Need help with virus

Viruses and worms
1

I seem to have encountered a virus and need help taking care of it

I’m fairly sure it’s also one of those virus that try to fool you into thinking it’s an Anti-Virus.
some names it’s using
AV Anti Virus (green icon with a white check)
AV Security Suite

Threats:
Spyware - 34
BankerFox.A
Win32/Nuqel.F (maybe Nugel.F)

Avast’s On-Access Scanner Detected 3 Virus (last infected C:/…/syssvc.exe@antispy.progtool.com.tmp
wscntfy.exe is also supposivley infected. (but I can’t seem to adress the infected locations from this menu)

I have some noted attacked ports if needed.

The pop up menu from the “Anti-Virus Virus”

Antivirus Software Alert:
Attention! Spyware Alert
Vulnerabilities found.

Your computer is infected by spyware - 34 serious threats have been found while scanning your files and registry. It is strongly reccomended that you disinfect your computer and activate realtime secure protection against future intrusions.

Why do you need realtime spyware protection?

Upgrade to full version of antivirus software to clean your computer and prevent new secutiry and privacy attacks. You will be able to download daily updates and get online protection against internet attacks.

(two clickable boxes)

Activate your antivirus software ----- stay unprotected.

This to me sounds like a way to get even more infections as I know this is not the anti virus I use (I use Avast) and have heard of and seen similar viruses.

I tried to delete it and move it to the chest when Avast initialy detected it, but that didn’t work.
It’s preventing me from accessing Malwarebytes Anti-Malware, Spy-Bot Search & Destroy etc so I can’t figure out how to use those to get rid of the culprit

preventing me from using just about every other program too, except Avast.

On the infected computer it’ll occasionaly pop up Internext Explorer with much unwanted pop ups >.<

I tried using Mozila Firefox on the infected pc but it blocks me from accessing anything in order to visit helpful websites such as Avast, AVG forums etc.

I also can’t open TASK MANAGER for more than 2 seconds or it automaticaly closes, so I can’t figure out how to terminate the unwanted anti-virus virus program.

I’ve tried doing a full scan and a quick scan using Avast but the program locked up as soon as it finished scanning preventing me from seeing what is infected and fixing whatever is infected.

Any help would be appreciated.

2

It definitely sounds like a rogue fake antivirus. If Avast! can’t remove it, download and install the free version of Malwarebytes, make sure it’s fully updated, and run a scan with that and allow it to delete anything it finds. It’s an amazing program and best of all, free.

3

One of the problems I am encountering is that it is keeping me from running and accessing Malwarebytes.
Everytime I try to open malwarebytes it does not open and a small text cloud above the fake AntiVirus pops up saying can’t acess mbam.exe etc because it is infected, which I highly doubt it is.

I’m also having trouble accessing any helpful websites on that PC, say in order to download something to fix the issue

4

does this fake / rogue software have a name ?
sorry, i think i need glasses

5

http://www.bleepingcomputer.com/virus-removal/remove-av-security-suite

rkill will allow you to get malwarebytes running

http://www.technibble.com/rkill-repair-tool-of-the-week/

6
I'm fairly sure it's also one of those virus that try to fool you into thinking it's an Anti-Virus. some names it's using AV Anti Virus (green icon with a white check) AV Security Suite
7

Try booting into safe mode and running Malwarebytes from there.

8

Yep thats one of them Scythe and it seems the fake anti virus decided to take a break o.O?
I am going to look at what you linked on that PC (Stopzilla, Rkill) and run Malwarebytes meanwhile before it tries to pop back up again and prevent me from accessing anything.

9

No problem, I’ve been known to skip over pertinent information before. :wink:

10

Thanks for the support, after Rogue-AV took a break o.O I was able to access MBAM and remove the Rogue-AV

My computer still seems a little sluggish though however. If there is anyone available to look at this OTL log real quick and see if there is any undetected malware or problems etc that I should address, it would be much appreciated. :slight_smile:

BTW here are the pc performance, anti-virus, and anti-malware/spyare programs I currently use
(Incase there are some I should re-think about using, replace, or others I should look into getting.)

Mozilla Firefox (web browser)
Orca (web browser)
Malwarebytes Anti-Malware
Spybot Search & Destory
SUPERAntiSpyware
Avast! Antivirus
OTL
Auslogics Disk Defrag
Auslogics Boostspeed
CCleaner
ATF-Cleaner

Programs I have uninstalled but noticed they are listed in the OTL log
(old pc performance programs)
Iobit
Glarysoft
SmartDefrag
Auslogics Regristry Defrag

YuLeech (iirc this was a downloader program for a game)
GetRightToGo (IIRC was a reccomended downloader program)
Should I do anything with these?

posting the OTL log in segments

11

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/09 19:36:10 | 000,572,416 | ---- | M] (OldTimer Tools) – C:\Documents and Settings\Owner\desktop\OTL.exe
PRC - [2010/05/31 17:09:24 | 000,714,408 | ---- | M] (Auslogics) – C:\Program Files\Auslogics\Auslogics BoostSpeed\boostspeed.exe
PRC - [2010/04/01 12:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) – C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/24 18:51:40 | 000,081,000 | ---- | M] (ALWIL Software) – C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) – C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) – C:\WINDOWS\explorer.exe
PRC - [2005/08/11 15:30:30 | 000,081,920 | ---- | M] (Macrovision Corporation) – C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2003/08/20 12:56:14 | 000,045,056 | ---- | M] (S3 Graphics, Inc.) – C:\WINDOWS\system32\VTTimer.exe
PRC - [2001/08/17 17:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) – C:\WINDOWS\system32\devldr32.exe

========== Modules (SafeList) ==========

MOD - [2010/06/09 19:36:10 | 000,572,416 | ---- | M] (OldTimer Tools) – C:\Documents and Settings\Owner\desktop\OTL.exe
MOD - [2008/05/13 10:13:36 | 000,077,824 | ---- | M] (SuperAdBlocker.com) – C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) – C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] – C:\Program Files\Alwil Software\Avast4\ashServ.exe – (avast! Antivirus)
SRV - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe – (avast! Mail Scanner)
SRV - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe – (avast! Web Scanner)
SRV - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe – (aswUpdSv)

========== Driver Services (SafeList) ==========

DRV - [2010/02/11 02:38:10 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] – C:\WINDOWS\system32\drivers\ati2mtag.sys – (ati2mtag)
DRV - [2009/11/24 18:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] – C:\WINDOWS\system32\drivers\aswTdi.sys – (aswTdi)
DRV - [2009/11/24 18:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] – C:\WINDOWS\system32\drivers\aswRdr.sys – (aswRdr)
DRV - [2009/11/24 18:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] – C:\WINDOWS\system32\drivers\aavmker4.sys – (Aavmker4)
DRV - [2009/09/15 05:56:14 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] – C:\WINDOWS\system32\drivers\aswmon2.sys – (aswMon2)
DRV - [2009/09/15 05:55:30 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] – C:\WINDOWS\system32\drivers\aswSP.sys – (aswSP)
DRV - [2009/09/15 05:55:19 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] – C:\WINDOWS\system32\drivers\aswFsBlk.sys – (aswFsBlk)
DRV - [2009/04/07 12:19:58 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] – C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS – (SASDIFSV)
DRV - [2009/02/21 21:27:21 | 000,271,360 | ---- | M] () [Kernel | Auto | Running] – C:\WINDOWS\system32\drivers\atksgt.sys – (atksgt)
DRV - [2009/02/21 21:27:20 | 000,018,048 | ---- | M] () [Kernel | Auto | Running] – C:\WINDOWS\system32\drivers\lirsgt.sys – (lirsgt)
DRV - [2009/01/21 08:49:40 | 000,118,656 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] – C:\WINDOWS\system32\drivers\Rtnicxp.sys – (RTL8023xp)
DRV - [2008/12/22 12:06:02 | 000,007,408 | R— | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] – C:\Program Files\SUPERAntiSpyware\SASENUM.SYS – (SASENUM)
DRV - [2008/12/22 12:05:58 | 000,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] – C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS – (SASKUTIL)
DRV - [2008/04/13 13:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] – C:\WINDOWS\system32\drivers\gameenum.sys – (gameenum)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] – C:\WINDOWS\system32\drivers\USBAUDIO.sys – (usbaudio) USB Audio Driver (WDM)
DRV - [2008/02/27 13:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] – C:\WINDOWS\System32\Drivers\BANTExt.sys – (BANTExt)
DRV - [2007/12/05 01:41:00 | 007,435,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] – C:\WINDOWS\system32\drivers\nv4_mini.sys – (nv)
DRV - [2007/04/16 21:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] – C:\WINDOWS\system32\drivers\AmdPPM.sys – (AmdPPM)
DRV - [2006/09/24 08:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] – C:\WINDOWS\system32\speedfan.sys – (speedfan)
DRV - [2006/08/18 13:52:00 | 004,017,536 | R— | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] – C:\WINDOWS\system32\drivers\alcxwdm.sys – (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] – C:\WINDOWS\system32\drivers\RTL8139.sys – (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/12/12 19:03:10 | 000,652,689 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] – C:\WINDOWS\system32\drivers\ltmdmnt.sys – (ltmodem5)
DRV - [2003/07/02 04:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] – C:\WINDOWS\system32\DRIVERS\viaagp1.sys – (viaagp1)
DRV - [2002/06/24 10:00:00 | 000,053,412 | ---- | M] (GEAR Software) [Kernel | System | Running] – C:\WINDOWS\system32\drivers\GEARASPISYS.SYS – (GearAspiSys)
DRV - [2001/08/17 07:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] – C:\WINDOWS\system32\drivers\sfmanm.sys – (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 07:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] – C:\WINDOWS\system32\drivers\ctlfacem.sys – (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 07:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] – C:\WINDOWS\system32\drivers\emu10k1m.sys – (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 07:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] – C:\WINDOWS\system32\drivers\ctljystk.sys – (ctljystk)
DRV - [1996/04/03 14:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] – C:\WINDOWS\system32\giveio.sys – (giveio)

12

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: “ProxyEnable” = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: “ProxyOverride” =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: “ProxyServer” = http=127.0.0.1:1031

========== FireFox ==========

FF - prefs.js…browser.search.defaultenginename: “Yahoo”
FF - prefs.js…browser.search.defaulturl: “http://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js…browser.search.param.yahoo-fr: “moz2-ytff-”
FF - prefs.js…browser.search.param.yahoo-fr-cjkt: “moz2-ytff-”
FF - prefs.js…browser.search.selectedEngine: “Yahoo”
FF - prefs.js…browser.search.selectedengine: “Yahoo”
FF - prefs.js…browser.startup.homepage: “http://www.yahoo.com/
FF - prefs.js…extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js…extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js…keyword.URL: “http://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js…network.proxy.http: “127.0.0.1”
FF - prefs.js…network.proxy.http_port: 1031

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\Components: C:\Program Files\Mozilla Firefox\components [2010/06/09 19:27:26 | 000,000,000 | —D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/09 19:27:21 | 000,000,000 | —D | M]

[2008/07/13 17:31:51 | 000,000,000 | —D | M] – C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/06/08 20:57:41 | 000,000,000 | —D | M] – C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2jje8li5.default\extensions
[2009/09/18 13:43:27 | 000,000,000 | —D | M] (Microsoft .NET Framework Assistant) – C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2jje8li5.default\extensions{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/21 13:35:36 | 000,000,000 | —D | M] (Yahoo! Toolbar) – C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2jje8li5.default\extensions{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/06/08 20:57:41 | 000,000,000 | —D | M] – C:\Program Files\Mozilla Firefox\extensions
[2008/12/31 16:28:58 | 000,072,960 | ---- | M] (Foxit Software Company) – C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2009/03/31 14:42:06 | 000,303,844 | R— | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10468 more lines…
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM…\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM…\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM…\Run: [KernelFaultCheck] File not found
O4 - HKLM…\Run: [nutnumoqjp] c:\Documents and Settings\Owner\Local Settings\Application Data\kwdlrgjh\surcigd.exe ()
O4 - HKLM…\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM…\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM…\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM…\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKCU…\Run: [nutnumoqjp] c:\Documents and Settings\Owner\Local Settings\Application Data\kwdlrgjh\surcigd.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O9 - Extra ‘Tools’ menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra ‘Tools’ menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211140610312 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://www.adobe.com/products/acrobat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/18 14:21:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT – [ NTFS ]
O32 - AutoRun File - [2005/12/13 14:36:57 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT – [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk ) - File not found
O35 - HKLM..comfile [open] – “%1” %
O35 - HKLM..exefile [open] – “%1” %*
O37 - HKLM.…com [@ = comfile] – “%1” %*
O37 - HKLM.…exe [@ = exefile] – “%1” %*

13

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/05/17 13:17:05 | 000,000,000 | —D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/06/09 19:38:41 | 000,572,416 | ---- | C] (OldTimer Tools) – C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/06/09 19:36:08 | 000,000,000 | —D | C] – C:\Documents and Settings\Owner\My Documents\Downloads
[2010/06/09 19:21:37 | 000,000,000 | —D | C] – C:\Documents and Settings\Owner\Application Data\Orca Profiles
[2010/06/09 19:21:15 | 000,000,000 | —D | C] – C:\Program Files\Orca Browser
[2010/06/09 19:05:50 | 000,000,000 | RH-D | C] – C:\Documents and Settings\Owner\Recent
[2010/06/09 12:34:39 | 000,000,000 | —D | C] – C:\Documents and Settings\Owner\Local Settings\Application Data\kwdlrgjh
[2010/06/01 13:30:30 | 000,000,000 | —D | C] – C:\Documents and Settings\Owner\Application Data\AusLogics
[2010/04/21 11:49:32 | 000,000,000 | —D | C] – C:\Documents and Settings\Owner\Desktop\ProvidedShaders
[2010/04/21 11:49:32 | 000,000,000 | —D | C] – C:\Documents and Settings\Owner\Desktop\NewCombinations
[2010/04/18 22:30:01 | 000,000,000 | —D | C] – C:\Documents and Settings\All Users\Application Data\ATI
[2010/04/18 20:27:17 | 000,000,000 | —D | C] – C:\Program Files\TeamSpeak 3 Client
[2010/03/29 21:51:02 | 000,000,000 | —D | C] – C:\Documents and Settings\Owner\Local Settings\Application Data\Joshua Camara
[13 C:\WINDOWS*.tmp files → C:\WINDOWS*.tmp → ]

========== Files - Modified Within 90 Days ==========

[2010/06/09 19:36:10 | 000,572,416 | ---- | M] (OldTimer Tools) – C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/06/09 19:27:31 | 000,001,602 | ---- | M] () – C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/06/09 19:21:25 | 000,000,686 | ---- | M] () – C:\Documents and Settings\All Users\Desktop\Orca Browser.lnk
[2010/06/09 19:06:15 | 008,650,752 | ---- | M] () – C:\Documents and Settings\Owner\NTUSER.DAT
[2010/06/09 14:00:00 | 000,000,310 | ---- | M] () – C:\WINDOWS\tasks\ydthjdmd.job
[2010/06/09 13:39:11 | 000,000,006 | -H-- | M] () – C:\WINDOWS\tasks\SA.DAT
[2010/06/09 13:38:41 | 000,002,048 | --S- | M] () – C:\WINDOWS\bootstat.dat
[2010/06/09 02:20:38 | 000,000,178 | -HS- | M] () – C:\Documents and Settings\Owner\ntuser.ini
[2010/06/07 20:34:13 | 000,013,646 | ---- | M] () – C:\WINDOWS\System32\wpa.dbl
[2010/06/05 20:23:11 | 000,000,284 | ---- | M] () – C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/01 13:24:05 | 000,000,796 | ---- | M] () – C:\Documents and Settings\Owner\Desktop\Auslogics BoostSpeed.lnk
[2010/06/01 13:12:23 | 000,002,626 | ---- | M] () – C:\WINDOWS\System32\CONFIG.NT
[2010/06/01 12:59:31 | 000,001,548 | ---- | M] () – C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2010/05/31 00:15:47 | 000,000,384 | ---- | M] () – C:\WINDOWS\tasks\SmartDefrag.job
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) – C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) – C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/18 22:36:46 | 000,000,420 | ---- | M] () – C:\WINDOWS\wininit.ini
[2010/04/18 20:27:29 | 000,000,837 | ---- | M] () – C:\Documents and Settings\All Users\Desktop\TeamSpeak 3 Client.lnk
[2010/03/26 14:00:50 | 000,041,872 | ---- | M] () – C:\WINDOWS\System32\xfcodec.dll
[2010/03/14 13:53:02 | 000,490,958 | ---- | M] () – C:\WINDOWS\System32\perfh009.dat
[2010/03/14 13:53:02 | 000,084,318 | ---- | M] () – C:\WINDOWS\System32\perfc009.dat
[2010/03/14 13:53:01 | 000,585,824 | ---- | M] () – C:\WINDOWS\System32\PerfStringBackup.INI
[13 C:\WINDOWS*.tmp files → C:\WINDOWS*.tmp → ]

========== Files Created - No Company Name ==========

[2010/06/09 19:21:25 | 000,000,686 | ---- | C] () – C:\Documents and Settings\All Users\Desktop\Orca Browser.lnk
[2010/06/01 13:24:05 | 000,000,796 | ---- | C] () – C:\Documents and Settings\Owner\Desktop\Auslogics BoostSpeed.lnk
[2010/04/18 20:27:29 | 000,000,837 | ---- | C] () – C:\Documents and Settings\All Users\Desktop\TeamSpeak 3 Client.lnk
[2010/03/26 14:00:50 | 000,041,872 | ---- | C] () – C:\WINDOWS\System32\xfcodec.dll
[2009/06/03 23:34:03 | 000,000,138 | ---- | C] () – C:\WINDOWS\mp3towav.ini
[2009/02/23 13:06:55 | 000,003,888 | ---- | C] () – C:\WINDOWS\System32\drivers\NTHANDLE.SYS
[2009/02/21 21:27:21 | 000,271,360 | ---- | C] () – C:\WINDOWS\System32\drivers\atksgt.sys
[2009/02/21 21:27:20 | 000,018,048 | ---- | C] () – C:\WINDOWS\System32\drivers\lirsgt.sys
[2009/02/15 15:24:14 | 000,000,011 | ---- | C] () – C:\WINDOWS\System32\atiicdxx.ini
[2009/01/26 11:38:35 | 000,000,169 | ---- | C] () – C:\WINDOWS\RtlRack.ini
[2009/01/14 09:50:36 | 000,003,840 | ---- | C] () – C:\WINDOWS\System32\drivers\BANTExt.sys
[2008/12/26 12:20:41 | 000,000,420 | ---- | C] () – C:\WINDOWS\wininit.ini
[2008/10/21 18:27:17 | 000,000,025 | ---- | C] () – C:\WINDOWS\TDH_Launcher.ini
[2008/07/13 17:07:24 | 000,000,754 | ---- | C] () – C:\WINDOWS\WORDPAD.INI
[2008/05/18 17:56:35 | 000,000,164 | ---- | C] () – C:\WINDOWS\avrack.ini
[2008/05/18 17:56:24 | 000,143,360 | ---- | C] () – C:\WINDOWS\System32\RtlCPAPI.dll
[2007/12/05 01:41:00 | 001,703,936 | ---- | C] () – C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/05 01:41:00 | 001,474,560 | ---- | C] () – C:\WINDOWS\System32\nview.dll
[2007/12/05 01:41:00 | 001,019,904 | ---- | C] () – C:\WINDOWS\System32\nvwimg.dll
[2007/12/05 01:41:00 | 000,466,944 | ---- | C] () – C:\WINDOWS\System32\nvshell.dll
[2007/12/05 01:41:00 | 000,286,720 | ---- | C] () – C:\WINDOWS\System32\nvnt4cpl.dll
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () – C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () – C:\WINDOWS\System32\Iyvu9_32.dll
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () – C:\WINDOWS\System32\giveio.sys

14

========== LOP Check ==========

[2010/06/09 20:01:05 | 000,000,000 | —D | M] – C:\Documents and Settings\All Users\Application Data\TEMP
[2010/06/01 14:25:17 | 000,000,000 | —D | M] – C:\Documents and Settings\Owner\Application Data\AusLogics
[2008/06/04 15:56:47 | 000,000,000 | —D | M] – C:\Documents and Settings\Owner\Application Data\Cakewalk
[2008/12/31 16:29:43 | 000,000,000 | —D | M] – C:\Documents and Settings\Owner\Application Data\Foxit
[2009/03/18 14:55:02 | 000,000,000 | —D | M] – C:\Documents and Settings\Owner\Application Data\GetRightToGo
[2009/03/10 10:34:04 | 000,000,000 | —D | M] – C:\Documents and Settings\Owner\Application Data\GlarySoft
[2010/05/17 14:15:16 | 000,000,000 | —D | M] – C:\Documents and Settings\Owner\Application Data\ICQ
[2009/03/06 13:23:22 | 000,000,000 | —D | M] – C:\Documents and Settings\Owner\Application Data\IObit
[2010/06/09 19:21:37 | 000,000,000 | —D | M] – C:\Documents and Settings\Owner\Application Data\Orca Profiles
[2009/02/17 13:16:30 | 000,000,000 | —D | M] – C:\Documents and Settings\Owner\Application Data\uTorrent
[2009/01/15 09:59:57 | 000,000,000 | —D | M] – C:\Documents and Settings\Owner\Application Data\YuLeech
[2010/05/31 00:15:47 | 000,000,384 | ---- | M] () – C:\WINDOWS\Tasks\SmartDefrag.job
[2010/06/09 14:00:00 | 000,000,310 | ---- | M] () – C:\WINDOWS\Tasks\ydthjdmd.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%*.* >
[2008/05/18 14:21:25 | 000,000,000 | ---- | M] () – C:\AUTOEXEC.BAT
[2009/02/09 10:38:10 | 000,000,211 | -HS- | M] () – C:\boot.ini
[2008/05/18 14:21:25 | 000,000,000 | ---- | M] () – C:\CONFIG.SYS
[2008/05/18 14:21:25 | 000,000,000 | RHS- | M] () – C:\IO.SYS
[2010/06/01 13:19:48 | 000,000,109 | ---- | M] () – C:\mbam-error.txt
[2008/05/18 14:21:25 | 000,000,000 | RHS- | M] () – C:\MSDOS.SYS
[2006/02/28 07:00:00 | 000,047,564 | RHS- | M] () – C:\NTDETECT.COM
[2008/05/18 15:31:03 | 000,250,048 | RHS- | M] () – C:\ntldr
[2010/06/09 13:38:37 | 2145,386,496 | -HS- | M] () – C:\pagefile.sys
[2008/05/29 08:15:05 | 000,000,232 | -H-- | M] () – C:\sqmdata00.sqm
[2008/05/29 09:30:51 | 000,000,232 | -H-- | M] () – C:\sqmdata01.sqm
[2008/05/29 08:15:05 | 000,000,244 | -H-- | M] () – C:\sqmnoopt00.sqm
[2008/05/29 09:30:51 | 000,000,244 | -H-- | M] () – C:\sqmnoopt01.sqm

< MD5 for: AGP440.SYS >
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file – C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/05/18 15:27:36 | 023,852,652 | ---- | M] () .cab file – C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/05/18 15:27:36 | 023,852,652 | ---- | M] () .cab file – C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 – C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 – C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2006/02/28 07:00:00 | 018,738,937 | ---- | M] () .cab file – C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/05/18 15:27:36 | 023,852,652 | ---- | M] () .cab file – C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/05/18 15:27:36 | 023,852,652 | ---- | M] () .cab file – C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 – C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 – C:\WINDOWS\system32\drivers\atapi.sys
[2006/02/28 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 – C:\WINDOWS$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 – C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 – C:\WINDOWS\system32\eventlog.dll
[2006/02/28 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 – C:\WINDOWS$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 – C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 – C:\WINDOWS\system32\netlogon.dll
[2006/02/28 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A – C:\WINDOWS$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2006/02/28 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A – C:\WINDOWS$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 – C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 – C:\WINDOWS\system32\scecli.dll

< MD5 for: VIAMRAID.SYS >
[2005/04/26 11:22:40 | 000,060,928 | ---- | M] (VIA Technologies inc,.ltd) MD5=0363E216E4EB5052969C96608934DBDE – C:\WINDOWS\system32\drivers\viamraid.sys

< c:\windows\system32*.dll /lockedfiles >
[2010/02/10 23:46:14 | 000,442,368 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 – C:\WINDOWS\system32\ATIDEMGX.dll

< c:\windows\system32\drivers*.sys /lockedfiles >

< %systemroot%*. /mp /s >

< %systemroot%\system32\drivers*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) – C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) – C:\WINDOWS\system32\drivers\mbamswissarmy.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 498 bytes → C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
@Alternate Data Stream - 134 bytes → C:\Documents and Settings\All Users\Application Data\TEMP:07BF512B
@Alternate Data Stream - 120 bytes → C:\Documents and Settings\All Users\Application Data\TEMP:07BF512B
@Alternate Data Stream - 104 bytes → C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

15

I see some stuff in there that does not look good, such as a few bad website links
and sorry I think I was supposed to post the logs in an attachment :\

16

Yeah, there are still some things to get rid of. I’m not an expert on removal with OTL, but I can help point out some of the bad stuff so you can get rid of them manually.

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: “ProxyEnable” = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: “ProxyOverride” =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: “ProxyServer” = http=127.0.0.1:1031

You probably don’t want a proxy server, and it’s probably part of a malware attack.

You should go into control panel, open “Internet Options” applet, go to the connections tab, and click on “LAN Settings”. Uncheck the proxy server, and check “Automatically detect Settings”.

I don’t know what this is: [2010/06/09 14:00:00 | 000,000,310 | ---- | M] () – C:\WINDOWS\Tasks\ydthjdmd.job
If you don’t either, you should probably delete it.

This looks bad:
[2010/06/09 12:34:39 | 000,000,000 | —D | C] – C:\Documents and Settings\Owner\Local Settings\Application Data\kwdlrgjh

And this too:

O4 - HKLM…\Run: [nutnumoqjp] c:\Documents and Settings\Owner\Local Settings\Application Data\kwdlrgjh\surcigd.exe ()

I’d wait until someone comes by and helps you further with OTL.

In the meantime, you should run another Malwarebytes scan (full) and make sure you update it first!
Spybot really isn’t all that great anymore, and I’d suggest removing it.

17

Right now, I’m reading the OTL Tutorial to try to learn, but I don’t think I can really learn how to use it well until I do a few days of reading, testing, and learning. http://www.smokey-services.eu/forums/index.php?PHPSESSID=2frosic96siqf4a7vb6ag7mu94&topic=68251.0

It’s a bit in-depth, and my brain is already full of other I.T. crap.