Jump to content


 

Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

win64/sirefef.m and Smart Fortress 2012

Started by guangtou , May 17 2012 07:43 AM

  • This topic is locked This topic is locked
13 replies to this topic

#1 guangtou

guangtou

    New Member

  • Members
  • Pip
  • 7 posts

Posted 17 May 2012 - 07:43 AM

I was infected by Smart Fortress 2012 yesterday. After removing it I still had problems with google redirecting to other sites. Ran MSE and it picked up win64/sirefef.m and quarantined. It also kept detecting a file in windows/installer that it said it didn't recognize. But WSE would then get stuck and keep inspecting the same files over and over. Need help removing this as Malwarebytes isn't detecting it. Thanks. GMER found nothing, so no log. win32/alureon.fp came up from mse while running it though

Attached Files


Edited by guangtou, 17 May 2012 - 08:55 AM.

 

  • BC Ads
  • BleepingComputer.com

#2 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,569 posts
  • Gender:Not Telling
  • Location:Canada

Posted 17 May 2012 - 09:03 PM

Hi,

Please do the following:


For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there
[*]Press Scan button.
[*]type exit and reboot the computer normally
[*]FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.[/list]
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011, 2012

#3 guangtou

guangtou

    New Member

  • Members
  • Pip
  • 7 posts

Posted 19 May 2012 - 07:02 AM

Thanks for your help.

Here is the log:
Scan result of Farbar Recovery Scan Tool Version: 18-05-2012 02
Ran by SYSTEM at 19-05-2012 06:56:26
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [167256 2011-04-07] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [391000 2011-04-07] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [418136 2011-04-07] (Intel Corporation)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [316032 2010-12-14] (Conexant systems, Inc.)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-05-17] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [972672 2011-04-27] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-06-09] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [597936 2011-07-27] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38824 2011-06-28] (TOSHIBA Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [weset] rundll32.exe "C:\Users\Brian\AppData\Local\Temp\weset.dll",SteamAPI_UnregisterCallback [105984 2012-05-16] (DT Soft Ltd)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
HKU\Brian\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-02-14] (Google Inc.)
HKU\Brian\...\Run: [AdobeBridge] [x]
HKU\Brian\...\Run: [HP Officejet Pro 8600 (NET)] "C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" -deviceID "CN21KAR0HW05KF:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1 [2676584 2011-09-09] (Hewlett-Packard Co.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ======

3 GamesAppService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" [206072 2010-10-12] (WildTangent, Inc.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\diMaster.dll" /prefetch:1 [303544 2011-08-11] (Symantec Corporation)
2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe /s [123320 2011-07-19] (Symantec Corporation)
2 PCCUJobMgr; "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe" /s "PCCUJobMgr" /m "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll" /prefetch:1 [132984 2011-07-19] (Symantec Corporation)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2011-02-01] (Intel Corporation)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
2 WinDefend; C:\Program Files (x86)\Windows Defender\mpsvc.dll [x]

========================== Drivers (Whitelisted) =============

3 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120413.001\BHDrvx64.sys [1160824 2012-04-02] (Symantec Corporation)
3 ccSet_NIS; C:\Windows\System32\drivers\NISx64\1301000.01C\ccSetx64.sys [167048 2011-08-08] (Symantec Corporation)
3 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [482936 2012-03-24] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138360 2012-03-27] (Symantec Corporation)
3 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120423.001\IDSvia64.sys [488568 2012-03-23] (Symantec Corporation)
3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [12262624 2011-04-04] (Intel Corporation)
3 mbamchameleon; C:\Windows\System32\Drivers\mbamchameleon.sys [33096 2012-05-19] ()
3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [24904 2012-04-04] (Malwarebytes Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120423.002\ENG64.SYS [117880 2012-04-23] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20120423.002\EX64.SYS [2048632 2012-04-23] (Symantec Corporation)
3 RSUSBSTOR; C:\Windows\System32\Drivers\RtsUStor.sys [243712 2010-10-08] (Realtek Semiconductor Corp.)
3 RTL8192Ce; C:\Windows\System32\Drivers\RTL8192Ce.sys [1109096 2011-01-05] (Realtek Semiconductor Corporation )
3 SRTSP; C:\Windows\System32\drivers\NISx64\1301000.01C\SRTSP64.SYS [729720 2011-08-02] (Symantec Corporation)
3 SRTSPX; C:\Windows\System32\drivers\NISx64\1301000.01C\SRTSPX64.SYS [37496 2011-08-02] (Symantec Corporation)
3 SymDS; C:\Windows\System32\drivers\NISx64\1301000.01C\SYMDS64.SYS [451192 2011-07-25] (Symantec Corporation)
3 SymEFA; C:\Windows\System32\drivers\NISx64\1301000.01C\SYMEFA64.SYS [1084536 2011-07-28] (Symantec Corporation)
3 SymEvent; \??\C:\windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2012-02-14] (Symantec Corporation)
3 SymIRON; C:\Windows\System32\drivers\NISx64\1301000.01C\Ironx64.SYS [189560 2011-07-25] (Symantec Corporation)
3 SymNetS; C:\Windows\System32\drivers\NISx64\1301000.01C\SYMNETS.SYS [401016 2011-07-25] (Symantec Corporation)

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-05-19 06:55 - 2012-05-19 06:56 - 0000000 ____D C:\FRST
2012-05-19 02:25 - 2012-05-19 02:26 - 0000000 ____D C:\Users\Brian\AppData\Roaming\U3
2012-05-19 01:59 - 2012-05-19 02:00 - 0033096 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2012-05-17 05:40 - 2012-05-17 05:40 - 0294216 ____A C:\Users\Brian\Downloads\gmer.zip
2012-05-17 05:21 - 2012-05-17 05:21 - 0000000 ____A C:\Users\Brian\defogger_reenable
2012-05-17 02:35 - 2012-05-17 17:44 - 0002198 ____A C:\Windows\epplauncher.mif
2012-05-17 02:35 - 2012-05-17 02:35 - 0000000 ____D C:\Program Files\Microsoft Security Client
2012-05-17 02:35 - 2012-05-17 02:35 - 0000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-05-17 02:31 - 2012-05-17 02:34 - 12621696 ____A (Microsoft Corporation) C:\Users\Brian\Desktop\mseinstall.exe
2012-05-17 02:16 - 2012-05-17 02:17 - 0128266 ____A C:\TDSSKiller.2.7.35.0_17.05.2012_05.16.28_log.txt
2012-05-17 01:51 - 2012-05-17 01:51 - 0128266 ____A C:\TDSSKiller.2.7.35.0_17.05.2012_04.51.10_log.txt
2012-05-17 01:22 - 2012-05-17 01:22 - 0128288 ____A C:\TDSSKiller.2.7.35.0_17.05.2012_04.22.07_log.txt
2012-05-17 00:50 - 2012-05-17 00:51 - 0128266 ____A C:\TDSSKiller.2.7.35.0_17.05.2012_03.50.31_log.txt
2012-05-17 00:38 - 2012-05-17 00:38 - 0128288 ____A C:\TDSSKiller.2.7.35.0_17.05.2012_03.38.11_log.txt
2012-05-17 00:36 - 2012-05-17 00:50 - 0000000 ___SD C:\32788R22FWJFW
2012-05-16 16:44 - 2012-05-16 16:45 - 0127364 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_19.44.16_log.txt
2012-05-16 16:37 - 2012-05-16 16:38 - 0127670 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_19.37.40_log.txt
2012-05-16 15:40 - 2012-05-16 15:45 - 0127670 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_18.40.49_log.txt
2012-05-16 15:31 - 2012-05-16 15:31 - 0127670 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_18.31.08_log.txt
2012-05-16 15:27 - 2012-05-16 15:27 - 0127670 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_18.27.12_log.txt
2012-05-16 15:21 - 2012-05-17 05:34 - 1253128 ____A C:\Windows\ntbtlog.txt
2012-05-16 15:17 - 2012-05-16 15:18 - 0127364 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_18.17.43_log.txt
2012-05-16 15:14 - 2012-05-16 15:14 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-05-16 15:10 - 2012-05-16 15:16 - 0377324 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_18.10.47_log.txt
2012-05-16 14:43 - 2012-05-16 14:44 - 0127722 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_17.43.25_log.txt
2012-05-16 14:42 - 2012-05-16 14:43 - 0127708 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_17.42.23_log.txt
2012-05-16 14:26 - 2012-05-16 14:26 - 0000000 ____D C:\Users\Brian\Documents\Corel DVD MovieFactory
2012-05-16 14:26 - 2012-05-16 14:26 - 0000000 ____D C:\Users\All Users\Ulead Systems
2012-05-16 14:26 - 2012-05-16 14:26 - 0000000 ____D C:\ProgramData\Ulead Systems
2012-05-16 14:05 - 2012-05-16 15:24 - 0000000 ____D C:\Users\Brian\AppData\Local\NPE
2012-05-16 14:01 - 2012-05-16 14:02 - 2804712 ____A (Symantec Corporation) C:\Users\Brian\Downloads\NPE.exe
2012-05-16 13:45 - 2012-05-17 02:39 - 0532480 ____A (Trend Micro Incorporated) C:\Users\Brian\Downloads\cwshredder.exe
2012-05-16 13:15 - 2012-05-16 13:15 - 0000000 ____D C:\Users\Brian\Documents\Remote Assistance Logs
2012-05-16 05:27 - 2012-05-16 05:27 - 0001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-16 05:27 - 2012-05-16 05:27 - 0000000 ____D C:\Users\Brian\AppData\Roaming\Malwarebytes
2012-05-16 05:26 - 2012-05-16 05:27 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-05-16 05:26 - 2012-05-16 05:26 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-05-16 05:26 - 2012-05-16 05:26 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-05-16 05:26 - 2012-04-04 12:56 - 0024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-05-16 05:15 - 2012-05-17 04:01 - 0000361 ____A C:\rkill.log
2012-05-16 05:08 - 2012-05-16 05:08 - 0000000 ____D C:\Windows\System32\%LOCALAPPDATA%
2012-05-16 04:45 - 2012-05-16 04:45 - 0883616 ____A (Bleeping Computer, LLC) C:\FixExec.com
2012-05-16 04:16 - 2012-05-16 04:16 - 0000000 ____D C:\Windows\system64
2012-05-15 03:35 - 2012-05-15 03:35 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-15 03:35 - 2012-05-15 03:35 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-13 03:42 - 2012-05-13 03:42 - 0000000 ____D C:\Users\Brian\Documents\files.iss
2012-05-10 03:36 - 2012-03-30 22:05 - 5559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-10 03:36 - 2012-03-30 20:39 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-10 03:36 - 2012-03-30 20:39 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-10 03:36 - 2012-03-30 19:10 - 3146240 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-10 03:36 - 2012-03-02 22:35 - 1544704 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-05-10 03:36 - 2012-03-02 21:31 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-05-10 03:34 - 2012-03-30 03:35 - 1918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-05-10 03:34 - 2012-03-16 23:58 - 0075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-05-06 18:29 - 2012-05-06 18:30 - 0000000 ____D C:\Users\Brian\Desktop\Printer
2012-05-06 18:27 - 2012-05-06 18:29 - 0000000 ____D C:\Users\Brian\Desktop\Canon Programs
2012-05-06 16:43 - 2012-05-06 17:13 - 0000000 ____D C:\Users\Brian\Documents\PicabooX
2012-05-04 13:55 - 2012-05-04 13:55 - 0109016 ___AH C:\Windows\SysWOW64\mlfcache.dat
2012-05-04 13:53 - 2012-05-04 13:53 - 0000000 ____D C:\Users\Brian\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-05-02 04:42 - 2012-05-02 04:42 - 0000162 ___AH C:\Users\Brian\Desktop\~$ian Hancock.docx
2012-05-02 04:06 - 2012-05-02 04:06 - 0000000 ____D C:\Users\Brian\AppData\Local\{BD1EB98F-C333-4FC7-845B-649688A9CD94}
2012-05-02 04:06 - 2012-05-02 04:06 - 0000000 ____D C:\Users\Brian\AppData\Local\{AA4B7A34-2221-44D8-AAC6-9904A881B6BC}
2012-05-02 03:53 - 2012-05-02 03:53 - 0000000 ____D C:\Users\Brian\AppData\Local\{FFFE0CA2-1DB9-4268-8FE1-264E9A49AE92}
2012-05-02 03:53 - 2012-05-02 03:53 - 0000000 ____D C:\Users\Brian\AppData\Local\{56EA1CA2-F0F2-4DD7-A7FE-11C61237C344}
2012-05-02 03:48 - 2012-05-02 03:48 - 0000000 ____D C:\Users\Brian\AppData\Local\{83B3C1DA-B690-489C-A609-AB90E0166B0E}
2012-05-02 03:48 - 2012-05-02 03:48 - 0000000 ____D C:\Users\Brian\AppData\Local\{69A96215-2B04-414F-B8F7-AC1F8D96FD60}
2012-04-30 03:37 - 2012-04-30 03:37 - 0000000 ____D C:\Users\Brian\AppData\Local\{A41D3BB3-6616-40CF-94E7-7A5772CCFB8F}
2012-04-30 03:37 - 2012-04-30 03:37 - 0000000 ____D C:\Users\Brian\AppData\Local\{561C5F63-135D-4F92-9ADB-8E65D0166D95}
2012-04-30 03:34 - 2012-04-30 04:19 - 0000000 ____D C:\Users\Brian\AppData\Local\CrashDumps
2012-04-29 16:15 - 2012-05-13 05:35 - 0009728 ____A C:\Users\Brian\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-29 15:57 - 2012-05-13 05:36 - 0000304 ____A C:\Windows\MRU.ini
2012-04-29 15:31 - 2012-04-30 04:23 - 0000000 ____D C:\Program Files (x86)\eos_movrec
2012-04-29 15:30 - 2012-04-29 15:31 - 5759292 ____A (Chernov A.A. ) C:\Users\Brian\Downloads\eos_movrec-0.3.1.1_beta-setup.exe
2012-04-29 08:46 - 2012-04-29 08:46 - 0000000 ____D C:\Users\Brian\AppData\Roaming\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2012-04-29 08:46 - 2012-04-29 08:46 - 0000000 ____D C:\Program Files (x86)\Picaboo X
2012-04-25 03:18 - 2012-04-25 03:18 - 0000000 ____D C:\Users\Brian\AppData\Local\{8EF2098D-4843-446E-813E-0D83B25F5CC9}
2012-04-25 03:17 - 2012-04-25 03:17 - 0000000 ____D C:\Users\Brian\AppData\Local\{F0BED1E8-5318-4D34-938A-3D0AC0C8260A}
2012-04-21 03:49 - 2012-04-21 03:49 - 0000000 ____D C:\Windows\Sun

============ 3 Months Modified Files and Folders =============

2012-05-19 06:56 - 2012-05-19 06:55 - 0000000 ____D C:\FRST
2012-05-19 03:50 - 2012-02-14 15:17 - 1244214 ____A C:\Windows\WindowsUpdate.log
2012-05-19 03:37 - 2012-02-14 15:52 - 0000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-05-19 03:37 - 2012-02-14 15:52 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-05-19 02:26 - 2012-05-19 02:25 - 0000000 ____D C:\Users\Brian\AppData\Roaming\U3
2012-05-19 02:08 - 2009-07-13 20:45 - 0024608 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-19 02:08 - 2009-07-13 20:45 - 0024608 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-19 02:00 - 2012-05-19 01:59 - 0033096 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2012-05-19 01:59 - 2012-04-17 10:55 - 0001926 ____A C:\Users\Brian\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk
2012-05-19 01:59 - 2012-04-17 10:55 - 0001926 ____A C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk
2012-05-19 01:59 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-05-19 01:59 - 2009-07-13 20:51 - 0040252 ____A C:\Windows\setupact.log
2012-05-19 01:58 - 2012-02-14 15:11 - 3180220416 __ASH C:\hiberfil.sys
2012-05-17 17:44 - 2012-05-17 02:35 - 0002198 ____A C:\Windows\epplauncher.mif
2012-05-17 05:40 - 2012-05-17 05:40 - 0294216 ____A C:\Users\Brian\Downloads\gmer.zip
2012-05-17 05:34 - 2012-05-16 15:21 - 1253128 ____A C:\Windows\ntbtlog.txt
2012-05-17 05:26 - 2009-07-13 21:13 - 0730554 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-17 05:21 - 2012-05-17 05:21 - 0000000 ____A C:\Users\Brian\defogger_reenable
2012-05-17 05:21 - 2012-03-24 03:44 - 0000000 ____D C:\users\Brian
2012-05-17 05:19 - 2012-03-25 03:40 - 0000000 __SHD C:\Users\Brian\AppData\Local\{56e02f73-c73e-341c-1909-583710acfd43}
2012-05-17 04:01 - 2012-05-16 05:15 - 0000361 ____A C:\rkill.log
2012-05-17 02:39 - 2012-05-16 13:45 - 0532480 ____A (Trend Micro Incorporated) C:\Users\Brian\Downloads\cwshredder.exe
2012-05-17 02:35 - 2012-05-17 02:35 - 0000000 ____D C:\Program Files\Microsoft Security Client
2012-05-17 02:35 - 2012-05-17 02:35 - 0000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-05-17 02:35 - 2012-04-04 07:45 - 0744400 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-05-17 02:34 - 2012-05-17 02:31 - 12621696 ____A (Microsoft Corporation) C:\Users\Brian\Desktop\mseinstall.exe
2012-05-17 02:17 - 2012-05-17 02:16 - 0128266 ____A C:\TDSSKiller.2.7.35.0_17.05.2012_05.16.28_log.txt
2012-05-17 01:51 - 2012-05-17 01:51 - 0128266 ____A C:\TDSSKiller.2.7.35.0_17.05.2012_04.51.10_log.txt
2012-05-17 01:42 - 2010-11-20 19:47 - 0012976 ____A C:\Windows\PFRO.log
2012-05-17 01:22 - 2012-05-17 01:22 - 0128288 ____A C:\TDSSKiller.2.7.35.0_17.05.2012_04.22.07_log.txt
2012-05-17 00:51 - 2012-05-17 00:50 - 0128266 ____A C:\TDSSKiller.2.7.35.0_17.05.2012_03.50.31_log.txt
2012-05-17 00:50 - 2012-05-17 00:36 - 0000000 ___SD C:\32788R22FWJFW
2012-05-17 00:38 - 2012-05-17 00:38 - 0128288 ____A C:\TDSSKiller.2.7.35.0_17.05.2012_03.38.11_log.txt
2012-05-16 16:45 - 2012-05-16 16:44 - 0127364 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_19.44.16_log.txt
2012-05-16 16:38 - 2012-05-16 16:37 - 0127670 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_19.37.40_log.txt
2012-05-16 15:45 - 2012-05-16 15:40 - 0127670 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_18.40.49_log.txt
2012-05-16 15:31 - 2012-05-16 15:31 - 0127670 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_18.31.08_log.txt
2012-05-16 15:27 - 2012-05-16 15:27 - 0127670 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_18.27.12_log.txt
2012-05-16 15:24 - 2012-05-16 14:05 - 0000000 ____D C:\Users\Brian\AppData\Local\NPE
2012-05-16 15:18 - 2012-05-16 15:17 - 0127364 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_18.17.43_log.txt
2012-05-16 15:16 - 2012-05-16 15:10 - 0377324 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_18.10.47_log.txt
2012-05-16 15:14 - 2012-05-16 15:14 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-05-16 14:44 - 2012-05-16 14:43 - 0127722 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_17.43.25_log.txt
2012-05-16 14:43 - 2012-05-16 14:42 - 0127708 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_17.42.23_log.txt
2012-05-16 14:26 - 2012-05-16 14:26 - 0000000 ____D C:\Users\Brian\Documents\Corel DVD MovieFactory
2012-05-16 14:26 - 2012-05-16 14:26 - 0000000 ____D C:\Users\All Users\Ulead Systems
2012-05-16 14:26 - 2012-05-16 14:26 - 0000000 ____D C:\ProgramData\Ulead Systems
2012-05-16 14:06 - 2012-02-14 15:58 - 0000000 ____D C:\Users\All Users\Norton
2012-05-16 14:06 - 2012-02-14 15:58 - 0000000 ____D C:\ProgramData\Norton
2012-05-16 14:02 - 2012-05-16 14:01 - 2804712 ____A (Symantec Corporation) C:\Users\Brian\Downloads\NPE.exe
2012-05-16 13:33 - 2012-03-24 04:02 - 0000000 ____D C:\Users\Brian\AppData\Local\Google
2012-05-16 13:15 - 2012-05-16 13:15 - 0000000 ____D C:\Users\Brian\Documents\Remote Assistance Logs
2012-05-16 05:27 - 2012-05-16 05:27 - 0001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-16 05:27 - 2012-05-16 05:27 - 0000000 ____D C:\Users\Brian\AppData\Roaming\Malwarebytes
2012-05-16 05:27 - 2012-05-16 05:26 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-05-16 05:26 - 2012-05-16 05:26 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-05-16 05:26 - 2012-05-16 05:26 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-05-16 05:08 - 2012-05-16 05:08 - 0000000 ____D C:\Windows\System32\%LOCALAPPDATA%
2012-05-16 04:45 - 2012-05-16 04:45 - 0883616 ____A (Bleeping Computer, LLC) C:\FixExec.com
2012-05-16 04:16 - 2012-05-16 04:16 - 0000000 ____D C:\Windows\system64
2012-05-16 03:04 - 2009-07-13 18:34 - 0000886 __RAH C:\Windows\System32\Drivers\etc\hosts.bak
2012-05-15 03:35 - 2012-05-15 03:35 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-15 03:35 - 2012-05-15 03:35 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-05-13 05:40 - 2012-03-24 04:52 - 0000174 ____A C:\Windows\ESTIMATE-SETTING.INI
2012-05-13 05:40 - 2012-03-24 04:52 - 0000160 ____A C:\Windows\ALIGN-SETTING.INI
2012-05-13 05:40 - 2012-03-24 04:52 - 0000106 ____A C:\Windows\LIMIT-SETTING.INI
2012-05-13 05:36 - 2012-04-29 15:57 - 0000304 ____A C:\Windows\MRU.ini
2012-05-13 05:35 - 2012-04-29 16:15 - 0009728 ____A C:\Users\Brian\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-13 03:42 - 2012-05-13 03:42 - 0000000 ____D C:\Users\Brian\Documents\files.iss
2012-05-11 16:04 - 2009-07-13 20:45 - 4826928 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-11 16:02 - 2012-04-04 07:46 - 0000000 ____D C:\Users\Brian\AppData\Roaming\SoftGrid Client
2012-05-11 03:04 - 2010-11-20 23:17 - 0000000 ____D C:\Program Files\Windows Journal
2012-05-06 18:30 - 2012-05-06 18:29 - 0000000 ____D C:\Users\Brian\Desktop\Printer
2012-05-06 18:29 - 2012-05-06 18:27 - 0000000 ____D C:\Users\Brian\Desktop\Canon Programs
2012-05-06 17:13 - 2012-05-06 16:43 - 0000000 ____D C:\Users\Brian\Documents\PicabooX
2012-05-05 16:41 - 2012-03-24 04:49 - 0000000 ____D C:\Program Files (x86)\BackyardEOS
2012-05-04 13:55 - 2012-05-04 13:55 - 0109016 ___AH C:\Windows\SysWOW64\mlfcache.dat
2012-05-04 13:54 - 2011-10-30 18:33 - 0000000 ____D C:\Program Files (x86)\Adobe
2012-05-04 13:53 - 2012-05-04 13:53 - 0000000 ____D C:\Users\Brian\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-05-02 04:42 - 2012-05-02 04:42 - 0000162 ___AH C:\Users\Brian\Desktop\~$ian Hancock.docx
2012-05-02 04:13 - 2012-04-16 17:38 - 0000000 ____D C:\Users\Brian\Downloads\MakeAVI-0.11
2012-05-02 04:11 - 2012-04-16 17:36 - 0306151 ____A C:\Users\Brian\Downloads\MakeAVI-0.11.zip
2012-05-02 04:06 - 2012-05-02 04:06 - 0000000 ____D C:\Users\Brian\AppData\Local\{BD1EB98F-C333-4FC7-845B-649688A9CD94}
2012-05-02 04:06 - 2012-05-02 04:06 - 0000000 ____D C:\Users\Brian\AppData\Local\{AA4B7A34-2221-44D8-AAC6-9904A881B6BC}
2012-05-02 03:53 - 2012-05-02 03:53 - 0000000 ____D C:\Users\Brian\AppData\Local\{FFFE0CA2-1DB9-4268-8FE1-264E9A49AE92}
2012-05-02 03:53 - 2012-05-02 03:53 - 0000000 ____D C:\Users\Brian\AppData\Local\{56EA1CA2-F0F2-4DD7-A7FE-11C61237C344}
2012-05-02 03:48 - 2012-05-02 03:48 - 0000000 ____D C:\Users\Brian\AppData\Local\{83B3C1DA-B690-489C-A609-AB90E0166B0E}
2012-05-02 03:48 - 2012-05-02 03:48 - 0000000 ____D C:\Users\Brian\AppData\Local\{69A96215-2B04-414F-B8F7-AC1F8D96FD60}
2012-04-30 04:23 - 2012-04-29 15:31 - 0000000 ____D C:\Program Files (x86)\eos_movrec
2012-04-30 04:19 - 2012-04-30 03:34 - 0000000 ____D C:\Users\Brian\AppData\Local\CrashDumps
2012-04-30 03:37 - 2012-04-30 03:37 - 0000000 ____D C:\Users\Brian\AppData\Local\{A41D3BB3-6616-40CF-94E7-7A5772CCFB8F}
2012-04-30 03:37 - 2012-04-30 03:37 - 0000000 ____D C:\Users\Brian\AppData\Local\{561C5F63-135D-4F92-9ADB-8E65D0166D95}
2012-04-29 15:31 - 2012-04-29 15:30 - 5759292 ____A (Chernov A.A. ) C:\Users\Brian\Downloads\eos_movrec-0.3.1.1_beta-setup.exe
2012-04-29 08:48 - 2012-03-24 04:21 - 0000000 ____D C:\Users\Brian\AppData\Local\Adobe
2012-04-29 08:46 - 2012-04-29 08:46 - 0000000 ____D C:\Users\Brian\AppData\Roaming\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2012-04-29 08:46 - 2012-04-29 08:46 - 0000000 ____D C:\Program Files (x86)\Picaboo X
2012-04-25 03:18 - 2012-04-25 03:18 - 0000000 ____D C:\Users\Brian\AppData\Local\{8EF2098D-4843-446E-813E-0D83B25F5CC9}
2012-04-25 03:17 - 2012-04-25 03:17 - 0000000 ____D C:\Users\Brian\AppData\Local\{F0BED1E8-5318-4D34-938A-3D0AC0C8260A}
2012-04-21 03:49 - 2012-04-21 03:49 - 0000000 ____D C:\Windows\Sun
2012-04-17 11:02 - 2012-04-17 11:02 - 3654408 ____A C:\Users\Brian\Documents\Scan0001.pdf
2012-04-17 10:55 - 2012-04-17 10:40 - 0000000 ____D C:\Users\Brian\AppData\Local\HP
2012-04-17 10:42 - 2012-04-17 10:42 - 0000000 ____D C:\Users\All Users\HP
2012-04-17 10:42 - 2012-04-17 10:42 - 0000000 ____D C:\ProgramData\HP
2012-04-17 10:42 - 2012-04-17 10:42 - 0000000 ____D C:\Program Files (x86)\HP
2012-04-17 10:41 - 2012-04-17 10:41 - 0000000 ____D C:\Program Files\HP
2012-04-16 17:29 - 2012-04-16 17:29 - 0000000 ____D C:\Users\Brian\AppData\Local\{CC90E26E-AC4C-451A-94C2-69380E386B96}
2012-04-16 17:29 - 2012-04-16 17:13 - 0000000 ____D C:\Users\Brian\AppData\Local\Windows Live
2012-04-16 17:23 - 2012-04-16 17:23 - 0000000 ____D C:\Users\Brian\AppData\Local\{C7A25979-C71E-4C78-B5BA-1D38F990707C}
2012-04-16 17:13 - 2012-04-16 17:13 - 0000000 ____D C:\Users\Brian\AppData\Local\{D233FC26-3F59-40E0-841F-993AB07E2F86}
2012-04-16 17:11 - 2012-04-16 17:11 - 0000000 ____D C:\Users\Brian\AppData\Roaming\ZoomBrowser EX
2012-04-12 01:45 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2012-04-10 03:49 - 2012-04-10 03:49 - 0000000 ____D C:\Users\Brian\AppData\Local\{9AF917E5-F73C-40B5-A172-73853D02EA5E}
2012-04-08 11:18 - 2010-11-20 23:16 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-04-08 11:14 - 2012-04-08 11:14 - 0000000 ____D C:\Users\Brian\AppData\Local\{44BA74DE-EB9F-4526-8880-A75D40DE18C8}
2012-04-08 04:48 - 2012-04-08 04:48 - 0000000 ____D C:\Users\Brian\AppData\Local\{33485C94-70BA-46A8-99D6-9D7C9F56660F}
2012-04-08 03:11 - 2012-03-24 04:02 - 0000000 ____D C:\Users\Brian\AppData\Roaming\Adobe
2012-04-08 02:54 - 2012-03-24 03:46 - 0000000 ____D C:\Users\Brian\AppData\Local\VirtualStore
2012-04-07 04:05 - 2012-04-07 04:05 - 0000000 __RHD C:\MSOCache
2012-04-06 06:06 - 2012-04-04 14:28 - 0000000 ____D C:\Users\All Users\VirtualizedApplications
2012-04-06 06:06 - 2012-04-04 14:28 - 0000000 ____D C:\ProgramData\VirtualizedApplications
2012-04-06 05:38 - 2012-04-06 05:38 - 0000000 ____D C:\Users\Brian\AppData\Local\ElevatedDiagnostics
2012-04-06 03:40 - 2012-04-06 03:32 - 0000000 ____D C:\Users\Brian\AppData\Local\{8EC6DD43-42CE-47C4-8BB9-FBD2565BCAF4}
2012-04-06 03:33 - 2012-04-06 03:32 - 0000000 ____D C:\Users\Brian\AppData\Local\{5D0F4020-0F70-4572-9893-F25A195DB8A8}
2012-04-06 00:33 - 2012-04-04 07:45 - 0000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2012-04-04 12:56 - 2012-05-16 05:26 - 0024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-04 07:46 - 2012-04-04 07:46 - 0000000 ____D C:\Users\Brian\AppData\Local\SoftGrid Client
2012-04-04 07:46 - 2012-04-04 07:45 - 0000000 ____D C:\Users\Brian\AppData\Roaming\TP
2012-04-04 07:45 - 2012-04-04 07:45 - 0000000 ____D C:\Program Files\Microsoft Office
2012-04-04 07:45 - 2011-10-30 18:43 - 0000000 ____D C:\Program Files (x86)\Microsoft Office
2012-04-04 07:45 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\Microsoft Shared
2012-04-04 02:48 - 2012-04-04 02:48 - 0047672 ____A C:\Users\Brian\Downloads\Astronomy_Tools_v1_6.zip
2012-04-03 05:20 - 2012-04-03 05:20 - 1110476 ____A C:\Users\Brian\Downloads\7z920.exe
2012-04-03 05:20 - 2012-04-03 05:20 - 0000000 ____D C:\Program Files (x86)\7-Zip
2012-04-03 05:19 - 2009-07-13 19:18 - 0000000 __SHD C:\$Recycle.Bin
2012-04-03 05:17 - 2012-04-03 05:24 - 3734674 ____A C:\Users\Brian\Documents\DeepSkyStacker333beta45.rar
2012-04-02 17:20 - 2012-04-02 17:20 - 0000000 ____D C:\Users\Brian\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2012-04-02 17:20 - 2012-04-02 17:20 - 0000000 ____D C:\Users\Brian\AppData\Roaming\Adobe Mini Bridge CS5
2012-04-02 01:55 - 2012-04-02 01:50 - 54134088 ____A C:\Users\Brian\Downloads\winzip160.exe
2012-04-01 18:52 - 2012-04-01 18:51 - 0000000 ____D C:\Users\Brian\AppData\Local\{00A216CD-C777-4C22-861B-805B98961DCD}
2012-03-30 22:05 - 2012-05-10 03:36 - 5559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-30 20:39 - 2012-05-10 03:36 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-30 20:39 - 2012-05-10 03:36 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-30 19:10 - 2012-05-10 03:36 - 3146240 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 04:30 - 2012-03-26 04:52 - 0000000 ____D C:\Users\Brian\AppData\Local\CANON_INC
2012-03-30 03:35 - 2012-05-10 03:34 - 1918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-28 05:20 - 2012-03-28 05:20 - 0000000 ____D C:\Users\Brian\AppData\Local\Microsoft Games
2012-03-28 04:27 - 2011-10-30 18:33 - 0000000 ____D C:\Users\All Users\Adobe
2012-03-28 04:27 - 2011-10-30 18:33 - 0000000 ____D C:\ProgramData\Adobe
2012-03-27 14:43 - 2012-03-24 03:47 - 0000174 ___SH C:\Users\Brian\Start Menu\Programs\Startup\desktop.ini
2012-03-27 14:43 - 2012-03-24 03:47 - 0000174 ___SH C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-03-27 14:26 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\System
2012-03-27 04:22 - 2012-03-27 04:22 - 0000000 ____D C:\Users\Brian\AppData\Roaming\Nebulosity3
2012-03-26 04:54 - 2012-03-26 04:54 - 0000000 ____D C:\Users\Brian\AppData\Roaming\Canon
2012-03-26 04:51 - 2012-03-26 04:51 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-03-25 03:56 - 2012-03-24 03:45 - 0000000 ____D C:\Users\Brian\AppData\LocalLow
2012-03-24 05:27 - 2012-03-24 05:27 - 0000000 ____D C:\Users\Brian\AppData\Roaming\Tific
2012-03-24 05:01 - 2012-03-24 04:59 - 0000000 ____D C:\Program Files (x86)\Canon
2012-03-24 05:00 - 2012-03-24 05:00 - 0000000 ____D C:\Users\All Users\ZoomBrowser
2012-03-24 05:00 - 2012-03-24 05:00 - 0000000 ____D C:\ProgramData\ZoomBrowser
2012-03-24 04:53 - 2012-03-24 04:53 - 1608732 ____A () C:\Users\Brian\Downloads\updateregistax6.exe
2012-03-24 04:53 - 2012-03-24 04:52 - 0000000 ____D C:\Program Files (x86)\RegiStax 6
2012-03-24 04:52 - 2012-03-24 04:51 - 3217092 ____A () C:\Users\Brian\Downloads\setupregistax6.exe
2012-03-24 04:49 - 2012-03-24 04:46 - 23525216 ____A (BinaryRivers Corporation ) C:\Users\Brian\Downloads\setup-BackyardEOS-v203-35516.exe
2012-03-24 04:45 - 2012-03-24 04:02 - 0000000 ____D C:\Users\Brian\AppData\Roaming\Google
2012-03-24 04:43 - 2012-03-24 04:43 - 0000000 ____D C:\Users\All Users\regid.1986-12.com.adobe
2012-03-24 04:43 - 2012-03-24 04:43 - 0000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2012-03-24 04:42 - 2012-03-24 04:42 - 0000000 ____D C:\Users\Brian\Documents\Adobe Scripts
2012-03-24 04:42 - 2012-03-24 03:49 - 0057560 ____A C:\Users\Brian\AppData\Local\GDIPFONTCACHEV1.DAT
2012-03-24 04:41 - 2012-03-24 04:41 - 0000000 ____D C:\Program Files\Adobe
2012-03-24 04:41 - 2012-03-24 04:37 - 0000000 ____D C:\Program Files\Common Files\Adobe
2012-03-24 04:36 - 2012-03-24 04:36 - 0000000 ____D C:\Program Files (x86)\Adobe Media Player
2012-03-24 03:50 - 2012-03-24 03:50 - 0000000 ____D C:\Users\Brian\AppData\Roaming\Toshiba
2012-03-24 03:49 - 2012-03-24 03:48 - 0000000 ____D C:\Users\Brian\AppData\Local\TOSHIBA
2012-03-24 03:46 - 2012-03-24 03:46 - 0000013 __RSH C:\Windows\System32\Drivers\fbd.sys
2012-03-24 03:46 - 2011-10-31 10:48 - 0000000 ____D C:\Windows\Panther
2012-03-24 03:46 - 2010-11-20 23:06 - 0000000 ____D C:\Windows\SysWOW64\sysprep
2012-03-24 03:46 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Sysprep
2012-03-24 03:45 - 2012-03-24 03:45 - 0000020 ___SH C:\Users\Brian\ntuser.ini
2012-03-24 03:45 - 2012-03-24 03:45 - 0000000 __SHD C:\Users\Brian\Templates
2012-03-24 03:45 - 2012-03-24 03:45 - 0000000 __SHD C:\Users\Brian\Start Menu
2012-03-24 03:45 - 2012-03-24 03:45 - 0000000 __SHD C:\Users\Brian\PrintHood
2012-03-24 03:45 - 2012-03-24 03:45 - 0000000 __SHD C:\Users\Brian\NetHood
2012-03-24 03:45 - 2012-03-24 03:45 - 0000000 __SHD C:\Users\Brian\My Documents
2012-03-24 03:45 - 2012-03-24 03:45 - 0000000 __SHD C:\Users\Brian\Documents\My Videos
2012-03-24 03:45 - 2012-03-24 03:45 - 0000000 __SHD C:\Users\Brian\Documents\My Pictures
2012-03-24 03:45 - 2012-03-24 03:45 - 0000000 __SHD C:\Users\Brian\Documents\My Music
2012-03-24 03:45 - 2012-03-24 03:45 - 0000000 __SHD C:\Users\Brian\AppData\Local\Temporary Internet Files
2012-03-24 03:45 - 2012-03-24 03:45 - 0000000 __SHD C:\Users\Brian\AppData\Local\History
2012-03-24 03:45 - 2012-03-24 03:45 - 0000000 ____D C:\Users\Brian\AppData\Roaming\WinBatch
2012-03-24 03:45 - 2011-10-30 18:33 - 0000000 ____D C:\Program Files (x86)\TOSHIBA
2012-03-24 03:45 - 2011-10-30 18:30 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-03-24 03:45 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\System32\restore
2012-03-24 03:44 - 2009-07-13 19:20 - 0000000 __RHD C:\Users\Public\Libraries
2012-03-24 02:42 - 2009-07-13 21:01 - 0108227 ____A C:\Windows\SysWOW64\license.rtf
2012-03-24 02:42 - 2009-07-13 21:01 - 0108227 ____A C:\Windows\System32\license.rtf
2012-03-20 17:44 - 2012-03-20 17:44 - 0203888 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-03-20 17:44 - 2012-03-20 17:44 - 0098688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-03-16 23:58 - 2012-05-10 03:34 - 0075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-03-02 22:35 - 2012-05-10 03:36 - 1544704 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-03-02 21:31 - 2012-05-10 03:36 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-02-29 22:46 - 2012-04-12 01:43 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-02-29 22:38 - 2012-04-12 01:43 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-02-29 22:33 - 2012-04-12 01:43 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-02-29 22:28 - 2012-04-12 01:43 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-02-29 21:37 - 2012-04-12 01:43 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-02-29 21:33 - 2012-04-12 01:43 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-02-29 21:29 - 2012-04-12 01:43 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-02-27 23:34 - 2012-04-12 01:44 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-27 23:02 - 2012-04-12 01:44 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-27 22:56 - 2012-04-12 01:44 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-27 22:50 - 2012-04-12 01:44 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-27 22:49 - 2012-04-12 01:44 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-27 22:48 - 2012-04-12 01:44 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-27 22:48 - 2012-04-12 01:44 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-27 22:47 - 2012-04-12 01:44 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-27 22:45 - 2012-04-12 01:44 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-27 22:43 - 2012-04-12 01:44 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-27 22:43 - 2012-04-12 01:44 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-27 22:42 - 2012-04-12 01:44 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-27 22:39 - 2012-04-12 01:44 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-27 17:52 - 2012-04-12 01:44 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-02-27 17:27 - 2012-04-12 01:44 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-02-27 17:18 - 2012-04-12 01:44 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-02-27 17:12 - 2012-04-12 01:44 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-02-27 17:11 - 2012-04-12 01:44 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-02-27 17:11 - 2012-04-12 01:44 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-02-27 17:09 - 2012-04-12 01:44 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-02-27 17:08 - 2012-04-12 01:44 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-02-27 17:06 - 2012-04-12 01:44 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-02-27 17:04 - 2012-04-12 01:44 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-02-27 17:03 - 2012-04-12 01:44 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-02-27 17:03 - 2012-04-12 01:44 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-02-27 16:59 - 2012-04-12 01:44 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe
[2011-10-30 18:20] - [2011-03-01 00:07] - 0027648 ____A (Microsoft Corporation) 6F68F63794097E54F36474ED4384B759

C:\Windows\SysWOW64\svchost.exe
[2011-10-30 18:20] - [2011-03-01 00:05] - 0021504 ____A (Microsoft Corporation) ECDB182F885292145826C58252B53000

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2011-10-30 18:18] - [2011-02-24 22:25] - 0296320 ____A (Microsoft Corporation) DF8126BD41180351A093A3AD2FC8903B


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 4043.86 MB
Available physical RAM: 3508.27 MB
Total Pagefile: 4042.06 MB
Available Pagefile: 3491.24 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (TI106321W0B) (Fixed) (Total:581.04 GB) (Free:513.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
4 Drive f: () (Removable) (Total:7.47 GB) (Free:2.35 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 7667 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 581 GB 1501 MB
Partition 3 Primary 13 GB 582 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI106321W0B NTFS Partition 581 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7655 MB 22 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 7655 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-10 19:36

======================= End Of Log ==========================

#4 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,569 posts
  • Gender:Not Telling
  • Location:Canada

Posted 19 May 2012 - 07:32 AM

Hi,

This will take several rounds with different tools to remove so please stay with me till I give the all clear.

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt 

Start
HKLM\...\Run: [] [x]
HKLM\...\Run: [weset] rundll32.exe "C:\Users\Brian\AppData\Local\Temp\weset.dll",SteamAPI_UnregisterCallback [105984 2012-05-16] (DT Soft Ltd)
HKU\Brian\...\Run: [AdobeBridge] [x]
2012-05-16 04:16 - 2012-05-16 04:16 - 0000000 ____D C:\Windows\system64
2012-05-02 04:06 - 2012-05-02 04:06 - 0000000 ____D C:\Users\Brian\AppData\Local\{BD1EB98F-C333-4FC7-845B-649688A9CD94}
2012-05-02 04:06 - 2012-05-02 04:06 - 0000000 ____D C:\Users\Brian\AppData\Local\{AA4B7A34-2221-44D8-AAC6-9904A881B6BC}
2012-05-02 03:53 - 2012-05-02 03:53 - 0000000 ____D C:\Users\Brian\AppData\Local\{FFFE0CA2-1DB9-4268-8FE1-264E9A49AE92}
2012-05-02 03:53 - 2012-05-02 03:53 - 0000000 ____D C:\Users\Brian\AppData\Local\{56EA1CA2-F0F2-4DD7-A7FE-11C61237C344}
2012-05-02 03:48 - 2012-05-02 03:48 - 0000000 ____D C:\Users\Brian\AppData\Local\{83B3C1DA-B690-489C-A609-AB90E0166B0E}
2012-05-02 03:48 - 2012-05-02 03:48 - 0000000 ____D C:\Users\Brian\AppData\Local\{69A96215-2B04-414F-B8F7-AC1F8D96FD60}
2012-04-30 03:37 - 2012-04-30 03:37 - 0000000 ____D C:\Users\Brian\AppData\Local\{A41D3BB3-6616-40CF-94E7-7A5772CCFB8F}
2012-04-30 03:37 - 2012-04-30 03:37 - 0000000 ____D C:\Users\Brian\AppData\Local\{561C5F63-135D-4F92-9ADB-8E65D0166D95}
2012-04-25 03:18 - 2012-04-25 03:18 - 0000000 ____D C:\Users\Brian\AppData\Local\{8EF2098D-4843-446E-813E-0D83B25F5CC9}
2012-04-25 03:17 - 2012-04-25 03:17 - 0000000 ____D C:\Users\Brian\AppData\Local\{F0BED1E8-5318-4D34-938A-3D0AC0C8260A}
2012-05-17 05:19 - 2012-03-25 03:40 - 0000000 __SHD C:\Users\Brian\AppData\Local\{56e02f73-c73e-341c-1909-583710acfd43}
2012-04-06 03:40 - 2012-04-06 03:32 - 0000000 ____D C:\Users\Brian\AppData\Local\{8EC6DD43-42CE-47C4-8BB9-FBD2565BCAF4}
2012-04-06 03:33 - 2012-04-06 03:32 - 0000000 ____D C:\Users\Brian\AppData\Local\{5D0F4020-0F70-4572-9893-F25A195DB8A8}
2012-04-01 18:52 - 2012-04-01 18:51 - 0000000 ____D C:\Users\Brian\AppData\Local\{00A216CD-C777-4C22-861B-805B98961DCD}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.


NEXT


please download Listparts64 and save it to your desktop

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it in the same directory ListParts is located (desk top) as fix.txt 


Disk=0 Partition=3 type=07

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Run ListParts.
  • Press the Fix button.
  • When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes.


NEXT

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011, 2012

#5 guangtou

guangtou

    New Member

  • Members
  • Pip
  • 7 posts

Posted 20 May 2012 - 08:35 AM

FRST64 results:

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 18-05-2012 02
Ran by SYSTEM at 2012-05-20 07:57:47 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\weset Value deleted successfully.
HKEY_USERS\Brian\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge Value deleted successfully.
C:\Windows\system64 moved successfully.
C:\Users\Brian\AppData\Local\{BD1EB98F-C333-4FC7-845B-649688A9CD94} moved successfully.
C:\Users\Brian\AppData\Local\{AA4B7A34-2221-44D8-AAC6-9904A881B6BC} moved successfully.
C:\Users\Brian\AppData\Local\{FFFE0CA2-1DB9-4268-8FE1-264E9A49AE92} moved successfully.
C:\Users\Brian\AppData\Local\{56EA1CA2-F0F2-4DD7-A7FE-11C61237C344} moved successfully.
C:\Users\Brian\AppData\Local\{83B3C1DA-B690-489C-A609-AB90E0166B0E} moved successfully.
C:\Users\Brian\AppData\Local\{69A96215-2B04-414F-B8F7-AC1F8D96FD60} moved successfully.
C:\Users\Brian\AppData\Local\{A41D3BB3-6616-40CF-94E7-7A5772CCFB8F} moved successfully.
C:\Users\Brian\AppData\Local\{561C5F63-135D-4F92-9ADB-8E65D0166D95} moved successfully.
C:\Users\Brian\AppData\Local\{8EF2098D-4843-446E-813E-0D83B25F5CC9} moved successfully.
C:\Users\Brian\AppData\Local\{F0BED1E8-5318-4D34-938A-3D0AC0C8260A} moved successfully.
C:\Users\Brian\AppData\Local\{56e02f73-c73e-341c-1909-583710acfd43} moved successfully.
C:\Users\Brian\AppData\Local\{8EC6DD43-42CE-47C4-8BB9-FBD2565BCAF4} moved successfully.
C:\Users\Brian\AppData\Local\{5D0F4020-0F70-4572-9893-F25A195DB8A8} moved successfully.
C:\Users\Brian\AppData\Local\{00A216CD-C777-4C22-861B-805B98961DCD} moved successfully.

==== End of Fixlog ====

Computer rebooted fine, but it has been rebooting normally. I just kept finding proxycheck.exe in notifications so knew I had something.

Listparts results:

ListParts by Farbar Version: 12-03-2012 03
Ran by Brian (administrator) on 20-05-2012 at 08:10:05
Windows 7 (X64)
Running From: C:\Users\Brian\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 39%
Total physical RAM: 4043.86 MB
Available physical RAM: 2443.66 MB
Total Pagefile: 8085.91 MB
Available Pagefile: 6385.23 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (TI106321W0B) (Fixed) (Total:581.04 GB) (Free:513.63 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
4 Drive f: () (Removable) (Total:7.47 GB) (Free:2.35 GB) FAT32
5 Drive g: (HDDRECOVERY) (Fixed) (Total:13.67 GB) (Free:0.57 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 7667 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 581 GB 1501 MB
Partition 3 Primary 13 GB 582 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C TI106321W0B NTFS Partition 581 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G HDDRECOVERY NTFS Partition 13 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7655 MB 22 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 F FAT32 Removable 7655 MB Healthy

======================================================================================================

****** End Of Log ******

Combofix results:

ComboFix 12-05-20.04 - Brian 05/20/2012 8:15.1.2 - x64
Running from: c:\users\Brian\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2012-04-20 to 2012-05-20 )))))))))))))))))))))))))))))))
.
.
2012-05-20 13:19 . 2012-05-20 13:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-20 13:09 . 2012-05-08 15:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5D8EF947-E4F9-4C01-BBEA-EBB9F47B775C}\mpengine.dll
2012-05-19 14:55 . 2012-05-19 14:57 -------- d-----w- C:\FRST
2012-05-19 10:25 . 2012-05-19 10:26 -------- d-----w- c:\users\Brian\AppData\Roaming\U3
2012-05-19 09:59 . 2012-05-19 10:00 33096 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-05-17 10:48 . 2012-05-17 10:47 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{59E06D6F-3F3B-4BAF-8733-1D3AA171DDEF}\gapaengine.dll
2012-05-17 10:48 . 2012-05-08 15:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-17 10:35 . 2012-05-17 10:35 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-05-17 10:35 . 2012-05-17 10:35 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-16 23:14 . 2012-05-16 23:14 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-16 22:26 . 2012-05-16 22:26 -------- d-----w- c:\programdata\Ulead Systems
2012-05-16 22:05 . 2012-05-16 23:24 -------- d-----w- c:\users\Brian\AppData\Local\NPE
2012-05-16 13:27 . 2012-05-16 13:27 -------- d-----w- c:\users\Brian\AppData\Roaming\Malwarebytes
2012-05-16 13:26 . 2012-05-16 13:26 -------- d-----w- c:\programdata\Malwarebytes
2012-05-16 13:26 . 2012-05-16 13:27 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-16 13:26 . 2012-04-04 20:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-16 13:08 . 2012-05-16 13:08 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2012-05-16 12:45 . 2012-05-16 12:45 883616 ----a-w- C:\FixExec.com
2012-05-15 11:37 . 2012-04-18 08:03 8917360 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E813F27B-4C79-4967-9602-039CCB02354B}\mpengine.dll
2012-05-15 11:35 . 2012-05-15 11:35 -------- d-----w- c:\program files\Microsoft Silverlight
2012-05-15 11:35 . 2012-05-15 11:35 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2012-05-10 11:36 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-10 11:36 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-10 11:36 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-10 11:36 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-10 11:36 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-10 11:36 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-10 11:34 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-10 11:34 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-10 11:34 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-10 11:34 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-10 11:34 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-10 11:34 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-10 11:34 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-04 21:53 . 2012-05-04 21:53 -------- d-----w- c:\users\Brian\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-04-30 11:34 . 2012-04-30 12:19 -------- d-----w- c:\users\Brian\AppData\Local\CrashDumps
2012-04-29 23:31 . 2012-04-30 12:23 -------- d-----w- c:\program files (x86)\eos_movrec
2012-04-29 16:46 . 2012-04-29 16:46 -------- d-----w- c:\users\Brian\AppData\Roaming\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2012-04-29 16:46 . 2012-04-29 16:46 -------- d-----w- c:\program files (x86)\Picaboo X
2012-04-21 11:49 . 2012-04-21 11:49 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-24 11:45 . 2011-03-29 01:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-03-21 01:44 . 2012-03-21 01:44 98688 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 01:44 . 2012-03-21 01:44 203888 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-01 06:46 . 2012-04-12 09:43 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 06:38 . 2012-04-12 09:43 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 06:33 . 2012-04-12 09:43 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 06:28 . 2012-04-12 09:43 5120 ----a-w- c:\windows\system32\wmi.dll
2012-03-01 05:37 . 2012-04-12 09:43 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-03-01 05:33 . 2012-04-12 09:43 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-03-01 05:29 . 2012-04-12 09:43 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-02-28 06:56 . 2012-04-12 09:44 2311168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 06:49 . 2012-04-12 09:44 1390080 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 06:48 . 2012-04-12 09:44 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 06:42 . 2012-04-12 09:44 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-28 01:18 . 2012-04-12 09:44 1799168 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-02-28 01:11 . 2012-04-12 09:44 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-02-28 01:11 . 2012-04-12 09:44 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2012-02-28 01:03 . 2012-04-12 09:44 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-02-23 15:18 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-02-14 39408]
"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 2676584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk - c:\windows\system32\RunDll32.exe [2009-7-13 45568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-14 136176]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-14 136176]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-07-12 57216]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe [2011-08-10 138760]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [2011-07-19 123320]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2011-07-19 126392]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
S3 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120413.001\BHDrvx64.sys [2012-04-02 1160824]
S3 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1301000.01C\ccSetx64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-03-27 138360]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120423.001\IDSvia64.sys [2012-03-23 488568]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1301000.01C\SYMDS64.SYS [x]
S3 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1301000.01C\SYMEFA64.SYS [x]
S3 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1301000.01C\Ironx64.SYS [x]
S3 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\NISx64\1301000.01C\SYMNETS.SYS [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-06-10 138152]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-14 23:52]
.
2012-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-14 23:52]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-08 167256]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-08 391000]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-08 418136]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-21665909.sys
Toolbar-Locked - (no file)
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
AddRemove-ISS Transit Prediction - c:\windows\system32\javaws.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.1.0.28\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Google\Update\1.3.21.111\GoogleCrashHandler.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-05-20 08:24:57 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-20 13:24
.
Pre-Run: 556,978,782,208 bytes free
Post-Run: 556,596,293,632 bytes free
.
- - End Of File - - B6B29533EBDA1F6DD54957F0DE7C0649

While Conbofix was running, this notification came up:

Illegal operation attempted on registry key that has been marked for deletion.

Thanks again.

#6 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,569 posts
  • Gender:Not Telling
  • Location:Canada

Posted 20 May 2012 - 09:02 AM

Hi,

Run the following with List Parts

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it in the same directory ListParts is located (desk top) as fix.txt

Disk=0 Partition=3 type=17

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run ListParts.
  • Press the Fix button.
  • When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes.


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011, 2012

#7 guangtou

guangtou

    New Member

  • Members
  • Pip
  • 7 posts

Posted 20 May 2012 - 10:41 AM

ListParts by Farbar Version: 12-03-2012 03
Ran by Brian (administrator) on 20-05-2012 at 09:10:15
Windows 7 (X64)
Running From: C:\Users\Brian\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 43%
Total physical RAM: 4043.86 MB
Available physical RAM: 2299.21 MB
Total Pagefile: 8085.91 MB
Available Pagefile: 6342.33 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (TI106321W0B) (Fixed) (Total:581.04 GB) (Free:518.44 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
4 Drive f: () (Removable) (Total:7.47 GB) (Free:2.35 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 7667 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 581 GB 1501 MB
Partition 3 Primary 13 GB 582 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C TI106321W0B NTFS Partition 581 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7655 MB 22 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F FAT32 Removable 7655 MB Healthy

======================================================================================================

****** End Of Log ******

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.20.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Brian :: BRIAN-PC [administrator]

Protection: Enabled

5/20/2012 9:11:53 AM
mbam-log-2012-05-20 (09-11-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202345
Time elapsed: 1 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


esetscan

C:\Windows\Installer\{56e02f73-c73e-341c-1909-583710acfd43}\U\00000008.@ Win64/Agent.BA trojan
C:\Windows\Installer\{56e02f73-c73e-341c-1909-583710acfd43}\U\80000000.@ Win64/Sirefef.AE trojan

#8 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,569 posts
  • Gender:Not Telling
  • Location:Canada

Posted 20 May 2012 - 11:00 AM

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic453930.html/page__pid__2705119#entry2705119

Collect::
C:\Windows\Installer\{56e02f73-c73e-341c-1909-583710acfd43}\U\00000008.@ 
C:\Windows\Installer\{56e02f73-c73e-341c-1909-583710acfd43}\U\80000000.@ 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.



NEXT

Please advise if there are any outstanding issues
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011, 2012

#9 guangtou

guangtou

    New Member

  • Members
  • Pip
  • 7 posts

Posted 20 May 2012 - 08:03 PM

ComboFix 12-05-20.09 - Brian 05/20/2012 18:06:36.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4044.2719 [GMT -5:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
Command switches used :: c:\users\Brian\Desktop\cfscript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Installer\{56e02f73-c73e-341c-1909-583710acfd43}\U\00000008.@
c:\windows\Installer\{56e02f73-c73e-341c-1909-583710acfd43}\U\80000000.@
.
.
((((((((((((((((((((((((( Files Created from 2012-04-20 to 2012-05-20 )))))))))))))))))))))))))))))))
.
.
2012-05-20 23:10 . 2012-05-20 23:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-20 22:58 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C9AF0E77-653C-4108-ADC5-B618D22A6971}\mpengine.dll
2012-05-20 14:20 . 2012-05-08 15:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1F096492-3991-43D8-83A8-871F3996F7BA}\mpengine.dll
2012-05-20 14:18 . 2012-05-20 14:18 -------- d-----w- c:\program files (x86)\ESET
2012-05-19 14:55 . 2012-05-19 14:57 -------- d-----w- C:\FRST
2012-05-19 10:25 . 2012-05-19 10:26 -------- d-----w- c:\users\Brian\AppData\Roaming\U3
2012-05-19 09:59 . 2012-05-19 10:00 33096 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-05-17 10:48 . 2012-05-17 10:47 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{59E06D6F-3F3B-4BAF-8733-1D3AA171DDEF}\gapaengine.dll
2012-05-17 10:48 . 2012-05-08 15:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-17 10:35 . 2012-05-17 10:35 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-05-17 10:35 . 2012-05-17 10:35 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-16 23:14 . 2012-05-16 23:14 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-16 22:26 . 2012-05-16 22:26 -------- d-----w- c:\programdata\Ulead Systems
2012-05-16 22:05 . 2012-05-16 23:24 -------- d-----w- c:\users\Brian\AppData\Local\NPE
2012-05-16 13:27 . 2012-05-16 13:27 -------- d-----w- c:\users\Brian\AppData\Roaming\Malwarebytes
2012-05-16 13:26 . 2012-05-16 13:26 -------- d-----w- c:\programdata\Malwarebytes
2012-05-16 13:26 . 2012-05-16 13:27 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-16 13:26 . 2012-04-04 20:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-16 13:08 . 2012-05-16 13:08 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2012-05-16 12:45 . 2012-05-16 12:45 883616 ----a-w- C:\FixExec.com
2012-05-15 11:35 . 2012-05-15 11:35 -------- d-----w- c:\program files\Microsoft Silverlight
2012-05-15 11:35 . 2012-05-15 11:35 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2012-05-10 11:36 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-10 11:36 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-10 11:36 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-10 11:36 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-10 11:36 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-10 11:36 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-10 11:34 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-10 11:34 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-10 11:34 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-10 11:34 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-10 11:34 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-10 11:34 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-10 11:34 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-04 21:53 . 2012-05-04 21:53 -------- d-----w- c:\users\Brian\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-04-30 11:34 . 2012-04-30 12:19 -------- d-----w- c:\users\Brian\AppData\Local\CrashDumps
2012-04-29 23:31 . 2012-04-30 12:23 -------- d-----w- c:\program files (x86)\eos_movrec
2012-04-29 16:46 . 2012-04-29 16:46 -------- d-----w- c:\users\Brian\AppData\Roaming\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2012-04-29 16:46 . 2012-04-29 16:46 -------- d-----w- c:\program files (x86)\Picaboo X
2012-04-21 11:49 . 2012-04-21 11:49 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-24 11:45 . 2011-03-29 01:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-03-21 01:44 . 2012-03-21 01:44 98688 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 01:44 . 2012-03-21 01:44 203888 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-01 06:46 . 2012-04-12 09:43 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 06:38 . 2012-04-12 09:43 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 06:33 . 2012-04-12 09:43 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 06:28 . 2012-04-12 09:43 5120 ----a-w- c:\windows\system32\wmi.dll
2012-03-01 05:37 . 2012-04-12 09:43 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-03-01 05:33 . 2012-04-12 09:43 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-03-01 05:29 . 2012-04-12 09:43 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-02-28 06:56 . 2012-04-12 09:44 2311168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 06:49 . 2012-04-12 09:44 1390080 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 06:48 . 2012-04-12 09:44 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 06:42 . 2012-04-12 09:44 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-28 01:18 . 2012-04-12 09:44 1799168 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-02-28 01:11 . 2012-04-12 09:44 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-02-28 01:11 . 2012-04-12 09:44 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2012-02-28 01:03 . 2012-04-12 09:44 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-02-23 15:18 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-20_13.21.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-05-20 13:22 39862 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-05-20 22:59 40666 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-03-24 12:03 . 2012-05-20 22:59 9170 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-998410792-225838082-3160020406-1001_UserData.bin
- 2012-05-20 13:20 . 2012-05-20 13:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-05-20 23:11 . 2012-05-20 23:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-05-20 23:11 . 2012-05-20 23:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-05-20 13:20 . 2012-05-20 13:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-24 20:09 . 2012-05-20 15:21 252616 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2012-05-20 23:02 626722 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-05-20 23:02 107708 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-05-20 13:19 312692 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-05-20 23:10 312692 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2012-03-27 22:28 . 2012-05-20 13:19 6439753 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-998410792-225838082-3160020406-1001-12288.dat
+ 2012-03-27 22:28 . 2012-05-20 23:10 6439753 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-998410792-225838082-3160020406-1001-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-02-14 39408]
"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 2676584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk - c:\windows\system32\RunDll32.exe [2009-7-13 45568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
2;2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-14 136176]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
R3 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120413.001\BHDrvx64.sys [2012-04-02 1160824]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-03-27 138360]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-14 136176]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-07-12 57216]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-06-10 138152]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe [2011-08-10 138760]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2011-07-19 126392]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S3 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1301000.01C\ccSetx64.sys [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120423.001\IDSvia64.sys [2012-03-23 488568]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1301000.01C\SYMDS64.SYS [x]
S3 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1301000.01C\SYMEFA64.SYS [x]
S3 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1301000.01C\Ironx64.SYS [x]
S3 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\NISx64\1301000.01C\SYMNETS.SYS [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-14 23:52]
.
2012-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-14 23:52]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-08 167256]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-08 391000]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-08 418136]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.1.0.28\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Google\Update\1.3.21.111\GoogleCrashHandler.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-05-20 18:14:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-20 23:14
ComboFix2.txt 2012-05-20 13:24
.
Pre-Run: 555,039,285,248 bytes free
Post-Run: 554,749,403,136 bytes free
.
- - End Of File - - E1A1E84C782C46F1F16AC81E9502D2B8
Upload was successful


Also, I ran eset again and it found 3 things

C:\Qoobox\Quarantine\[4]-Submit_2012-05-20_18.06.19.zip multiple threats
C:\Qoobox\Quarantine\C\Windows\Installer\{56e02f73-c73e-341c-1909-583710acfd43}\U\00000008.@.vir Win64/Agent.BA trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{56e02f73-c73e-341c-1909-583710acfd43}\U\80000000.@.vir Win64/Sirefef.AE trojan

#10 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,569 posts
  • Gender:Not Telling
  • Location:Canada

Posted 20 May 2012 - 08:25 PM

Hi,

Yes, those items are in ComboFix quarantine (we will be cleaning that up shortly)

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

you have two antivirus products installed

Having more than one causes system slow downs, conflicts and crashes, so please uninstall one

(it appears that Norton is outdated, so uninstall it and keep MSSE - use the Norton Removal tool to get rid of leftovers)

  • Download the appropriate Norton Removal Tool from HERE and save it to your desktop.
  • Next Double click on Norton_Removal_Tool.exe to run the tool.
  • Follow the on-screen instructions.
  • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.


Please advise how the computer is running now and if there are any outstanding issues
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011, 2012

#11 guangtou

guangtou

    New Member

  • Members
  • Pip
  • 7 posts

Posted 21 May 2012 - 05:56 AM

Everything seems fine!

#12 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,569 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 May 2012 - 09:52 AM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the FRST and List Parts logs and programs from your desktop.


NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them     Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011, 2012

#13 guangtou

guangtou

    New Member

  • Members
  • Pip
  • 7 posts

Posted 21 May 2012 - 08:56 PM

Thank you so much for your help- I'd be in a heap of virus without you.

#14 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,569 posts
  • Gender:Not Telling
  • Location:Canada

Posted 22 May 2012 - 05:46 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011, 2012
Back to Virus, Trojan, Spyware, and Malware Removal Logs


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Logs
  4. Privacy Policy
  5. Rules ·