5:55:17 PM
Bug Check String :
Bug Check Code : 0x00000116
Parameter 1 : 0x87ae5008
Parameter 2 : 0x91b4cb2c
Parameter 3 : 0x00000000
Parameter 4 : 0x00000002
Caused By Driver : nvlddmkm.sys
Caused By Address : nvlddmkm.sys+11fb2c
File Description : NVIDIA Windows Kernel Mode Driver, Version 258.96
Product Name : NVIDIA Windows Kernel Mode Driver, Version 258.96
Company : NVIDIA Corporation
File Version : 8.17.12.5896
Processor : 32-bit
Crash Address : ntkrnlpa.exe+dce3c
Stack Address 1 : dxgkrnl.sys+8cc26
Stack Address 2 : dxgkrnl.sys+8da45
Stack Address 3 : dxgmms1.sys+692c
Computer Name :
Full Path : C:\Windows\Minidump\080211-31980-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 7600
Dump File Size : 223,200
==================================================
==================================================
Dump File : 080111-657029-01.dmp
Crash Time : 8/1/2011 10:30:08 PM
Bug Check String : DRIVER_POWER_STATE_FAILURE
Bug Check Code : 0x0000009f
Parameter 1 : 0x00000003
Parameter 2 : 0x84c7ab60
Parameter 3 : 0x82d67ae0
Parameter 4 : 0x8627c990
Caused By Driver : halmacpi.dll
Caused By Address : halmacpi.dll+37a0
File Description : Hardware Abstraction Layer DLL
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : 32-bit
Crash Address : ntkrnlpa.exe+dce3c
Stack Address 1 : ntkrnlpa.exe+3c024
Stack Address 2 : ntkrnlpa.exe+3b8b8
Stack Address 3 : ntkrnlpa.exe+6a16d
Computer Name :
Full Path : C:\Windows\Minidump\080111-657029-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 7600
Dump File Size : 683,168
==================================================
-
As you can see from the BlueScreen Viewer the problem has been caused By Driver : nvlddmkm.sys
We should do the clean up.
To uninstall ComboFix
- Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
- In the field, type in ComboFix /uninstall
(http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg)
(Note: Make sure there's a space between the word ComboFix and the forward-slash.)
- Then, press Enter, or click OK.
- This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
**************************************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
****************************************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
-
im not so sure the scan is working. Its been well over 26 hours, and im guessing it has frozen or something because it says "null" for status, and also it has 406 errors with it.
-
What scan are you running? 26 hrs. is too long for any scan.
-
i was doing the secunia one
-
i was doing the secunia one
Please just skip that one. It sometimes acts up.
-
it still will not start. when i start now, the hp logo has lost that pixelation that i was having before, however i got another bluescreen when i tried to start it normally. i did all i could on that "speed up my computer page ie. defragged all my drives and such. i will post the bluscreen log
-
sorry was on vacation. heres the log
==================================================
Dump File : 082111-33119-01.dmp
Crash Time : 8/21/2011 5:45:42 PM
Bug Check String : DRIVER_POWER_STATE_FAILURE
Bug Check Code : 0x0000009f
Parameter 1 : 0x00000003
Parameter 2 : 0x84c7ab60
Parameter 3 : 0x82d78ae0
Parameter 4 : 0x86374828
Caused By Driver : tcpip.sys
Caused By Address : tcpip.sys+f3f48
File Description : TCP/IP Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : 32-bit
Crash Address : ntkrnlpa.exe+dce34
Stack Address 1 : ntkrnlpa.exe+3c054
Stack Address 2 : ntkrnlpa.exe+3b8e8
Stack Address 3 : ntkrnlpa.exe+6a18d
Computer Name :
Full Path : C:\Windows\Minidump\082111-33119-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 7600
Dump File Size : 581,648
==================================================
-
Do you have your OS disk?
-
you mean a boot disc? i will see if i can dig it up
-
yes i have them. took a while to dig up but i have them
-
ok i ended up just doing a complete format of my hard drive and reinstalled windows. everythings working fine now. thanks for your patience superdave!
-
ok i ended up just doing a complete format of my hard drive and reinstalled windows. everythings working fine now. thanks for your patience superdave!
When I asked for you OS disk I was going to ask you to do a system File check to see if any files were absent or corrupted not a complete re-format. However, now you have a new computer. I will lock this thread. If you need it reopened, please send me a pm