| 1. |
Solve : Weird virus issue-I think I'm infected!!? |
|
Answer» Ok. Let's try to get it running this way.

Edit/Update: Oh yeah, nice job back there, OTL froze solid, i.e. would not run, task manager got royally screwed and Explorer got dumped solid. Fortunately restarting resulted in a blue screen of death, though it froze and got stuck on the desktop before displaying it, it seems; a hard ACPI reboot purged these issues quickly...

Pentium D 2.52Ghz processor, 4 GB RAM
Windows 7 x64 bit Ultimate

I don't know if there's another virus or something on my PC doing this or Combofix truly is Rogue and nobody has yet found this out yet. I have just run combofix and now that I've installed Photoshop Pro on my PC now, now IT'S corrupted, and gives the same error message when trying to run. Seriously WT*?

Double edit: And now apparently opening any window or link in Explorer opens double... Interesting.

Superdave: I had to restart, apparently, so where would the combofix log be stored at? I checked the temp folder to no avail.

I need to see the ComboFix log.

Unfortunately Superdave, I was unable to get the Combofix log because Windows failed to boot recently... Yes, I know, I should've been trying to re-run the scan when I had the time, but my harddrive has been giving me weird clicks and whirs, and attempting to boot Windows 7 today...failed... It got stuck on the loading screen: 'Starting Windows'. But no animation, it just got stuck like that... Data is still accessible and readable, though who knows for how long... I'm not sure, it also could be a rootkit attempting to run on my system at boot... how would I tell? Please help me, Avast only does scans to 32 bit OSes, so x64 bit I do not think is a possibility yet, and with my luck the rootkit already executed. Plus I feel I cannot trust Combofix to run on Windows 7... god forbid it does something to my paid, and loved program Photoshop, I won't be getting a refund, my PC will, except where it'll go is in the parking lot.
I'm not trying to be paranoid or something of this program, but I just cannot trust it because it was the last program I ran before noticing problems... Or.... Maybe Paint.NET is the virus...-D

Quote
4. Please DO NOT run any other tools or scans while I am helping you.
Here are two things I quoted you in my original reply. Yet, you went ahead and installed PhotoShop Pro.

To Run the SFC /SCANNOW Command in Windows 7
1. Open an elevated command prompt.
2. To Scan and Repair System Files
NOTE: Scans the integrity of all protected system files and repairs the system files if needed.
A) In the elevated command prompt, type sfc /scannow and press Enter. (see screenshot below)
NOTE: This may take some time to finish.
B) Go to step 4.
3. To Only Verify if the System Files are Corrupted
NOTE: Scans and only verifies the integrity of all protected system files only.
A) In the elevated command prompt, type sfc /verifyonly and press Enter.
4. When the scan is complete, hopefully you will see all is ok like the screenshot below.
NOTE: If not, then you can attempt to run a System Restore using a restore point dated before the bad file occurred to fix it. You may need to repeat doing a System Restore until you find an older restore point that may work.
5. When done, close the elevated command prompt.

The ComboFix log should be here: C:\Combo-Fix folder

Quote from: SuperDave on February 03, 2011, 12:46:10 PM
Here are two things I quoted you in my original reply. Yet, you went ahead and installed PhotoShop Pro.
This was on Windows Xp, my other harddrive, seen as C: whilst my windows 7 drive remains untouched. Anyways, the Combofix folder apparently just links to the "My Computer" folder... Also, just wanted to add this: If I cannot boot from Windows 7, how would I run SFC on it? SFC from Xp on a 7 system will just heavily damage and may corrupt the OS, so I suppose you mean the Windows 7 repair disk correct? Ok.
Will attempt to retrieve the combofix log from the drive anyways...

You did not do as I asked in Reply # 3 for the HJT fix. Please do it now and post the new log. Also, you did not do as I asked in Reply # 9 for the OTL fix. Unless you do as I ask, I will discontinue my help.

Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 8:46:13 PM, on 1/22/2011

I finished the OTL fix, it rebooted my PC... Though the desktop was unresponsive for what appeared to be a minute or two, I hit Ctrl+Alt+Delete and got task manager up, Runonce.exe was running and it might have been the OTL still running, so I ignored that, didn't seem too suspicious. I ran the OTL fix, all there is to it. If I'm correct, this is the OTL log file I found generated today:

No, you did not follow the directions for HJT. I want you to fix the items listed.

Quote from: SuperDave on February 04, 2011, 04:52:01 PM
No, you did not follow the directions for HJT. I want you to fix the items listed.
Yes, but they don't show up in the list to fix...
*** EDIT: Nvm, I just didn't update the log...
sorry, my mistake

Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 9:15:47 PM, on 2/4/2011

Anything else I need to do? And for some reason, not sure if I mentioned this or not, but running a search on Windows start menu and clicking 'see more results' brings up an explorer window that should automatically search, but promptly disappears. An attempt to try again does nothing... What now?

Alright I've run SFC and now I'm officially stumped. What the

Thread closed and your warning level is being increased to moderated posts. |
|