
Trojan horse in Windows/installer/.........8000000cb


27 replies to this topic

#1 ppxrare


Posted 06 June 2012 - 03:30 PM

I have a trojan which is messing up my internet. I tried Norton Antivirus and it says I have a Trojan.Gen.2 in windows/installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\u\80000000.@

I've got several of them; it says it keeps blocking them, and some of them were quarantined, but I guess it keeps coming back. So I went into safe mode and scanned with Malwarebytes, and it found Trojan.Small and others in the same folder. It also says it removed them, but my internet is still messed up, and Norton also keeps saying that there is a trojan security attempt and keeps blocking it.

A weird thing is that I cannot see the Installer folder. I have Windows 7 on my F partition and I can't find any F:\Windows\Installer folder.


The GMER thing stopped scanning by itself, and this is the only log it created, which I attached.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.0.0
Run by Defrawy at 22:53:31 on 2012-06-06
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2114 [GMT 3:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
F:\Windows\system32\wininit.exe
F:\Windows\system32\lsm.exe
F:\Windows\system32\svchost.exe -k DcomLaunch
F:\Windows\system32\svchost.exe -k RPCSS
F:\Windows\system32\atiesrxx.exe
F:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
F:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
F:\Windows\system32\svchost.exe -k netsvcs
F:\Windows\system32\svchost.exe -k LocalService
F:\Windows\system32\svchost.exe -k NetworkService
F:\Windows\system32\atieclxx.exe
F:\Windows\System32\spoolsv.exe
F:\Windows\system32\Dwm.exe
F:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
F:\Windows\Explorer.EXE
F:\Windows\system32\taskhost.exe
F:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
F:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
D:\norton\Engine\19.1.0.28\ccSvcHst.exe
D:\norton\Engine\19.1.0.28\ccSvcHst.exe
F:\Windows\system32\PnkBstrA.exe
F:\Windows\system32\sppsvc.exe
F:\Windows\system32\svchost.exe -k imgsvc
F:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
F:\Windows\system32\SearchIndexer.exe
F:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
F:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
D:\CCC\ATI.ACE\Core-Static\MOM.exe
F:\Program Files\Internet Download Manager\IDMan.exe
F:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
F:\Program Files\Windows Sidebar\sidebar.exe
F:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
F:\Program Files\Windows Media Player\wmpnetwk.exe
D:\CCC\ATI.ACE\Core-Static\CCC.exe
F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
F:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
F:\Program Files\Internet Download Manager\IEMonitor.exe
F:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
F:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe
F:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
D:\Malwarebytes' Anti-Malware\mbamservice.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Mozilla Firefox\plugin-container.exe
F:\Windows\system32\wbem\wmiprvse.exe
F:\Windows\system32\conhost.exe
F:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=15161&l=dis
uURLSearchHooks: H - No File
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - f:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - f:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - d:\norton\engine\19.1.0.28\ips\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - f:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - f:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre7\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
uRun: [uTorrent] "f:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [IDMan] f:\program files\internet download manager\IDMan.exe /onboot
uRun: [<NO NAME>]
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [NokiaOviSuite2] f:\program files\nokia\nokia ovi suite\NokiaOviSuite.exe -tray
uRun: [Google Update] "f:\users\defrawy\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Sidebar] f:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [CanonMyPrinter] f:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe ARM] "f:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [StartCCC] "d:\ccc\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [DivXUpdate] "f:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [PWRISOVM.EXE] f:\program files\poweriso\PWRISOVM.EXE
mRun: [Malwarebytes' Anti-Malware] "d:\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [FlashPlayerUpdate] f:\windows\system32\macromed\flash\FlashUtil11g_ActiveX.exe -update activex
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Download all links with IDM - f:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - f:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - f:\program files\internet download manager\IEExt.htm
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.68
TCP: Interfaces\{C3E2414F-3A07-4AC6-9917-87BDC94FA77F} : DhcpNameServer = 8.8.8.8
TCP: Interfaces\{E948A59A-8795-4085-AED7-A01564B67DE5} : DhcpNameServer = 192.168.1.68
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - f:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SecurityProviders:
.
================= FIREFOX ===================
.
FF - ProfilePath - f:\users\defrawy\appdata\roaming\mozilla\firefox\profiles\739ibg03.default\
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: d:\gamespy\npcomrade.dll
FF - plugin: f:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: f:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: f:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: f:\program files\battlelog web plugins\1.116.0\npesnlaunch.dll
FF - plugin: f:\program files\battlelog web plugins\1.118.0\npesnlaunch.dll
FF - plugin: f:\program files\battlelog web plugins\sonar\0.70.4\npesnsonar.dll
FF - plugin: f:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: f:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: f:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: f:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: f:\program files\veetle\player\npvlc.dll
FF - plugin: f:\program files\veetle\plugins\npVeetle.dll
FF - plugin: f:\users\defrawy\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: f:\users\defrawy\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;f:\windows\system32\drivers\nav\1301000.01c\SymDS.sys [2012-6-5 340088]
R0 SymEFA;Symantec Extended File Attributes;f:\windows\system32\drivers\nav\1301000.01c\SymEFA.sys [2012-6-5 897656]
R1 BHDrvx86;BHDrvx86;f:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\bashdefs\20120517.001\BHDrvx86.sys [2012-5-17 821880]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;f:\windows\system32\drivers\nav\1301000.01c\ccSetx86.sys [2012-6-5 132744]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;f:\windows\system32\drivers\dtsoftbus01.sys [2011-12-22 232512]
R1 IDSVix86;IDSVix86;f:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.0.28\definitions\ipsdefs\20120602.001\IDSvix86.sys [2012-6-2 368248]
R1 SymIRON;Symantec Iron Driver;f:\windows\system32\drivers\nav\1301000.01c\Ironx86.sys [2012-6-5 149624]
R1 SymNetS;Symantec Network Security WFP Driver;f:\windows\system32\drivers\nav\1301000.01c\symnets.sys [2012-6-5 314488]
R2 AdobeARMservice;Adobe Acrobat Update Service;f:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;f:\windows\system32\atiesrxx.exe [2011-12-6 163328]
R2 cpuz135;cpuz135;f:\windows\system32\drivers\cpuz135_x32.sys [2012-2-10 21992]
R2 GEST Service;GEST Service for program management.;f:\program files\gigabyte\energysaver\GSvr.exe [2012-2-9 68136]
R2 MBAMService;MBAMService;d:\malwarebytes' anti-malware\mbamservice.exe [2012-6-6 654408]
R2 NAV;Norton AntiVirus;d:\norton\engine\19.1.0.28\ccSvcHst.exe [2012-6-5 138760]
R3 amdkmdag;amdkmdag;f:\windows\system32\drivers\atikmdag.sys [2011-12-6 9067008]
R3 amdkmdap;amdkmdap;f:\windows\system32\drivers\atikmpag.sys [2011-12-6 264192]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;f:\windows\system32\drivers\AtihdW73.sys [2011-10-17 85520]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;f:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-6-6 106656]
R3 MBAMProtector;MBAMProtector;f:\windows\system32\drivers\mbam.sys [2012-6-6 22344]
R3 RTL8167;Realtek 8167 NT Driver;f:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
S2 IDMWFP;IDMWFP;f:\windows\system32\drivers\idmwfp.sys [2011-3-15 85768]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;f:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;f:\windows\system32\drivers\MijXfilt.sys [2012-3-12 95304]
S3 MozillaMaintenance;Mozilla Maintenance Service;f:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-8 129976]
S3 osppsvc;Office Software Protection Platform;f:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
.
=============== Created Last 30 ================
.
2012-06-06 10:56:18 22344 ----a-w- f:\windows\system32\drivers\mbam.sys
2012-06-05 23:22:36 -------- d-----w- f:\users\defrawy\appdata\local\NPE
2012-06-05 20:43:23 -------- d-----w- f:\program files\NortonInstaller
2012-06-04 18:48:29 -------- d-----w- f:\programdata\PC Tools
2012-05-31 08:32:40 221439 ----a-w- f:\programdata\1338453003.bdinstall.bin
2012-05-31 08:32:39 -------- d-----w- f:\program files\Bitdefender
2012-05-30 23:46:59 22320 ----a-w- f:\programdata\1338421617.bdinstall.bin
2012-05-30 22:29:07 7324 ----a-w- f:\programdata\1338416944.6480.bin
2012-05-30 22:29:05 5674 ----a-w- f:\programdata\1338416944.8068.bin
2012-05-30 22:29:05 2326 ----a-w- f:\programdata\1338416944.7100.bin
2012-05-30 22:29:04 39789 ----a-w- f:\programdata\1338416944.3244.bin
2012-05-30 17:19:37 731517 ----a-w- f:\programdata\1338392486.bdinstall.bin
2012-05-30 10:09:23 -------- d-----w- f:\users\defrawy\appdata\roaming\Malwarebytes
2012-05-30 10:09:20 -------- d-----w- f:\programdata\Malwarebytes
2012-05-30 10:08:59 22486 ----a-w- f:\programdata\1338372537.bdinstall.bin
2012-05-30 10:08:01 157283 ----a-w- f:\programdata\1338372435.bdinstall.bin
2012-05-29 16:53:03 -------- d-----w- f:\program files\NVIDIA Corporation
2012-05-08 11:30:26 -------- d-----w- f:\program files\Mozilla Maintenance Service
2012-05-08 11:30:23 157352 ----a-w- f:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-05-08 11:30:23 129976 ----a-w- f:\program files\mozilla firefox\maintenanceservice.exe
.
==================== Find3M ====================
.
2012-06-06 19:29:37 16608 ----a-w- f:\windows\gdrv.sys
2012-06-05 20:44:33 127096 ----a-w- f:\windows\system32\drivers\SYMEVENT.SYS
2012-06-02 21:09:55 140800 ----a-w- f:\windows\system32\drivers\PnkBstrK.sys
2012-06-02 21:09:44 283304 ----a-w- f:\windows\system32\PnkBstrB.xtr
2012-06-02 21:09:44 283304 ----a-w- f:\windows\system32\PnkBstrB.exe
2012-06-02 21:09:20 280904 ----a-w- f:\windows\system32\PnkBstrB.ex0
2012-04-13 15:09:00 104714 ----a-w- f:\programdata\1334329591.bdinstall.bin
2012-04-12 10:59:04 309320 ----a-w- f:\windows\system32\drivers\TrufosAlt.sys
2012-04-11 23:01:05 693891 ----a-w- f:\programdata\1334181671.bdinstall.bin
2012-04-07 20:01:03 177923 ----a-w- f:\programdata\1333828600.bdinstall.bin
2012-04-06 21:57:41 21442 ----a-w- f:\programdata\1333749458.bdinstall.bin
2012-04-06 21:57:29 171399 ----a-w- f:\programdata\1333749355.bdinstall.bin
.
============= FINISH: 22:59:08.38 ===============

Edited by ppxrare, 06 June 2012 - 03:33 PM.



#2 ppxrare

  • Topic Starter


Posted 06 June 2012 - 07:06 PM

bump?

#3 gringo_pr

  • Malware Response Team

Posted 07 June 2012 - 02:27 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


Download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 ppxrare

  • Topic Starter


Posted 07 June 2012 - 04:52 AM

Thank you Gringo for replying, but I cannot find the Repair your computer option when in Advanced Boot Options; all I have is:

Safe mode
Safe mode with networking
safe mode with command prompt

Enable boot logging
Enable low res video
Last known good configuration
Directory services restore mode
debugging mode
Disable auto restart
disable driver sign
start windows normally

I tried directory services restore mode but it was just like going into safe mode.

#5 gringo_pr

  • Malware Response Team

Posted 07 June 2012 - 07:24 AM

Do you have the Windows install disk for Win 7?

#6 ppxrare

  • Topic Starter


Posted 07 June 2012 - 08:00 AM

No, but I have an ISO for it. If you need a disk I still need to buy an empty DVD to burn it on, or is it possible to just mount the ISO with Daemon Tools or something?

#7 gringo_pr

  • Malware Response Team

Posted 07 June 2012 - 08:18 AM

You might be able to make one also:


http://windows.microsoft.com/en-us/windows7/Create-a-system-repair-disc?SignedIn=1


gringo

#8 ppxrare

  • Topic Starter


Posted 07 June 2012 - 09:36 AM

Done, but I think there is a problem: I think it scanned my C partition, which has Windows Vista, while I'm mainly on the F partition, which has Windows 7. I don't know how to change this, as when I boot the repair disc and it says Windows is loading files, it's like it's booting Vista, and then the repair disc options appear.

So basically I feel as if it's scanning the C drive, but when I am in System Recovery Options the background is the Windows 7 picture.

EDIT: Hmm, nvm, I think it's the correct scan; it has the correct desktop files. I think it just has different names: it has C for the Windows 7 OS although it's actually the F partition.

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 06-06-2012 04
Ran by SYSTEM at 07-06-2012 17:29:46
Running from G:\
Windows 7 Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [CanonMyPrinter] F:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [1603152 2007-04-03] (CANON INC.)
HKLM\...\Run: [Adobe ARM] "F:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM\...\Run: [StartCCC] "D:\CCC\ATI.ACE\Core-Static\CLIStart.exe" MSRun [x]
HKLM\...\Run: [DivXUpdate] "F:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM\...\Run: [PWRISOVM.EXE] F:\Program Files\PowerISO\PWRISOVM.EXE [180224 2009-11-08] (PowerISO Computing, Inc.)
HKLM\...\Run: [Malwarebytes' Anti-Malware] "D:\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [x]
HKU\Defrawy\...\Run: [uTorrent] "F:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED [641400 2011-10-28] (BitTorrent, Inc.)
HKU\Defrawy\...\Run: [IDMan] F:\Program Files\Internet Download Manager\IDMan.exe /onboot [3278232 2011-03-15] (Tonec Inc.)
HKU\Defrawy\...\Run: [] [x]
HKU\Defrawy\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [x]
HKU\Defrawy\...\Run: [NokiaOviSuite2] F:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray [966712 2011-09-01] (Nokia)
HKU\Defrawy\...\Run: [Google Update] "F:\Users\Defrawy\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-04-12] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.68

================================ Services (Whitelisted) ==================

2 AMD External Events Utility; C:\Windows\System32\atiesrxx.exe [163328 2011-12-05] (AMD)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 GEST Service; "C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe" [68136 2008-09-24] ()
3 MozillaMaintenance; C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe [129976 2012-05-08] (Mozilla Foundation)
3 OpenVPNService; "C:\Program Files\OpenVPN\bin\openvpnserv.exe" [14848 2011-12-15] ()
2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2012-02-14] ()
2 MBAMService; "C:\Malwarebytes' Anti-Malware\mbamservice.exe" [x]
2 NAV; "C:\norton\Engine\19.1.0.28\ccSvcHst.exe" /s "NAV" /m "C:\norton\Engine\19.1.0.28\diMaster.dll" /prefetch:1 [x]

========================== Drivers (Whitelisted) =============

3 amdkmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [9067008 2011-12-05] (Advanced Micro Devices, Inc.)
3 atikmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [9067008 2011-12-05] (Advanced Micro Devices, Inc.)
1 ccSet_NAV; C:\Windows\system32\drivers\NAV\1301000.01C\ccSetx86.sys [132744 2011-08-08] (Symantec Corporation)
1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [232512 2011-12-22] (DT Soft Ltd)
2 IDMWFP; C:\Windows\System32\DRIVERS\idmwfp.sys [85768 2011-01-25] (Tonec Inc.)
3 MotioninJoyXFilter; C:\Windows\System32\DRIVERS\MijXfilt.sys [95304 2011-11-10] (MotioninJoy)
3 pccsmcfd; C:\Windows\System32\DRIVERS\pccsmcfd.sys [18816 2008-08-25] (Nokia)
3 SRTSP; C:\Windows\system32\drivers\NAV\1301000.01C\SRTSP.SYS [566904 2011-08-02] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NAV\1301000.01C\SRTSPX.SYS [31864 2011-08-02] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NAV\1301000.01C\SYMDS.SYS [340088 2011-07-25] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NAV\1301000.01C\SYMEFA.SYS [897656 2011-07-28] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NAV\1301000.01C\Ironx86.SYS [149624 2011-07-25] (Symantec Corporation)
1 SymNetS; C:\Windows\system32\drivers\NAV\1301000.01C\SYMNETS.SYS [314488 2011-07-25] (Symantec Corporation)
3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [26624 2011-12-15] (The OpenVPN Project)
3 usbser; C:\Windows\System32\DRIVERS\usbser.sys [27648 2009-07-13] (Microsoft Corporation)
3 xusb21; C:\Windows\System32\DRIVERS\xusb21.sys [61984 2010-08-19] (Microsoft Corporation)
1 BHDrvx86; \??\F:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120517.001\BHDrvx86.sys [x]
2 cpuz135; \??\F:\Windows\system32\drivers\cpuz135_x32.sys [x]
1 eeCtrl; \??\F:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [x]
3 EraserUtilRebootDrv; \??\F:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
3 gdrv; \??\F:\Windows\gdrv.sys [x]
1 IDSVix86; \??\F:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120602.001\IDSvix86.sys [x]
3 MBAMProtector; \??\F:\Windows\system32\drivers\mbam.sys [x]
3 NAVENG; \??\F:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20120605.002\NAVENG.SYS [x]
3 NAVEX15; \??\F:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20120605.002\NAVEX15.SYS [x]
3 SymEvent; \??\F:\Windows\system32\Drivers\SYMEVENT.SYS [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-07 17:29 - 2012-06-07 17:29 - 00000000 ____D C:\FRST
2012-06-07 02:11 - 2012-06-07 02:11 - 00493820 ____A C:\Users\Defrawy\Desktop\DSC02293.jpg
2012-06-06 12:27 - 2012-06-06 12:27 - 00028160 ____A C:\Users\Defrawy\Desktop\ark.log
2012-06-06 12:01 - 2012-06-06 12:01 - 00013048 ____A C:\Users\Defrawy\Desktop\DDS.txt
2012-06-06 12:01 - 2012-06-06 12:01 - 00012657 ____A C:\Users\Defrawy\Desktop\Attach.txt
2012-06-06 11:39 - 2012-06-06 11:51 - 00126154 ____A C:\TDSSKiller.2.7.36.0_06.06.2012_22.39.36_log.txt
2012-06-06 03:02 - 2012-06-06 11:28 - 00502408 ____A C:\Windows\ntbtlog.txt
2012-06-06 02:56 - 2012-06-06 02:56 - 00000618 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-06 02:56 - 2012-04-04 04:56 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-05 15:22 - 2012-06-05 15:47 - 00000000 ____D C:\Users\Defrawy\AppData\Local\NPE
2012-06-05 12:44 - 2012-06-05 13:28 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-06-05 12:44 - 2012-06-05 12:44 - 00127096 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2012-06-05 12:44 - 2012-06-05 12:44 - 00007510 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2012-06-05 12:44 - 2012-06-05 12:44 - 00000988 ____A C:\Users\Public\Desktop\Norton AntiVirus.lnk
2012-06-05 12:44 - 2012-06-05 12:44 - 00000806 ____A C:\Windows\System32\Drivers\SYMEVENT.INF
2012-06-05 12:44 - 2012-06-05 12:44 - 00000000 ____D C:\Windows\System32\Drivers\NAV
2012-06-05 12:44 - 2012-06-05 12:44 - 00000000 ____D C:\Program Files\Symantec
2012-06-05 12:43 - 2012-06-05 12:43 - 00000000 ____D C:\Program Files\NortonInstaller
2012-06-04 12:26 - 2012-06-04 12:26 - 00017408 ____A C:\Users\Defrawy\AppData\Local\WebpageIcons.db
2012-06-04 10:59 - 2012-06-04 11:33 - 00913032 ____A C:\Windows\System32\Drivers\Cat.DB
2012-06-04 10:48 - 2012-06-04 10:48 - 00512992 ____A C:\Users\Defrawy\Desktop\sdsetup.exe
2012-05-31 00:32 - 2012-05-31 00:32 - 00000000 ____D C:\Program Files\Bitdefender
2012-05-30 02:09 - 2012-05-30 02:09 - 00000000 ____D C:\Users\Defrawy\AppData\Roaming\Malwarebytes
2012-05-29 09:21 - 2012-05-29 09:21 - 00001346 ____A C:\Users\Defrawy\Desktop\MassEffect3.exe - Shortcut.lnk
2012-05-29 08:53 - 2012-05-29 08:53 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2012-05-21 09:15 - 2012-05-22 00:31 - 00017118 ____A C:\Users\Defrawy\Desktop\Improving Education in Egypt.docx
2012-05-21 08:51 - 2012-05-21 08:58 - 00013217 ____A C:\Users\Defrawy\Desktop\Arab societ.docx
2012-05-15 00:33 - 2012-05-15 00:33 - 00029663 ____A C:\Users\Defrawy\Desktop\mech resume.docx
2012-05-08 09:30 - 2012-05-14 08:49 - 00030069 ____A C:\Users\Defrawy\Desktop\Resume.docx
2012-05-08 09:30 - 2012-05-09 10:17 - 00028957 ____H C:\Users\Defrawy\Desktop\~WRL1736.tmp
2012-05-08 09:30 - 2012-05-08 09:42 - 00018486 ____H C:\Users\Defrawy\Desktop\~WRL2158.tmp
2012-05-08 09:30 - 2012-05-08 09:30 - 00000162 ___AH C:\Users\Defrawy\Desktop\~$Resume.docx
2012-05-08 03:30 - 2012-05-08 03:30 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

============ 3 Months Modified Files and Folders ===============

2012-06-07 06:24 - 2011-06-16 05:37 - 0000000 ____D C:\Users\Defrawy\AppData\Roaming\DMCache
2012-06-07 06:24 - 2009-11-25 15:14 - 0000000 ____D C:\Users\Defrawy\AppData\Roaming\uTorrent
2012-06-07 06:24 - 2009-07-13 20:34 - 0016624 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-07 06:24 - 2009-07-13 20:34 - 0016624 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-07 06:23 - 2012-02-09 02:11 - 0016608 ____A (Windows ® 2000 DDK provider) C:\Windows\gdrv.sys
2012-06-07 06:23 - 2011-10-23 15:25 - 0012171 ____A C:\Windows\setupact.log
2012-06-07 06:23 - 2010-04-11 12:38 - 0000000 ____D C:\Users\Defrawy\Tracing
2012-06-07 06:23 - 2009-07-13 20:53 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-07 06:23 - 2009-06-03 14:31 - 2616057856 __ASH C:\hiberfil.sys
2012-06-07 06:18 - 2010-03-28 06:25 - 1426157 ____A C:\Windows\WindowsUpdate.log
2012-06-07 06:06 - 2012-04-12 15:01 - 0000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2309810965-1210264114-1568991275-1001UA.job
2012-06-07 05:16 - 2011-08-28 20:11 - 0000936 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2309810965-1210264114-1568991275-1001UA.job
2012-06-07 03:40 - 2011-09-13 05:45 - 0000000 ____D C:\Users\Defrawy\Documents\FIFA 12
2012-06-07 02:11 - 2012-06-07 02:11 - 0493820 ____A C:\Users\Defrawy\Desktop\DSC02293.jpg
2012-06-07 02:04 - 2009-11-25 15:01 - 0004526 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-07 01:59 - 2012-04-12 04:46 - 0000000 ____D C:\Program Files\Mozilla Firefox
2012-06-06 14:06 - 2012-04-12 15:01 - 0000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2309810965-1210264114-1568991275-1001Core.job
2012-06-06 12:27 - 2012-06-06 12:27 - 0028160 ____A C:\Users\Defrawy\Desktop\ark.log
2012-06-06 12:08 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\NDF
2012-06-06 12:01 - 2012-06-06 12:01 - 0013048 ____A C:\Users\Defrawy\Desktop\DDS.txt
2012-06-06 12:01 - 2012-06-06 12:01 - 0012657 ____A C:\Users\Defrawy\Desktop\Attach.txt
2012-06-06 11:51 - 2012-06-06 11:39 - 0126154 ____A C:\TDSSKiller.2.7.36.0_06.06.2012_22.39.36_log.txt
2012-06-06 11:29 - 2009-11-28 06:34 - 0753498 ____A C:\Windows\PFRO.log
2012-06-06 11:29 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\Microsoft.NET
2012-06-06 11:28 - 2012-06-06 03:02 - 0502408 ____A C:\Windows\ntbtlog.txt
2012-06-06 04:13 - 2009-07-13 20:52 - 0000000 ____D C:\Windows\Performance
2012-06-06 02:56 - 2012-06-06 02:56 - 0000618 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-06 02:39 - 2010-04-11 06:37 - 0000000 ____D C:\Users\Defrawy\AppData\Local\ElevatedDiagnostics
2012-06-06 02:34 - 2009-07-13 15:11 - 0000000 __SHD C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}
2012-06-05 20:16 - 2011-08-28 20:11 - 0000914 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2309810965-1210264114-1568991275-1001Core.job
2012-06-05 15:47 - 2012-06-05 15:22 - 0000000 ____D C:\Users\Defrawy\AppData\Local\NPE
2012-06-05 13:28 - 2012-06-05 12:44 - 0000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-06-05 12:44 - 2012-06-05 12:44 - 0127096 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2012-06-05 12:44 - 2012-06-05 12:44 - 0007510 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2012-06-05 12:44 - 2012-06-05 12:44 - 0000988 ____A C:\Users\Public\Desktop\Norton AntiVirus.lnk
2012-06-05 12:44 - 2012-06-05 12:44 - 0000806 ____A C:\Windows\System32\Drivers\SYMEVENT.INF
2012-06-05 12:44 - 2012-06-05 12:44 - 0000000 ____D C:\Windows\System32\Drivers\NAV
2012-06-05 12:44 - 2012-06-05 12:44 - 0000000 ____D C:\Program Files\Symantec
2012-06-05 12:43 - 2012-06-05 12:43 - 0000000 ____D C:\Program Files\NortonInstaller
2012-06-05 04:23 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\DriverStore
2012-06-04 12:26 - 2012-06-04 12:26 - 0017408 ____A C:\Users\Defrawy\AppData\Local\WebpageIcons.db
2012-06-04 11:33 - 2012-06-04 10:59 - 0913032 ____A C:\Windows\System32\Drivers\Cat.DB
2012-06-04 10:48 - 2012-06-04 10:48 - 0512992 ____A C:\Users\Defrawy\Desktop\sdsetup.exe
2012-06-02 13:09 - 2012-02-09 13:01 - 0283304 ____A C:\Windows\System32\PnkBstrB.xtr
2012-06-02 13:09 - 2012-02-09 12:54 - 0140800 ____A C:\Windows\System32\Drivers\PnkBstrK.sys
2012-06-02 13:09 - 2011-12-27 01:30 - 0283304 ____A C:\Windows\System32\PnkBstrB.exe
2012-06-02 13:09 - 2011-12-27 01:30 - 0280904 ____A C:\Windows\System32\PnkBstrB.ex0
2012-05-31 00:32 - 2012-05-31 00:32 - 0000000 ____D C:\Program Files\Bitdefender
2012-05-31 00:32 - 2012-04-06 13:52 - 0000000 ____D C:\Program Files\Common Files\Bitdefender
2012-05-30 07:37 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\Registration
2012-05-30 02:09 - 2012-05-30 02:09 - 0000000 ____D C:\Users\Defrawy\AppData\Roaming\Malwarebytes
2012-05-29 11:16 - 2012-02-20 12:34 - 0000000 ____D C:\Users\Defrawy\Documents\BioWare
2012-05-29 09:21 - 2012-05-29 09:21 - 0001346 ____A C:\Users\Defrawy\Desktop\MassEffect3.exe - Shortcut.lnk
2012-05-29 08:53 - 2012-05-29 08:53 - 0000000 ____D C:\Program Files\NVIDIA Corporation
2012-05-29 08:53 - 2011-12-22 22:14 - 0000000 ___HD C:\Program Files\Common Files\EAInstaller
2012-05-26 11:40 - 2010-12-11 06:09 - 0000000 ____D C:\Users\Defrawy\AppData\Roaming\Skype
2012-05-23 14:20 - 2012-04-12 15:05 - 0002421 ____A C:\Users\Defrawy\Desktop\Google Chrome.lnk
2012-05-22 00:31 - 2012-05-21 09:15 - 0017118 ____A C:\Users\Defrawy\Desktop\Improving Education in Egypt.docx
2012-05-21 08:58 - 2012-05-21 08:51 - 0013217 ____A C:\Users\Defrawy\Desktop\Arab societ.docx
2012-05-15 00:33 - 2012-05-15 00:33 - 0029663 ____A C:\Users\Defrawy\Desktop\mech resume.docx
2012-05-14 08:49 - 2012-05-08 09:30 - 0030069 ____A C:\Users\Defrawy\Desktop\Resume.docx
2012-05-10 09:25 - 2010-12-11 06:13 - 0000000 ____D C:\Users\Defrawy\AppData\Local\CrashDumps
2012-05-09 10:17 - 2012-05-08 09:30 - 0028957 ____H C:\Users\Defrawy\Desktop\~WRL1736.tmp
2012-05-09 09:42 - 2009-11-25 14:57 - 0000000 ____D C:\users\Defrawy
2012-05-08 09:42 - 2012-05-08 09:30 - 0018486 ____H C:\Users\Defrawy\Desktop\~WRL2158.tmp
2012-05-08 09:30 - 2012-05-08 09:30 - 0000162 ___AH C:\Users\Defrawy\Desktop\~$Resume.docx
2012-05-08 03:30 - 2012-05-08 03:30 - 0000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-05-04 07:56 - 2009-11-25 15:04 - 0000000 ____D C:\Users\Defrawy\AppData\Roaming\vlc
2012-05-04 02:17 - 2012-05-04 02:17 - 0001096 ____A C:\Users\Public\Desktop\OpenVPN GUI.lnk
2012-05-04 02:17 - 2012-05-04 02:16 - 0000000 ____D C:\Program Files\OpenVPN
2012-05-01 12:55 - 2012-05-01 12:28 - 0017948 ____A C:\Users\Defrawy\Desktop\research.docx
2012-05-01 12:26 - 2012-05-01 10:44 - 0452406 ____A C:\Users\Defrawy\Desktop\NDT lab report.docx
2012-05-01 11:01 - 2011-06-16 05:37 - 0000000 ____D C:\Users\Defrawy\Downloads\Compressed
2012-04-29 21:42 - 2012-04-29 21:39 - 1723852 ____A C:\Users\Defrawy\Desktop\Flo Rida feat Sia - Wild Ones Lyrics [Keep-Mp3.com].mp3
2012-04-29 21:40 - 2012-04-29 21:39 - 1799902 ____A C:\Users\Defrawy\Desktop\2pac-Aint Nuthin But A Gangsta Party [Keep-Mp3.com].mp3
2012-04-27 08:07 - 2012-04-27 08:07 - 3646470 ____A C:\Users\Defrawy\Desktop\di-OJS2.gif
2012-04-27 01:06 - 2012-04-27 01:06 - 0000755 ____A C:\Users\Public\Desktop\FIFA 12.lnk
2012-04-23 13:40 - 2012-04-23 13:40 - 0314508 ____A C:\Users\Defrawy\Desktop\Solution of HW 4.pdf
2012-04-23 13:23 - 2012-04-22 15:55 - 0000000 ____D C:\Users\Defrawy\Desktop\2012_04_23
2012-04-22 04:51 - 2012-04-22 04:51 - 0000000 __SHD C:\Windows\System32\%APPDATA%
2012-04-21 11:05 - 2012-04-21 11:05 - 0000000 ____D C:\Program Files\Veetle
2012-04-20 04:59 - 2012-04-17 09:11 - 0012768 ____A C:\Users\Defrawy\Desktop\1500.xlsx
2012-04-20 04:58 - 2012-04-20 04:41 - 0013788 ____A C:\Users\Defrawy\Desktop\creep discussion.docx
2012-04-20 04:27 - 2012-04-17 03:50 - 0018373 ____A C:\Users\Defrawy\Desktop\1300g.xlsx
2012-04-20 04:22 - 2012-04-17 03:30 - 0019124 ____A C:\Users\Defrawy\Desktop\1400g.xlsx
2012-04-18 00:47 - 2012-04-18 00:45 - 1313018 ____A C:\Users\Defrawy\Desktop\GLEE - Full Performance of Somebody That I Used To Know airing TUE 410 [Keep-Mp3.com].mp3
2012-04-18 00:12 - 2012-04-18 00:11 - 1513221 ____A C:\Users\Defrawy\Desktop\Justin Bieber - Boyfriend (Official Song Complet) [Keep-Mp3.com].mp3
2012-04-16 04:42 - 2012-04-16 04:42 - 0001037 ____A C:\Users\Public\Desktop\VLC media player.lnk
2012-04-16 04:41 - 2012-04-16 04:41 - 0000000 ____D C:\Program Files\VideoLAN
2012-04-12 15:01 - 2011-10-28 11:41 - 0000000 ____D C:\Users\Defrawy\AppData\Local\Google
2012-04-12 04:46 - 2011-11-19 10:43 - 0001020 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-04-12 02:59 - 2012-04-12 02:59 - 0309320 ____A (BitDefender S.R.L.) C:\Windows\System32\Drivers\TrufosAlt.sys
2012-04-11 14:37 - 2012-04-11 14:37 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_avchv_01009.Wdf
2012-04-09 14:15 - 2012-02-09 12:57 - 0000000 ____D C:\Program Files\Battlelog Web Plugins
2012-04-08 08:31 - 2012-04-08 08:31 - 0143328 ____A C:\Windows\Minidump\040812-21325-01.dmp
2012-04-08 08:31 - 2012-02-10 08:01 - 0000000 ____D C:\Windows\Minidump
2012-04-07 11:58 - 2012-04-07 11:58 - 0000000 ____D C:\Users\Defrawy\AppData\Roaming\QuickScan
2012-04-06 07:21 - 2012-01-06 06:43 - 0000000 ____D C:\Windows\System32\Drivers\N360
2012-04-04 04:56 - 2012-06-06 02:56 - 0022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-01 09:02 - 2012-04-01 09:02 - 0143328 ____A C:\Windows\Minidump\040112-32963-01.dmp
2012-04-01 00:56 - 2012-04-01 00:56 - 0182806 ____A C:\Users\Defrawy\Desktop\impact test.docx
2012-03-31 06:08 - 2012-03-31 06:08 - 0143232 ____A C:\Windows\Minidump\033112-27456-01.dmp
2012-03-29 09:14 - 2012-03-29 09:14 - 0000000 ____D C:\Users\Defrawy\AppData\Roaming\Tific
2012-03-29 09:10 - 2012-03-29 09:10 - 0000000 ____A C:\Windows\Minidump\032912-27939-01.dmp
2012-03-28 23:59 - 2012-03-28 23:59 - 0131072 ____A C:\Windows\Minidump\032912-31028-01.dmp
2012-03-28 23:59 - 2009-07-13 20:53 - 0032618 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-03-26 07:35 - 2012-03-26 07:35 - 0143232 ____A C:\Windows\Minidump\032612-27331-01.dmp
2012-03-24 04:33 - 2012-03-23 11:19 - 0012983 ____A C:\Users\Defrawy\Desktop\229 lab questions.docx
2012-03-23 12:03 - 2012-03-23 12:03 - 0143232 ____A C:\Windows\Minidump\032312-24570-01.dmp
2012-03-23 11:19 - 2012-03-23 11:19 - 0000162 ___AH C:\Users\Defrawy\Desktop\~$9 lab questions.docx
2012-03-20 05:11 - 2012-03-20 05:11 - 0000000 __SHD C:\found.000
2012-03-19 11:52 - 2012-03-17 04:51 - 0012624 ____A C:\Users\Defrawy\Desktop\229ask.docx
2012-03-17 11:16 - 2012-03-17 11:16 - 0143328 ____A C:\Windows\Minidump\031712-20826-01.dmp
2012-03-17 04:51 - 2012-03-17 04:51 - 0000162 ___AH C:\Users\Defrawy\Desktop\~$229ask.docx
2012-03-14 09:13 - 2012-03-14 09:13 - 0012610 ____A C:\Users\Defrawy\Desktop\2ndcrisis.docx
2012-03-14 09:13 - 2012-03-14 09:13 - 0000162 ___AH C:\Users\Defrawy\Desktop\~$dcrisis.docx
2012-03-14 09:12 - 2012-03-14 08:59 - 0000000 ____D C:\Users\Defrawy\AppData\Roaming\dvdcss
2012-03-12 21:40 - 2012-03-12 21:40 - 0181528 ____A C:\Windows\Minidump\031312-21278-01.dmp
2012-03-12 06:45 - 2012-03-12 06:45 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_xusb21_01009.Wdf
2012-03-12 06:45 - 2012-03-12 06:45 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_MijXfilt_01009.Wdf
2012-03-12 06:44 - 2012-03-12 06:44 - 0001089 ____A C:\Users\Public\Desktop\DS3 Tool.lnk
2012-03-12 06:44 - 2012-03-12 06:44 - 0000000 ____D C:\Users\Defrawy\AppData\Roaming\MotioninJoy
2012-03-12 06:44 - 2012-03-12 06:44 - 0000000 ____D C:\Program Files\MotioninJoy
2012-03-11 11:16 - 2012-03-11 11:04 - 0015828 ____A C:\Users\Defrawy\Desktop\code of ethics.docx
2012-03-10 13:35 - 2012-03-12 13:04 - 0400197 ____A C:\Users\Defrawy\Desktop\IMG-20120310-00156.jpg
2012-03-10 13:33 - 2012-03-12 13:04 - 0530099 ____A C:\Users\Defrawy\Desktop\IMG-20120310-00155.jpg
2012-03-10 10:00 - 2012-03-10 10:00 - 0131072 ____A C:\Windows\Minidump\031012-19468-01.dmp


C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\@
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\L
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U\00000001.@
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U\80000000.@
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U\800000cb.@

C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}
C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\@
C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\L
C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2009-07-13 15:41] - [2009-07-13 17:14] - 2613248 ____A (Microsoft Corporation) 15BC38A7492BEFE831966ADB477CF76F

C:\Windows\System32\winlogon.exe
[2009-07-13 15:37] - [2009-07-13 17:14] - 0285696 ____A (Microsoft Corporation) 8EC6A4AB12B8F3759E21F8E3A388F2CF

C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 4094.49 MB
Available physical RAM: 3611 MB
Total Pagefile: 4092.77 MB
Available Pagefile: 3615.76 MB
Total Virtual: 2047.88 MB
Available Virtual: 1958.31 MB

======================= Partitions =========================

2 Drive c: (Windows 7) (Fixed) (Total:24.41 GB) (Free:1.6 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive d: () (Fixed) (Total:97.66 GB) (Free:8.73 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive e: () (Fixed) (Total:343.69 GB) (Free:235.74 GB) NTFS
5 Drive f: (Repair disc Windows 7 32-bit) (CDROM) (Total:0.14 GB) (Free:0 GB) UDF
6 Drive g: (KINGSTON) (Removable) (Total:0.93 GB) (Free:0.93 GB) FAT
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 1024 KB
Disk 1 Online 954 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 97 GB 1024 KB
Partition 2 Primary 343 GB 97 GB
Partition 3 Primary 24 GB 441 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D NTFS Partition 97 GB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E NTFS Partition 343 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C Windows 7 NTFS Partition 24 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 954 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G KINGSTON FAT Removable 954 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-05-29 03:30

======================= End Of Log ==========================

Edited by ppxrare, 07 June 2012 - 09:47 AM.
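The "Bamital & volsnap Check" in the log above prints a raw MD5 for explorer.exe, winlogon.exe and services.exe instead of "MD5 is legit", which is the hint that those three need a second look. The script below is an example added to this thread (it is not FRST or ComboFix code): it parses that check block to list the unverified entries, then hashes a live binary against the copies staged in the WinSxS component store, the same comparison that lets a tool restore a clean services.exe from winsxs. The sample block is copied from the log above; the paths in main() are assumptions for a 32-bit Windows 7 install.

```python
"""Compare a core Windows binary with the copies staged in the WinSxS
component store. Example code added for this thread, not part of FRST or
ComboFix; SAMPLE_CHECK is copied from the FRST log above and the paths in
main() are assumptions for a 32-bit Windows 7 install."""
import glob
import hashlib
import re

# Detail line printed under a path in FRST's "Bamital & volsnap Check":
# "[2009-07-13 15:41] - [2009-07-13 17:14] - 2613248 ____A (Microsoft Corporation) <MD5>"
DETAIL_LINE = re.compile(
    r"^\[[^\]]*\] - \[[^\]]*\] - \d+ \S{5} \([^)]*\) (?P<md5>[0-9A-Fa-f]{32})$"
)
LEGIT_SUFFIX = " => MD5 is legit"

# Constructed sample, copied from the check block in the log above.
SAMPLE_CHECK = r"""
C:\Windows\explorer.exe
[2009-07-13 15:41] - [2009-07-13 17:14] - 2613248 ____A (Microsoft Corporation) 15BC38A7492BEFE831966ADB477CF76F

C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
"""


def parse_check_block(text):
    """Return {path: MD5 or 'legit'} for a 'Bamital & volsnap Check' block.
    FRST prints a raw MD5 only when the file is not on its known-good list."""
    result, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(LEGIT_SUFFIX):
            result[line[: -len(LEGIT_SUFFIX)]] = "legit"
            pending = None
        elif re.match(r"^[A-Za-z]:\\", line):
            pending = line  # a path; its detail line follows
        else:
            m = DETAIL_LINE.match(line)
            if m and pending:
                result[pending] = m.group("md5").upper()
            pending = None
    return result


def unverified(check):
    """Paths FRST could not vouch for; these are the ones to compare."""
    return sorted(p for p, v in check.items() if v != "legit")


def file_digest(path, algo="md5"):
    """Hex digest of a file, uppercase to match FRST's output."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def compare_with_store(live_path, store_paths, algo="md5"):
    """Hash the live binary and every component-store copy.
    Returns (live_digest, [(store_path, digest, identical), ...])."""
    live = file_digest(live_path, algo)
    rows = []
    for p in store_paths:
        d = file_digest(p, algo)
        rows.append((p, d, d == live))
    return live, rows


def main():
    # Assumed locations on a 32-bit Windows 7 system; adjust for other builds.
    live = r"C:\Windows\System32\services.exe"
    store = glob.glob(
        r"C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_*\services.exe"
    )
    for path in unverified(parse_check_block(SAMPLE_CHECK)):
        print(f"unverified by FRST: {path}")
    digest, rows = compare_with_store(live, store)
    print(f"{live}: {digest}")
    for path, d, same in rows:
        print(f"  {'MATCH  ' if same else 'DIFFERS'} {d}  {path}")
    if rows and not any(same for _, _, same in rows):
        print("live services.exe matches no component-store copy: investigate")


if __name__ == "__main__":
    main()
```

Two caveats when using this for real. Run it from the recovery environment or another clean boot, as the FRST fix in this thread was: on a live infected system the hashes are only as trustworthy as the kernel reading the file. And a store copy reflects the servicing level it was staged at (the ComboFix log later in the thread restores from the 6.1.7600.16385 RTM component), so compare against the copy that matches the installed version rather than treating any one mismatch as proof.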


#9 ppxrare
  • Topic Starter
  • Members
  • 14 posts
  • Local time:02:47 AM

Posted 07 June 2012 - 09:45 AM

Can't delete this post, just ignore it.

Edited by ppxrare, 07 June 2012 - 09:47 AM.


#10 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 135,634 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:47 AM

Posted 07 June 2012 - 12:59 PM

Hello

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt.

C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\@
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\L
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U\00000001.@
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U\80000000.@
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U\800000cb.@
C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}
C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\@
C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\L
C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
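The fixlist above is built by hand from two places in the FRST log posted earlier: the "__SHD" (system+hidden directory) entries in the modified-files listing and the bare path listing of the {GUID} folder with its "@", "L" and "U" children. As an added example for this thread (not FRST code and not gringo's script), the following Python parses both line formats, flags entries that match that layout, and prints them parent-first in the order a fixlist wants. The sample lines are copied from the log; the line format and the two flagging rules are assumptions drawn from this log alone, so treat a hit as something to review, not a verdict.

```python
"""Flag the hidden {GUID}\\@ / \\L / \\U layout in an FRST listing and turn
the hits into candidate fixlist.txt lines. Example code added for this
thread, not part of FRST; SAMPLE is copied from the logs above, and the line
format and flagging rules are assumptions drawn from this log."""
import re

# "2012-06-06 02:34 - 2009-07-13 15:11 - 0000000 __SHD C:\Users\..."; driver
# lines carry an optional "(Vendor)" field just before the path.
FRST_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d+ (?P<attrs>[_A-Z]{5}) (?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.*)$"
)
BARE_PATH = re.compile(r"^(?P<path>[A-Za-z]:\\.+)$")
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Constructed sample: lines copied from the FRST log above.
SAMPLE = r"""
2012-06-07 06:23 - 2009-06-03 14:31 - 2616057856 __ASH C:\hiberfil.sys
2012-06-06 02:34 - 2009-07-13 15:11 - 0000000 __SHD C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}
2012-06-05 12:44 - 2012-06-05 12:44 - 0000000 ____D C:\Program Files\Symantec
2012-06-05 12:44 - 2012-06-05 12:44 - 0127096 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2012-04-22 04:51 - 2012-04-22 04:51 - 0000000 __SHD C:\Windows\System32\%APPDATA%
2012-03-20 05:11 - 2012-03-20 05:11 - 0000000 __SHD C:\found.000
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\@
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U\80000000.@
"""


def parse_frst(text):
    """Return (attrs, path) pairs; attrs is '' for bare path lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FRST_LINE.match(line) or BARE_PATH.match(line)
        if m:
            entries.append((m.groupdict().get("attrs") or "", m.group("path")))
    return entries


def _guid_index(parts):
    """Index of the first {GUID} component of a split path, or None."""
    for i, part in enumerate(parts):
        if GUID_NAME.match(part):
            return i
    return None


def find_suspicious(entries):
    """Map path -> reason for entries matching the layout seen in this log:
    system+hidden directories named like a GUID or an unexpanded %VAR%, and
    '@', 'L', 'U' or '*.@' children directly under a {GUID} directory.
    A bare {GUID} directory under Windows\\Installer is not flagged on its
    own, since the MSI cache legitimately uses that naming."""
    found = {}
    for attrs, path in entries:
        parts = path.rstrip("\\").split("\\")
        name = parts[-1]
        if all(flag in attrs for flag in "SHD") and (GUID_NAME.match(name) or "%" in name):
            found[path] = "system+hidden directory with a GUID or %VAR% name"
        g = _guid_index(parts)
        if g is not None and g + 1 < len(parts):
            if parts[g + 1] in ("@", "L", "U") or name.endswith(".@"):
                found[path] = "@/L/U layout under a {GUID} directory"
                found.setdefault("\\".join(parts[: g + 1]), "parent of @/L/U layout")
    return found


def fixlist_lines(found):
    """Parent before children: moving the directory takes the tree with it,
    which is why the children then report 'not found' in the Fixlog."""
    return sorted(found, key=lambda p: (p.count("\\"), p.lower()))


if __name__ == "__main__":
    hits = find_suspicious(parse_frst(SAMPLE))
    for path in fixlist_lines(hits):
        print(f"{path}    # {hits[path]}")
```

Feed it the whole FRST.txt instead of SAMPLE and paste only the paths (without the trailing comment) into fixlist.txt. The C:\found.000 entry in the log is also system+hidden but is not flagged, because the rules key on the GUID or %VAR% name rather than on the attributes alone.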

#11 ppxrare
  • Topic Starter
  • Members
  • 14 posts
  • Local time:02:47 AM

Posted 07 June 2012 - 07:28 PM

Isn't FRST64 for a 64-bit system? I'm on a 32-bit system.

#12 ppxrare
  • Topic Starter
  • Members
  • 14 posts
  • Local time:02:47 AM

Posted 07 June 2012 - 07:41 PM

Anyway, I don't know where to get frst64.exe, so I assumed you meant frst.exe. Here is the Fixlog:


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 06-06-2012 04
Ran by SYSTEM at 2012-06-08 03:35:53 Run:1
Running from G:\

==============================================

C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584} moved successfully.
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\@ not found.
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\L not found.
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U not found.
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U\00000001.@ not found.
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U\80000000.@ not found.
C:\Windows\Installer\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U\800000cb.@ not found.
C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584} moved successfully.
C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\@ not found.
C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\L not found.
C:\Users\Defrawy\AppData\Local\{d6ee78cd-ae7e-1deb-74aa-d48c58ad2584}\U not found.

==== End of Fixlog ====

#13 ppxrare
  • Topic Starter
  • Members
  • 14 posts
  • Local time:02:47 AM

Posted 07 June 2012 - 08:44 PM

My internet is back to normal. Thanks so much, I really appreciate your time and effort; you should be compensated for the time you put into helping people.

#14 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 135,634 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:47 AM

Posted 07 June 2012 - 09:37 PM

Hello

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#15 ppxrare
  • Topic Starter
  • Members
  • 14 posts
  • Local time:02:47 AM

Posted 08 June 2012 - 08:22 AM

There you go, thanks a lot!

I was wondering, though, what's the point of these expensive anti-viruses such as Norton, Kaspersky and Bitdefender if they can't manage to disinfect these trojans?


EDIT: My internet is screwed up again ever since I ran combofix. I'm not sure if it's because of a virus or a problem from my side, but it was fine before I ran combofix. My issue is I try to open a website and it doesn't open; I have to keep refreshing several times for a site to start loading.

EDIT 2: Internet back to normal again, thanks a lot for your time and effort :D

EDIT 3: Internet definitely weird, on and off again, but Norton no longer says there are any trojans, so that's great.


ComboFix 12-06-08.01 - Defrawy 06/08/2012 15:06:52.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2593 [GMT 3:00]
Running from: f:\users\Defrawy\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
f:\programdata\1333749355.bdinstall.bin
f:\programdata\1333749458.bdinstall.bin
f:\programdata\1333828600.bdinstall.bin
f:\programdata\1334181671.bdinstall.bin
f:\programdata\1334329591.bdinstall.bin
f:\programdata\1338372435.bdinstall.bin
f:\programdata\1338372537.bdinstall.bin
f:\programdata\1338392486.bdinstall.bin
f:\programdata\1338416944.3244.bin
f:\programdata\1338416944.6480.bin
f:\programdata\1338416944.7100.bin
f:\programdata\1338416944.8068.bin
f:\programdata\1338421617.bdinstall.bin
f:\programdata\1338453003.bdinstall.bin
F:\readme.txt
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\chrome.manifest
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\chrome\idmmzcc.jar
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\components\iIDMMzCC.xpt
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\components2\idmhelper.js
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\components2\idmhelper2.js
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\components2\idmmzcc.dll
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\components2\idmmzcc64.dll
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\components2\iIDMHelper.xpt
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\components2\iIDMHelper2.xpt
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\components2\iIDMMzCC.xpt
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\install.js
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\install.rdf
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\META-INF\manifest.mf
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\META-INF\zigbert.rsa
f:\users\Defrawy\AppData\Roaming\IDM\idmmzcc3\META-INF\zigbert.sf
f:\windows\7Loader.TAG
.
Infected copy of f:\windows\system32\services.exe was found and disinfected
Restored copy from - f:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-08 to 2012-06-08 )))))))))))))))))))))))))))))))
.
.
2012-06-08 12:11 . 2012-06-08 12:11 -------- d-----w- f:\users\Default\AppData\Local\temp
2012-06-08 01:29 . 2012-06-08 01:46 -------- d-----w- F:\FRST
2012-06-07 14:52 . 2012-06-07 14:52 770384 ----a-w- f:\program files\Mozilla Firefox\msvcr100.dll
2012-06-07 14:52 . 2012-06-07 14:52 421200 ----a-w- f:\program files\Mozilla Firefox\msvcp100.dll
2012-06-06 10:56 . 2012-04-04 12:56 22344 ----a-w- f:\windows\system32\drivers\mbam.sys
2012-06-05 23:22 . 2012-06-05 23:47 -------- d-----w- f:\users\Defrawy\AppData\Local\NPE
2012-06-05 20:44 . 2012-06-05 20:44 127096 ----a-w- f:\windows\system32\drivers\SYMEVENT.SYS
2012-06-05 20:44 . 2012-06-05 21:28 -------- d-----w- f:\program files\Common Files\Symantec Shared
2012-06-05 20:44 . 2012-06-05 20:44 -------- d-----w- f:\program files\Symantec
2012-06-05 20:44 . 2012-06-05 20:44 -------- d-----w- f:\windows\system32\drivers\NAV
2012-06-05 20:43 . 2012-06-05 20:43 -------- d-----w- f:\program files\NortonInstaller
2012-06-04 18:48 . 2012-06-04 19:05 -------- d-----w- f:\programdata\PC Tools
2012-05-31 08:32 . 2012-05-31 08:32 -------- d-----w- f:\program files\Bitdefender
2012-05-30 10:09 . 2012-05-30 10:09 -------- d-----w- f:\users\Defrawy\AppData\Roaming\Malwarebytes
2012-05-30 10:09 . 2012-05-30 10:09 -------- d-----w- f:\programdata\Malwarebytes
2012-05-29 16:53 . 2012-05-29 16:53 -------- d-----w- f:\program files\NVIDIA Corporation
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-08 12:12 . 2012-02-09 10:11 16608 ----a-w- f:\windows\gdrv.sys
2012-06-02 21:09 . 2012-02-09 20:54 140800 ----a-w- f:\windows\system32\drivers\PnkBstrK.sys
2012-06-02 21:09 . 2012-02-09 21:01 283304 ----a-w- f:\windows\system32\PnkBstrB.xtr
2012-06-02 21:09 . 2011-12-27 09:30 283304 ----a-w- f:\windows\system32\PnkBstrB.exe
2012-06-02 21:09 . 2011-12-27 09:30 280904 ----a-w- f:\windows\system32\PnkBstrB.ex0
2012-04-12 10:59 . 2012-04-12 10:59 309320 ----a-w- f:\windows\system32\drivers\TrufosAlt.sys
2012-06-07 14:52 . 2012-04-12 12:46 85472 ----a-w- f:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-03-02 15:23 68216 ----a-w- f:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="f:\program files\uTorrent\uTorrent.exe" [2011-10-28 641400]
"IDMan"="f:\program files\Internet Download Manager\IDMan.exe" [2011-03-15 3278232]
"NokiaOviSuite2"="f:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2011-09-01 966712]
"Sidebar"="f:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="f:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"StartCCC"="d:\ccc\ATI.ACE\Core-Static\CLIStart.exe" [2011-12-05 343168]
"DivXUpdate"="f:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"PWRISOVM.EXE"="f:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"Malwarebytes' Anti-Malware"="d:\malwarebytes' anti-malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="f:\windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe" [2012-03-05 250528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders
.
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;f:\windows\system32\DRIVERS\MijXfilt.sys [2011-11-10 95304]
R3 MozillaMaintenance;Mozilla Maintenance Service;f:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-07 113120]
R3 osppsvc;Office Software Protection Platform;f:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
S0 SymDS;Symantec Data Store;f:\windows\system32\drivers\NAV\1301000.01C\SYMDS.SYS [2011-07-26 340088]
S0 SymEFA;Symantec Extended File Attributes;f:\windows\system32\drivers\NAV\1301000.01C\SYMEFA.SYS [2011-07-29 897656]
S1 BHDrvx86;BHDrvx86;f:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120517.001\BHDrvx86.sys [2012-05-17 821880]
S1 ccSet_NAV;Norton AntiVirus Settings Manager;f:\windows\system32\drivers\NAV\1301000.01C\ccSetx86.sys [2011-08-08 132744]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;f:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-12-22 232512]
S1 IDSVix86;IDSVix86;f:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120602.001\IDSvix86.sys [2012-06-01 368248]
S1 SymIRON;Symantec Iron Driver;f:\windows\system32\drivers\NAV\1301000.01C\Ironx86.SYS [2011-07-26 149624]
S1 SymNetS;Symantec Network Security WFP Driver;f:\windows\system32\drivers\NAV\1301000.01C\SYMNETS.SYS [2011-07-26 314488]
S2 AdobeARMservice;Adobe Acrobat Update Service;f:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;f:\windows\system32\atiesrxx.exe [2011-12-06 163328]
S2 cpuz135;cpuz135;f:\windows\system32\drivers\cpuz135_x32.sys [2011-09-21 21992]
S2 GEST Service;GEST Service for program management.;f:\program files\GIGABYTE\EnergySaver\GSvr.exe [2008-09-24 68136]
S2 IDMWFP;IDMWFP;f:\windows\system32\DRIVERS\idmwfp.sys [2011-01-25 85768]
S2 MBAMService;MBAMService;d:\malwarebytes' anti-malware\mbamservice.exe [2012-04-04 654408]
S2 NAV;Norton AntiVirus;d:\norton\Engine\19.1.0.28\ccSvcHst.exe [2011-08-10 138760]
S3 amdkmdag;amdkmdag;f:\windows\system32\DRIVERS\atikmdag.sys [2011-12-06 9067008]
S3 amdkmdap;amdkmdap;f:\windows\system32\DRIVERS\atikmpag.sys [2011-12-06 264192]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;f:\windows\system32\drivers\AtihdW73.sys [2011-10-17 85520]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;f:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-06-05 106656]
S3 MBAMProtector;MBAMProtector;f:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
S3 RTL8167;Realtek 8167 NT Driver;f:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-06 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2309810965-1210264114-1568991275-1001Core.job
- f:\users\Defrawy\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-12 23:01]
.
2012-06-08 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2309810965-1210264114-1568991275-1001UA.job
- f:\users\Defrawy\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-12 23:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15161&l=dis
IE: Download all links with IDM - f:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - f:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - f:\program files\Internet Download Manager\IEExt.htm
TCP: DhcpNameServer = 192.168.1.68
FF - ProfilePath - f:\users\Defrawy\AppData\Roaming\Mozilla\Firefox\Profiles\739ibg03.default\
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
AddRemove-DAEMON Tools Pro - d:\daemon tools\DAEMON Tools Pro\uninst.exe
AddRemove-Nokia Ovi Suite - f:\programdata\NokiaInstallerCache\ProductCache\{D5878294-C113-43c5-A24F-FC333C52015A}\{07D77970-B205-460C-84E4-263F30455597}\Installer.exe
AddRemove-{675DD1E6-637A-4F0E-B6DE-26F45CC26092}_is1 - d:\f__xxx_assassin's creed ii clonedvd-multi9-ali213\Assassin's Creed II\unins000.exe
AddRemove-{B531E735-8ED5-4270-ACCE-3809086FBD02}_is1 - d:\batman arkham city\Batman Arkham City\unins000.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NAV]
"ImagePath"="\"d:\norton\Engine\19.1.0.28\ccSvcHst.exe\" /s \"NAV\" /m \"d:\norton\Engine\19.1.0.28\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{0055C089-8582-441B-A0BF-17B458C2A3A8}"=hex:51,66,7a,6c,4c,1d,38,12,e7,c3,46,
04,b0,cb,75,01,df,a9,54,f4,5d,9c,e7,bc
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{326E768D-4182-46FD-9C16-1449A49795F4}"=hex:51,66,7a,6c,4c,1d,38,12,e3,75,7d,
36,b0,0f,93,03,e3,00,57,09,a1,c9,d1,e0
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d1,15,5b,04,53,eb,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,c8,bf,ab,c3,84,d3,46,a7,0f,a0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,c8,bf,ab,c3,84,d3,46,a7,0f,a0,\
.
[HKEY_USERS\S-1-5-21-2309810965-1210264114-1568991275-1001_Classes\CLSID\{76af2469-c965-4dbc-a34a-9dce528cd2e7}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000012a
"Therad"=dword:0000001c
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-2309810965-1210264114-1568991275-1001_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):8f,60,8f,fa,5f,a2,fb,3d,ca,23,6f,6b,c7,af,a7,75,5d,69,ca,7d,c7,
6d,36,1a,ad,8e,97,40,0d,0b,de,31,1d,b9,a4,c0,11,1a,65,23,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
f:\windows\system32\atieclxx.exe
f:\windows\system32\taskhost.exe
f:\windows\system32\conhost.exe
f:\windows\system32\PnkBstrA.exe
f:\windows\system32\sppsvc.exe
f:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
f:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
d:\ccc\ATI.ACE\Core-Static\MOM.exe
f:\program files\Windows Media Player\wmpnetwk.exe
f:\program files\PC Connectivity Solution\ServiceLayer.exe
f:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
f:\windows\system32\DllHost.exe
f:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
f:\program files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe
.
**************************************************************************
.
Completion time: 2012-06-08 15:19:06 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-08 12:19
.
Pre-Run: 1,042,722,816 bytes free
Post-Run: 3,063,721,984 bytes free
.
- - End Of File - - B7F94625C035AF952401FAA8943723D8

Edited by ppxrare, 08 June 2012 - 09:05 AM.




