GeekPolice
Virus on USB makes a folder icon with sparkles

Hi I'm a newbie here.

I recently experienced opening of spam web tabs in my internet browser.
I'm not sure if this is caused by this virus. I'm not sure what it is.
[Screenshot: Virus-1]

Whenever I plug any USB drive, there it is, the folder icon with confetti sparkles.
I also cannot format the USB drive. Every time I try to, this pops up:
[Screenshot: Virus2]

I really am new to this. I'd really appreciate it if you could help me with this.
I am currently using McAfee and it doesn't do anything about it. Should I install a new antivirus?

Thank you very much.

Re: Virus on USB makes a folder icon with sparkles

Hi dippindotz and Welcome to GeekPolice!

Let's work on your PC and see if we can fix your USB drive.



We need to look at some information about what is going on in your computer:

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
    [Screenshot: DDS]

  • Instead of attaching, please copy/paste both logs into your thread.

  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).

Re: Virus on USB makes a folder icon with sparkles

Thank you very much Kenny94 for the quick response. I really appreciate it.
I was at the office PC a while ago. This time, on my home PC, the virus simply won't be detected by the antivirus program. I will also run the scan again as soon as I get back to the office. I hope you still have the time.

I followed your instructions on my home PC and here are the logs:

DDS.txt

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 22:34:18.01 on Wed 04/20/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2092 [GMT -7]
.
.
============== Running Processes ===============
.
D:\WINDOWS.0\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS.0\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS.0\system32\spoolsv.exe
D:\WINDOWS.0\system32\igfxtray.exe
D:\WINDOWS.0\system32\igfxpers.exe
D:\WINDOWS.0\RTHDCPL.EXE
D:\WINDOWS.0\system32\igfxsrvc.exe
D:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS.0\system32\ctfmon.exe
D:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
D:\Program Files\BitTorrent\bittorrent.exe
C:\backup 12-29-2009\Softwares\portable software\TheSage.3.0.16.1718.RC1\TheSage.exe
D:\Program Files\Opera\opera.exe
svchost.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Alias\Maya7.0\docs\wrapper.exe
D:\WINDOWS.0\system32\svchost.exe -k imgsvc
D:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINDOWS.0\explorer.exe
D:\Program Files\Java\jre6\bin\jucheck.exe
D:\Documents and Settings\Administrator\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d
mStart Page = hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d
uInternet Settings,ProxyOverride = *.local
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: kikin Plugin: {e601996f-e400-41ca-804b-cd6373a7eee2} - d:\program files\kikin\ie_kikin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [EA Core] "d:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Messenger (Yahoo!)] "d:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [BitTorrent DNA] "d:\program files\bittorrent_dna\dna.exe"
uRun: [ctfmon.exe] d:\windows.0\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [IgfxTray] d:\windows.0\system32\igfxtray.exe
mRun: [HotKeysCmds] d:\windows.0\system32\hkcmd.exe
mRun: [Persistence] d:\windows.0\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [EPSON Stylus C45 Series] d:\windows.0\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
mRun: [egui] "d:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [AdobeCS4ServiceManager] "d:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [CanonSolutionMenu] d:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [STICKYNOTES] d:\program files\morpheusweb.it\stickynotes\StickyNotes.exe
mRun: [GrooveMonitor] "d:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [UnlockerAssistant] "d:\program files\unlocker\UnlockerAssistant.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: d:\docume~1\admini~1\startm~1\programs\startup\dropbox.lnk - d:\documents and settings\administrator\application data\dropbox\bin\Dropbox.exe
StartupFolder: d:\docume~1\admini~1\startm~1\programs\startup\thesag~1.lnk - c:\backup 12-29-2009\softwares\portable software\thesage.3.0.16.1718.rc1\TheSage.exe
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - d:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - {E601996F-E400-41CA-804B-CD6373A7EEE2} - d:\program files\kikin\ie_kikin.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\progra~1\micros~3\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\6q3u0bnm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d
FF - prefs.js: keyword.URL - hxxp://eis.esnips.com/page/search_provider/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d&q=
FF - plugin: d:\program files\bittorrent_dna\npbtdna.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;d:\windows.0\system32\drivers\ehdrv.sys [2009-3-19 107256]
R1 epfwtdir;epfwtdir;d:\windows.0\system32\drivers\epfwtdir.sys [2009-3-19 93848]
R2 ekrn;ESET Service;d:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-3-19 731840]
S3 Ambfilt;Ambfilt;d:\windows.0\system32\drivers\Ambfilt.sys [2009-12-31 1684736]
.
=============== Created Last 30 ================
.
2011-04-17 21:22:51 -------- d-----w- D:\Portrait Professional Studio 9.0.14 Portable
2011-04-17 20:08:58 -------- d-----w- d:\docume~1\admini~1\applic~1\Anthropics
2011-04-17 20:07:39 -------- d-----w- d:\program files\Portrait Professional 9 Trial
2011-04-17 20:01:35 -------- d-----w- d:\docume~1\admini~1\applic~1\kikin
2011-04-17 20:01:34 -------- d-----w- d:\program files\kikin
2011-04-17 20:01:16 -------- d-----w- d:\program files\JDownloader
2011-04-09 19:11:01 -------- d-----w- D:\Where The Wild Things Are {2009} DVDRIP. Jaybob
2011-04-09 18:58:11 -------- d-----w- d:\program files\ConvertHelper
2011-04-04 06:35:06 -------- d-----w- d:\documents and settings\administrator\dwhelper
2011-03-28 03:46:04 -------- d-----w- D:\Le Ballon Rouge - The Red Balloon (1956)
2011-03-26 07:04:20 -------- d-----w- d:\docume~1\admini~1\locals~1\applic~1\Adobe
.
==================== Find3M ====================
.
.
============= FINISH: 22:34:30.17 ===============
Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/31/2009 1:37:17 AM
System Uptime: 4/20/2011 10:20:28 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5KPL-AM SE
Processor: Intel Pentium III Xeon processor | Socket 775 | 2600/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 98 GiB total, 3.516 GiB free.
D: is FIXED (NTFS) - 51 GiB total, 4.444 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is CDROM ()
I: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP115: 3/31/2011 12:40:42 AM - System Checkpoint
RP116: 4/2/2011 6:36:45 PM - System Checkpoint
RP117: 4/9/2011 11:46:03 AM - System Checkpoint
RP118: 4/10/2011 5:57:22 PM - Removed Disney-Pixar WALL-E
RP119: 4/13/2011 8:58:46 PM - Removed Opera 11.01.
RP120: 4/17/2011 10:50:41 AM - System Checkpoint
RP121: 4/18/2011 11:37:04 PM - System Checkpoint
.
==== Installed Programs ======================
.
AAC Decoder
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles AE CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 STI-en
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Additional Exporter
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe Media Player
Adobe MotionPicture Color Files CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Reader 8.1.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Alias DirectConnect 2.0
AoADVDCreator
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
Audacity 1.3.3
AutoUpdate
BitTorrent
BitTorrent 6.0
BitTorrent DNA
Bonjour
Canon MP Navigator EX 2.0
Canon Utilities Solution Menu
CanoScan LiDE 200 Scanner Driver
CDisplay 1.8
Chikka Messenger
Chikka TXT Messenger (3.0.19)
Connect
ConvertHelper 2.2
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
doPDF 6.2 printer
Dropbox
e-Sword
EA Download Manager
EPSON Printer Software
ESET NOD32 Antivirus
GOM Player
H.264 Decoder
HashCheck Shell Extension (x86-32)
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) 6 Update 16
JDownloader
kikin plugin 2.4
kuler
LAME v3.98.3 for Audacity
Maya 7.0
Microsoft .NET Framework 2.0
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 3.0 Runtime
MKV Splitter
Mozilla Firefox (3.6.16)
NativeBoxDVD
Open Command Prompt Shell Extension (x86-32)
OpenAL
Opera 11.10
PDF Settings CS4
Photoshop Camera Raw
PicaView32
Pixel Bender Toolkit
Portrait Professional 9.5 Trial
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Sentinel System Driver
Suite Shared Configuration CS4
The KMPlayer (remove only)
The Sims 2
The Sims™ 3
The Sims™ 3 Ambitions
The Sims™ 3 World Adventures
Total Video Converter 3.12 080330
Update for Windows XP (KB955839)
VC80CRTRedist - 8.0.50727.762
VistaBootPRO 3.3
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
4/17/2011 9:54:52 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
.
==== End Of File ===========================


Thanks again.

Re: Virus on USB makes a folder icon with sparkles

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.
---------------------------------------------------------------------------------------------



  1. Download ComboFix from below:

    Combofix download


    * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

  3. Double click on combofix.exe & follow the prompts.

  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    [Screenshot: CfRC_screen_1]


    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    [Screenshot: CfRC_screen_2]

    Click on Yes, to continue scanning for malware.

  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------



Re: Virus on USB makes a folder icon with sparkles

Thanks again and I will stay with you until everything's okay.

Here is the log from ComboFix. Just one question though. Do I need to connect my infected USB drive every time I run these wares? I plugged it in before running ComboFix. Is it necessary?

=====================================================

ComboFix 11-04-20.03 - Administrator 04/21/2011 12:00:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2546 [GMT -7:00]
Running from: d:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\documents and settings\Administrator\Application Data\Desktopicon
d:\documents and settings\Administrator\Application Data\Desktopicon\eBayShortcuts.exe
d:\documents and settings\Administrator\WINDOWS
d:\documents and settings\rivo\Local Settings\Application Data\Install.exe
d:\windows.0\system32\msconfig.exe
d:\windows.0\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-21 05:43 . 2011-04-21 05:44 -------- d-----w- D:\may fraxiFA
2011-04-17 21:22 . 2011-04-17 21:22 -------- d-----w- D:\Portrait Professional Studio 9.0.14 Portable
2011-04-17 20:08 . 2011-04-17 20:08 -------- d-----w- d:\documents and settings\Administrator\Application Data\Anthropics
2011-04-17 20:07 . 2011-04-17 20:57 -------- d-----w- d:\program files\Portrait Professional 9 Trial
2011-04-17 20:01 . 2011-04-17 20:01 -------- d-----w- d:\documents and settings\Administrator\Application Data\kikin
2011-04-17 20:01 . 2011-04-20 03:30 -------- d-----w- d:\program files\kikin
2011-04-17 20:01 . 2011-04-21 06:35 -------- d-----w- d:\program files\JDownloader
2011-04-09 19:11 . 2011-04-09 19:11 -------- d-----w- D:\Where The Wild Things Are {2009} DVDRIP. Jaybob
2011-04-09 18:58 . 2011-04-09 18:58 -------- d-----w- d:\program files\ConvertHelper
2011-04-04 06:35 . 2011-04-04 06:39 -------- d-----w- d:\documents and settings\Administrator\dwhelper
2011-03-28 03:46 . 2011-03-28 03:46 -------- d-----w- D:\Le Ballon Rouge - The Red Balloon (1956)
2011-03-26 07:04 . 2011-04-18 08:25 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- d:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- d:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
------- Sigcheck -------
.
[-] 2009-07-14 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . d:\windows.0\system32\drivers\tcpip.sys
.
.
.
d:\windows.0\System32\wscntfy.exe ... is missing !!
d:\windows.0\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E601996F-E400-41CA-804B-CD6373A7EEE2}]
2010-08-16 19:35 799472 ----a-w- d:\program files\kikin\ie_kikin.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- d:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- d:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- d:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-09-25 5145912]
"BitTorrent DNA"="d:\program files\BitTorrent_DNA\dna.exe" [2011-04-09 323392]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="d:\windows.0\system32\igfxtray.exe" [2008-03-24 141848]
"HotKeysCmds"="d:\windows.0\system32\hkcmd.exe" [2008-03-24 166424]
"Persistence"="d:\windows.0\system32\igfxpers.exe" [2008-03-24 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"EPSON Stylus C45 Series"="d:\windows.0\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-13 99840]
"egui"="d:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-03-19 2029640]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2010-03-27 149280]
"CanonSolutionMenu"="d:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 99840]
.
d:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - d:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]
TheSage 3.0 RC1.lnk - c:\backup 12-29-2009\Softwares\portable software\TheSage.3.0.16.1718.RC1\TheSage.exe [2009-12-29 268800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Opera\\opera.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R0 sptd;sptd;d:\windows.0\system32\drivers\sptd.sys [1/1/2010 7:27 PM 691696]
R1 ehdrv;ehdrv;d:\windows.0\system32\drivers\ehdrv.sys [3/19/2009 12:44 PM 107256]
R1 epfwtdir;epfwtdir;d:\windows.0\system32\drivers\epfwtdir.sys [3/19/2009 12:45 PM 93848]
R2 ekrn;ESET Service;d:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/19/2009 12:44 PM 731840]
S3 Ambfilt;Ambfilt;d:\windows.0\system32\drivers\Ambfilt.sys [12/31/2009 2:51 AM 1684736]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d
mStart Page = hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - {E601996F-E400-41CA-804B-CD6373A7EEE2} - d:\program files\kikin\ie_kikin.dll
FF - ProfilePath - d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6q3u0bnm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d
FF - prefs.js: keyword.URL - hxxp://eis.esnips.com/page/search_provider/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-EA Core - d:\program files\Electronic Arts\EADM\Core.exe
HKLM-Run-AdobeCS4ServiceManager - d:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
HKLM-Run-STICKYNOTES - d:\program files\Morpheusweb.it\StickyNotes\StickyNotes.exe
HKLM-Run-UnlockerAssistant - d:\program files\Unlocker\UnlockerAssistant.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-21 12:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"91A14B995DF7C0B42ABAA16065968F3A"="d:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"
.
Completion time: 2011-04-21 12:03:50
ComboFix-quarantined-files.txt 2011-04-21 19:03
.
Pre-Run: 4,266,328,064 bytes free
Post-Run: 8,188,260,352 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS.0="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
.
- - End Of File - - DA541A10E5B42B07C9F384FEAE5A3792

Re: Virus on USB makes a folder icon with sparkles

Please do not use your flash drive. We do not want to spread the infection into your PC.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    *wscntfy.exe*
    *regsvc.dll*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Next



Please run the MGA Diagnostic Tool and post back the report it creates:

  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.
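As an added example (not from the thread, and not part of DDS, ComboFix or SystemLook): a small Python triage script for the log formats quoted above. It pulls the Run/RunOnce entries, start pages and "No File" orphans out of the DDS pseudo-HJT section, collects the files ComboFix reported as missing, and turns them into the SystemLook `:filefind` block the helper asked for. The sample lines are constructed from the logs in this thread; the allowed start-page hosts are an assumption for illustration.

```python
"""Triage helper for the DDS and ComboFix log formats quoted in this thread.

Added example, not part of the thread or of the DDS/ComboFix/SystemLook tools.
Sample lines are constructed from the logs posted above; the allowed start-page
hosts are an assumption for illustration.
"""
import re

# Constructed sample in the shape of the DDS "Pseudo HJT Report" section.
DDS_SAMPLE = """\
uStart Page = hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d
mStart Page = hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d
BHO: kikin Plugin: {e601996f-e400-41ca-804b-cd6373a7eee2} - d:\\program files\\kikin\\ie_kikin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [BitTorrent DNA] "d:\\program files\\bittorrent_dna\\dna.exe"
mRun: [egui] "d:\\program files\\eset\\eset nod32 antivirus\\egui.exe" /hide /waitservice
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
"""

# Constructed sample: the two "is missing" lines ComboFix printed in the thread.
COMBOFIX_SAMPLE = """\
d:\\windows.0\\System32\\wscntfy.exe ... is missing !!
d:\\windows.0\\System32\\regsvc.dll ... is missing !!
"""

# DDS prefixes its registry-derived lines with the hive they came from:
# u = current user, m = local machine, d = the .DEFAULT profile.
HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

AUTORUN_RE = re.compile(r"^(?P<scope>[umd])(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
START_PAGE_RE = re.compile(r"^(?P<scope>[umd])Start Page = (?P<url>\S+)$")
NO_FILE_RE = re.compile(r"^(?P<kind>TB|BHO): (?P<body>.*) - No File$")
MISSING_RE = re.compile(r"^(?P<path>.+?) \.\.\. is missing !!$")
# DDS defangs URLs as hxxp://; accept the real scheme too.
HOST_RE = re.compile(r"^h(?:xx|tt)ps?://([^/]+)", re.IGNORECASE)


def parse_autoruns(text):
    """Return one dict per Run/RunOnce entry with hive, key, name, exe and full command."""
    entries = []
    for line in text.splitlines():
        m = AUTORUN_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        # A quoted path may be followed by arguments; an unquoted one ends at the first space.
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        entries.append({"hive": HIVES[m.group("scope")], "key": m.group("key"),
                        "name": m.group("name"), "exe": exe, "command": cmd})
    return entries


def parse_start_pages(text):
    """Map hive name to the (defanged) browser start page set in that hive."""
    return {HIVES[m.group("scope")]: m.group("url")
            for m in map(START_PAGE_RE.match, text.splitlines()) if m}


def unexpected_start_pages(pages, allowed_hosts):
    """Start pages whose host is not on the allow list. The same page set in
    both HKCU and HKLM, as in the thread, deserves a closer look."""
    flagged = {}
    for hive, url in pages.items():
        m = HOST_RE.match(url)
        host = m.group(1).lower() if m else url
        if host not in allowed_hosts:
            flagged[hive] = url
    return flagged


def orphaned_entries(text):
    """Toolbar/BHO registrations whose DLL DDS could not find ('No File')."""
    return [(m.group("kind"), m.group("body"))
            for m in map(NO_FILE_RE.match, text.splitlines()) if m]


def find_missing_files(text):
    """Paths ComboFix reported with '... is missing !!'."""
    return [m.group("path") for m in map(MISSING_RE.match, text.splitlines()) if m]


def systemlook_filefind(paths):
    """Build the SystemLook ':filefind' input the helper asked for: one
    wildcard pattern per distinct file name, in the order first seen."""
    names = []
    for path in paths:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if name not in names:
            names.append(name)
    return "\n".join([":filefind"] + [f"*{n}*" for n in names])


if __name__ == "__main__":
    allowed = {"www.google.com", "www.msn.com"}  # assumption: hosts you consider normal
    for e in parse_autoruns(DDS_SAMPLE):
        print(f"{e['hive']}\\{e['key']}  {e['name']!r:20} -> {e['exe']}")
    for hive, url in unexpected_start_pages(parse_start_pages(DDS_SAMPLE), allowed).items():
        print(f"start page in {hive} not on allow list: {url}")
    for kind, body in orphaned_entries(DDS_SAMPLE):
        print(f"orphaned {kind} entry: {body}")
    print(systemlook_filefind(find_missing_files(COMBOFIX_SAMPLE)))
```

Paste a full DDS.txt or ComboFix log in place of the samples to get the same summary for a real report; the :filefind output can be pasted straight into SystemLook's text field.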

Re: Virus on USB makes a folder icon with sparkles

Here's the systemlook log:

SystemLook 04.09.10 by jpshortstuff
Log created at 07:57 on 23/04/2011 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "*wscntfy.exe*"
No files found.

Searching for "*regsvc.dll*"
No files found.

-= EOF =-



Here's the MGADiag:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-M6PX2-V96BF-8CKBJ
Windows Product Key Hash: n3MqC4LOVOQQgQUf4VrjJV6OaXI=
Windows Product ID: 55274-640-5536995-23729
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {08399C87-C737-4B47-8A05-97B5EDE4130F}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: D:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: ~[Filtered]~

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 15560:ASUSTeK Computer Inc|16C65:GENUINE C&C INC
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A



May I ask what these are for? As I will also run these procedures on my other PC at work. Thanks.

Re: Virus on USB makes a folder icon with sparkles

> Here's the MGADiag:

Well, this report is bad news. Unfortunately, this operating system is a Blocked Volume Licence; it's not genuine. Because of that, I can no longer assist, as on this forum we don't support the use of the pirated software that is on this PC.

Re: Virus on USB makes a folder icon with sparkles

I see. Thank you very much for your time Kenny94.
