PDA

View Full Version : My Computer is going nuts please help



Neon3001
2012-08-06, 07:48
Hi,

I am usually very careful about malware etc but I think I have something on the system. When it boots, it halts for 5 to 10 mins at the desktop wallpaper before loading the desktop, also every program takes a long time to load and the whole compute is generally running quite slow.

System Specs:

AMD Athlon dual core 3ghz 4G ram (Windows XP uses only 2)
Nvidia 9600 GT vid card with 2g vram, and 300gb hdd and 500gb
usb hdd. System is running Windows XP SP3. In the last 6 weeks
I have reformatted and rebuilt 3 times, once because of a malware
problem. The current problem started about 3 weeks ago. Today
the system got caught in a loop in task manager, loading Update.exe
and GSV.exe then unloading them and repeating until I rebooted.

Spybot and Antivirus (Zone Alarm free) find no issues, I see nothing in HiJackthis or Cleaner.

I have run ERUNT and backed up the registry.

I ran aswMBR full scan overnight and when I came back next day the screen
was black, the mouse was active so I was not able to get the aswMBR
logs. I have now done a quick scan (as suggested in "Before you post...")
aswMBR log is under the DDS log.

I'll now run Spybot n disable TeaTimer after updating, n will check in here every day until the problem is resolved.

Thankyou for this service, I'm sure everyone appreciates the help.

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 10.6.2
Run by Neon at 13:32:46 on 2012-08-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2265 [GMT 9.5:30]
.
AV: ZoneAlarm Antivirus *Enabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\GIGABYTE\ET6\GUI.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN27867823447900-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=ac138ca9000000000000001fd0286b8b
mSearchAssistant = ${SEARCH_URL_IE7}
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Zonealarm Helper Object: {2a841f7a-a014-4da5-b6d9-8b913dfb7a8c} - c:\program files\check point software technologies ltd\zonealarm\1.5.24.4\bh\zonealarm.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Security Toolbar: {438fae3e-bdef-44d3-ab8b-0c7c8350df59} - c:\program files\check point software technologies ltd\zonealarm\1.5.24.4\zonealarmTlbr.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST] m‘|\ü
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
mRun: [ZoneAlarm] c:\program files\checkpoint\zonealarm\zatray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
StartupFolder: c:\docume~1\neon\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341765315843
TCP: DhcpNameServer = 10.1.1.1
TCP: Interfaces\{35FCFEF3-5FF7-4D61-B321-5017B008FD19} : DhcpNameServer = 10.1.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
LSA: Notification Packages = scecli scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\neon\application data\mozilla\firefox\profiles\055x4kf3.default\
FF - prefs.js: browser.search.selectedEngine - Search By ZoneAlarm
FF - prefs.js: browser.startup.homepage - hxxp://apod.nasa.gov/apod/astropix.html
FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN27867823447900-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=ac138ca9000000000000001fd0286b8b&q={searchTerms}
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN27867823447900-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=ac138ca9000000000000001fd0286b8b
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN27867823447900-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=ac138ca9000000000000001fd0286b8b&q={searchTerms}
FF - user.js: extensions.zonealarm_i.dnsErr - true
FF - user.js: extensions.zonealarm_i.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?Source=Newtab&oemCode=ZLN27867823447900-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=ac138ca9000000000000001fd0286b8b
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN27867823447900-1001&toolbarId=base&affiliateId=1001&Lan={dfltLng}&utid=ac138ca9000000000000001fd0286b8b&q=
FF - user.js: extensions.zonealarm.id - ac138ca9000000000000001fd0286b8b
FF - user.js: extensions.zonealarm.instlDay - 15533
FF - user.js: extensions.zonealarm.vrsn - 1.5.24.4
FF - user.js: extensions.zonealarm.vrsni - 1.5.24.4
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.5.24.418:43:42
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1001
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base
FF - user.js: extensions.zonealarm.instlRef - ZLN27867823447900-1001
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2012-7-12 133208]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2012-7-12 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2012-7-12 485808]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2012-6-21 526640]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-5-1 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-5-1 497280]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-7-9 1262400]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 AODDriver;AODDriver;c:\program files\gigabyte\et6\i386\AODDriver.sys [2009-2-23 7168]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2012-7-8 24944]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-7-27 116648]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-3 160944]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-7-27 116648]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-08-06 03:46:09 -------- d-----w- c:\documents and settings\neon\local settings\application data\PCHealth
2012-08-06 03:25:06 -------- d-----w- C:\3cd1c5311552eb3b9d14456440
2012-08-06 03:23:50 221184 ----a-w- c:\windows\system32\wmpns.dll
2012-08-06 02:47:14 -------- d-----w- c:\windows\system32\LogFiles
2012-08-05 11:16:11 -------- d-----w- C:\637570fee2d8f02a61c8d107
2012-08-05 01:24:41 -------- d-----w- c:\documents and settings\neon\application data\PriceGong
2012-08-05 01:24:26 -------- d-----w- c:\documents and settings\neon\application data\Check Point Software Technologies LTD
2012-08-04 19:03:45 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-08-04 19:03:18 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2012-08-04 19:02:55 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-08-04 19:01:53 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-08-04 18:49:32 536576 -c----w- c:\windows\system32\dllcache\msado15.dll
2012-08-04 18:48:50 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2012-08-04 18:41:44 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2012-08-04 18:37:23 852480 -c----w- c:\windows\system32\dllcache\vgx.dll
2012-08-04 18:36:57 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2012-08-04 18:36:55 2148352 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2012-08-04 18:36:54 2192640 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2012-08-04 18:36:52 2026496 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2012-08-04 18:36:51 2069120 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2012-08-04 18:36:31 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2012-08-04 18:36:15 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-08-04 18:35:51 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-08-04 18:35:51 3072 ------w- c:\windows\system32\iacenc.dll
2012-08-04 18:31:29 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-08-04 18:31:17 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-08-04 18:31:17 5120 ------w- c:\windows\system32\xpsp4res.dll
2012-08-04 18:30:39 -------- d-----w- c:\windows\system32\PreInstall
2012-08-04 18:30:36 -------- d--h--w- c:\windows\$hf_mig$
2012-07-28 01:29:44 -------- d-----w- c:\program files\FS Water Configurator
2012-07-27 12:24:49 -------- d-----w- c:\documents and settings\neon\local settings\application data\Google
2012-07-27 12:23:34 -------- d-----w- c:\documents and settings\neon\local settings\application data\IsolatedStorage
2012-07-27 12:20:45 -------- d-----w- C:\TA Software
2012-07-27 03:18:42 -------- d-----w- C:\Your Folder FS2004
2012-07-25 01:22:03 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-07-25 01:22:03 214256 ----a-w- c:\windows\system32\muweb.dll
2012-07-25 01:22:03 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-07-24 03:08:03 -------- d-----w- c:\documents and settings\neon\local settings\application data\Adobe
2012-07-23 17:26:25 -------- d-----w- c:\documents and settings\neon\.swt
2012-07-22 03:06:24 -------- d-----w- c:\documents and settings\neon\local settings\application data\Real_Environment_Simulati
2012-07-22 02:58:13 -------- d-----w- c:\program files\Real Environment Xtreme 2.0
2012-07-21 12:08:12 -------- d-----r- c:\program files\Skype
2012-07-20 03:10:55 -------- d-----w- c:\documents and settings\neon\local settings\application data\VAFinancials
2012-07-17 17:45:27 -------- d-----w- c:\documents and settings\neon\local settings\application data\Black_Tree_Gaming
2012-07-17 17:45:20 -------- d-----w- c:\program files\Nexus Mod Manager
2012-07-14 18:13:20 -------- d-----w- c:\documents and settings\neon\local settings\application data\Ilivid Player
2012-07-12 09:14:41 -------- d-----w- c:\windows\Internet Logs
2012-07-12 09:14:19 133208 ----a-w- c:\windows\system32\drivers\kl1.sys
2012-07-12 09:14:19 11352 ----a-w- c:\windows\system32\drivers\kl2.sys
2012-07-12 09:13:41 -------- d-----w- c:\program files\Check Point Software Technologies LTD
2012-07-11 22:35:21 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
2012-07-11 09:03:50 188866 ----a-w- c:\documents and settings\all users\application data\1341997380.bdinstall.bin
2012-07-09 15:40:04 78336 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\modules\rxpGnsDriver.dll
2012-07-09 15:38:17 -------- d-----w- C:\RealityXP
2012-07-09 14:24:03 61 --sh--w- c:\windows\cnerolf.bin
2012-07-09 14:15:33 34064 ----a-w- c:\windows\system32\lhacm.acm
2012-07-09 14:15:29 -------- d-----w- c:\program files\Teamspeak2_RC2
2012-07-09 14:14:51 -------- d--h--w- c:\program files\InstallJammer Registry
2012-07-09 14:14:46 -------- d-----w- c:\program files\VAFS5
2012-07-09 14:14:30 -------- d-----w- c:\program files\Pilot Assistant
2012-07-09 14:14:09 -------- d-----w- c:\program files\Open Clouds
2012-07-09 14:12:22 414744 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\modules\FSUIPC4.DLL
2012-07-09 14:04:21 599552 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\modules\A2A_Feel.dll
2012-07-09 14:04:21 135168 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\modules\AccuFeelMenu.dll
2012-07-09 14:04:20 153088 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\a2a\feel\UNWISE.EXE
2012-07-09 14:00:57 -------- d-----w- c:\windows\Flight1 Citation Mustang
2012-07-09 13:59:07 -------- d-----w- c:\program files\IconA5
2012-07-09 13:50:55 -------- d-----w- c:\program files\Wings of POWER II WWII FIGHTERS
2012-07-09 13:46:16 45568 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\a2a\spitfire\tools\Spitfire Input Configurator.exe
2012-07-09 13:46:04 697344 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\wop3_spitfire\panel\A2A_Spit.dll
2012-07-09 13:46:02 153088 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\a2a\spitfire\UNWISE.EXE
2012-07-09 13:42:53 217088 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\a2a_piperj3\panel\A2A_PiperJ3s.dll
2012-07-09 13:42:53 139264 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\a2a_piperj3\panel\A2A_PiperSound.dll
2012-07-09 13:42:52 153088 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\a2a\piperj3\UNWISE.EXE
2012-07-09 13:41:08 41472 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\a2a\b377\tools\B377 Input Configurator.exe
2012-07-09 13:40:46 617984 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\wos_b377\panel\b377sv2.dll
2012-07-09 13:36:28 204800 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\wos_b377\panel\B377s.dll
2012-07-09 13:36:27 153088 ----a-w- c:\windows\UNWISE.EXE
2012-07-09 13:35:10 57344 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\a2a\shared\A2A_Service.dll
2012-07-09 13:35:10 47104 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\a2a\b17\tools\B-17 Input Configurator.exe
2012-07-09 13:35:10 144384 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\a2a\shared\A2AserviceInstaller.exe
2012-07-09 13:34:54 397312 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\wop2_b17g\panel\A2A_B17Sound.dll
2012-07-09 13:34:54 303616 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\wop2_b17g\panel\WoP3_B17s.dll
2012-07-09 13:34:46 153088 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\a2a\b17\UNWISE.EXE
2012-07-09 13:34:23 153088 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\UNWISE.EXE
2012-07-09 13:34:22 -------- d-----w- c:\program files\Wings of POWER II
2012-07-09 13:27:40 82590 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\Uninstal Carenado C208B Super Cargomaster Expansion Pack HD.exe
2012-07-09 13:26:38 54311 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\uninstall_C90B.exe
2012-07-09 13:19:58 53555 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\uninstallC337.exe
2012-07-09 13:18:40 54272 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\uninstallT210M.exe
2012-07-09 13:11:55 580608 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\uk2000 scenery\uk2000 vfr scenery volume3\uninstall.exe
2012-07-09 13:10:21 286720 ----a-w- c:\windows\iun506.exe
2012-07-09 12:45:08 47616 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\orbx\scripts\ftxcentral\work\FTXConfigurator.exe
2012-07-09 12:43:18 83373 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\addon scenery\scenery\Uninstal.exe
2012-07-09 11:18:01 77139 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\Uninstal.exe
2012-07-09 11:10:53 1212928 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\gauges\rxpGNS.dll
2012-07-09 11:10:52 929792 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\gauges\rxpDrop.dll
2012-07-09 11:10:50 -------- d-----w- c:\program files\Reality XP
2012-07-09 11:10:35 -------- d-----w- c:\documents and settings\all users\application data\Reality XP
2012-07-09 11:09:17 -------- d-----w- c:\program files\Garmin
2012-07-09 11:08:28 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2012-07-09 11:08:28 225280 ----a-w- c:\program files\common files\installshield\iscript\IScript.dll
2012-07-09 11:08:28 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2012-07-09 11:08:27 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2012-07-09 11:08:27 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2012-07-09 06:26:27 -------- d-----w- c:\program files\MSXML 4.0
2012-07-09 05:46:01 -------- d-----w- c:\program files\Microsoft Games
.
==================== Find3M ====================
.
2012-08-06 03:42:09 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2012-08-06 03:41:51 17488 ----a-w- c:\windows\gdrv.sys
2012-07-15 13:25:04 1074676 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-07-15 13:25:04 1074676 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-07-15 13:25:04 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-07-08 21:05:57 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2012-07-08 21:05:57 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2012-07-08 18:21:11 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-07-08 18:21:10 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-08 18:21:09 811968 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-08 18:21:09 737208 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-08 17:45:52 693268 ----a-w- c:\documents and settings\all users\application data\1341767658.bdinstall.bin
2012-07-08 15:22:58 315392 ----a-w- c:\windows\HideWin.exe
2012-07-08 14:52:25 81920 ----a-w- c:\windows\DUMP2f6c.tmp
2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-02 05:49:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 05:49:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 05:49:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 05:49:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 05:49:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 10:18:00 883008 ----a-w- c:\windows\system32\nvgenco32.dll
2012-05-15 10:18:00 65536 ----a-w- c:\windows\system32\OpenCL.dll
2012-05-15 10:18:00 6012928 ----a-w- c:\windows\system32\nvcuda.dll
2012-05-15 10:18:00 4373248 ----a-w- c:\windows\system32\nv4_disp.dll
2012-05-15 10:18:00 2530624 ----a-w- c:\windows\system32\nvcuvid.dll
2012-05-15 10:18:00 2445120 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-05-15 10:18:00 2359808 ----a-w- c:\windows\system32\nvapi.dll
2012-05-15 10:18:00 18771968 ----a-w- c:\windows\system32\nvoglnt.dll
2012-05-15 10:18:00 17543168 ----a-w- c:\windows\system32\nvcompiler.dll
2012-05-15 10:18:00 14014656 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-05-15 10:18:00 1000768 ----a-w- c:\windows\system32\nvdispco32.dll
2012-05-15 09:40:26 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-05-15 09:40:02 15504192 ----a-w- c:\windows\system32\nvcpl.dll
2012-05-15 09:40:02 143680 ----a-w- c:\windows\system32\nvcolor.exe
2012-05-15 09:40:01 164160 ----a-w- c:\windows\system32\nvsvc32.exe
2012-05-15 09:40:01 108352 ----a-w- c:\windows\system32\nvmctray.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
1 ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Harddisk0\DR0[0x8B057030]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\0000006c[0x8B0D1410]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Ide\IdeDeviceP2T0L0-16[0x8B0983C8]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 13:36:28.62 ===============

Here is the aswMBR log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-06 13:53:51
-----------------------------
13:53:51.437 OS Version: Windows 5.1.2600 Service Pack 3
13:53:51.437 Number of processors: 2 586 0x170A
13:53:51.437 ComputerName: PLATOSCAVE UserName: Neon
13:53:54.921 Initialize success
13:54:33.328 AVAST engine defs: 12080500
13:54:48.921 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16
13:54:48.921 Disk 0 Vendor: Size: 0MB BusType: 0
13:54:48.921 Disk 1 \Device\Harddisk1\DR2 -> \Device\0000007a
13:54:48.921 Disk 1 Vendor: Size: 0MB BusType: 0
13:54:48.968 Disk 0 MBR read successfully
13:54:48.968 Disk 0 MBR scan
13:54:49.062 Disk 0 Windows XP default MBR code
13:54:49.062 Disk 0 MBR hidden
13:54:49.062 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
13:54:49.125 Disk 0 scanning C:\WINDOWS\system32\drivers
13:55:09.468 Service scanning
13:55:42.015 Modules scanning
13:55:54.000 Disk 0 trace - called modules:
13:55:54.343 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
13:55:54.343 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b057030]
13:55:54.343 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8b0d1410]
13:55:54.343 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-16[0x8b0983c8]
13:55:57.734 AVAST engine scan C:\WINDOWS
13:56:12.125 AVAST engine scan C:\WINDOWS\system32
14:01:45.203 AVAST engine scan C:\WINDOWS\system32\drivers
14:02:05.984 AVAST engine scan C:\Documents and Settings\Neon
14:03:03.015 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Neon\Desktop\MBR.dat"
14:03:03.015 The log file has been saved successfully to "C:\Documents and Settings\Neon\Desktop\aswMBR.txt"
14:06:04.609 AVAST engine scan C:\Documents and Settings\All Users
14:08:28.218 Scan finished successfully
14:11:36.609 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Neon\Desktop\MBR.dat"
14:11:36.609 The log file has been saved successfully to "C:\Documents and Settings\Neon\Desktop\aswMBR.txt"

jeffce
2012-08-09, 00:55
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

The fixes are specific to your problem and should only be used for the issues on this machine.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Having said that....Let's get going!! :thumbup:
----------

Please read through these instructions to familarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
----------

jeffce
2012-08-10, 22:47
Do you still need help?? :)

jeffce
2012-08-12, 05:05
Due to lack of feedback, this topic will now be closed.
If you are the original poster and you still require help, please start a new thread.

-------------------