Win32K/Stream and Med.Codec Trojans Infection

Post by jackie5 » September 26th, 2009, 9:40 am

I can't get HijackThis to download due to the nature of my computer's infection. I am able to post this OldTimer version instead. I am unable to use malware removal tools once downloaded (Spybot, Malwarebytes and Stopzilla). However, a Stopzilla scan showed my computer to be infected with Win32K/ Stream and med.codec Trojans. Whenever I attempt to run a scan to remove malware I receive the following message:

Windows cannot access the specified device path or file. You may not have the appropriate permissions to access the item.

I would appreciate any assistance you could provide as I am unable to find a working solution.

Thank you

OTL logfile created on: 9/23/2009 4:43:48 PM - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

190.48 Mb Total Physical Memory | 35.37 Mb Available Physical Memory | 18.57% Memory free
535.56 Mb Paging File | 84.88 Mb Available in Paging File | 15.85% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35.03 Gb Total Space | 22.51 Gb Free Space | 64.26% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-6307263345
Current User Name: Jackie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2004/09/13 14:49:42 | 01,192,050 | ---- | M] (Ahead Software AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/01/28 10:31:30 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2004/03/26 01:07:12 | 00,049,152 | R--- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\System32\VTTimer.exe
PRC - [2004/05/03 16:49:04 | 00,135,168 | R--- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\System32\VTtrayp.exe
PRC - [2005/01/28 16:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe
PRC - [2004/07/01 05:23:32 | 00,067,584 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005/03/04 15:01:56 | 00,088,209 | ---- | M] (Agere Systems) -- C:\WINDOWS\AGRSMMSG.exe
PRC - [2004/09/13 04:51:06 | 01,450,096 | ---- | M] (Ahead Software AG) -- C:\Program Files\Ahead\InCD\InCD.exe
PRC - [2004/11/02 23:24:46 | 00,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PRC - [2007/12/10 15:55:26 | 00,323,584 | ---- | M] (PixArt Imaging Incorporation) -- C:\WINDOWS\PixArt\PAC207\Monitor.exe
PRC - [2009/01/28 10:30:35 | 01,601,304 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/28 10:32:30 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/01/28 10:33:34 | 00,484,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2008/02/05 14:29:20 | 00,054,512 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
PRC - [2009/01/28 10:33:19 | 00,592,128 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2006/02/24 17:41:08 | 02,334,720 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
PRC - [2009/01/28 10:33:31 | 00,687,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2006/02/24 17:41:38 | 02,478,080 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
PRC - [2009/01/28 10:33:31 | 00,687,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/03/18 18:50:30 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
PRC - [2009/06/29 03:35:10 | 00,634,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/09/23 16:42:46 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - File not found -- -- (AVG Anti-Spyware Guard [Auto | Stopped])
SRV - [2009/01/28 10:32:30 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/01/28 10:31:30 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - File not found -- -- (ESHRGDNC [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2004/09/13 14:49:42 | 01,192,050 | ---- | M] (Ahead Software AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - File not found -- -- (QOG [On_Demand | Stopped])
SRV - File not found -- -- (szserver [Auto | Stopped])
SRV - File not found -- -- (TUPRXNDTYOB [On_Demand | Stopped])
SRV - [2005/01/28 16:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2005/10/06 21:12:30 | 00,855,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/01 18:47:52 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (ZILLAbar Browser Helper Object) - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll File not found
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (STOPzilla Browser Helper Object) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll File not found
O3 - HKLM\..\Toolbar: (STOPzilla) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [!AVG Anti-Spyware] C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe File not found
O4 - HKLM..\Run: [AGRSMMSG] C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe (Ahead Software AG)
O4 - HKLM..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [PAC207_Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] C:\WINDOWS\System32\VTtrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe File not found
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\Jackie.YOUR-6307263345\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupda ... 4502719968 (WUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shoc ... wflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 192.168.0.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/12/12 11:52:54 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/09/23 16:42:30 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\OTL.exe
[2009/09/23 16:37:00 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\settings.dat
[2009/09/23 16:36:41 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\RootRepeal.exe
[2009/09/23 16:00:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jackie.YOUR-6307263345\Application Data\Malwarebytes
[2009/09/23 16:00:43 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/23 15:59:09 | 04,045,536 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\mbam-setup.exe
[2009/09/23 15:55:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/09/23 15:52:50 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\NTREGOPT.lnk
[2009/09/23 15:52:50 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\ERUNT.lnk
[2009/09/23 15:52:41 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/09/23 15:51:06 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\erunt_setup.exe
[2009/09/23 15:47:16 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\SysRestorePoint.exe
[2009/09/23 15:18:54 | 00,271,872 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\TFC.exe
[2009/09/23 11:22:06 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\Spybot - Search & Destroy.lnk
[2009/09/23 11:14:30 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\setup-spybotsd162.exe
[2009/09/23 10:38:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\win32k.sys
[2009/09/23 08:22:42 | 04,538,368 | ---- | C] () -- C:\WINDOWS\System32\WKEX
[2009/09/23 08:19:41 | 04,534,272 | ---- | C] () -- C:\WINDOWS\System32\LJJNFMMVP
[2009/09/23 08:18:14 | 04,534,272 | ---- | C] () -- C:\WINDOWS\System32\XLWT
[2009/09/23 07:09:26 | 00,000,000 | ---D | C] -- C:\Program Files\BillP Studios
[2009/09/22 13:31:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2009/09/22 13:28:30 | 00,000,000 | ---D | C] -- C:\Program Files\STOPzilla!
[2009/09/22 13:28:25 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2009/09/22 13:28:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2009/09/22 12:23:58 | 00,008,224 | ---- | C] () -- C:\WINDOWS\System32\GDIPFONTCACHEV1.DAT
[2009/09/22 09:03:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\1024
[2009/09/22 09:03:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2009/09/22 09:03:21 | 00,000,000 | ---D | C] -- C:\Program Files\RegCure
[2009/09/21 04:51:33 | 00,008,690 | ---- | C] () -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\MSN.com.url
[2009/09/21 03:38:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jackie.YOUR-6307263345\Application Data\MSNInstaller
[2009/09/21 03:09:46 | 00,004,566 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/09/20 01:20:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jackie.YOUR-6307263345\My Documents\Downloads
[2009/09/20 01:19:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jackie.YOUR-6307263345\Local Settings\Application Data\Google
[2009/09/19 10:18:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jackie.YOUR-6307263345\Application Data\Grisoft
[2009/09/19 03:38:07 | 00,000,246 | -H-- | C] () -- C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[2009/09/18 15:49:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jackie.YOUR-6307263345\Application Data\ParetoLogic
[2009/09/18 15:47:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2009/09/18 14:15:54 | 00,000,000 | -HSD | C] -- C:\found.001

========== Files - Modified Within 14 Days ==========

[2009/09/23 16:42:46 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\OTL.exe
[2009/09/23 16:37:00 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\settings.dat
[2009/09/23 16:36:53 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\RootRepeal.exe
[2009/09/23 16:16:28 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/23 16:16:05 | 00,000,000 | ---- | M] () -- C:\WINDOWS\win32k.sys
[2009/09/23 16:16:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/23 16:14:04 | 04,834,580 | -H-- | M] () -- C:\Documents and Settings\Jackie.YOUR-6307263345\Local Settings\Application Data\IconCache.db
[2009/09/23 16:10:22 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/23 16:07:48 | 04,045,536 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\mbam-setup.exe
[2009/09/23 16:00:01 | 00,000,246 | -H-- | M] () -- C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[2009/09/23 15:52:50 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\NTREGOPT.lnk
[2009/09/23 15:52:50 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\ERUNT.lnk
[2009/09/23 15:51:31 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\erunt_setup.exe
[2009/09/23 15:47:30 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\SysRestorePoint.exe
[2009/09/23 15:19:10 | 00,271,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\TFC.exe
[2009/09/23 11:22:06 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\Spybot - Search & Destroy.lnk
[2009/09/23 11:19:22 | 16,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\setup-spybotsd162.exe
[2009/09/23 08:58:33 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/09/23 08:49:03 | 41,682,288 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/09/23 08:48:16 | 00,112,900 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/09/23 08:41:49 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx(2).dll
[2009/09/23 08:41:08 | 00,463,779 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/09/23 08:22:46 | 04,538,368 | ---- | M] () -- C:\WINDOWS\System32\WKEX
[2009/09/23 08:19:44 | 04,534,272 | ---- | M] () -- C:\WINDOWS\System32\LJJNFMMVP
[2009/09/23 08:18:18 | 04,534,272 | ---- | M] () -- C:\WINDOWS\System32\XLWT
[2009/09/22 12:23:58 | 00,008,224 | ---- | M] () -- C:\WINDOWS\System32\GDIPFONTCACHEV1.DAT
[2009/09/22 12:11:04 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/21 05:05:41 | 00,008,690 | ---- | M] () -- C:\Documents and Settings\Jackie.YOUR-6307263345\Desktop\MSN.com.url
[2009/09/21 03:47:51 | 00,004,566 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/09/21 03:47:46 | 00,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/09/21 03:47:46 | 00,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/09/19 19:11:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/09/15 18:55:36 | 00,020,456 | ---- | M] () -- C:\Documents and Settings\Jackie.YOUR-6307263345\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== LOP Check ==========

[2009/09/23 10:56:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data
[2006/02/06 13:27:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ahead
[2006/06/21 09:08:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7(2)
[2006/06/23 14:16:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2006/02/06 13:27:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2009/09/18 15:47:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2006/06/21 09:08:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
[2009/04/23 11:48:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
[2009/05/02 11:04:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2008/07/23 16:20:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2006/06/29 14:51:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2009/09/22 13:31:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2009/09/23 07:28:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2008/08/27 08:39:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SweetIM
[2008/12/18 22:48:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/08/11 14:23:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2009/09/23 16:00:58 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Jackie.YOUR-6307263345\Application Data
[2009/06/18 23:56:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jackie.YOUR-6307263345\Application Data\ArcSoft
[2009/09/19 10:18:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jackie.YOUR-6307263345\Application Data\Grisoft
[2009/09/21 03:38:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jackie.YOUR-6307263345\Application Data\MSNInstaller
[2009/09/23 16:23:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jackie.YOUR-6307263345\Application Data\OpenOffice.org2
[2009/09/18 15:49:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jackie.YOUR-6307263345\Application Data\ParetoLogic
[2009/09/19 19:11:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2004/08/04 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/09/23 16:16:28 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/09/23 16:00:01 | 00,000,246 | -H-- | M] () -- C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\eventlog.dll >
[2008/04/13 19:11:53 | 00,061,952 | ---- | M] () -- C:\WINDOWS\system32\eventlog.dll

< %systemroot%\system32\scecli.dll >
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logevent.dll
< End of report >
jackie5
Active Member
Posts: 3
Joined: September 22nd, 2009, 2:10 pm

Re: Win32K/Stream and Med.Codec Trojans Infection

Post by MWR 3 day Mod » October 1st, 2009, 1:25 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Win32K/Stream and Med.Codec Trojans Infection

Post by NonSuch » October 5th, 2009, 1:09 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
Posts: 27305
Joined: February 23rd, 2005, 7:08 am
Location: California
