Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virus I got from web

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Virus I got from web

Unread postby SSI01 » April 25th, 2011, 8:09 am

Good morning
I have downloaded and run the DDS program. What I get back looks like a box full of Japanese Kanji characters with letters and numbers interspersed. It runs to over 600,000 characters. Mention is made at the beginning of the box about not running the program in DOS mode. Is this what is happening?
SSI01
Regular Member
 
Posts: 20
Joined: April 24th, 2011, 9:36 pm
Advertisement
Register to Remove

Re: Virus I got from web

Unread postby Dakeyras » April 26th, 2011, 4:42 pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome to Malware Removal. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Scan With RKUnHooker:

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.

Note: You may get this warning it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Scan with OTL:

Please download OTL and save it to your Desktop.

Alternate downloads are here and here. <-- Use either of these if the first download of OTL will not work.

  • Double-click on OTL.exe to start OTL.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • RKUnHooker Log.
  • Both OTL logs. <-- Post them individually please, IE: one Log per post/reply.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Virus I got from web

Unread postby SSI01 » April 26th, 2011, 10:23 pm

I have downloaded the first tool mentioned and am in the process of running it now. We are scanning C and E drives - C is a 2TB drive dedicated to Flight Sim 2004 and has several hundred thousand files on it - it is taking a while to scan. E is the drive containing everything else. I back up everything w/Carbonite. Will comply with your instructions and want to learn how to defeat these things. Scan results coming your way.
SSI01
Regular Member
 
Posts: 20
Joined: April 24th, 2011, 9:36 pm

Re: Virus I got from web

Unread postby SSI01 » April 27th, 2011, 6:06 am

Good morning - it's been about 12 hours and no activity noted in the RKU scan beyond the "Please wait while RKU makes scan" screen. It is getting a list of files and directories in C drive. I don't know how fast this program works or to what level of detail. Also - I never got the warning you described when I started the scan.

For your info - the virus, or malware, apparently went through my email address book and sent out emails to everyone there, the email included an attachment with an infection hoping someone would be foolish enough to open it.

Will let the scan run as directed unless you think it is locked up or has otherwise encountered difficulty.
SSI01
Regular Member
 
Posts: 20
Joined: April 24th, 2011, 9:36 pm

Re: Virus I got from web

Unread postby Dakeyras » April 27th, 2011, 6:43 am

Hi. :)

OK abort the RKUnHooker scan and we can come back to that if the need. Reboot your machine and follow my prior instructions for downloading and running OTL, thank you.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Virus I got from web

Unread postby SSI01 » April 27th, 2011, 2:00 pm

Will do, and will keep you advised.
SSI01
Regular Member
 
Posts: 20
Joined: April 24th, 2011, 9:36 pm

Re: Virus I got from web

Unread postby SSI01 » April 27th, 2011, 2:46 pm

Here are the results in the OTL txt file:

OTL logfile created on: 4/27/2011 2:10:00 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = E:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): E:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 1863.01 Gb Total Space | 1532.81 Gb Free Space | 82.28% Space Free | Partition Type: NTFS
Drive E: | 298.08 Gb Total Space | 275.32 Gb Free Space | 92.36% Space Free | Partition Type: NTFS

Computer Name: OWNER-COMPUTER | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - E:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - E:\Program Files\IObit\Game Booster\GameBox.exe (IObit)
PRC - E:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
PRC - E:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe (Carbonite, Inc. (www.carbonite.com))
PRC - E:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
PRC - E:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe ()
PRC - E:\Program Files\CDBurnerXP\NMSAccessU.exe ()
PRC - E:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
PRC - E:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
PRC - E:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
PRC - E:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe (Hewlett-Packard Development Company, L.P.)
PRC - E:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - E:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
MOD - E:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (ioloSystemService) -- E:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (ioloFileInfoList) -- E:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (CarboniteService) -- E:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe (Carbonite, Inc. (www.carbonite.com))
SRV - (NMSAccess) -- E:\Program Files\CDBurnerXP\NMSAccessU.exe ()
SRV - (vseqrts) -- E:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe (Authentium, Inc)
SRV - (vsedsps) -- E:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
SRV - (vseamps) -- E:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)


========== Driver Services (SafeList) ==========

DRV - (FileDisk) -- E:\WINDOWS\System32\drivers\filedisk.sys (iolo technologies, LLC (based on original work by Bo Brantén))
DRV - (NVHDA) -- E:\WINDOWS\system32\drivers\nvhda32.sys (NVIDIA Corporation)
DRV - (AMP) -- E:\WINDOWS\system32\drivers\amp.sys (Authentium, Inc)
DRV - (AMPSE) -- E:\WINDOWS\system32\drivers\ampse.sys (Authentium, Inc)
DRV - (StarOpen) -- E:\WINDOWS\System32\drivers\StarOpen.sys ()
DRV - (nvgts) -- E:\WINDOWS\system32\DRIVERS\nvgts.sys (NVIDIA Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- E:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (nvnetbus) -- E:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- E:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (AmdPPM) -- E:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (sfsync02) StarForce Protection Synchronization Driver (version 2.x) -- E:\WINDOWS\System32\drivers\sfsync02.sys (Protection Technology)
DRV - (sfdrv01) StarForce Protection Environment Driver (version 1.x) -- E:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (nvnforce) Service for NVIDIA(R) nForce(TM) -- E:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA Corporation)
DRV - (nvax) Service for NVIDIA(R) nForce(TM) -- E:\WINDOWS\system32\drivers\nvax.sys (NVIDIA Corporation)
DRV - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- E:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (ADM8511) -- E:\WINDOWS\system32\drivers\ADM8511.SYS (ADMtek Incorporated)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
IE - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.foxnews.com/
IE - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\extensions\\msntoolbar@msn.com: E:\Program Files\MSN Toolbar\Platform\4.0.0417.0\Firefox [2010/11/11 11:03:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{27182e60-b5f3-411c-b545-b44205977502}: E:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/11/11 11:03:52 | 000,000,000 | ---D | M]

[2010/10/15 16:55:23 | 000,000,000 | ---D | M] (No name found) -- E:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/11/11 11:29:58 | 000,000,000 | ---D | M] (No name found) -- E:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8o32id9r.default\extensions
[2010/10/20 09:19:26 | 000,000,000 | ---D | M] (No name found) -- E:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8o32id9r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/11/11 11:29:58 | 000,000,000 | ---D | M] (Microsoft Default Manager) -- E:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8o32id9r.default\extensions\DefaultManager@Microsoft
[2010/10/20 09:19:26 | 000,000,000 | ---D | M] (No name found) -- E:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8o32id9r.default\extensions\staged-xpis
[2010/12/12 20:49:49 | 000,000,000 | ---D | M] (No name found) -- E:\Program Files\Mozilla Firefox\extensions
[2010/10/15 16:02:41 | 000,000,000 | ---D | M] (Java Console) -- E:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/10/15 16:02:34 | 000,000,000 | ---D | M] (Java Quick Starter) -- E:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/10/15 16:02:34 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2002/12/31 08:00:00 | 000,000,734 | ---- | M]) - E:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Carbonite Backup] E:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] E:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMan] E:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - Startup: E:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = E:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - E:\WINDOWS\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - E:\WINDOWS\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - E:\WINDOWS\System32\iavlsp.dll (iolo technologies, LLC)
O15 - HKU\S-1-5-21-1060284298-1604221776-1801674531-1003\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDow ... ab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resour ... se6886.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupda ... 3190617328 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.74.166 68.87.68.166
O20 - HKLM Winlogon: Shell - (Explorer.exe) - E:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: E:\Documents and Settings\Owner\My Documents\My Pictures\f4%201.gif
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/01/03 03:18:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{bf2a2eb9-dd89-11df-b3ad-005070561137}\Shell - "" = AutoRun
O33 - MountPoints2\{bf2a2eb9-dd89-11df-b3ad-005070561137}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{bf2a2eb9-dd89-11df-b3ad-005070561137}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O33 - MountPoints2\{bf2a2ebb-dd89-11df-b3ad-005070561137}\Shell - "" = AutoRun
O33 - MountPoints2\{bf2a2ebb-dd89-11df-b3ad-005070561137}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{bf2a2ebb-dd89-11df-b3ad-005070561137}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (autocheck smrgdf E:\Documents and Settings\Owner\Application Data\iolo\) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/27 14:08:28 | 000,580,608 | ---- | C] (OldTimer Tools) -- E:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/04/27 14:06:30 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Owner\Desktop\Malware cleanup
[2011/04/24 09:33:42 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Owner\Application Data\Driver Smith
[2011/04/24 09:33:39 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Start Menu\Programs\DriverSmith
[2011/04/24 09:33:37 | 000,000,000 | ---D | C] -- E:\Program Files\DriverSmith
[2011/04/23 15:45:38 | 000,446,464 | ---- | C] (NVIDIA Corporation) -- E:\WINDOWS\System32\nvunrm.exe
[2011/04/23 11:16:15 | 000,000,000 | ---D | C] -- E:\Program Files\Realtek AC97
[2011/04/23 11:03:26 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Owner\Desktop\Registration keys
[2011/04/23 01:28:14 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Owner\Desktop\DXDIAG folder
[2011/04/23 00:35:13 | 000,074,072 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAPOFX1_5.dll
[2011/04/23 00:35:12 | 000,527,192 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAudio2_7.dll
[2011/04/23 00:35:11 | 000,239,960 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine3_7.dll
[2011/04/23 00:35:10 | 002,106,216 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DCompiler_43.dll
[2011/04/23 00:35:09 | 001,868,128 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dcsx_43.dll
[2011/04/23 00:35:08 | 000,248,672 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx11_43.dll
[2011/04/23 00:35:07 | 000,470,880 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx10_43.dll
[2011/04/23 00:35:05 | 001,998,168 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DX9_43.dll
[2011/04/23 00:35:04 | 000,528,216 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAudio2_6.dll
[2011/04/23 00:35:04 | 000,074,072 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAPOFX1_4.dll
[2011/04/23 00:35:03 | 000,238,936 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine3_6.dll
[2011/04/23 00:35:02 | 000,022,360 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\X3DAudio1_7.dll
[2011/04/23 00:35:01 | 000,515,416 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAudio2_5.dll
[2011/04/23 00:35:00 | 000,238,936 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine3_5.dll
[2011/04/23 00:34:58 | 001,974,616 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DCompiler_42.dll
[2011/04/23 00:34:57 | 005,501,792 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dcsx_42.dll
[2011/04/23 00:34:55 | 000,235,344 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx11_42.dll
[2011/04/23 00:34:54 | 000,453,456 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx10_42.dll
[2011/04/23 00:34:53 | 001,892,184 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DX9_42.dll
[2011/04/23 00:34:52 | 001,846,632 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DCompiler_41.dll
[2011/04/23 00:34:52 | 000,453,456 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx10_41.dll
[2011/04/23 00:34:50 | 004,178,264 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DX9_41.dll
[2011/04/23 00:34:49 | 000,517,448 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAudio2_4.dll
[2011/04/23 00:34:49 | 000,069,464 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAPOFX1_3.dll
[2011/04/23 00:34:48 | 000,235,352 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine3_4.dll
[2011/04/23 00:34:47 | 000,022,360 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\X3DAudio1_6.dll
[2011/04/23 00:34:46 | 002,036,576 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DCompiler_40.dll
[2011/04/23 00:34:45 | 000,452,440 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx10_40.dll
[2011/04/23 00:34:43 | 004,379,984 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DX9_40.dll
[2011/04/23 00:34:42 | 000,514,384 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAudio2_3.dll
[2011/04/23 00:34:42 | 000,070,992 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAPOFX1_2.dll
[2011/04/23 00:34:41 | 000,235,856 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine3_3.dll
[2011/04/23 00:34:40 | 000,023,376 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\X3DAudio1_5.dll
[2011/04/23 00:34:39 | 000,509,448 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAudio2_2.dll
[2011/04/23 00:34:39 | 000,068,616 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAPOFX1_1.dll
[2011/04/23 00:34:38 | 000,238,088 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine3_2.dll
[2011/04/23 00:34:37 | 001,493,528 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DCompiler_39.dll
[2011/04/23 00:34:37 | 000,467,984 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx10_39.dll
[2011/04/23 00:34:35 | 003,851,784 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DX9_39.dll
[2011/04/23 00:34:34 | 000,507,400 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAudio2_1.dll
[2011/04/23 00:34:34 | 000,065,032 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAPOFX1_0.dll
[2011/04/23 00:34:33 | 000,238,088 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine3_1.dll
[2011/04/23 00:34:32 | 000,025,608 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\X3DAudio1_4.dll
[2011/04/23 00:34:31 | 001,491,992 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DCompiler_38.dll
[2011/04/23 00:34:31 | 000,467,984 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx10_38.dll
[2011/04/23 00:34:29 | 003,850,760 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DX9_38.dll
[2011/04/23 00:34:28 | 000,479,752 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\XAudio2_0.dll
[2011/04/23 00:34:27 | 000,238,088 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine3_0.dll
[2011/04/23 00:34:26 | 000,025,608 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\X3DAudio1_3.dll
[2011/04/23 00:34:25 | 001,420,824 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DCompiler_37.dll
[2011/04/23 00:34:25 | 000,462,864 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx10_37.dll
[2011/04/23 00:34:23 | 003,786,760 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DX9_37.dll
[2011/04/23 00:34:23 | 000,267,272 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine2_10.dll
[2011/04/23 00:34:21 | 000,444,776 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx10_36.dll
[2011/04/23 00:34:20 | 001,374,232 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DCompiler_36.dll
[2011/04/23 00:34:19 | 003,734,536 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx9_36.dll
[2011/04/23 00:34:18 | 000,267,112 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine2_9.dll
[2011/04/23 00:34:17 | 000,444,776 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx10_35.dll
[2011/04/23 00:34:16 | 001,358,192 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DCompiler_35.dll
[2011/04/23 00:34:15 | 003,727,720 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx9_35.dll
[2011/04/23 00:34:14 | 000,266,088 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine2_8.dll
[2011/04/23 00:34:14 | 000,017,928 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\X3DAudio1_2.dll
[2011/04/23 00:34:13 | 001,124,720 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DCompiler_34.dll
[2011/04/23 00:34:13 | 000,443,752 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx10_34.dll
[2011/04/23 00:34:11 | 003,497,832 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx9_34.dll
[2011/04/23 00:34:09 | 000,261,480 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine2_7.dll
[2011/04/23 00:34:08 | 001,123,696 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\D3DCompiler_33.dll
[2011/04/23 00:34:08 | 000,443,752 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx10_33.dll
[2011/04/23 00:34:06 | 003,495,784 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\d3dx9_33.dll
[2011/04/23 00:34:04 | 000,255,848 | ---- | C] (Microsoft Corporation) -- E:\WINDOWS\System32\xactengine2_6.dll
[2011/04/23 00:30:37 | 000,000,000 | ---D | C] -- E:\WINDOWS\Logs
[2011/04/21 08:21:42 | 088,715,952 | ---- | C] (NVIDIA Corporation) -- E:\Documents and Settings\Owner\My Documents\270.61-desktop-winxp-32bit-english-whql.exe
[2011/04/20 11:12:20 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\NVIDIA
[2011/04/20 11:10:08 | 000,837,224 | ---- | C] (NVIDIA Corporation) -- E:\WINDOWS\System32\nvhdagenco322040.dll
[2011/04/20 11:10:00 | 000,944,232 | ---- | C] (NVIDIA Corporation) -- E:\WINDOWS\System32\nvdispco3220140.dll
[2011/04/20 11:10:00 | 000,855,656 | ---- | C] (NVIDIA Corporation) -- E:\WINDOWS\System32\nvgenco322060.dll
[2011/04/20 11:01:45 | 000,000,000 | ---D | C] -- E:\Program Files\SystemRequirementsLab
[2011/04/19 08:27:30 | 000,000,000 | ---D | C] -- E:\WINDOWS\pss
[2011/04/18 14:10:02 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Owner\Desktop\flash screens
[2011/04/17 21:30:06 | 000,888,424 | ---- | C] (NVIDIA Corporation) -- E:\WINDOWS\System32\nvdispco32.dll
[2011/04/17 21:30:06 | 000,813,672 | ---- | C] (NVIDIA Corporation) -- E:\WINDOWS\System32\nvgenco32.dll
[2011/04/16 23:46:57 | 000,000,000 | RH-D | C] -- E:\Documents and Settings\Owner\Recent
[2011/04/14 22:27:38 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Owner\Start Menu\Programs\Radio Range v4.0
[2011/04/14 11:40:03 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Owner\Start Menu\Programs\Aerocardal
[2011/04/10 09:42:27 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Owner\Start Menu\Programs\SFS Classics Boeing 707-320A, B and C
[2011/04/07 22:15:38 | 000,580,200 | ---- | C] (NVIDIA Corporation) -- E:\WINDOWS\System32\easyUpdatusAPIU.dll
[2011/04/06 09:46:27 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Owner\Start Menu\Programs\Classic Wings Cierva C.30 For Fs9
[2011/04/05 20:00:37 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Owner\Desktop\Constellation fuel management
[2011/04/03 18:50:48 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Start Menu\Programs\CLS Piper Arrow
[2011/03/31 13:12:48 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Owner\Local Settings\Application Data\EditVoicepack
[4 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/27 14:08:38 | 000,580,608 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/04/27 14:06:14 | 000,000,250 | ---- | M] () -- E:\WINDOWS\tasks\Game_Booster_Startup.job
[2011/04/27 14:04:34 | 000,002,422 | ---- | M] () -- E:\WINDOWS\System32\wpa.dbl
[2011/04/27 14:04:27 | 000,000,448 | ---- | M] () -- E:\WINDOWS\System32\iolo.ini
[2011/04/27 14:04:11 | 000,000,882 | ---- | M] () -- E:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cc043ead487b56.job
[2011/04/27 14:04:05 | 000,002,048 | --S- | M] () -- E:\WINDOWS\bootstat.dat
[2011/04/25 11:56:26 | 000,002,473 | ---- | M] () -- E:\Documents and Settings\Owner\Desktop\Microsoft Word.lnk
[2011/04/23 15:53:30 | 000,502,350 | ---- | M] () -- E:\WINDOWS\System32\perfh009.dat
[2011/04/23 15:53:30 | 000,087,812 | ---- | M] () -- E:\WINDOWS\System32\perfc009.dat
[2011/04/22 23:09:06 | 000,000,664 | ---- | M] () -- E:\WINDOWS\System32\d3d9caps.dat
[2011/04/22 22:46:47 | 000,240,592 | ---- | M] () -- E:\WINDOWS\System32\nvdrsdb0.bin
[2011/04/22 22:46:47 | 000,000,001 | ---- | M] () -- E:\WINDOWS\System32\nvdrssel.bin
[2011/04/22 22:46:41 | 000,240,592 | ---- | M] () -- E:\WINDOWS\System32\nvdrsdb1.bin
[2011/04/21 08:21:43 | 088,715,952 | ---- | M] (NVIDIA Corporation) -- E:\Documents and Settings\Owner\My Documents\270.61-desktop-winxp-32bit-english-whql.exe
[2011/04/17 21:35:16 | 000,146,016 | ---- | M] () -- E:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/16 01:55:37 | 000,000,406 | ---- | M] () -- E:\WINDOWS\System32\ioloBootDefrag.cfg
[2011/04/08 01:14:00 | 000,944,232 | ---- | M] (NVIDIA Corporation) -- E:\WINDOWS\System32\nvdispco3220140.dll
[2011/04/08 01:14:00 | 000,855,656 | ---- | M] (NVIDIA Corporation) -- E:\WINDOWS\System32\nvgenco322060.dll
[2011/04/07 22:15:38 | 000,580,200 | ---- | M] (NVIDIA Corporation) -- E:\WINDOWS\System32\easyUpdatusAPIU.dll
[2011/04/03 18:47:31 | 001,449,790 | ---- | M] () -- E:\Documents and Settings\Owner\Desktop\CLS Piper Arrow.pdf
[4 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/27 14:04:27 | 000,000,448 | ---- | C] () -- E:\WINDOWS\System32\iolo.ini
[2011/04/26 14:20:52 | 000,000,882 | ---- | C] () -- E:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cc043ead487b56.job
[2011/04/23 16:08:55 | 000,001,818 | ---- | C] () -- E:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2011/04/23 16:08:55 | 000,000,808 | ---- | C] () -- E:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
[2011/04/23 16:08:54 | 000,001,735 | ---- | C] () -- E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2011/04/23 15:45:40 | 000,004,984 | ---- | C] () -- E:\WINDOWS\System32\drivers\nvphy.bin
[2011/04/23 15:45:39 | 000,006,045 | ---- | C] () -- E:\WINDOWS\System32\nvnrm.nvu
[2011/04/22 22:52:15 | 000,000,664 | ---- | C] () -- E:\WINDOWS\System32\d3d9caps.dat
[2011/04/17 21:30:06 | 000,003,739 | ---- | C] () -- E:\WINDOWS\System32\nvinfo.pb
[2011/04/03 18:51:15 | 001,449,790 | ---- | C] () -- E:\Documents and Settings\Owner\Desktop\CLS Piper Arrow.pdf
[2011/01/31 18:05:23 | 000,136,298 | ---- | C] () -- E:\WINDOWS\hpwins10.dat
[2011/01/31 18:03:38 | 000,010,376 | ---- | C] () -- E:\WINDOWS\hpwscr10.dat
[2011/01/31 18:03:38 | 000,001,042 | ---- | C] () -- E:\WINDOWS\hpwmdl10.dat
[2011/01/22 12:57:14 | 000,000,376 | ---- | C] () -- E:\WINDOWS\ODBC.INI
[2011/01/05 21:59:51 | 000,000,128 | ---- | C] () -- E:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2010/12/27 19:34:59 | 000,177,134 | ---- | C] () -- E:\WINDOWS\Lockheed C-130J Hercules Uninstaller.exe
[2010/11/24 00:17:18 | 000,000,552 | ---- | C] () -- E:\WINDOWS\System32\d3d8caps.dat
[2010/11/24 00:16:07 | 000,240,592 | ---- | C] () -- E:\WINDOWS\System32\nvdrsdb0.bin
[2010/11/24 00:16:05 | 000,240,592 | ---- | C] () -- E:\WINDOWS\System32\nvdrsdb1.bin
[2010/11/24 00:16:05 | 000,000,001 | ---- | C] () -- E:\WINDOWS\System32\nvdrssel.bin
[2010/11/23 11:45:11 | 000,555,624 | ---- | C] () -- E:\WINDOWS\nvShell.dll
[2010/11/13 03:50:02 | 000,000,754 | ---- | C] () -- E:\WINDOWS\WORDPAD.INI
[2010/11/05 22:45:41 | 000,003,584 | ---- | C] () -- E:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/30 10:27:25 | 000,000,145 | ---- | C] () -- E:\WINDOWS\System32\EBPPORT3.DAT
[2010/10/23 14:33:48 | 000,000,061 | -HS- | C] () -- E:\WINDOWS\cnerolf.dat
[2010/10/22 20:23:07 | 000,000,000 | ---- | C] () -- E:\WINDOWS\CoPilot.INI
[2010/10/15 16:55:16 | 000,000,000 | ---- | C] () -- E:\WINDOWS\nsreg.dat
[2010/10/15 16:07:29 | 000,007,168 | ---- | C] () -- E:\WINDOWS\System32\drivers\StarOpen.sys
[2010/10/15 16:03:27 | 000,165,376 | ---- | C] () -- E:\WINDOWS\System32\unrar.dll
[2010/10/15 16:03:27 | 000,000,038 | ---- | C] () -- E:\WINDOWS\avisplitter.ini
[2010/10/15 16:03:26 | 000,790,528 | ---- | C] () -- E:\WINDOWS\System32\xvidcore.dll
[2010/10/15 16:03:25 | 000,134,144 | ---- | C] () -- E:\WINDOWS\System32\xvidvfw.dll
[2010/10/15 16:03:25 | 000,108,032 | ---- | C] () -- E:\WINDOWS\System32\ff_vfw.dll
[2006/07/31 01:59:36 | 000,000,338 | ---- | C] () -- E:\WINDOWS\scrub2k.ini
[2006/07/31 01:59:34 | 000,065,536 | ---- | C] () -- E:\WINDOWS\scrub2k.exe
[2004/01/03 23:35:30 | 002,293,194 | ---- | C] () -- E:\WINDOWS\System32\nvdata.bin
[2004/01/03 21:01:39 | 000,147,456 | ---- | C] () -- E:\WINDOWS\System32\RtlCPAPI.dll
[2004/01/03 21:01:39 | 000,049,152 | ---- | C] () -- E:\WINDOWS\System32\ChCfg.exe
[2004/01/03 03:20:40 | 000,002,048 | --S- | C] () -- E:\WINDOWS\bootstat.dat
[2004/01/03 03:15:32 | 000,021,640 | ---- | C] () -- E:\WINDOWS\System32\emptyregdb.dat
[2004/01/02 22:10:24 | 000,004,161 | ---- | C] () -- E:\WINDOWS\ODBCINST.INI
[2004/01/02 22:07:59 | 000,146,016 | ---- | C] () -- E:\WINDOWS\System32\FNTCACHE.DAT
[2004/01/01 00:06:31 | 000,074,703 | ---- | C] () -- E:\WINDOWS\System32\mfc45.dll
[2002/12/31 08:00:00 | 013,107,200 | ---- | C] () -- E:\WINDOWS\System32\oembios.bin
[2002/12/31 08:00:00 | 000,673,088 | ---- | C] () -- E:\WINDOWS\System32\mlang.dat
[2002/12/31 08:00:00 | 000,502,350 | ---- | C] () -- E:\WINDOWS\System32\perfh009.dat
[2002/12/31 08:00:00 | 000,272,128 | ---- | C] () -- E:\WINDOWS\System32\perfi009.dat
[2002/12/31 08:00:00 | 000,218,003 | ---- | C] () -- E:\WINDOWS\System32\dssec.dat
[2002/12/31 08:00:00 | 000,087,812 | ---- | C] () -- E:\WINDOWS\System32\perfc009.dat
[2002/12/31 08:00:00 | 000,046,258 | ---- | C] () -- E:\WINDOWS\System32\mib.bin
[2002/12/31 08:00:00 | 000,028,626 | ---- | C] () -- E:\WINDOWS\System32\perfd009.dat
[2002/12/31 08:00:00 | 000,004,569 | ---- | C] () -- E:\WINDOWS\System32\secupd.dat
[2002/12/31 08:00:00 | 000,004,461 | ---- | C] () -- E:\WINDOWS\System32\oembios.dat
[2002/12/31 08:00:00 | 000,001,804 | ---- | C] () -- E:\WINDOWS\System32\Dcache.bin
[2002/12/31 08:00:00 | 000,000,741 | ---- | C] () -- E:\WINDOWS\System32\noise.dat

< End of report >
SSI01
Regular Member
 
Posts: 20
Joined: April 24th, 2011, 9:36 pm

Re: Virus I got from web

Unread postby SSI01 » April 27th, 2011, 2:47 pm

Here are the results of the OTL Extras scan:

OTL Extras logfile created on: 4/27/2011 2:10:00 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = E:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): E:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 1863.01 Gb Total Space | 1532.81 Gb Free Space | 82.28% Space Free | Partition Type: NTFS
Drive E: | 298.08 Gb Total Space | 275.32 Gb Free Space | 92.36% Space Free | Partition Type: NTFS

Computer Name: OWNER-COMPUTER | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1060284298-1604221776-1801674531-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "E:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "E:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\Program Files\iolo\System Mechanic Professional\SysMech.exe" = E:\Program Files\iolo\System Mechanic Professional\SysMech.exe:*:Enabled:iolo System Shield® -- (iolo technologies, LLC)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00020409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Standard
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = MSN Toolbar
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0963A62D-9D44-4298-A485-D94BFA4AEC0F}" = SE161 Languedoc for FS2004
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D005F09-A5F4-473B-A901-5735C6AF5628}" = Silent Hunter 4 Wolves of the Pacific
"{0FE99481-4EF0-4EE3-AB82-FEEA47C9324F}" = Vickers Viking for FS2004
"{11655C91-EF58-4aab-BF09-E8F205324FBF}" = BPDSoftware
"{11A8A988-19DD-4878-B146-D0E50C5838D5}" = FS2004 Night Time
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{1EC65D1D-3911-4F7D-8B6A-63C69EDBFC6E}" = EditVoicepack
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2016C182-43CC-4C7E-B99D-9CE36D485843}" = Short Empire for FS2004
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 22
"{30DBAD4A-BA6D-4F9D-8AB0-2F6C7B0612A4}" = AVSDK5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3922A9D2-B25C-4A37-B5E8-09260F5ABA23}" = Douglas DC-4 and C-54 3.0 for FS2004
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3C43EAE7-22C0-4b33-ABFB-3757ECA5FD7B}" = HP Officejet All-In-One Series
"{40724630-C95F-449d-B71D-777CFDE9EA21}" = J5700
"{40BA976E-38B8-4C63-990C-50999C8C3521}" = BPD_Scan
"{41A96655-19FB-473c-AAB7-429E372527C8}" = ProductContext
"{4640FDE1-B83A-4376-84ED-86F86BEE2D41}" = Driver Detective
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CF3CCC5-B416-45B1-8F42-370BAFA884DE}" = Handley Page Hermes for FS2004
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{541B7911-4138-4E4F-944C-2E1D9D6F73FB}" = DH106 Comet 1 and 2 for FS2004
"{578596FF-7F65-4767-9F90-37920741148C}" = MSN Toolbar Platform
"{5D0F0C1F-46B0-4AA2-B8DC-02E5FE777C19}" = 5700_Help
"{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager
"{650D4D47-DE2B-4823-9AE6-679D1F0F011D}" = Vickers Viscount for FS2004
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"{7A7DC702-DEDE-42A8-8722-B3BA724D546F}" = Fax
"{7BD976B9-53AB-4B03-ADB7-DE8EE07A5427}" = Virtavia F-106 Delta Dart FS9
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{84BA2683-3ED5-4795-866F-E2520F2E0B82}" = Canadair Agonaut 3.0 for FS2004
"{8686235E-CA06-46F2-BF8F-5D50BF9C134E}" = Virtavia Gloster Javelin FS9
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{8FEA05B1-2BA1-4C50-9870-E6523794DD88}" = Ilyushin IL-14 for FS2004
"{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}" = MarketResearch
"{978C25EE-5777-46e4-8988-732C297CBDBD}" = Status
"{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}" = Destinations
"{A2CC286B-BFE9-4D1F-9EDA-AA3E8289CA12}" = BPDSoftware_Ini
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A979B2D8-E3EE-4523-A26C-4AF0A6809280}" = Sniper Elite
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.10.0514
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX
"{BBD3F66B-1180-4785-B679-3F91572CD3B4}_is1" = iolo technologies' System Mechanic Professional
"{BD01BF5C-11C1-4470-AE97-BEB1A8AD666D}" = Canadair C-4 Argonaut for FS2004
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{BEFBEDDF-1417-4C8A-92FB-F003C0D41199}" = OpenOffice.org 3.2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41B33BC-90BB-4C11-B9E1-4E8B01A2E3E6}" = Short Solent for FS2004
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E149E957-F289-45E3-8645-1794A173F5AB}" = Pacific Fighters
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}" = HPSSupply
"{ECAD4F6A-0BF3-4028-9C81-E5D9F9606CBA}" = BPDSoftware
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F8A3C1B6-D2E0-4CE1-80A2-555D6F71C639}" = Microsoft Search Enhancement Pack
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FB4F9000-04FC-11E0-85D2-001AA037B01E}" = Google Earth Plug-in
"{FF075778-6E50-47ed-991D-3B07FD4E3250}" = TrayApp
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner
"DriverSmith_is1" = DriverSmith
"EAA - F1 - Spirit" = Flight One Software Spirit of St. Louis
"Game Booster_is1" = Game Booster
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPExtendedCapabilities" = HP Customer Participation Program 8.0
"HPOCR" = HP OCR Software 8.0
"ie8" = Windows Internet Explorer 8
"InstallShield_{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"InstallShield_{E149E957-F289-45E3-8645-1794A173F5AB}" = Pacific Fighters
"KLiteCodecPack_is1" = K-Lite Codec Pack 6.4.0 (Full)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"PROSet" = Intel(R) Network Connections Drivers
"Search Toolbar" = Search Toolbar
"ST6UNST #1" = FSACC
"SystemRequirementsLab" = System Requirements Lab
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1060284298-1604221776-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BVAir B747-400 FS9" = BVAir B747-400 FS9
"Classic Wings Cierva C.30 For Fs9" = Classic Wings Cierva C.30 For Fs9
"Classic Wings Junkers K-47 & A-48 For Fs9" = Classic Wings Junkers K-47 & A-48 For Fs9
"DC3_RR41P" = DC3_RR41P
"FS9 Sproat Lake Mars Water Bomber Base" = FS9 Sproat Lake Mars Water Bomber Base
"Golden Age Simulations Taylor J-2 Cub for FS9" = Golden Age Simulations Taylor J-2 Cub for FS9
"Mystere IVA" = Mystere IVA
"Piper PA18 Cubdrivers Supercub" = Piper PA18 Cubdrivers Supercub
"Rarewings General Aviation GA-43 for FS9" = Rarewings General Aviation GA-43 for FS9
"Rarewings General Aviation Ga-43j for FS9" = Rarewings General Aviation Ga-43j for FS9
"Rarewings.com Miller Hm-4 Aeroval for FS9" = Rarewings.com Miller Hm-4 Aeroval for FS9
"The Horten HO 18 C "Amerika-Bomber"" = The Horten HO 18 C "Amerika-Bomber"

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/23/2011 3:53:27 PM | Computer Name = OWNER-COMPUTER | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 5614, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 4/23/2011 3:53:27 PM | Computer Name = OWNER-COMPUTER | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 4/23/2011 3:53:30 PM | Computer Name = OWNER-COMPUTER | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 5614, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 4/23/2011 5:33:36 PM | Computer Name = OWNER-COMPUTER | Source = Application Hang | ID = 1002
Description = Hanging application fs9.exe, version 9.1.0.40901, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/23/2011 8:04:16 PM | Computer Name = OWNER-COMPUTER | Source = Application Hang | ID = 1002
Description = Hanging application fs9.exe, version 9.1.0.40901, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/23/2011 10:03:41 PM | Computer Name = OWNER-COMPUTER | Source = Application Hang | ID = 1002
Description = Hanging application fs9.exe, version 9.1.0.40901, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/23/2011 10:45:26 PM | Computer Name = OWNER-COMPUTER | Source = Application Hang | ID = 1002
Description = Hanging application fs9.exe, version 9.1.0.40901, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/23/2011 11:30:59 PM | Computer Name = OWNER-COMPUTER | Source = Application Hang | ID = 1002
Description = Hanging application fs9.exe, version 9.1.0.40901, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/25/2011 8:07:10 AM | Computer Name = OWNER-COMPUTER | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/25/2011 8:07:33 AM | Computer Name = OWNER-COMPUTER | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

[ iolo Applications Events ]
Error - 12/21/2010 11:47:12 PM | Computer Name = OWNER-COMPUTER | Source = System Shield | ID = 11
Description =

[ System Events ]
Error - 4/17/2011 4:52:21 PM | Computer Name = OWNER-COMPUTER | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the CarboniteService service,
but this action failed with the following error: %%1056

Error - 4/20/2011 3:37:38 PM | Computer Name = OWNER-COMPUTER | Source = Service Control Manager | ID = 7031
Description = The CarboniteService service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 4/20/2011 3:38:37 PM | Computer Name = OWNER-COMPUTER | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the CarboniteService service,
but this action failed with the following error: %%1056

Error - 4/21/2011 5:01:01 AM | Computer Name = OWNER-COMPUTER | Source = VolSnap | ID = 393241
Description = The shadow copy of volume C: was aborted because the diff area file
could not grow in time. Consider reducing the IO load on this system to avoid this
problem in the future.

Error - 4/21/2011 5:01:36 AM | Computer Name = OWNER-COMPUTER | Source = Service Control Manager | ID = 7031
Description = The CarboniteService service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 4/21/2011 5:02:28 AM | Computer Name = OWNER-COMPUTER | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the CarboniteService service,
but this action failed with the following error: %%1056

Error - 4/21/2011 7:06:13 AM | Computer Name = OWNER-COMPUTER | Source = VolSnap | ID = 393228
Description = The shadow copy of volume C: became low on diff area space before
it was properly installed.

Error - 4/21/2011 7:08:42 AM | Computer Name = OWNER-COMPUTER | Source = VolSnap | ID = 393241
Description = The shadow copy of volume C: was aborted because the diff area file
could not grow in time. Consider reducing the IO load on this system to avoid this
problem in the future.

Error - 4/24/2011 1:37:20 PM | Computer Name = OWNER-COMPUTER | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 4/27/2011 12:20:16 AM | Computer Name = OWNER-COMPUTER | Source = VolSnap | ID = 393236
Description = The shadow copy of volume C: was aborted because of a failed free
space computation.


< End of report >
SSI01
Regular Member
 
Posts: 20
Joined: April 24th, 2011, 9:36 pm

Re: Virus I got from web

Unread postby SSI01 » April 27th, 2011, 2:54 pm

After I aborted the RKU scan, I got info on drivers in E drive. The "Save Report" option is greyed-out.

I tried running FS 2004 and noted the same thing happening (i.e., sim getting slower and slower until it finally greys the aircraft out and locks the screen).
SSI01
Regular Member
 
Posts: 20
Joined: April 24th, 2011, 9:36 pm

Re: Virus I got from web

Unread postby Carolyn » April 29th, 2011, 8:28 am

Hello,

Dakeyras has been unable to reply and asked that I forward his apology to you for the delay.

My name is Carolyn, and if it is okay with you, I will take over where Dakeyras left off.


GMER

Please download GMER Rootkit Scanner from Here.
  1. Boot to Safe Mode
    • Restart your computer
    • During startup, but before the Windows logo appears, tap the F5/F8 key continually or hold down the Shift key;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • When asked to proceed to safe mode, click Yes.
  2. Double click the .exe file. If asked to allow .sys driver to load, please consent.
  3. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  4. In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All << (don't miss this one)
    See image below, Click the image to enlarge it
    Image

  5. Then click the Scan button & wait for it to finish
  6. Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  7. Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.

If GMER crashes, then restart your computer in Safe Mode and try again, this time also uncheck Devices.

When done, reboot to Normal Mode and post the log for my review.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Virus I got from web

Unread postby SSI01 » April 29th, 2011, 11:36 am

Hello Carolyn, and welcome to the Quest.

I downloaded GMER as directed and started the scan as directed as well. It ran for a while and I then got a blue screen. It flashed only momentarily but I managed to read "A Problem has occurred and." I also for the first four letter "IRQT_" before the screen went away. The error report box generated by this event bore the following information:

Error Signature
BCCode: 1000000a BCP1: 89E77AEC BCP2: 00000002
BCP3: 00000000 BCP4: 806F4413 OSVers: 5_1_2600
SP: 3_0 Product: 256_1

The files to be included in the error report were:

E:\DOCUME~1\Owner\Locals~1\Temp\WER9aea.dir00\Mini042911-01dmp
E:\DOCUME~1\Owner\Locals~1\Temp\WER9aea.dir00\sysdata.xml

I then reread the instructions and unchecked the "devices" box in GMER, thinking it may have been the cause of the above. When I ran the GMER scan again, the scan again died abruptly and I got another blue screen, this one saying something about "not_less_or_equal_to" before it disappeared.

This time the error report box had a slightly different msg:

BCCode: 10000001 BCP1: DA1F0038 BCP2: 00000002
BCP3: 00000000 BCP4: F745ED8F OSVers: 5_1_2600 SP: 3_0
Product: 256_1

The error report was also slight different:
E:\Docume~1\Owner\Locals~1\Temp\WER456d.dir00\Mini042911-02.dmp
E:\Docume~1\Owner\Locals~1\Temp\WER456d.dir00\sysdata.xml

I was hoping to be sending you a little more hopeful msg but it looks like that's temporarily not going to happen.

Ready for the next try.
SSI01
Regular Member
 
Posts: 20
Joined: April 24th, 2011, 9:36 pm

Re: Virus I got from web

Unread postby Carolyn » April 30th, 2011, 8:11 am

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).

* Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
* Click on the Options block on the left. Select Advanced.
Uncheck Only delete files in Windows Temp folders older than 48 hours.
* Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
* Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.

==============================================

Malwarebytes Anti-Malware:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and select then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

==============================================

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

==============================================

Please post the following in your next reply:
  • The Malwarebytes' log
  • The Eset log
  • A description of how your computer is behaving
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Virus I got from web

Unread postby SSI01 » April 30th, 2011, 7:22 pm

Everything downloaded as directed and all scans run. Here are the results.

MALWAREBYTES:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6478

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/30/2011 11:01:09 AM
mbam-log-2011-04-30 (11-01-09).txt

Scan type: Quick scan
Objects scanned: 165399
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=5b097eda6ec9164cb1862249405309a2
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-04-30 11:08:30
# local_time=2011-04-30 07:08:30 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 16928216 16928216 0 0
# compatibility_mode=7425 16777189 50 92 0 94822747 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=1327652
# found=6
# cleaned=0
# scan_time=17039
E:\Documents and Settings\All Users\Application Data\iolo\System Shield\Quarantined\A0002188.EXE.INFECTED Win32/PSWTool.RAS.A application (unable to clean) 00000000000000000000000000000000 I
E:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\15\4995624f-1d60a720 a variant of Java/TrojanDownloader.OpenStream.NBF trojan (unable to clean) 00000000000000000000000000000000 I
E:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\6\4374c006-186c0599 Java/TrojanDownloader.OpenStream.AF trojan (unable to clean) 00000000000000000000000000000000 I
E:\Documents and Settings\Owner\Desktop\COMPUTER MAINTENANCE & UPKEEP\Lagrange5.exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
E:\Documents and Settings\Owner\Desktop\COMPUTER MAINTENANCE & UPKEEP\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
E:\Program Files\Search Toolbar\SearchToolbar.dll Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I


The infection had sent emails to everyone in my address book and sent the virus as an attachment. I've sent no emails since this was reported to me.

The flight sim opens as usual, and the aircraft texture goes to grey after engines are started; however, now I can get the aircraft to taxi and even fly (albeit with a plain grey texture) whereas before the sim always locked up when starting to taxi. Maybe we are on to something, not sure.
SSI01
Regular Member
 
Posts: 20
Joined: April 24th, 2011, 9:36 pm

Re: Virus I got from web

Unread postby SSI01 » April 30th, 2011, 10:12 pm

I have some good news to report for a change. I performed a test flight after the above post and was able to start the engines in the aircraft, taxi and take off normally. All scenery is good, and the aircraft textures remain on the aircraft. I was able to almost complete a 2.6 hr flight when, upon descending for landing, the aircraft greyed up again and the scenery locked. I suspect we may almost have this thing licked.
SSI01
Regular Member
 
Posts: 20
Joined: April 24th, 2011, 9:36 pm

Re: Virus I got from web

Unread postby SSI01 » May 1st, 2011, 8:31 pm

I forgot to include in the above that I still have to shut down FS2004 using ctrl-alt-del. The error report subsequently generated still says "hungapp."
SSI01
Regular Member
 
Posts: 20
Joined: April 24th, 2011, 9:36 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 125 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware