Unread post by Pipps » December 4th, 2011, 1:38 pm

Please help - my computer seems to have become infected with a virus or malware. It may be Trojan.Agent/Gen-UsrMgr.Process, which was identified on a SuperAntiSpyware scan.

The problem is causing my computer to repeatedly freeze, and is causing lots of unnecessary and disconcerting hard disk activity.

Here are my logs:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_29
Run by Administrator at 17:34:11 on 2011-12-04
============== Running Processes ===============
C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\FlashFolder\FlashFolder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\VolumeMouse\volumouse.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\RealTemp_349\RealTemp.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\explorer++_1.1_x86\Explorer++.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - No File
uRun: [$Volumouse$] "c:\program files\volumemouse\volumouse.exe" /nodlg
uRun: [CursorXP] c:\program files\cursorxp\CursorXP.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [VistaSwitcher] "c:\program files\vistaswitcher\vswitch.exe" /startup
mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: SmarThru4 Capture Selection - c:\program files\smarthru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\smarthru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\smarthru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\smarthru 4\WebCapture.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: DhcpNameServer =
TCP: Interfaces\{87956400-34C1-440C-BA8F-0DE9DFFBE3AB} : DhcpNameServer =
TCP: Interfaces\{C8C9E877-CFF5-412C-9E11-09C9E0D3555C} : DhcpNameServer =
TCP: Interfaces\{F2F716C6-E038-4451-98F3-0AEBA9654E45} : DhcpNameServer =
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\program files\stardock\object desktop\iconpackager\iprepair.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
================= FIREFOX ===================
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\tfzrrhwq.default\
FF - prefs.js: browser.search.selectedEngine - Google UK
FF - prefs.js: browser.startup.homepage - http://www.google.co.uk
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Adblock Plus Pop-up Addon: adblockpopups@jessehakanen.net - %profile%\extensions\adblockpopups@jessehakanen.net
FF - Ext: Compact Menu 2: {57068FBE-1506-42ee-AB02-BD183E7999E4} - %profile%\extensions\{57068FBE-1506-42ee-AB02-BD183E7999E4}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
============= SERVICES / DRIVERS ===============
R? Ambfilt;Ambfilt
R? BazisVirtualCD;Virtual CD driver
R? GenericMount Helper Service;GenericMount Helper Service
R? GenericMount;Generic Mount Driver
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? hid7906;hid7906
R? hid8101;hid8101
R? hid8103;hid8103
R? HTCAND32;HTC Device Driver
R? htcnprot;HTC NDIS Protocol Driver
R? libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007,
R? ntcdrdrv;ntcdrdrv
R? PsShutdownSvc;PsShutdown
R? SwitchBoard;SwitchBoard
R? SymSnapService;SymSnapService
R? VirtDiskBus;Virtual disk Enumerator
S? !SASCORE;SAS Core Service
S? AtiHDAudioService;ATI Function Driver for HD Audio Service
S? BazisVirtualCDBus;WinCDEmu Virtual Bus Driver
S? cmdAgent;COMODO Internet Security Helper Service
S? cmderd;COMODO Internet Security Eradication Driver
S? cmdGuard;COMODO Internet Security Sandbox Driver
S? cmdHlp;COMODO Internet Security Helper Driver
S? cpuz132;cpuz132
S? FlashFolder;FlashFolder
S? L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller
S? NPF;NetGroup Packet Filter Driver
S? PassThru Service;Internet Pass-Through Service
S? Printer Control;Printer Control
S? WinRing0_1_2_0;WinRing0_1_2_0
=============== File Associations ===============
=============== Created Last 30 ================
2011-11-15 22:15:12 -------- d-----w- c:\documents and settings\all users\application data\regid.1986-12.com.adobe
2011-11-13 21:20:27 -------- d-----w- c:\program files\SystemRequirementsLab
2011-11-13 19:49:39 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-11-13 19:49:39 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-13 10:39:56 -------- d-----w- c:\program files\common files\ATI Technologies
2011-11-05 12:45:46 -------- d-----w- c:\program files\ATI
2011-11-05 12:45:28 -------- d-----w- c:\program files\ATI Technologies
2011-11-05 12:45:00 -------- d-----w- C:\ATI
==================== Find3M ====================
2011-11-13 19:55:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 04:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 01:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-08 18:24:14 7180800 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-09-08 18:17:00 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-09-08 17:50:08 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-09-08 17:50:02 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-09-08 17:46:32 5701632 ----a-w- c:\windows\system32\aticaldd.dll
2011-09-08 17:41:52 18571264 ----a-w- c:\windows\system32\atioglxx.dll
2011-09-08 17:26:46 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-09-08 17:25:58 3953280 ----a-w- c:\windows\system32\ati3duag.dll
2011-09-08 17:25:42 303104 ----a-w- c:\windows\system32\ati2dvag.dll
2011-09-08 17:19:36 956160 ----a-w- c:\windows\system32\ativvamv.dll
2011-09-08 17:09:28 3174656 ----a-w- c:\windows\system32\ativvaxx.dll
2011-09-08 17:09:18 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-09-08 17:09:08 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-09-08 17:09:02 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-09-08 17:08:54 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-09-08 17:08:42 188416 ------w- c:\windows\system32\ati2evxx.dll
2011-09-08 17:07:36 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-09-08 17:06:26 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-09-08 17:05:10 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-09-08 17:01:54 704512 ----a-w- c:\windows\system32\atikvmag.dll
2011-09-08 17:00:28 528384 ----a-w- c:\windows\system32\atiok3x2.dll
2011-09-08 16:58:28 208896 ----a-w- c:\windows\system32\atiadlxx.dll
2011-09-08 16:58:06 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-09-08 16:52:44 876544 ----a-w- c:\windows\system32\ati2cqag.dll
2011-09-08 16:52:08 65024 ----a-w- c:\windows\system32\atimpc32.dll
2011-09-08 16:52:08 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2011-09-08 16:52:06 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
============= FINISH: 17:34:22.95 ===============

==== Installed Programs ======================
32 Bit HP CIO Components Installer
7-Zip 4.65
Adobe AIR
Adobe Audition 1.0
Adobe Community Help
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop CS5.1
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
ATI Catalyst Install Manager
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
CCC Help English
COMODO Internet Security
CPUID CPU-Z 1.52.2
DH Driver Cleaner Professional Edition
Dropbox Folder Sync
DVD Flick
Exact Audio Copy 0.99pb5
FileZilla Client 3.5.0
FLAC 1.2.1b (remove only)
Foxit Phantom
Garmin Communicator Plugin
Garmin USB Drivers
Garmin WebUpdater
Google Chrome
Google Earth Plug-in
Google Update Helper
HashCheck Shell Extension (x86-32)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB938759)
Hotfix for Windows XP (KB954550-v5)
HTC Driver Installer
HTC Sync
Java Auto Updater
Java(TM) 6 Update 16
Java(TM) 6 Update 29
Launchy 2.1.2
LightScribe Diagnostic Utility
LightScribe System Software
Live 8.0.3
Malwarebytes' Anti-Malware version
Medieval CUE Splitter
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mixed In Key 2.5
MixMeister BPM Analyzer 1.0
Monkey's Audio
Mozilla Firefox (3.6.24)
Mp3tag v2.47b
MSXML 4.0 SP2 Parser and SDK
MSXML 4.0 SP3 Parser
MSXML 6.0 Parser
MyDefrag v4.3.1
ObjectDock Plus
OpenOffice.org 3.2
PDF Settings CS5
PDFTools Version 1.3 (08/26/2007)
Rainmeter (remove only)
Readiris Pro 10
Real Alternative 2.0.1 Lite
REALTEK GbE & FE Ethernet PCI-E NIC Driver
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Revo Uninstaller 1.92
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Express Labeler 3
Samsung SCX-4300 Series
SmarThru 4
Sonic Activation Module
SpeedFan (remove only)
SUPERAntiSpyware Free Edition
System Requirements Lab CYRI
TeraCopy 1.22
Unlocker 1.8.7
Update for Windows XP (KB955839)
USB Network Driver
VLC media player 1.0.3
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Player Firefox Plugin
WinPcap 4.1.2
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
==== End Of File ===========================

Please help - thank you!
Active Member
Posts: 2
Joined: December 4th, 2011, 1:33 pm
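A small triage helper for the "Pseudo HJT Report" section of a DDS log like the one posted above, added here as an example and not part of the thread or the DDS tool. It assumes the DDS convention that the u/m/d prefix on Run entries means current-user, machine and default-user hive, and it uses a constructed excerpt of the lines above as input:

```python
"""Group the entries of a DDS 'Pseudo HJT Report' by key and flag the ones a helper reads first."""
import re

# Constructed sample: a handful of lines taken from the pseudo-HJT section of the log above.
SAMPLE = r"""uRun: [CursorXP] c:\program files\cursorxp\CursorXP.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
dRunOnce: [RunNarrator] Narrator.exe
TB: {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - No File
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
"""

# DDS prefix convention (assumption): u = HKCU, m = HKLM, d = default-user hive.
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

# Keys that load a DLL into many processes or into winlogon: worth checking before plain Run keys.
HIGH_INTEREST = {"AppInit_DLLs", "Notify", "SSODL", "SEH", "BHO"}

RUN_RE = re.compile(r"^([umd])(Run(?:Once)?): \[([^\]]*)\] (.*)$")
GENERIC_RE = re.compile(r"^([A-Za-z_]+): (.*)$")


def parse_hjt(text):
    """Return one dict per recognised line: key, hive, entry name, value and triage flags."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({"key": key, "hive": HIVE[hive], "name": name, "value": cmd, "flags": []})
            continue
        m = GENERIC_RE.match(line)
        if m:
            key, rest = m.groups()
            entries.append({"key": key, "hive": None, "name": None, "value": rest, "flags": []})
    for e in entries:
        if e["key"] in HIGH_INTEREST:
            e["flags"].append("high-interest key")
        if e["value"].endswith("No File"):
            # DDS prints 'No File' when the registry points at a path that no longer exists.
            e["flags"].append("orphaned entry (No File)")
    return entries


def flagged(entries):
    """Only the entries that carry at least one triage flag."""
    return [e for e in entries if e["flags"]]


if __name__ == "__main__":
    for e in flagged(parse_hjt(SAMPLE)):
        print(e["key"], e["hive"] or "", e["value"], "->", ", ".join(e["flags"]))
```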
Re: Please help!

Unread post by diver79 » December 4th, 2011, 5:42 pm

Hi and welcome to MalwareRemoval.com. Sorry for any delay in answering your request for help; the forum is really busy.
My name is Diver79, and I will be helping you with your malware problems. I am currently in training at the Malware University. All of my instructions need to be checked and approved by a teacher, which may lead to a slight delay.

Before we start please note the following important guidelines.
  • The instructions given are for THIS computer only! Using these instructions on a different computer can make it inoperable!
  • Please DO NOT run any other software or scans whilst I am helping you.

Note: If you haven't done so already, please ensure you have read the following article. ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
diver79 wrote: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to backup any personal files and folders before you start.
How do I backup my files and folders in XP?
How to backup your data - Vista/Win7

Looking into your logs now. Will post instructions soon...

Retired Graduate
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: Please help!

Unread post by Pipps » December 4th, 2011, 5:56 pm

Thanks for your help. I've backed up all files and I look forward to your advice.
Active Member
Posts: 2
Joined: December 4th, 2011, 1:33 pm

Re: Please help!

Unread post by diver79 » December 6th, 2011, 6:14 am

Hi Pipps,

We need to run some more scans to help identify the issue. Also please let me know if the computer is for personal or business use.

Remove P2P Programs
  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl Then click enter.
  • Press the "Remove" or "Change/Remove" button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • While you are there please also uninstall the below programs.
    Java(TM) 6 Update 16
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Run CKScanner
  • Please download CKScanner from Here
  • Important: - Save it to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved. Please Run the program only once.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

OTL Scan
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Please download GMER Rootkit Scanner from Here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All << (don't miss this one)
    See the image below.

  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Note: Do not run any programs while Gmer is running.

For Your Next Reply
  • Business/Personal use answer.
  • Confirmation of uninstalled programs.
  • CKScanner log.
  • OTL.Txt and Extras.Txt.
  • GMER log.
Retired Graduate
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: Please help!

Unread post by Cypher » December 9th, 2011, 11:26 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Posts: 14936
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
