Computer crashing...

Discussion in 'Malware Help (A Specialist Will Reply)' started by Vinici, May 20, 2012.

  1. Vinici

    Vinici Private E-2

    Hello,

    Since yesterday my computer has been extremely slow, many programs crash or don't open at all, and when I try to go to sites (when not in safe mode) I get a message that those sites have been moved.

    I've attached the SAS, Malwarebytes and RootRepeal logs. I could extract ComboFix, but it wouldn't open after that. MGtools also extracted itself but didn't run the .bat files automatically. I can run HijackThis independently though.

    Thanks in advance!
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to Major Geeks, Vinici :)

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\drivers\*.sys /lockedfiles
      %systemdrive%\mgtools\*.*
      %windir%\system32\MPK\*.*
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  3. Vinici

    Vinici Private E-2

    hey,

    Now when I try to log on to Windows in safe mode, I get a message saying I need to activate Windows with Microsoft, and since it can't be done in safe mode I should log on to my normal user. It sounds strange, so I thought I should ask first: what should I do?

    thanks
     
  4. Vinici

    Vinici Private E-2

    Anyway, I found out that I CAN log on to my user, as long as I'm in safe mode without networking.

    Thanks again!
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

  6. Vinici

    Vinici Private E-2

    Seems I forgot to upload it...
    Here it is.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    That's good. Sinowal / Mebroot was found.

    Just to be safe, can you scan with TDSSKiller and aswMBR once more? Then attach both of the latest logs.
     
    Last edited: May 22, 2012
  8. thisisu

    thisisu Malware Consultant

    Here are the next steps once you have finished with the above.

    Please download and run AVG Remover

    From Add/Remove Programs (via Control Panel), please uninstall the below if they are present:
    • Ask Toolbar
    • Download Accelerator Plus
    • HyperCam Toolbar
    • IObit Toolbar
    • Java 6 SE Update 26
    • KMPlayer Toolbar
    • Microsoft Security Essentials
    • SearchPredict
    • Skype Toolbar
    • Soluto
    • SUPERAntiSpyware
    • uTorrent Toolbar

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    SRV - File not found [Auto | Stopped] --  -- (SolutoService)
    SRV - File not found [On_Demand | Stopped] --  -- (npggsvc)
    SRV - File not found [On_Demand | Stopped] --  -- (NMIndexingService)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xpsec.sys -- (xpsec)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xcpip.sys -- (xcpip)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ViaIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
    DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (IntelIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
    DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (EagleNT)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
    DRV - File not found [Kernel | Disabled | Unknown] --  -- (dac2w2k)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
    DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
    DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\Asaf\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (AliIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (2uy2xb9n.sys)
    DRV - [2012/05/19 16:59:11 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA42C7BC-3C6F-42ED-9CC8-CC4CE26328EC}\MpKsl95edb61c.sys -- (MpKsl95edb61c)
    IE - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Default_Page_URL = http://search.autocompletepro.com/?si=7981&bi=400
    IE - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com
    IE - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search.autocompletepro.com/?si=7981&bi=400
    IE - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\SOFTWARE\Microsoft\Internet Explorer\Search,Search Page = http://search.autocompletepro.com/?si=7981&bi=400
    IE - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\..\URLSearchHook: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - SOFTWARE\Classes\CLSID\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F}\InprocServer32 File not found
    IE - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.autocompletepro.com/?si=7981&bi=400&q={searchTerms}
    IE - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\..\SearchScopes\{D1900123-B012-44a6-8506-D5F60F3C2503}: "URL" = http://search.speedbit.com/searchresults.asp?src=default&q={searchTerms}
    IE - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://tbsearch.ask.com/redirect?client=ie&tb=PTV&o=15184&src=crm&q={searchTerms}&locale=en_US
    FF - prefs.js..extensions.enabledItems: searchpredict@speedbit.com:1.0.1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
    FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}: C:\Program Files\SpeedBit Video Downloader\SPFireFox [2012/02/10 12:18:50 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\searchpredict@speedbit.com: C:\Program Files\SearchPredict\PRFireFox [2012/02/10 12:18:34 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\
    [2012/04/02 21:18:33 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Asaf\Application Data\Mozilla\Firefox\Profiles\5ykdfj9i.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    [2012/04/30 09:42:22 | 000,000,000 | ---D | M] (uTorrentBar Community Toolbar) -- C:\Documents and Settings\Asaf\Application Data\Mozilla\Firefox\Profiles\5ykdfj9i.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
    [2010/05/14 23:16:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asaf\Application Data\Mozilla\Firefox\Profiles\5ykdfj9i.default\extensions\{eebc5c3f-ec4b-4ad4-b5d1-fa51b3c42c58}-trash
    [2012/04/23 11:51:46 | 000,000,000 | ---D | M] (KMPlayer Toolbar) -- C:\Documents and Settings\Asaf\Application Data\Mozilla\Firefox\Profiles\5ykdfj9i.default\extensions\toolbar@ask.com
    [2010/05/14 15:23:09 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\Asaf\Application Data\Mozilla\Firefox\Profiles\5ykdfj9i.default\searchplugins\askcom.xml
    [2012/05/19 11:17:26 | 000,003,659 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
    CHR - Extension: SpeedBit Search Predict = C:\Documents and Settings\Asaf\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ledcpigomgblcmofccnacobhmcdkpiea\2.0.2\
    CHR - plugin: Unity Player (Disabled) = C:\Program Files\Unity\WebPlayer\loader\npUnity3D32.dll
    CHR - Extension: YouTube to MP3 = C:\Documents and Settings\Asaf\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dajdnhmdgikmjbcggoihnbmnnkbmljlg\0.0.3\
    O2 - BHO: (IObit Toolbar) - {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files\IObit Toolbar\IE\5.6\iobitToolbarIE.dll File not found
    O2 - BHO: (SBCONVERT Class) - {31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll ()
    O2 - BHO: (SearchPredictObj Class) - {389943B0-C3A2-4E69-82CB-8596A84CB3DC} - C:\Program Files\SearchPredict\SearchPredict.dll (Speedbit Ltd.)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (SBCONVERT Class) - {92A9ACF4-9333-43AE-9698-DB283326F87F} - C:\Program Files\SpeedBit Video Downloader\TBUA0\tbcore3.dll ()
    O2 - BHO: (no name) - {A1056498-D09A-41E4-864B-505EDD640D9E} - No CLSID value found.
    O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (IeMonitorBho Class) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll (Megaupload Limited)
    O2 - BHO: (KMPlayer Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O2 - BHO: (SMTTB2009 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\HyperCam Toolbar\tbcore3.dll ()
    O2 - BHO: (DAPIELoader Class) - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\DAP\dapieloader.dll (SpeedBit Ltd.)
    O2 - BHO: (GrabberObj Class) - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\SpeedBit Video Downloader\TBUA0\Grabber.dll (SpeedBit)
    O3 - HKLM\..\Toolbar: (SpeedBit Video Downloader) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\TBUA0\tbcore3.dll ()
    O3 - HKLM\..\Toolbar: (IObit Toolbar) - {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files\IObit Toolbar\IE\5.6\iobitToolbarIE.dll File not found
    O3 - HKLM\..\Toolbar: (HyperCam Toolbar) - {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Program Files\HyperCam Toolbar\tbcore3.dll ()
    O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
    O3 - HKLM\..\Toolbar: (KMPlayer Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\..\Toolbar\WebBrowser: (SpeedBit Video Downloader) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\TBUA0\tbcore3.dll ()
    O3 - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\..\Toolbar\WebBrowser: (HyperCam Toolbar) - {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Program Files\HyperCam Toolbar\tbcore3.dll ()
    O3 - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\..\Toolbar\WebBrowser: (KMPlayer Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm ()
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201 File not found
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm ()
    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204 File not found
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203 File not found
    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202 File not found
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm ()
    O8 - Extra context menu item: Download with Mipony - C:\Program Files\MiPony\Browser\IEContext.htm ()
    O8 - Extra context menu item: Free YouTube to Mp3 Converter - Reg Error: Value error. File not found
    O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} http://www.tapuz.co.il/irc/main/launcher.cab (LauncherV1 Class)
    O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} http://chat-basic.nana.co.il/Cabs/launcher.cab (LauncherV1 Class)
    O33 - MountPoints2\{63cc677d-0072-11e1-a7d4-0016b65d7bd8}\Shell - "" = AutoRun
    O33 - MountPoints2\{63cc677d-0072-11e1-a7d4-0016b65d7bd8}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{63cc677d-0072-11e1-a7d4-0016b65d7bd8}\Shell\AutoRun\command - "" = I:\SamsungKiesInstaller.exe
    [2012/05/22 08:36:09 | 000,098,992 | ---- | C] (Kaspersky Lab, GERT) -- C:\WINDOWS\System32\drivers\28742017.sys
    [2012/05/22 08:29:08 | 000,098,992 | ---- | C] (Kaspersky Lab, GERT) -- C:\WINDOWS\System32\drivers\74165474.sys
    [2012/05/20 08:55:30 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
    [2012/05/19 11:16:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012
    [2012/05/19 10:12:27 | 001,580,080 | ---- | C] (Soluto Inc) -- C:\Documents and Settings\Asaf\My Documents\solutoinstaller-Be90Xtm7H5.exe
    [2012/04/27 12:42:46 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\MPK
    [2012/04/27 12:42:46 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\MPK
    [2012/04/23 11:51:36 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [21 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
    [1 C:\*.tmp files -> C:\*.tmp -> ]
    [2012/05/20 09:11:00 | 000,000,232 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
    [2012/05/19 10:18:42 | 000,152,809 | ---- | M] () -- C:\Documents and Settings\Asaf\My Documents\Thank you for downloading Soluto from CNET Download.com.htm
    [2012/05/19 10:12:35 | 001,580,080 | ---- | M] (Soluto Inc) -- C:\Documents and Settings\Asaf\My Documents\solutoinstaller-Be90Xtm7H5.exe
    [2012/05/17 10:55:52 | 000,011,838 | ---- | M] () -- C:\Documents and Settings\Asaf\My Documents\F04716E2E37D88330B3207F3A7C781518DE72070.torrent
    [2012/05/14 20:02:01 | 000,025,379 | ---- | M] () -- C:\Documents and Settings\Asaf\My Documents\58A3E8CCFFFCAFD82C7799D716E0B6342C623BB9.torrent
    [2012/04/24 17:13:24 | 000,051,144 | ---- | M] (Soluto LTD.) -- C:\WINDOWS\System32\drivers\Soluto.sys
    [2012/05/09 12:27:11 | 000,000,000 | ---D | M](C:\Documents and Settings\Asaf\Desktop\??????) -- C:\Documents and Settings\Asaf\Desktop\מאמרים
    [2012/05/08 13:54:54 | 000,000,000 | ---D | C](C:\Documents and Settings\Asaf\Desktop\??????) -- C:\Documents and Settings\Asaf\Desktop\מאמרים
    [2012/04/23 16:19:32 | 000,039,036 | ---- | M] ()(C:\Documents and Settings\Asaf\My Documents\?????.odt) -- C:\Documents and Settings\Asaf\My Documents\מילים.odt
    [2012/04/07 13:43:26 | 000,009,710 | ---- | M] ()(C:\Documents and Settings\Asaf\My Documents\????? ?????????.odt) -- C:\Documents and Settings\Asaf\My Documents\הגיון פסיכומטרי.odt
    [2012/04/07 13:43:26 | 000,009,710 | ---- | C] ()(C:\Documents and Settings\Asaf\My Documents\????? ?????????.odt) -- C:\Documents and Settings\Asaf\My Documents\הגיון פסיכומטרי.odt
    [2012/04/07 01:13:25 | 000,017,970 | ---- | M] ()(C:\Documents and Settings\Asaf\My Documents\????? ?????????.odt) -- C:\Documents and Settings\Asaf\My Documents\שאלות פסיכומטרי.odt
    [2012/03/31 15:32:45 | 000,017,970 | ---- | C] ()(C:\Documents and Settings\Asaf\My Documents\????? ?????????.odt) -- C:\Documents and Settings\Asaf\My Documents\שאלות פסיכומטרי.odt
    [2012/03/20 20:30:54 | 000,039,036 | ---- | C] ()(C:\Documents and Settings\Asaf\My Documents\?????.odt) -- C:\Documents and Settings\Asaf\My Documents\מילים.odt
    [2012/03/03 10:02:43 | 000,000,000 | ---D | M](C:\Documents and Settings\Asaf\Desktop\?????????) -- C:\Documents and Settings\Asaf\Desktop\פסיכומטרי
    [2011/11/05 19:07:30 | 000,000,000 | ---D | C](C:\Documents and Settings\Asaf\Desktop\?????????) -- C:\Documents and Settings\Asaf\Desktop\פסיכומטרי
    [2011/11/05 19:02:51 | 000,040,960 | ---- | C] ()(C:\Documents and Settings\Asaf\Desktop\???? ????? ???? ?????? ????? ??????.doc) -- C:\Documents and Settings\Asaf\Desktop\צריך למחוק הרבה דפוקים ואולי להוסיף.doc
    [2010/11/21 17:07:43 | 000,286,720 | ---- | C] ()(C:\Documents and Settings\All Users\Documents\????? ???? ????? ?.doc) -- C:\Documents and Settings\All Users\Documents\עבודה בתנך לשכבת ט.doc
    [2010/11/21 17:07:42 | 000,034,742 | ---- | C] ()(C:\Documents and Settings\All Users\Documents\?????2.docx) -- C:\Documents and Settings\All Users\Documents\חשבון2.docx
    [2010/10/06 07:18:08 | 000,034,742 | ---- | M] ()(C:\Documents and Settings\All Users\Documents\?????2.docx) -- C:\Documents and Settings\All Users\Documents\חשבון2.docx
    [2010/10/04 22:53:54 | 000,286,720 | ---- | M] ()(C:\Documents and Settings\All Users\Documents\????? ???? ????? ?.doc) -- C:\Documents and Settings\All Users\Documents\עבודה בתנך לשכבת ט.doc
    [2007/05/25 02:34:40 | 000,040,960 | ---- | M] ()(C:\Documents and Settings\Asaf\Desktop\???? ????? ???? ?????? ????? ??????.doc) -- C:\Documents and Settings\Asaf\Desktop\צריך למחוק הרבה דפוקים ואולי להוסיף.doc
    (C:\Documents and Settings\All Users\Start Menu\Programs\????10) -- C:\Documents and Settings\All Users\Start Menu\Programs\נענע10
    @Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7C658D91
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0D1FEB5D
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:553CA6CA
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:010ADD2C
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:862BDB1A
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C1F4198F
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ED3F622D
    @Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D74B6CF5
    @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3553E6B8
    :files
    c:\MGtools /d
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
    :commands
    [purity]
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Click the Start button.
    • Create a System Restore point if prompted.
    • In the Repair Options window, select the following repair option:
      • Repair WMI
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Attempt to run ComboFix using these directions:
    • Press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
      • "%userprofile%\desktop\ComboFix" /killall
    • Now press ENTER
    • ComboFix should launch and try to scan. Let me know exactly what happens if it does not run successfully this time around.
    • Attach C:\ComboFix.txt if it was successful. (How to attach)

    Now download the latest MGtools.exe to the root of your C: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
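    The OTL fix above was assembled by hand from the scan output: services and drivers whose binary is no longer on disk, IE start/search pages pointing at the toolbar search sites, the MountPoints2 autorun entry, and a reset of the Session Manager BootExecute value written as raw hex(7). The script below is an added example (not OTL's code and not part of thisisu's instructions) that automates that read of an OTL-style log and checks that a hex(7) BootExecute value really decodes to the Windows default "autocheck autochk *" before it is written back. The sample lines are constructed, modelled on lines quoted in the fix with one path shortened; the hijack host list is only the three hosts the log showed; and the decoder assumes OTL's one-byte-per-character hex(7) layout (a regedit .reg export would be UTF-16LE, which is also accepted).

```python
"""Triage helpers for OTL-style scan output (added example, not OTL itself)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Search/redirect hosts that appeared in this thread's log. Anything else is
# an analyst's call; the list is deliberately limited to what the log showed.
HIJACK_HOSTS = {"search.autocompletepro.com", "search.speedbit.com", "tbsearch.ask.com"}

# Windows default for HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute.
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]

# The value exactly as it appears in the :reg section of the fix above.
BOOTEXECUTE_FROM_FIX = "hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00"

# Constructed sample: a few OTL-style lines modelled on the fix above
# (the MpKsl driver path is shortened). Not the actual attached log.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] --  -- (SolutoService)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xcpip.sys -- (xcpip)
DRV - [2012/05/19 16:59:11 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\MpKsl95edb61c.sys -- (MpKsl95edb61c)
IE - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com
IE - HKU\S-1-5-21-1454471165-57989841-1177238915-1004\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.autocompletepro.com/?si=7981&bi=400&q={searchTerms}
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O33 - MountPoints2\{63cc677d-0072-11e1-a7d4-0016b65d7bd8}\Shell\AutoRun\command - "" = I:\SamsungKiesInstaller.exe
"""

# SRV/DRV entries whose binary OTL could not locate; the name is in the trailing (...).
_ORPHAN = re.compile(r'^(SRV|DRV) - File not found \[[^\]]*\] --\s*(?P<path>.*?)\s*-- \((?P<name>[^)]+)\)\s*$')
# IE registry settings: "<key> = <url>".
_IE = re.compile(r'^IE - (?P<key>.+?) = (?P<url>\S+)\s*$')
# Per-volume AutoRun commands recorded under MountPoints2.
_O33 = re.compile(r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+?)\s*$')


def orphaned_services(log: str) -> List[str]:
    """Names of services/drivers that are registered but whose file is missing."""
    return [m.group("name") for m in map(_ORPHAN.match, log.splitlines()) if m]


def hijacked_ie_settings(log: str) -> List[Tuple[str, str]]:
    """(registry key, host) pairs whose URL points at a known hijack host."""
    hits = []
    for line in log.splitlines():
        m = _IE.match(line)
        if not m:
            continue
        host = (urlsplit(m.group("url")).hostname or "").lower()
        if host in HIJACK_HOSTS:
            hits.append((m.group("key"), host))
    return hits


def autorun_commands(log: str) -> List[Tuple[str, str]]:
    """(volume GUID, command) pairs from O33 MountPoints2 AutoRun entries."""
    return [(m.group("guid"), m.group("cmd")) for m in map(_O33.match, log.splitlines()) if m]


def decode_reg_hex7(value: str) -> List[str]:
    """Decode a REG_MULTI_SZ written as 'hex(7):..' into its list of strings.

    Assumption: OTL's :reg section stores one byte per character (as in the
    fix above). A regedit .reg export stores UTF-16LE; if every second byte is
    zero the bytes are decoded that way instead.
    """
    prefix = "hex(7):"
    if not value.lower().startswith(prefix):
        raise ValueError("not a hex(7) value")
    raw = bytes.fromhex(value[len(prefix):].replace(",", "").replace(" ", ""))
    if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]  # drop the double-NUL terminator


def is_default_bootexecute(value: str) -> bool:
    """True when the hex(7) value is exactly the Windows default BootExecute."""
    return decode_reg_hex7(value) == DEFAULT_BOOTEXECUTE


def triage(log: str) -> Dict[str, list]:
    """Everything an analyst would pull out of the log before writing a fix."""
    return {
        "orphaned_services": orphaned_services(log),
        "hijacked_ie": hijacked_ie_settings(log),
        "autorun_commands": autorun_commands(log),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
    print("BootExecute from fix decodes to:", decode_reg_hex7(BOOTEXECUTE_FROM_FIX))
```

    The orphaned-service list is a candidate list, not a removal list: a legitimate driver whose file was deleted by hand (as happened with Soluto in this thread) shows up the same way as a remnant of malware, so each name still needs the analyst's judgement before it goes into an :otl section.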
  9. Vinici

    Vinici Private E-2

    Here are the scans. Anyway, the computer seems to be running as usual now. Thanks! You've helped me a lot.
     

    Attached Files:

  10. Vinici

    Vinici Private E-2

    Everything went smoothly, except I couldn't uninstall IObit Toolbar and Soluto (the problem with Soluto is that I manually deleted its files earlier, when I thought it had something to do with the malware).

    Also, can I reinstall Download Accelerator Plus later? I usually use it a lot.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Fix items with aswMBR.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • After the scan is complete, if the [Fix] button is available, press it just once.
    • On completion of the fix, press the [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    The rest of your logs are fairly clean; there are a few suspicious items in: C:\Documents and Settings\Asaf\My Documents
    For example:
    • MovieSubtitlesSearcher.exe
    • va33_affad.exe

    Can you upload this file for analysis: c:\windows\system32\drivers\mqewoat.sys to here?

    Yes
     
    Last edited: May 23, 2012
  12. Vinici

    Vinici Private E-2

    I uploaded the file and attached the log. The files in C:\Documents and Settings\Asaf\My Documents are (I believe...) legit programs I downloaded. Is there still a chance that they contain malware?
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Latest aswMBR log looks good.

    Thanks, it's clean. Part of Malwarebytes.

    There's a chance. They just looked suspicious to me.

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  14. Vinici

    Vinici Private E-2

    Finally, the computer is running as usual, thank you so much!

    There is one thing though... for some reason every time I log on to my user I get a message saying Windows has found new hardware, which it lists as "unknown", and tries unsuccessfully to find drivers for it. Do you know what this might mean?
     
  15. thisisu

    thisisu Malware Consultant

    You're welcome :)
    Most likely SAS didn't properly uninstall itself.
    You can open a Command Prompt window (Start -> Run -> cmd) and type in each of these commands:

    • sc stop SASDIFSV
    • sc stop SASKUTIL
    • sc stop !SASCORE
    • sc delete SASDIFSV
    • sc delete SASKUTIL
    • sc delete !SASCORE
     
