Click on the Start orb, then type DDS.txt
If the file shows up in the list above the orb, click on it once and it should open. Copy and paste the contents of the file here.
Repeat that process for Attach.txt and CBS.log
DDS.txt -
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_25
Run by Customer at 14:28:37 on 2011-05-22
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [4StoryPrePatch] c:\program files\zemi interactive\4story_us\PrePatch.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\customer\appdata\roaming\mozilla\firefox\profiles\ng4xgien.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npEModelPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-05-22 18:19:49 -------- d-----w- c:\users\customer\appdata\roaming\Malwarebytes
2011-05-22 18:19:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-22 18:19:33 -------- d-----w- c:\programdata\Malwarebytes
2011-05-22 18:19:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-22 18:19:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-22 17:26:41 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{feab5dac-dfdb-4afe-a99e-7702c25fdf2f}\MpKsl3da09f50.sys
2011-05-22 14:21:23 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-05-22 14:21:04 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{feab5dac-dfdb-4afe-a99e-7702c25fdf2f}\mpengine.dll
2011-05-21 17:49:47 -------- d-----w- c:\users\customer\appdata\local\ElevatedDiagnostics
2011-05-21 17:36:14 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-21 17:35:15 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{0ff4edf3-1747-4423-a6cc-8a639e1a0f93}\gapaengine.dll
2011-05-21 17:19:28 -------- d-----w- c:\program files\Microsoft Security Client
2011-05-21 17:18:54 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2011-05-21 01:18:31 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f2976ccc-05cf-461f-9443-ada85ff3da60}\mpengine.dll
2011-05-19 03:50:39 -------- d-----w- c:\users\customer\Samples
2011-05-17 22:32:21 -------- d-----w- c:\program files\VST DRUM PACKS
2011-05-17 19:23:15 -------- d-----w- c:\users\customer\appdata\local\Downloaded Installations
2011-05-16 02:08:40 -------- d-----w- c:\users\customer\appdata\local\PackageAware
2011-05-16 02:02:23 -------- d-----w- c:\programdata\Premium
2011-05-16 02:02:23 -------- d-----w- c:\programdata\InstallMate
2011-05-16 01:04:22 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-05-16 00:59:54 -------- d-----w- c:\windows\system32\appmgmt
2011-05-16 00:52:28 -------- d-----w- c:\users\customer\appdata\roaming\Randy Brown
2011-05-15 18:51:56 -------- d-----w- c:\program files\ME25_Win7_32
2011-05-15 00:57:01 -------- d-----w- c:\users\customer\appdata\roaming\PACE Anti-Piracy
2011-05-15 00:57:01 -------- d-----w- c:\users\customer\appdata\local\PACE Anti-Piracy
2011-05-15 00:54:09 -------- d-----w- c:\programdata\Line 6
2011-05-14 23:57:41 -------- d-----w- c:\program files\common files\DigiDesign
2011-05-14 03:11:35 -------- d-----w- c:\users\customer\appdata\local\Adobe
2011-05-11 19:56:46 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-05-11 19:56:46 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-05-11 19:56:45 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-05-11 19:56:45 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-05-11 19:56:44 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-05-11 19:56:44 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-05-11 19:56:44 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-05-11 19:56:33 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 19:56:32 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-08 13:30:25 -------- d-----w- c:\program files\REAPER
2011-05-07 18:26:00 -------- d-----w- c:\users\customer\appdata\roaming\REAPER
2011-04-23 21:13:45 159080 ----a-w- c:\programdata\microsoft\windows\sqm\manifest\Sqm10138.bin
.
==================== Find3M ====================
.
2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 11:59:44 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-04-14 09:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-12 11:31:58 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-11 05:44:09 146304 ----a-w- c:\windows\system32\drivers\storport.sys
2011-03-11 05:44:01 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-03-11 05:44:01 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-03-11 05:44:01 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-03-11 05:43:55 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-03-11 05:43:46 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-03-11 05:43:46 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 05:39:35 1686016 ----a-w- c:\windows\system32\esent.dll
2011-03-11 05:37:34 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 05:29:23 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:27:30 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:31:32 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-02-27 17:26:00 4010312 ----a-w- c:\windows\system32\GameMon.des
2011-02-26 05:33:07 2614784 ----a-w- c:\windows\explorer.exe
2011-02-24 05:32:52 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-24 05:32:44 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-24 05:30:16 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-24 04:23:48 386048 ----a-w- c:\windows\system32\html.iec
2011-02-24 03:50:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-23 05:06:11 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-23 05:05:57 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-23 05:05:48 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-02-23 05:05:41 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-23 05:05:35 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-23 05:05:31 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-23 05:05:25 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
.
============= FINISH: 14:31:42.60 ===============
and here is attach -
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
µTorrent
Adobe Reader X (10.0.1)
Antares Autotune Evo VST RTAS v6.0.9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.3.12 (Unicode)
avast! Free Antivirus
Bonjour
EpicBot
GIMP 2.6.11
Google Chrome
Google Update Helper
Intel(R) Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java DB 10.6.2.1
Java(TM) 6 Update 25
Java(TM) SE Development Kit 6 Update 24
LAME v3.98.3 for Audacity
LogMeIn Hamachi
Malwarebytes' Anti-Malware
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 4.0.1 (x86 en-US)
MSVCRT
QuickTime
REAPER
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Skype Toolbars
Skype 5.1
SolidWorks eDrawings 2011
TuxGuitar
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
VST Bridge 1.1
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Movie Maker 2.6
WinRAR 4.00 (32-bit)
.
==== End Of File ===========================
it never came up with one =[
I found it, but when I tried to open it it said "access denied"
Before we continue: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
In light of this it would be wise for you to back up any files and folders that you don't want to lose now.
==============================================
Multiple Anti-virus Programs
You are operating your computer with multiple Anti-virus programs installed:
Avast!
Microsoft Security Essentials
Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. Please remove one of them NOW.
==============================================
Defogger
CD Emulator Software (Daemon Tools, Alcohol, etc) use drivers that can interfere with rootkit scans, so we'll temporarily disable them.
Disable Drivers
Please download DeFogger... by jpshortstuff. Save it to your desktop.
- Double click DeFogger.exe to run the tool. The application window will appear.
- Click the Disable button to disable your CD Emulation drivers.
- Click Yes to continue. A 'Finished!' message will appear. Click OK.
- Click OK when DeFogger asks to reboot the machine.
Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
==============================================
GMER
Please download GMER Rootkit Scanner from Here.
**Caution**
- Right-click the .exe file and select "Run as Administrator". If asked to allow the .sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All << (don't miss this one)
See the image below; click the image to enlarge it.
- Then click the Scan button & wait for it to finish
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
- Save it where you can easily find it, such as your desktop, and post it in your next reply
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Note: Do not run any programs while Gmer is running.
If GMER crashes, then restart your computer and try again, this time also uncheck Devices. You can also try the scan in safe mode if necessary. You might want to save these instructions with notepad or print them because there's no internet in safe mode:
- Restart your computer
- During startup, but before the Windows logo appears, tap the F5/F8 key continually or hold down the Shift key;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- When asked to proceed to safe mode, click Yes.
- Make sure Trend Micro Antivirus is disabled, then follow the GMER instructions.
- When finished reboot the computer.
==============================================
Please post the contents of GMER.txt
This is what I get when I click the windows update thing.