BleepingComputer.com: Ran out of programs allowed in infected forum. Need your help.

I have a Dirty Rotten virus. Malware of some sort. I know its there i just dont know where.
I just spent a few days making logs for Broni over at the "Am I infected, What do i do?" forum.
Most of the AV or anti spyware programs dont work.
They will install and update. But none of them will finish a scan. I got malwarebites to work once. the results are on the thread in the other section.

I use Vista x86 or 32bit
The symptoms ive noticed so far are mostly redirecting me on searches. Usually 5 times per search.
no AV program will scan. ( It will install update and start a scan, but then it closes and destroys the file for opening the app. so i have to reinstall it.
now and then i think i disconnect from the internet for 10 15 seconds at a time.
My google chrome wont open any more.
every thing else seems to work so far.

Here is a link to the thread with all the logs so far. Please help. I dont have my vista disc so i cant just wipe it.

.........Thread with broni, containing Logs......

Bump for no response.

Redirect says 100Ksearches.com redirect.
I noticed other people have this.

EDIT: Please be patient. There are over 500 unanswered topics in this forum at present and the current average wait time to receive help is 18 days. ~Budapest

wow too bad i just spent 7 days.
Hopefully my computer lasts that long.

This post has been edited by Budapest: 28 July 2011 - 04:59 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resouce! To tell me this, please click on http://www.bleepingcomputer.com/logreply/411498 and follow the instructions there. If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

• If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  
• A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
  
  • Please do this even if you have previously posted logs for us.
    
  • If you were unable to produce the logs originally please try once more.
    
  • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    
  • If you are unsure about any of these characteristics just post what you can and we will guide you.
  
  
• Please tell us if you have your original Windows CD/DVD available.
  
• Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

• Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:



As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

billbradshaw, on 27 July 2011 - 04:47 AM, said:

Please read over the link to my other thread on this forum. it has much information.

A couple other things ive noticed.
My computer crashes if left on for a few hours unatended,
Sometimes when i click on web pages it will ask to view over a secure network when it shouldnt.
and on of the programs i use for work stopped working. one of the only programs i use.


I tried to run GMER but it crashes and then i cant remove the file from my computer. it says i dont have permission.

Here are the DDS Log Files.
DDS:
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.19019
Run by julio at 2:37:24 on 2011-08-11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1021.422 [GMT -7:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Logitech\Logitech Vid\Vid.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DU Meter] c:\program files\du meter\DUMeter.exe
uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Google Update] "c:\users\julio\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Windows Phone Device Manager] %SystemRoot%\WPDeviceManager\WPDeviceManager.exe /Minimized
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.55 68.105.28.11 68.105.29.11
TCP: Interfaces\{28C04470-6D89-4C9F-BE51-1F6AD84C586B} : DhcpNameServer = 192.168.1.55 68.105.28.11 68.105.29.11
TCP: Interfaces\{C49132D5-05B5-4CFF-84BB-EDD6EB01F696} : DhcpNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Hosts: 192.168.1.103 developerservices.windowsphone.com
============= SERVICES / DRIVERS ===============
.
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2011-7-19 142592]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R3 b57nd60x;%SvcDispName%;c:\windows\system32\drivers\b57nd60x.sys [2010-11-15 179712]
S2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;"c:\program files\emsisoft anti-malware\a2service.exe" --> c:\program files\emsisoft anti-malware\a2service.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe --> c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [?]
S2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\imfsrv.exe --> c:\program files\iobit\iobit malware fighter\IMFsrv.exe [?]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;"c:\program files\nvidia corporation\performance drivers\nvpdsvc.exe" --> c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-7-7 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-7-7 8456]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2011-7-7 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2011-7-7 11104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-27 22:32:50 1152 ----a-w- c:\windows\system32\windrv.sys
2011-07-27 22:31:34 -------- d-----w- c:\users\julio\appdata\roaming\GetRightToGo
2011-07-24 07:54:09 -------- d-----w- c:\programdata\Avira
2011-07-24 06:32:18 -------- d-----w- c:\programdata\AVAST Software
2011-07-24 06:32:18 -------- d-----w- c:\program files\AVAST Software
2011-07-22 08:48:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-20 11:42:16 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-07-20 11:42:16 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-20 11:32:06 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-20 11:13:59 -------- d-s---w- C:\cf8951c
2011-07-20 11:12:37 -------- d-s---w- C:\cf5032c
2011-07-20 10:44:34 -------- d-s---w- C:\cf6080c
2011-07-20 10:36:37 -------- d-----w- c:\programdata\IObit
2011-07-20 07:45:08 -------- d-----w- c:\users\julio\appdata\roaming\QuickScan
2011-07-20 00:11:59 -------- d-----w- c:\users\julio\appdata\roaming\SUPERAntiSpyware.com
2011-07-20 00:11:59 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-19 23:59:27 -------- d-----w- c:\programdata\Kaspersky Lab
2011-07-19 23:20:07 -------- d-----w- c:\program files\Mb av
2011-07-19 12:54:28 98816 ----a-w- c:\windows\sed.exe
2011-07-19 12:54:28 518144 ----a-w- c:\windows\SWREG.exe
2011-07-19 12:54:28 256000 ----a-w- c:\windows\PEV.exe
2011-07-19 12:54:28 208896 ----a-w- c:\windows\MBR.exe
2011-07-19 12:54:22 -------- d-s---w- C:\cf5234c
2011-07-19 12:53:31 -------- d-s---w- C:\cf
2011-07-19 11:46:12 -------- d-----w- c:\users\julio\appdata\roaming\IObit
2011-07-19 11:45:49 -------- d-----w- c:\program files\IObit
2011-07-19 11:15:46 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2011-07-19 11:15:44 -------- d-----w- c:\users\julio\appdata\roaming\Spyware Terminator
2011-07-19 11:15:37 -------- d-----w- c:\programdata\Spyware Terminator
2011-07-19 10:57:58 -------- d-----w- c:\users\julio\appdata\roaming\Malwarebytes
2011-07-19 10:57:49 -------- d-----w- c:\programdata\Malwarebytes
2011-07-19 10:03:45 -------- d-----w- c:\program files\common files\iS3
2011-07-19 10:03:44 -------- d-----w- c:\programdata\STOPzilla!
2011-07-19 08:12:37 -------- d-----w- c:\program files\DAMN NFO Viewer
2011-07-16 10:04:18 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{fa57970b-cf0f-4c3e-832b-37264ebb97a5}\mpengine.dll
.
==================== Find3M ====================
.
2011-06-20 08:46:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-25 02:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-15 01:25:04 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2011-05-15 01:24:57 82432 ----a-w- c:\windows\system32\axaltocm.dll
.
============= FINISH: 2:37:51.34 ===============

Thank you guys for your help. Hopefully you can help me solve this.

Hello, unfortunately you have a nasty rootkit on board. Before continuing, read the following information first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on Combofix.exe and follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

I tried to run combofix and it froze my computer. When I tried to restart it, the caps lock Light would just flash.
I got far enough where it would said something about the memory. But I couldn't get there again.

A couple times it froze at the dell boot screen.

But mainly it just flashes the caps lock light. With a black screen. No backlight.

I took of my keyboard and made sure my ram is in there right. And made sure my hard drive is in right.

I am sending this reply from my phone. HELP

Its a dell presicion m4300 laptop can't edit from phone

From your descirption I am not sure this is related to the rootkit or hardware related. Do you hear the HD spin when starting the computer (or fans, the usual noise you hear when you start the laptop) even if you have no screen input? Do you hear any beeps or so?

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

• Run GETxPUD.exe
  
• A new folder will appear on the desktop.
  
• Open the GETxPUD folder and click on the get&burn.bat
  
• The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  
• Click on Start and follow the prompts to burn the image to a CD.
  
• Remove the USB & CD and insert it in the sick computer
  
• Boot the Sick computer with the CD you just burned
  
• The computer must be set to boot from the CD
  
• Gently tap F12 and choose to boot from the CD
  
• Follow the prompts
  
• A Welcome to xPUD screen will appear
  
• Press File
  
• Expand mnt
  
• sda1,2...usually corresponds to your HDD
  
• sdb1 is likely your USB
  
• Click on the folder that represents your USB drive (sdb1 ?)
  
• Press Tool at the top
  
• Choose Open Terminal
  
• Type the following and press enter:
  
  dd if=/dev/sda of=mbr.bin bs=512 count=1
  
  
  
• Press Enter
  
• After it has finished a file will be located on your USB drive named mbr.bin
  
• Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

Right before you responded I got the computer to boot up.
I switched the slots on the ram but I honestly don't think that's what the problem was.

I am running combofix now and will post the results from my computer once I connect it to the internet.

It actually worked. But at the end it says access denied.
Then my computer crashed twice.
It said rootkit.zero access inserted its self into tcp/ip stack

I rebooted in safe mode and combo fix made its log. I will post that in a minute.

Yes, zero access was indeed what showed in your log. Glad to hear you got it booted up again. This confirms that the cause was not malware, as that does not spontaneously fix itself after swapping RAM.

After running combofix I cannot boot into normal windows mode. Only safe mode.

It will give me a box with a message only if I try to boot after I just booted in safe mode. Then it will not even load windows. If that makes any sense.

The window says:
Error initializing network.
Other stuff I didn't have a change to memorize
Logitech vid will not work untill its fixed

Since I don't have internet in safe mode ill have to figure out how to post that log via android phone.

Does Safe Mode with Networking work? If so, try that as it will give you access to the internet.

This post has been edited by elise025: 12 August 2011 - 06:29 AM

I am using safe mode with networking. But I can't connect.

Now that I think about it combofix said if you can't connect after running then run it again right?

Could you have a look at the Combofix log and let me know at what is under the Other Deletions and Services/drivers list?

Also, can you describe in detail what exactly happens when you boot in normal mode (and exactly when the error occurs).

ComboFix 11-08-11.03 - julio 08/12/2011 3:14.3.2 - x86
Microsoft� Windows Vista� Home Premium 6.0.6002.2.1252.1.1033.18.1021.444 [GMT -7:00]
Running from: c:\users\julio\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB20928$
c:\windows\$NtUninstallKB20928$\2978376240
c:\windows\$NtUninstallKB20928$\3262409803\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB20928$\3262409803\click.tlb
c:\windows\$NtUninstallKB20928$\3262409803\L\qnbwvoto
c:\windows\$NtUninstallKB20928$\3262409803\loader.tlb
c:\windows\$NtUninstallKB20928$\3262409803\U\@00000001
c:\windows\$NtUninstallKB20928$\3262409803\U\@000000c0
c:\windows\$NtUninstallKB20928$\3262409803\U\@000000cb
c:\windows\$NtUninstallKB20928$\3262409803\U\@000000cf
c:\windows\$NtUninstallKB20928$\3262409803\U\@80000000
c:\windows\$NtUninstallKB20928$\3262409803\U\@800000c0
c:\windows\$NtUninstallKB20928$\3262409803\U\@800000cb
c:\windows\$NtUninstallKB20928$\3262409803\U\@800000cf
c:\windows\system32\drivers\etc\lmhosts
c:\windows\assembly\GAC_MSIL\desktop.ini . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-07-12 to 2011-08-12 )))))))))))))))))))))))))))))))
.
.
2011-08-12 10:20 . 2011-08-12 10:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-27 22:32 . 2011-07-27 22:32 1152 ----a-w- c:\windows\system32\windrv.sys
2011-07-27 22:31 . 2011-07-27 22:32 -------- d-----w- c:\users\julio\AppData\Roaming\GetRightToGo
2011-07-24 07:54 . 2011-07-24 07:54 -------- d-----w- c:\programdata\Avira
2011-07-24 06:32 . 2011-07-24 07:43 -------- d-----w- c:\programdata\AVAST Software
2011-07-24 06:32 . 2011-07-24 06:32 -------- d-----w- c:\program files\AVAST Software
2011-07-22 08:48 . 2011-07-24 07:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-20 11:42 . 2011-07-20 11:42 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-07-20 11:42 . 2011-07-20 11:42 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-20 10:36 . 2011-07-20 10:36 -------- d-----w- c:\programdata\IObit
2011-07-20 07:45 . 2011-07-20 07:45 -------- d-----w- c:\users\julio\AppData\Roaming\QuickScan
2011-07-20 00:11 . 2011-07-20 00:11 -------- d-----w- c:\users\julio\AppData\Roaming\SUPERAntiSpyware.com
2011-07-20 00:11 . 2011-07-20 00:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-19 23:59 . 2011-07-19 23:59 -------- d-----w- c:\programdata\Kaspersky Lab
2011-07-19 23:20 . 2011-07-19 23:41 -------- d-----w- c:\program files\Mb av
2011-07-19 12:53 . 2011-07-19 12:53 -------- d-----w- C:\cf
2011-07-19 11:46 . 2011-07-20 23:46 -------- d-----w- c:\users\julio\AppData\Roaming\IObit
2011-07-19 11:45 . 2011-07-20 10:36 -------- d-----w- c:\program files\IObit
2011-07-19 11:26 . 2011-07-20 23:50 -------- dc----w- c:\windows\system32\DRVSTORE
2011-07-19 11:26 . 2011-07-20 23:50 -------- d-----w- c:\programdata\Lavasoft
2011-07-19 11:15 . 2011-07-19 11:15 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2011-07-19 11:15 . 2011-07-19 11:18 -------- d-----w- c:\users\julio\AppData\Roaming\Spyware Terminator
2011-07-19 11:15 . 2011-07-19 11:45 -------- d-----w- c:\programdata\Spyware Terminator
2011-07-19 10:57 . 2011-07-19 10:57 -------- d-----w- c:\users\julio\AppData\Roaming\Malwarebytes
2011-07-19 10:57 . 2011-07-19 10:57 -------- d-----w- c:\programdata\Malwarebytes
2011-07-19 10:03 . 2011-07-19 10:03 -------- d-----w- c:\program files\Common Files\iS3
2011-07-19 10:03 . 2011-07-19 11:06 -------- d-----w- c:\programdata\STOPzilla!
2011-07-19 08:12 . 2011-07-19 08:12 -------- d-----w- c:\program files\DAMN NFO Viewer
2011-07-16 10:04 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FA57970B-CF0F-4C3E-832B-37264EBB97A5}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-20 08:46 . 2011-06-20 08:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-25 02:14 . 2010-11-10 05:54 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-15 05:29 . 2011-05-15 05:11 155424 ----a-w- c:\programdata\Microsoft\VPDExpress\10.0\1033\ResourceCache.dll
2011-05-15 01:25 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2011-05-15 01:24 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"nwiz"="nwiz.exe" [2009-06-11 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R1 SASDIFSV;SASDIFSV;c:\users\julio\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\julio\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2011-07-19 142592]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [x]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [x]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [x]
R3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [x]
R3 b57nd60x;%SvcDispName%;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-19 179712]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-03-24 14216]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-03-24 8456]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2010-08-16 16472]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2010-08-16 11104]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-03-30 436792]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1207226448-794793204-1783196847-1000Core.job
- c:\users\julio\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-11 15:27]
.
2011-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1207226448-794793204-1783196847-1000UA.job
- c:\users\julio\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-11 15:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.55 68.105.28.11 68.105.29.11
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DU Meter - c:\program files\DU Meter\DUMeter.exe
HKCU-Run-SpywareTerminatorUpdate - c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe
HKLM-Run-Windows Phone Device Manager - c:\windows\WPDeviceManager\WPDeviceManager.exe
HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-Roland CAMM-1 CX-24 - c:\users\julio\AppData\Local\Temp\RolandRDCX24.INF\SETUP.EXE
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-08-12 03:28:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-12 10:28
.
Pre-Run: 5,606,023,168 bytes free
Post-Run: 5,698,940,928 bytes free
.
- - End Of File - - D1DA321002DF6A3E59FC709C99D34399

Sweet that worked. I pushed the file to my phone then found a program to view and copy the text.