Win32:Rootkit-gen Infection

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
This topic is locked

Win32:Rootkit-gen Infection Avast blocking for now... Help appreciated

#1 Governator

New Member

Group: Members
Posts: 7
Joined: 09-November 11

Posted 09 November 2011 - 02:19 PM

I've been getting regular messages today from avast about a win32 rootkit virus wanting to run in windows temp folder: windows\temp\xxxxx\setup.exe

xxxxx being random characters each time it gets generated.

I had this problem about a month ago and it almost wiped me out. All of my start menu items were gone, quick start menu, taskbar etc. I was able to get them back from a temp folder and copied the shortcuts over. I thought I was in the clear previously after running (in safe mode) malwarebytes, tdskiller ccleaner & combofix. Everything has been stable for the past month until today. I don't recall doing anything different this morning.

This is virus chest log from today in Avast (in case it helps):

Posted Image

I ran DDS as requested (I'm on a 64-bit system running Vista). Here's the DDS.txt file and I've attached the attach.txt file in zip.

Any help is much appreciated!

Thanks!

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_20
Run by Governator at 13:49:13 on 2011-11-09
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.8190.5423 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files (x86)\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files (x86)\Mozilla Firefox4\firefox.exe
C:\Program Files (x86)\Mozilla Firefox4\plugin-container.exe
C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS4\Dreamweaver.exe
C:\Windows\splwow64.exe
C:\F\FLASHF~1\FlashFXP.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Opera 10 Beta\opera.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:55737
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Google Update] "C:\Users\Governator\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [4Y3Y0C3A8F7W1VXWUEBRFA] C:\Recycle.Bin\B6232F3ABB0.exe /q
mRun: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
StartupFolder: C:\Users\GOVERN~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\APCUPS~1.LNK - C:\Program Files (x86)\APC\APC PowerChute Personal Edition\Display.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://98.26.31.151:1024/NetCamPlayerWeb11gv2.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{1EFC3D5A-3BF8-41BD-AF89-B188CCC5640F} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D5A06895-CF56-402E-ABA4-AA34F5326BD9} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
mRun-x64: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
IE-X64: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
IE-X64: {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Users\Governator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Governator\AppData\Roaming\Mozilla\Firefox\Profiles\z0pgofe9.default\
FF - prefs.js: browser.startup.homepage - hxxp://fullcontactpoker.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Opera 10 Beta\program\plugins\NPOFF12.DLL
FF - plugin: C:\Program Files (x86)\Spoon\3.16.0.5\npMozillaSpoonPlugin.dll
FF - plugin: C:\Program Files (x86)\Spoon\3.26.0.5\npMozillaSpoonPlugin.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Governator\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Users\Governator\AppData\Local\Spoon\3.11.0.7\npMozillaSpoonPlugin.dll
FF - plugin: C:\Users\Governator\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\Governator\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: C:\Users\Governator\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Governator\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv61xx;mv61xx;C:\Windows\system32\DRIVERS\mv61xx.sys --> C:\Windows\system32\DRIVERS\mv61xx.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-9-9 44768]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2010-12-4 373640]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2008-8-11 15928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]
R2 SpyHunter 4 Service;SpyHunter 4 Service;C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [2011-5-17 993696]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-8-6 1038088]
S3 fssfltr;FssFltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-4-28 704872]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-26 89920]
S4 TeknicaVdmSvcX86v3;Teknica VDM Service;C:\Program Files (x86)\VDM\System32\VdmSvc32.exe [2010-3-9 163512]
.
=============== File Associations ===============
.
JSEFile=%SystemRoot%\SysWow64\CScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-11-09 15:11:03 167936 ----a-w- C:\ProgramData\HlNg3Uf1.exe_
2011-11-09 15:11:03 167936 ----a-w- C:\ProgramData\HlNg3Uf1.exe
2011-11-08 19:13:30 60 ----a-w- C:\Windows\wpd99.drv
2011-11-04 13:41:54 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-06 20:45:29 41184 ----a-w- C:\Windows\avastSS.scr
2011-09-06 20:45:29 199304 ----a-w- C:\Windows\SysWow64\aswBoot.exe
2011-09-06 20:45:17 254400 ----a-w- C:\Windows\System32\aswBoot.exe
2011-09-06 20:38:18 601944 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2011-09-06 20:38:16 301912 ----a-w- C:\Windows\System32\drivers\aswSP.sys
2011-09-06 20:36:41 42328 ----a-w- C:\Windows\System32\drivers\aswRdr.sys
2011-09-06 20:36:30 65368 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-09-06 20:36:14 24408 ----a-w- C:\Windows\System32\drivers\aswFsBlk.sys
2011-08-31 22:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 13:52:50.97 ===============

Attached File(s)

Attach.zip (3.73K)
Number of downloads: 1

#2 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,397
Joined: 16-May 10
Gender:Male

Posted 10 November 2011 - 10:39 PM

Hello and welcome. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop

Execute TDSSKiller.exe by doubleclicking on it.
Press Start Scan
If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
Then click Continue > Reboot now
Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
Post that log, please.

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
When finished, it will produce a report for you.

.
Please include the following in your next post:

TDSSKiller log

ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may

#3 Governator

New Member

Group: Members
Posts: 7
Joined: 09-November 11

Posted 17 November 2011 - 02:32 PM

Thank you very much for the help and I'm sorry for the delayed response on my end. I was out of the house for most of the week:

TDSSKiller Log:

2011/08/30 14:40:01.0255 3856 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/08/30 14:40:01.0646 3856 ================================================================================
2011/08/30 14:40:01.0646 3856 SystemInfo:
2011/08/30 14:40:01.0646 3856
2011/08/30 14:40:01.0646 3856 OS Version: 6.0.6002 ServicePack: 2.0
2011/08/30 14:40:01.0646 3856 Product type: Workstation
2011/08/30 14:40:01.0646 3856 ComputerName: GOVERNATOR-PC
2011/08/30 14:40:01.0647 3856 UserName: Governator
2011/08/30 14:40:01.0647 3856 Windows directory: C:\Windows
2011/08/30 14:40:01.0647 3856 System windows directory: C:\Windows
2011/08/30 14:40:01.0647 3856 Running under WOW64
2011/08/30 14:40:01.0647 3856 Processor architecture: Intel x64
2011/08/30 14:40:01.0647 3856 Number of processors: 4
2011/08/30 14:40:01.0647 3856 Page size: 0x1000
2011/08/30 14:40:01.0647 3856 Boot type: Normal boot
2011/08/30 14:40:01.0647 3856 ================================================================================
2011/08/30 14:40:04.0723 3856 Initialize success
2011/08/30 14:40:06.0993 6408 ================================================================================
2011/08/30 14:40:06.0993 6408 Scan started
2011/08/30 14:40:06.0993 6408 Mode: Manual;
2011/08/30 14:40:06.0993 6408 ================================================================================
2011/08/30 14:40:10.0448 6408 ACPI (1965aaffab07e3fb03c77f81beba3547) C:\Windows\system32\drivers\acpi.sys
2011/08/30 14:40:10.0558 6408 adfs (2f0683fd2df1d92e891caca14b45a8c1) C:\Windows\system32\drivers\adfs.sys
2011/08/30 14:40:10.0650 6408 ADIHdAudAddService (4a30fa79f8253134d398251db614e3c9) C:\Windows\system32\drivers\ADIHdAud.sys
2011/08/30 14:40:10.0758 6408 adp94xx (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys
2011/08/30 14:40:10.0816 6408 adpahci (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys
2011/08/30 14:40:10.0876 6408 adpu160m (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys
2011/08/30 14:40:11.0621 6408 adpu320 (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys
2011/08/30 14:40:11.0710 6408 AFD (12415ccfd3e7cec55b5184e67b039fe4) C:\Windows\system32\drivers\afd.sys
2011/08/30 14:40:11.0741 6408 agp440 (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys
2011/08/30 14:40:11.0818 6408 aic78xx (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys
2011/08/30 14:40:11.0869 6408 aliide (157d0898d4b73f075ce9fa26b482df98) C:\Windows\system32\drivers\aliide.sys
2011/08/30 14:40:11.0884 6408 amdide (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys
2011/08/30 14:40:11.0910 6408 AmdK8 (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys
2011/08/30 14:40:11.0970 6408 arc (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys
2011/08/30 14:40:12.0009 6408 arcsas (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys
2011/08/30 14:40:12.0090 6408 aswFsBlk (b76182f203e0bd5eb6a5f6538f0faee4) C:\Windows\system32\drivers\aswFsBlk.sys
2011/08/30 14:40:12.0146 6408 aswMonFlt (a88e9544edda1ce83825dd22d6a8b5f9) C:\Windows\system32\drivers\aswMonFlt.sys
2011/08/30 14:40:12.0178 6408 aswRdr (cfad2fb33b22e7039c9dc233baacbf8b) C:\Windows\system32\drivers\aswRdr.sys
2011/08/30 14:40:12.0213 6408 aswSP (594365e887f4a5ad3970870b352eb887) C:\Windows\system32\drivers\aswSP.sys
2011/08/30 14:40:12.0233 6408 AsyncMac (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/08/30 14:40:12.0288 6408 atapi (e68d9b3a3905619732f7fe039466a623) C:\Windows\system32\drivers\atapi.sys
2011/08/30 14:40:12.0372 6408 ati2mtag (b0d528aae299d9364fb1d183e525253a) C:\Windows\system32\DRIVERS\ati2mtag.sys
2011/08/30 14:40:12.0509 6408 ATIAVPCI (a87c69ea0319a6d1b5457290a7d62f75) C:\Windows\system32\DRIVERS\atinavrr.sys
2011/08/30 14:40:12.0627 6408 blbdrive (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys
2011/08/30 14:40:12.0642 6408 bowser (8b2b19031d0aeade6e1b933df1acba7e) C:\Windows\system32\DRIVERS\bowser.sys
2011/08/30 14:40:12.0681 6408 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys
2011/08/30 14:40:12.0736 6408 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys
2011/08/30 14:40:12.0788 6408 Brserid (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\drivers\brserid.sys
2011/08/30 14:40:12.0817 6408 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys
2011/08/30 14:40:12.0875 6408 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys
2011/08/30 14:40:12.0909 6408 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\drivers\brusbser.sys
2011/08/30 14:40:12.0936 6408 BTHMODEM (e0777b34e05f8a82a21856efc900c29f) C:\Windows\system32\drivers\bthmodem.sys
2011/08/30 14:40:12.0969 6408 cdfs (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys
2011/08/30 14:40:13.0018 6408 cdrom (c025aa69be3d0d25c7a2e746ef6f94fc) C:\Windows\system32\DRIVERS\cdrom.sys
2011/08/30 14:40:13.0088 6408 circlass (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\drivers\circlass.sys
2011/08/30 14:40:13.0163 6408 CLFS (3dca9a18b204939cfb24bea53e31eb48) C:\Windows\system32\CLFS.sys
2011/08/30 14:40:13.0211 6408 cmdide (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys
2011/08/30 14:40:13.0230 6408 Compbatt (7fb8ad01db0eabe60c8a861531a8f431) C:\Windows\system32\DRIVERS\compbatt.sys
2011/08/30 14:40:13.0248 6408 crcdisk (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys
2011/08/30 14:40:13.0318 6408 CrystalSysInfo (5228b7a738dc90a06ae4f4a7412cb1e9) C:\Program Files\MediaCoder\SysInfoX64.sys
2011/08/30 14:40:13.0413 6408 CSC (f60f50c8ed3fcbe358430b95fe27d09c) C:\Windows\system32\drivers\csc.sys
2011/08/30 14:40:13.0501 6408 DfsC (36cd31121f228e7e79bae60aa45764c6) C:\Windows\system32\Drivers\dfsc.sys
2011/08/30 14:40:13.0546 6408 disk (b0107e40ecdb5fa692ebf832f295d905) C:\Windows\system32\drivers\disk.sys
2011/08/30 14:40:13.0617 6408 drmkaud (f1a78a98cfc2ee02144c6bec945447e6) C:\Windows\system32\drivers\drmkaud.sys
2011/08/30 14:40:13.0707 6408 DXGKrnl (1d96e28ebcd96ad1b44a3fd02ca6433d) C:\Windows\System32\drivers\dxgkrnl.sys
2011/08/30 14:40:13.0783 6408 E1G60 (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys
2011/08/30 14:40:13.0834 6408 Ecache (5f94962be5a62db6e447ff6470c4f48a) C:\Windows\system32\drivers\ecache.sys
2011/08/30 14:40:13.0902 6408 elxstor (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys
2011/08/30 14:40:13.0953 6408 ErrDev (bc3a58e938bb277e46bf4b3003b01abd) C:\Windows\system32\drivers\errdev.sys
2011/08/30 14:40:14.0059 6408 exfat (486844f47b6636044a42454614ed4523) C:\Windows\system32\drivers\exfat.sys
2011/08/30 14:40:14.0125 6408 fastfat (1a4bee34277784619ddaf0422c0c6e23) C:\Windows\system32\drivers\fastfat.sys
2011/08/30 14:40:14.0183 6408 fdc (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys
2011/08/30 14:40:14.0231 6408 FileInfo (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys
2011/08/30 14:40:14.0258 6408 Filetrace (d421327fd6efccaf884a54c58e1b0d7f) C:\Windows\system32\drivers\filetrace.sys
2011/08/30 14:40:14.0294 6408 flpydisk (230923ea2b80f79b0f88d90f87b87ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/08/30 14:40:14.0337 6408 FltMgr (e3041bc26d6930d61f42aedb79c91720) C:\Windows\system32\drivers\fltmgr.sys
2011/08/30 14:40:14.0388 6408 fssfltr (53dab1791917a72738539ad25c4eed7f) C:\Windows\system32\DRIVERS\fssfltr.sys
2011/08/30 14:40:14.0416 6408 Fs_Rec (29d99e860a1ca0a03c6a733fdd0da703) C:\Windows\system32\drivers\Fs_Rec.sys
2011/08/30 14:40:14.0431 6408 fvevol (849e38db7d829962d0233a0a252b60c3) C:\Windows\system32\DRIVERS\fvevol.sys
2011/08/30 14:40:14.0483 6408 gagp30kx (c8e416668d3dc2be3d4fe4c79224997f) C:\Windows\system32\drivers\gagp30kx.sys
2011/08/30 14:40:14.0574 6408 HdAudAddService (68e732382b32417ff61fd663259b4b09) C:\Windows\system32\drivers\HdAudio.sys
2011/08/30 14:40:14.0675 6408 HDAudBus (f942c5820205f2fb453243edfec82a3d) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/08/30 14:40:14.0783 6408 HidBatt (68214c82fa6222591873677a72df2a66) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/08/30 14:40:14.0806 6408 HidBth (b4881c84a180e75b8c25dc1d726c375f) C:\Windows\system32\drivers\hidbth.sys
2011/08/30 14:40:14.0826 6408 HidIr (4e77a77e2c986e8f88f996bb3e1ad829) C:\Windows\system32\drivers\hidir.sys
2011/08/30 14:40:14.0893 6408 HidUsb (443bdd2d30bb4f00795c797e2cf99edf) C:\Windows\system32\DRIVERS\hidusb.sys
2011/08/30 14:40:14.0937 6408 HpCISSs (d7109a1e6bd2dfdbcba72a6bc626a13b) C:\Windows\system32\drivers\hpcisss.sys
2011/08/30 14:40:15.0002 6408 HTTP (098f1e4e5c9cb5b0063a959063631610) C:\Windows\system32\drivers\HTTP.sys
2011/08/30 14:40:15.0032 6408 i2omp (da94c854cea5fac549d4e1f6e88349e8) C:\Windows\system32\drivers\i2omp.sys
2011/08/30 14:40:15.0055 6408 i8042prt (cbb597659a2713ce0c9cc20c88c7591f) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/08/30 14:40:15.0086 6408 iaStorV (3e3bf3627d886736d0b4e90054f929f6) C:\Windows\system32\drivers\iastorv.sys
2011/08/30 14:40:15.0118 6408 iirsp (8c3951ad2fe886ef76c7b5027c3125d3) C:\Windows\system32\drivers\iirsp.sys
2011/08/30 14:40:15.0154 6408 intelide (df797a12176f11b2d301c5b234bb200e) C:\Windows\system32\drivers\intelide.sys
2011/08/30 14:40:15.0172 6408 intelppm (bfd84af32fa1bad6231c4585cb469630) C:\Windows\system32\DRIVERS\intelppm.sys
2011/08/30 14:40:15.0223 6408 IpFilterDriver (d8aabc341311e4780d6fce8c73c0ad81) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/08/30 14:40:15.0291 6408 IPMIDRV (9c2ee2e6e5a7203bfae15c299475ec67) C:\Windows\system32\drivers\ipmidrv.sys
2011/08/30 14:40:15.0316 6408 IPNAT (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys
2011/08/30 14:40:15.0338 6408 IRENUM (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys
2011/08/30 14:40:15.0378 6408 isapnp (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys
2011/08/30 14:40:15.0447 6408 iScsiPrt (e4fdf99599f27ec25d2cf6d754243520) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/08/30 14:40:15.0468 6408 iteatapi (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys
2011/08/30 14:40:15.0497 6408 iteraid (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys
2011/08/30 14:40:15.0525 6408 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/08/30 14:40:15.0543 6408 kbdhid (dbdf75d51464fbc47d0104ec3d572c05) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/08/30 14:40:15.0612 6408 KSecDD (476e2c1dcea45895994bef11c2a98715) C:\Windows\system32\Drivers\ksecdd.sys
2011/08/30 14:40:15.0639 6408 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys
2011/08/30 14:40:15.0706 6408 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys
2011/08/30 14:40:15.0860 6408 LMIInfo (0317335b15ff3bda8e10197e3434cfc0) C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys
2011/08/30 14:40:15.0911 6408 lmimirr (413ecdcfad9a82804d3674c8d7eec24e) C:\Windows\system32\DRIVERS\lmimirr.sys
2011/08/30 14:40:15.0981 6408 LMIRfsDriver (c57d3faa50e6f395759ffb7c709bd944) C:\Windows\system32\drivers\LMIRfsDriver.sys
2011/08/30 14:40:16.0027 6408 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys
2011/08/30 14:40:16.0052 6408 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys
2011/08/30 14:40:16.0109 6408 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys
2011/08/30 14:40:16.0142 6408 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys
2011/08/30 14:40:16.0189 6408 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys
2011/08/30 14:40:16.0240 6408 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys
2011/08/30 14:40:16.0293 6408 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys
2011/08/30 14:40:16.0317 6408 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys
2011/08/30 14:40:16.0458 6408 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys
2011/08/30 14:40:16.0525 6408 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys
2011/08/30 14:40:16.0563 6408 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys
2011/08/30 14:40:16.0771 6408 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys
2011/08/30 14:40:16.0849 6408 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys
2011/08/30 14:40:17.0129 6408 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys
2011/08/30 14:40:17.0187 6408 MRxDAV (7c1de4aa96dc0c071611f9e7de02a68d) C:\Windows\system32\drivers\mrxdav.sys
2011/08/30 14:40:17.0251 6408 mrxsmb (d58d129e26705e83a4deba7177eb7972) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/08/30 14:40:17.0279 6408 mrxsmb10 (d5be5c14e0f1dc489f5bb2a67983f630) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/08/30 14:40:17.0332 6408 mrxsmb20 (09a2990c3b293c212816c9bc0d7c200e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/08/30 14:40:17.0374 6408 msahci (1ac860612b85d8e85ee257d372e39f4d) C:\Windows\system32\drivers\msahci.sys
2011/08/30 14:40:17.0410 6408 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys
2011/08/30 14:40:17.0444 6408 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys
2011/08/30 14:40:17.0478 6408 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys
2011/08/30 14:40:17.0537 6408 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys
2011/08/30 14:40:17.0570 6408 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/08/30 14:40:17.0617 6408 MSPQM (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys
2011/08/30 14:40:17.0680 6408 MsRPC (dc6ccf440cdede4293db41c37a5060a5) C:\Windows\system32\drivers\MsRPC.sys
2011/08/30 14:40:17.0700 6408 mssmbios (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/08/30 14:40:17.0739 6408 MSTEE (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys
2011/08/30 14:40:17.0788 6408 MTsensor (6936198f2cc25b39cf5262436c80df46) C:\Windows\system32\DRIVERS\ASACPI.sys
2011/08/30 14:40:17.0854 6408 Mup (0cc49f78d8aca0877d885f149084e543) C:\Windows\system32\Drivers\mup.sys
2011/08/30 14:40:17.0893 6408 mv61xx (792ca0761a6ff267fb271fa4dbe8cd84) C:\Windows\system32\DRIVERS\mv61xx.sys
2011/08/30 14:40:18.0068 6408 NativeWifiP (2007b826c4acd94ae32232b41f0842b9) C:\Windows\system32\DRIVERS\nwifi.sys
2011/08/30 14:40:18.0184 6408 NDIS (65950e07329fcee8e6516b17c8d0abb6) C:\Windows\system32\drivers\ndis.sys
2011/08/30 14:40:18.0219 6408 NdisTapi (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/08/30 14:40:18.0280 6408 Ndisuio (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/08/30 14:40:18.0350 6408 NdisWan (f8158771905260982ce724076419ef19) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/08/30 14:40:18.0369 6408 NDProxy (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys
2011/08/30 14:40:18.0393 6408 NetBIOS (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys
2011/08/30 14:40:18.0415 6408 netbt (fc2c792ebddc8e28df939d6a92c83d61) C:\Windows\system32\DRIVERS\netbt.sys
2011/08/30 14:40:18.0473 6408 nfrd960 (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys
2011/08/30 14:40:18.0511 6408 Npfs (b298874f8e0ea93f06ec40aa8d146478) C:\Windows\system32\drivers\Npfs.sys
2011/08/30 14:40:18.0563 6408 nsiproxy (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys
2011/08/30 14:40:18.0650 6408 Ntfs (bac869dfb98e499ba4d9bb1fb43270e1) C:\Windows\system32\drivers\Ntfs.sys
2011/08/30 14:40:18.0690 6408 Null (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys
2011/08/30 14:40:18.0764 6408 NVHDA (e20abd5b229760158f753ca90b97e090) C:\Windows\system32\drivers\nvhda64v.sys
2011/08/30 14:40:19.0045 6408 nvlddmkm (e55cab397f77d5208db18a78b1b7c0d5) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2011/08/30 14:40:19.0178 6408 nvraid (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys
2011/08/30 14:40:19.0210 6408 nvstor (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys
2011/08/30 14:40:19.0256 6408 nv_agp (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys
2011/08/30 14:40:19.0371 6408 ohci1394 (b5b1ce65ac15bbd11c0619e3ef7cfc28) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/08/30 14:40:19.0424 6408 Parport (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys
2011/08/30 14:40:19.0492 6408 partmgr (f9b5eda4c17a2be7663f064dbf0fe254) C:\Windows\system32\drivers\partmgr.sys
2011/08/30 14:40:19.0556 6408 pci (47ab1e0fc9d0e12bb53ba246e3a0906d) C:\Windows\system32\drivers\pci.sys
2011/08/30 14:40:19.0603 6408 pciide (2657f6c0b78c36d95034be109336e382) C:\Windows\system32\drivers\pciide.sys
2011/08/30 14:40:19.0636 6408 pcmcia (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys
2011/08/30 14:40:19.0677 6408 PEAUTH (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys
2011/08/30 14:40:19.0805 6408 PptpMiniport (23386e9952025f5f21c368971e2e7301) C:\Windows\system32\DRIVERS\raspptp.sys
2011/08/30 14:40:19.0835 6408 Processor (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\drivers\processr.sys
2011/08/30 14:40:19.0888 6408 PSched (c5ab7f0809392d0da027f4a2a81bfa31) C:\Windows\system32\DRIVERS\pacer.sys
2011/08/30 14:40:19.0945 6408 ql2300 (0b83f4e681062f3839be2ec1d98fd94a) C:\Windows\system32\drivers\ql2300.sys
2011/08/30 14:40:20.0001 6408 ql40xx (e1c80f8d4d1e39ef9595809c1369bf2a) C:\Windows\system32\drivers\ql40xx.sys
2011/08/30 14:40:20.0041 6408 QWAVEdrv (e8d76edab77ec9c634c27b8eac33adc5) C:\Windows\system32\drivers\qwavedrv.sys
2011/08/30 14:40:20.0071 6408 RasAcd (1013b3b663a56d3ddd784f581c1bd005) C:\Windows\system32\DRIVERS\rasacd.sys
2011/08/30 14:40:20.0128 6408 Rasl2tp (ac7bc4d42a7e558718dfdec599bbfc2c) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/08/30 14:40:20.0181 6408 RasPppoe (4517fbf8b42524afe4ede1de102aae3e) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/08/30 14:40:20.0243 6408 RasSstp (c6a593b51f34c33e5474539544072527) C:\Windows\system32\DRIVERS\rassstp.sys
2011/08/30 14:40:20.0318 6408 rdbss (322db5c6b55e8d8ee8d6f358b2aaabb1) C:\Windows\system32\DRIVERS\rdbss.sys
2011/08/30 14:40:20.0335 6408 RDPCDD (603900cc05f6be65ccbf373800af3716) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/08/30 14:40:20.0403 6408 rdpdr (ae23e79b13feb62939e2ca1189e71735) C:\Windows\system32\DRIVERS\rdpdr.sys
2011/08/30 14:40:20.0419 6408 RDPENCDD (cab9421daf3d97b33d0d055858e2c3ab) C:\Windows\system32\drivers\rdpencdd.sys
2011/08/30 14:40:20.0482 6408 RDPWD (b1d741c87cea8d7282146366cc9c3f81) C:\Windows\system32\drivers\RDPWD.sys
2011/08/30 14:40:20.0569 6408 RimUsb (71700b4c5797da5412e9250e26894586) C:\Windows\system32\Drivers\RimUsb_AMD64.sys
2011/08/30 14:40:20.0624 6408 RimVSerPort (c903d49655b4aae46673f0aaa6be0f58) C:\Windows\system32\DRIVERS\RimSerial_AMD64.sys
2011/08/30 14:40:20.0678 6408 ROOTMODEM (6a0cf73b019cbc9255e23c9192ec3702) C:\Windows\system32\Drivers\RootMdm.sys
2011/08/30 14:40:20.0725 6408 rspndr (22a9cb08b1a6707c1550c6bf099aae73) C:\Windows\system32\DRIVERS\rspndr.sys
2011/08/30 14:40:20.0813 6408 sbp2port (cd9c693589c60ad59bbbcfb0e524e01b) C:\Windows\system32\drivers\sbp2port.sys
2011/08/30 14:40:20.0876 6408 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2011/08/30 14:40:20.0925 6408 Serenum (2449316316411d65bd2c761a6ffb2ce2) C:\Windows\system32\DRIVERS\serenum.sys
2011/08/30 14:40:20.0952 6408 Serial (4b438170be2fc8e0bd35ee87a960f84f) C:\Windows\system32\DRIVERS\serial.sys
2011/08/30 14:40:20.0980 6408 sermouse (a842f04833684bceea7336211be478df) C:\Windows\system32\drivers\sermouse.sys
2011/08/30 14:40:21.0025 6408 sffdisk (14d4b4465193a87c127933978e8c4106) C:\Windows\system32\drivers\sffdisk.sys
2011/08/30 14:40:21.0042 6408 sffp_mmc (7073aee3f82f3d598e3825962aa98ab2) C:\Windows\system32\drivers\sffp_mmc.sys
2011/08/30 14:40:21.0061 6408 sffp_sd (35e59ebe4a01a0532ed67975161c7b82) C:\Windows\system32\drivers\sffp_sd.sys
2011/08/30 14:40:21.0080 6408 sfloppy (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys
2011/08/30 14:40:21.0112 6408 SiSRaid2 (7a5de502aeb719d4594c6471060a78b3) C:\Windows\system32\drivers\sisraid2.sys
2011/08/30 14:40:21.0140 6408 SiSRaid4 (3a2f769fab9582bc720e11ea1dfb184d) C:\Windows\system32\drivers\sisraid4.sys
2011/08/30 14:40:21.0192 6408 Smb (290b6f6a0ec4fcdfc90f5cb6d7020473) C:\Windows\system32\DRIVERS\smb.sys
2011/08/30 14:40:21.0242 6408 spldr (386c3c63f00a7040c7ec5e384217e89d) C:\Windows\system32\drivers\spldr.sys
2011/08/30 14:40:21.0310 6408 srv (cb5bd298e62aed1b4af3cc44811a30a5) C:\Windows\system32\DRIVERS\srv.sys
2011/08/30 14:40:21.0336 6408 srv2 (26cd9130775c59439b77ece2f6df9c4c) C:\Windows\system32\DRIVERS\srv2.sys
2011/08/30 14:40:21.0398 6408 srvnet (caea15e0e52fb15a2c8b505643228057) C:\Windows\system32\DRIVERS\srvnet.sys
2011/08/30 14:40:21.0444 6408 swenum (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys
2011/08/30 14:40:21.0481 6408 Symc8xx (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys
2011/08/30 14:40:21.0511 6408 Sym_hi (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys
2011/08/30 14:40:21.0560 6408 Sym_u3 (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys
2011/08/30 14:40:21.0655 6408 Tcpip (0011810b5211fdacd784de585262ecfe) C:\Windows\system32\drivers\tcpip.sys
2011/08/30 14:40:21.0730 6408 Tcpip6 (0011810b5211fdacd784de585262ecfe) C:\Windows\system32\DRIVERS\tcpip.sys
2011/08/30 14:40:21.0768 6408 tcpipreg (ce3ae2ba7a076f0ade9f48c598c1d15d) C:\Windows\system32\drivers\tcpipreg.sys
2011/08/30 14:40:21.0796 6408 TDPIPE (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys
2011/08/30 14:40:21.0837 6408 TDTCP (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys
2011/08/30 14:40:21.0969 6408 tdx (458919c8c42e398dc4802178d5ffee27) C:\Windows\system32\DRIVERS\tdx.sys
2011/08/30 14:40:22.0070 6408 TermDD (8c19678d22649ec002ef2282eae92f98) C:\Windows\system32\DRIVERS\termdd.sys
2011/08/30 14:40:22.0117 6408 tssecsrv (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/08/30 14:40:22.0131 6408 tunmp (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys
2011/08/30 14:40:22.0168 6408 tunnel (f6a4fba7c03ac2efd00f3301c0c1e067) C:\Windows\system32\DRIVERS\tunnel.sys
2011/08/30 14:40:22.0203 6408 uagp35 (fec266ef401966311744bd0f359f7f56) C:\Windows\system32\drivers\uagp35.sys
2011/08/30 14:40:22.0273 6408 udfs (faf2640a2a76ed03d449e443194c4c34) C:\Windows\system32\DRIVERS\udfs.sys
2011/08/30 14:40:22.0331 6408 uliagpkx (4ec9447ac3ab462647f60e547208ca00) C:\Windows\system32\drivers\uliagpkx.sys
2011/08/30 14:40:22.0385 6408 uliahci (697f0446134cdc8f99e69306184fbbb4) C:\Windows\system32\drivers\uliahci.sys
2011/08/30 14:40:22.0410 6408 UlSata (31707f09846056651ea2c37858f5ddb0) C:\Windows\system32\drivers\ulsata.sys
2011/08/30 14:40:22.0452 6408 ulsata2 (85e5e43ed5b48c8376281bab519271b7) C:\Windows\system32\drivers\ulsata2.sys
2011/08/30 14:40:22.0489 6408 umbus (46e9a994c4fed537dd951f60b86ad3f4) C:\Windows\system32\DRIVERS\umbus.sys
2011/08/30 14:40:22.0636 6408 usbaudio (c6ba890de6e41857fbe84175519cae7d) C:\Windows\system32\drivers\usbaudio.sys
2011/08/30 14:40:22.0690 6408 usbccgp (07e3498fc60834219d2356293da0fecc) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/08/30 14:40:22.0727 6408 usbcir (9247f7e0b65852c1f6631480984d6ed2) C:\Windows\system32\drivers\usbcir.sys
2011/08/30 14:40:22.0761 6408 usbehci (827e44de934a736ea31e91d353eb126f) C:\Windows\system32\DRIVERS\usbehci.sys
2011/08/30 14:40:22.0822 6408 usbhub (bb35cd80a2ececfadc73569b3d70c7d1) C:\Windows\system32\DRIVERS\usbhub.sys
2011/08/30 14:40:22.0852 6408 usbohci (eba14ef0c07cec233f1529c698d0d154) C:\Windows\system32\drivers\usbohci.sys
2011/08/30 14:40:22.0900 6408 usbprint (28b693b6d31e7b9332c1bdcefef228c1) C:\Windows\system32\DRIVERS\usbprint.sys
2011/08/30 14:40:22.0994 6408 USBSTOR (b854c1558fca0c269a38663e8b59b581) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/08/30 14:40:23.0015 6408 usbuhci (b2872cbf9f47316abd0e0c74a1aba507) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/08/30 14:40:23.0051 6408 vga (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/08/30 14:40:23.0088 6408 VgaSave (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys
2011/08/30 14:40:23.0123 6408 viaide (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys
2011/08/30 14:40:23.0159 6408 volmgr (2b7e885ed951519a12c450d24535dfca) C:\Windows\system32\drivers\volmgr.sys
2011/08/30 14:40:23.0235 6408 volmgrx (cec5ac15277d75d9e5dec2e1c6eaf877) C:\Windows\system32\drivers\volmgrx.sys
2011/08/30 14:40:23.0277 6408 volsnap (5280aada24ab36b01a84a6424c475c8d) C:\Windows\system32\drivers\volsnap.sys
2011/08/30 14:40:23.0307 6408 vsmraid (a68f455ed2673835209318dd61bfbb0e) C:\Windows\system32\drivers\vsmraid.sys
2011/08/30 14:40:23.0346 6408 WacomPen (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys
2011/08/30 14:40:23.0392 6408 Wanarp (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/30 14:40:23.0403 6408 Wanarpv6 (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/30 14:40:23.0450 6408 Wd (0c17a0816f65b89e362e682ad5e7266e) C:\Windows\system32\drivers\wd.sys
2011/08/30 14:40:23.0510 6408 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
2011/08/30 14:40:23.0595 6408 WmiAcpi (e18aebaaa5a773fe11aa2c70f65320f5) C:\Windows\system32\drivers\wmiacpi.sys
2011/08/30 14:40:23.0678 6408 WpdUsb (5e2401b3fc1089c90e081291357371a9) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/08/30 14:40:23.0721 6408 ws2ifsl (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys
2011/08/30 14:40:23.0792 6408 WUDFRd (501a65252617b495c0f1832f908d54d8) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/08/30 14:40:23.0906 6408 yukonx64 (2ae06b41b36549fabf0886b2af89a599) C:\Windows\system32\DRIVERS\yk60x64.sys
2011/08/30 14:40:23.0932 6408 MBR (0x1B8) (04d4350ae5fb6fc2ad3e7c26b1323c68) \Device\Harddisk0\DR0
2011/08/30 14:40:23.0938 6408 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/08/30 14:40:23.0945 6408 Boot (0x1200) (12f3dea13caf0e96dc1a9750b508c8be) \Device\Harddisk0\DR0\Partition0
2011/08/30 14:40:23.0952 6408 ================================================================================
2011/08/30 14:40:23.0952 6408 Scan finished
2011/08/30 14:40:23.0952 6408 ================================================================================
2011/08/30 14:40:23.0962 6136 Detected object count: 1
2011/08/30 14:40:23.0962 6136 Actual detected object count: 1
2011/08/30 14:40:33.0397 6136 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/08/30 14:40:33.0397 6136 \Device\Harddisk0\DR0 - ok
2011/08/30 14:40:33.0397 6136 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/08/30 14:40:44.0222 7052 Deinitialize success

#4 Governator

New Member

Group: Members
Posts: 7
Joined: 09-November 11

Posted 17 November 2011 - 03:07 PM

Here is the Combofix Log:

ComboFix 11-11-17.03 - Governator 11/17/2011 14:38:12.3.4 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.8190.6212 [GMT -5:00]
Running from: c:\users\Governator\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\LP
c:\program files (x86)\LP\028E\D1B5.tmp
c:\program files (x86)\LP\028E\E565.tmp
c:\programdata\HlNg3Uf1.exe
c:\programdata\HlNg3Uf1.exe_
C:\Recycle.Bin
c:\recycle.bin\B6232F3ABB0.exe
c:\windows\assembly\tmp\U
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))
.
.
2011-11-17 19:51 . 2011-11-17 19:51 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-11-17 19:51 . 2011-11-17 19:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-14 19:14 . 2006-09-30 09:36 13008 ----a-w- c:\windows\system32\drivers\pstrip64.sys
2011-11-14 19:14 . 2011-11-14 19:14 -------- d-----w- c:\program files (x86)\PowerStrip
2011-11-13 21:09 . 2011-11-13 21:09 -------- d-----w- c:\windows\system32\Macromed
2011-11-09 14:55 . 2011-11-17 19:31 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-09 14:15 . 2011-11-09 14:15 -------- d-----w- c:\program files (x86)\8FBF1
2011-11-09 14:14 . 2011-11-09 14:53 -------- d-----w- c:\users\Governator\AppData\Roaming\E578F
2011-11-09 14:12 . 2011-11-09 14:12 -------- d-sh--w- c:\users\Governator\AppData\Local\84df704a
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-13 21:09 . 2011-05-15 18:15 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-06 20:45 . 2010-09-09 13:42 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:45 . 2010-09-09 13:42 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-09-06 20:45 . 2011-08-30 18:59 254400 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-06 20:38 . 2011-08-30 18:59 601944 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:38 . 2010-09-09 13:43 301912 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2010-09-09 13:43 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2010-09-09 13:43 65368 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-09-06 20:36 . 2010-09-09 13:43 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-31 22:00 . 2011-08-30 18:41 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 20:07 . 2011-08-31 20:07 110080 ----a-r- c:\users\Governator\AppData\Roaming\Microsoft\Installer\{8AE3EC14-EAF8-4064-958A-C340C66EDD44}\IconF7A21AF7.exe
2011-08-31 20:07 . 2011-08-31 20:07 110080 ----a-r- c:\users\Governator\AppData\Roaming\Microsoft\Installer\{8AE3EC14-EAF8-4064-958A-C340C66EDD44}\IconD7F16134.exe
2011-08-31 20:07 . 2011-08-31 20:07 110080 ----a-r- c:\users\Governator\AppData\Roaming\Microsoft\Installer\{8AE3EC14-EAF8-4064-958A-C340C66EDD44}\Icon1226A4C5.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-31_20.47.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-09 15:13 . 2011-11-09 15:17 98304 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat
+ 2011-11-09 15:13 . 2011-11-09 15:17 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2008-01-21 03:19 . 2011-11-17 19:54 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:19 . 2011-11-17 19:54 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-09 15:13 . 2011-11-09 15:17 20992 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{711EC49C-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:13 . 2011-11-09 15:13 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2011-11-09 15:14 . 2011-11-09 15:17 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Feeds Cache\index.dat
+ 2008-01-21 02:09 . 2011-11-14 19:18 53990 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:44 . 2011-11-17 19:56 82732 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-08-06 01:10 . 2011-11-17 19:56 12524 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-644441329-2233287101-2965224069-1000_UserData.bin
- 2009-08-06 01:04 . 2011-08-30 19:04 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-06 01:04 . 2011-11-17 19:53 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-06 01:04 . 2011-08-30 19:04 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-06 01:04 . 2011-11-17 19:53 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-08-06 01:04 . 2011-08-30 19:04 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-06 01:04 . 2011-11-17 19:53 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-01 14:36 . 2011-08-30 19:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-01 14:36 . 2011-11-14 19:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-01 14:36 . 2011-08-30 19:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-01 14:36 . 2011-11-14 19:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 3584 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{711EC49F-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{8132103D-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:13 . 2011-11-09 15:14 6144 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6B5FF92C-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FE95005A-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FE950059-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F485709E-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F485709D-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F485709C-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F485709B-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F485709A-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F4857099-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EA900FFE-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EA900FFD-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EA900FFC-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EA900FFB-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EA900FFA-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EA900FF9-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E08542FE-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E08542FD-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E08542FC-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E08542FB-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E08542FA-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:17 . 2011-11-09 15:17 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E08542F9-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D6841ABE-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D6841ABD-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D6841ABC-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D6841ABB-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D6841ABA-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D6841AB9-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CC9AB86E-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CC9AB86D-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CC9AB86C-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CC9AB86B-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CC9AB86A-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CC9AB869-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C2A39A7E-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C2A39A7D-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C2A39A7C-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C2A39A7B-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C2A39A7A-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C2A39A79-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B8A79A8E-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B8A79A8D-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:16 . 2011-11-09 15:16 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B8A79A8C-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B8A79A8B-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B8A79A8A-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B8A79A89-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AEB92F2E-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AEB92F2D-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AEB92F2C-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AEB92F2B-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AEB92F2A-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AEB92F29-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A4C7415E-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A4C7415D-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A4C7415C-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A4C7415B-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A4C7415A-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A4C74159-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9AD7766E-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9AD7766D-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9AD7766C-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9AD7766B-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9AD7766A-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:15 . 2011-11-09 15:15 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9AD77669-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9144BF9C-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9144BF9B-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9144BF9A-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9144BF99-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{87578CBC-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{87578CBB-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{87578CBA-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{87578CB9-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8132103C-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8132103B-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{81321039-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{716DA7EB-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:13 . 2011-11-09 15:13 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{716DA7EA-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:13 . 2011-11-09 15:13 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{716DA7E9-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{711EC49E-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:13 . 2011-11-09 15:14 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{711EC49D-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:13 . 2011-11-09 15:13 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6B5FF931-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:13 . 2011-11-09 15:13 4096 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6B5FF930-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:13 . 2011-11-09 15:13 4096 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6B5FF92F-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:13 . 2011-11-09 15:13 4096 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6B5FF92D-0AE5-11E1-881D-002215067028}.dat
+ 2011-11-09 15:14 . 2011-11-09 15:14 9066 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\frameiconcache.dat
- 2011-08-31 20:46 . 2011-08-31 20:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-17 19:53 . 2011-11-17 19:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-17 19:53 . 2011-11-17 19:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-08-31 20:46 . 2011-08-31 20:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-21 14:58 . 2011-09-16 20:21 346680 c:\windows\SysWOW64\mlfcache.dat
+ 2011-11-13 21:09 . 2011-11-13 21:09 247968 c:\windows\SysWOW64\Macromed\Flash\FlashUtil11e_Plugin.exe
+ 2011-11-04 13:41 . 2011-11-04 13:41 247968 c:\windows\SysWOW64\Macromed\Flash\FlashUtil11c_Plugin.exe
+ 2008-01-21 03:19 . 2011-11-17 19:54 540672 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-02-06 09:03 . 2011-11-17 19:24 665188 c:\windows\system32\perfh019.dat
+ 2006-11-02 12:46 . 2011-11-17 19:24 607168 c:\windows\system32\perfh009.dat
+ 2008-02-06 09:03 . 2011-11-17 19:24 130032 c:\windows\system32\perfc019.dat
+ 2006-11-02 12:46 . 2011-11-17 19:24 104808 c:\windows\system32\perfc009.dat
+ 2011-11-13 21:09 . 2011-11-13 21:09 461984 c:\windows\system32\Macromed\Flash\FlashUtil64_11_1_102_Plugin.exe
+ 2011-06-25 14:16 . 2011-11-17 19:52 774088 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-10-28 12:46 . 2011-10-28 12:46 332288 c:\windows\Installer\45989922.msi
+ 2011-11-12 15:29 . 2011-11-17 19:18 223744 c:\windows\assembly\temp\kwrd.dll
+ 2010-01-27 01:07 . 2011-11-13 21:09 8527008 c:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
+ 2011-08-31 20:46 . 2011-11-04 13:41 3656592 c:\windows\system32\FNTCACHE.DAT
+ 2011-11-13 21:09 . 2011-11-13 21:09 11336864 c:\windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll
+ 2011-06-25 14:16 . 2011-11-17 19:52 40614336 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-644441329-2233287101-2965224069-1000-12288.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2008-03-16 1302528]
.
c:\users\Governator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files (x86)\APC\APC PowerChute Personal Edition\Display.exe [2009-8-6 221295]
PowerStrip.lnk - c:\program files (x86)\PowerStrip\PStrip.exe [2011-4-27 742944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 ATICDSDr;ATICDSDr;c:\users\GOVERN~1\AppData\Local\Temp\ATICDSDr.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-08-06 1038088]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 TeknicaVdmSvcX86v3;Teknica VDM Service;c:\program files (x86)\VDM\System32\VdmSvc32.exe [2010-03-09 163512]
S0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 PStrip64;PStrip64;c:\windows\system32\drivers\pstrip64.sys [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2010-12-15 373640]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2008-08-11 15928]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-644441329-2233287101-2965224069-1000Core.job
- c:\users\Governator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-28 22:16]
.
2011-11-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-644441329-2233287101-2965224069-1000UA.job
- c:\users\Governator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-28 22:16]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2008-08-11 57928]
"combofix"="c:\combofix\CF10275.3XE" [2008-01-21 363008]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ca/
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:55737
TCP: DhcpNameServer = 192.168.0.1
DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://98.26.31.151:1024/NetCamPlayerWeb11gv2.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Governator\AppData\Roaming\Mozilla\Firefox\Profiles\z0pgofe9.default\
FF - prefs.js: browser.startup.homepage - hxxp://fullcontactpoker.com
FF - prefs.js: network.proxy.type - 4
.
.
------- File Associations -------
.
JSEFile=%SystemRoot%\SysWow64\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-4Y3Y0C3A8F7W1VXWUEBRFA - c:\recycle.bin\B6232F3ABB0.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-644441329-2233287101-2965224069-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4025A6F4-B5AF-62C5-4B9C-D3F8BE38806C}*]
"napbkjeajpcgkajkmdfojadeejdd"=hex:6b,61,63,6f,6f,62,66,6b,62,6d,6d,63,6a,66,
70,6a,6c,6e,6a,68,67,6a,00,e6
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\ASUS\Six Engine\SixEngine.exe
c:\program files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2011-11-17 15:05:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-17 20:05
ComboFix2.txt 2011-10-12 14:08
ComboFix3.txt 2011-08-31 20:57
.
Pre-Run: 695,984,914,432 bytes free
Post-Run: 695,952,265,216 bytes free
.
- - End Of File - - B535748A65BEE21D98FFAB64AB6AB5A2

#5 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,397
Joined: 16-May 10
Gender:Male

Posted 17 November 2011 - 11:30 PM

Governator:

Please do this next:

Posted Image

Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above DirLook::

DirLook::
c:\users\Governator\AppData\Roaming\E578F
c:\users\Governator\AppData\Local\84df704a
Suspect::[131]
c:\program files (x86)\VDM\System32\VdmSvc32.exe
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:55737

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Posted Image

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

Click the Update tab
Click Check for Updates
If an update is found, it will download and install the latest version.
The program will close to update and reopen.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Uncheck any entries from C:\System Volume Information or C:\Qoobox
Make sure that everything else is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please include the following in your next post:

ComboFix log

MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may

#6 Governator

New Member

Group: Members
Posts: 7
Joined: 09-November 11

Posted 18 November 2011 - 09:30 AM

Thanks Again!

Here is the new Combofix Log - Note: It didn't need to restart but it had to "upload files to their server for further analysis":

ComboFix 11-11-18.01 - Governator 11/18/2011 9:14.4.4 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.8190.5398 [GMT -5:00]
Running from: c:\users\Governator\Desktop\ComboFix.exe
Command switches used :: c:\users\Governator\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
.
((((((((((((((((((((((((( Files Created from 2011-10-18 to 2011-11-18 )))))))))))))))))))))))))))))))
.
.
2011-11-18 14:25 . 2011-11-18 14:25 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-11-18 14:25 . 2011-11-18 14:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-14 19:14 . 2006-09-30 09:36 13008 ----a-w- c:\windows\system32\drivers\pstrip64.sys
2011-11-14 19:14 . 2011-11-14 19:14 -------- d-----w- c:\program files (x86)\PowerStrip
2011-11-13 21:09 . 2011-11-13 21:09 -------- d-----w- c:\windows\system32\Macromed
2011-11-09 14:55 . 2011-11-17 19:31 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-09 14:15 . 2011-11-09 14:15 -------- d-----w- c:\program files (x86)\8FBF1
2011-11-09 14:14 . 2011-11-09 14:53 -------- d-----w- c:\users\Governator\AppData\Roaming\E578F
2011-11-09 14:12 . 2011-11-09 14:12 -------- d-sh--w- c:\users\Governator\AppData\Local\84df704a
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-13 21:09 . 2011-05-15 18:15 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-06 20:45 . 2010-09-09 13:42 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:45 . 2010-09-09 13:42 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-09-06 20:45 . 2011-08-30 18:59 254400 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-06 20:38 . 2011-08-30 18:59 601944 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:38 . 2010-09-09 13:43 301912 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2010-09-09 13:43 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2010-09-09 13:43 65368 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-09-06 20:36 . 2010-09-09 13:43 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-31 22:00 . 2011-08-30 18:41 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 20:07 . 2011-08-31 20:07 110080 ----a-r- c:\users\Governator\AppData\Roaming\Microsoft\Installer\{8AE3EC14-EAF8-4064-958A-C340C66EDD44}\IconF7A21AF7.exe
2011-08-31 20:07 . 2011-08-31 20:07 110080 ----a-r- c:\users\Governator\AppData\Roaming\Microsoft\Installer\{8AE3EC14-EAF8-4064-958A-C340C66EDD44}\IconD7F16134.exe
2011-08-31 20:07 . 2011-08-31 20:07 110080 ----a-r- c:\users\Governator\AppData\Roaming\Microsoft\Installer\{8AE3EC14-EAF8-4064-958A-C340C66EDD44}\Icon1226A4C5.exe
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Governator\AppData\Local\84df704a ----
.
2011-11-09 14:12 . 2011-11-09 14:12 2048 --sha-w- c:\users\Governator\AppData\Local\84df704a\@
.
---- Directory of c:\users\Governator\AppData\Roaming\E578F ----
.
2011-11-09 14:53 . 2011-11-09 14:53 172544 ----a-w- c:\users\Governator\AppData\Roaming\E578F\ECAF3.exe
2011-11-09 14:15 . 2011-11-09 14:15 172544 ----a-w- c:\users\Governator\AppData\Roaming\E578F\06702.exe
2011-11-09 14:14 . 2011-11-09 14:15 1197 ----a-w- c:\users\Governator\AppData\Roaming\E578F\FBF1.578
.
.
((((((((((((((((((((((((((((( SnapShot_2011-11-17_19.55.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-06 01:04 . 2011-11-18 07:45 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-06 01:04 . 2011-11-17 19:53 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-06 01:04 . 2011-11-17 19:53 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-06 01:04 . 2011-11-18 07:45 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-08-06 01:04 . 2011-11-17 19:53 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-06 01:04 . 2011-11-18 07:45 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-01 14:36 . 2011-11-17 19:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-01 14:36 . 2011-11-14 19:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-01 14:36 . 2011-11-17 19:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-01 14:36 . 2011-11-14 19:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-02-06 09:03 . 2011-11-17 20:44 665188 c:\windows\system32\perfh019.dat
- 2008-02-06 09:03 . 2011-11-17 19:24 665188 c:\windows\system32\perfh019.dat
- 2006-11-02 12:46 . 2011-11-17 19:24 607168 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2011-11-17 20:44 607168 c:\windows\system32\perfh009.dat
- 2008-02-06 09:03 . 2011-11-17 19:24 130032 c:\windows\system32\perfc019.dat
+ 2008-02-06 09:03 . 2011-11-17 20:44 130032 c:\windows\system32\perfc019.dat
+ 2006-11-02 12:46 . 2011-11-17 20:44 104808 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2011-11-17 19:24 104808 c:\windows\system32\perfc009.dat
+ 2011-11-17 20:38 . 2011-11-17 20:38 4057088 c:\windows\Installer\24c370.msi
+ 2011-11-17 20:35 . 2011-11-17 20:35 3178496 c:\windows\Installer\24a4d2.msi
+ 2011-11-17 20:34 . 2011-11-17 20:34 3075072 c:\windows\Installer\24a206.msi
+ 2011-11-17 20:34 . 2011-11-17 20:34 3078656 c:\windows\Installer\24a1f7.msi
+ 2011-11-17 20:34 . 2011-11-17 20:34 3076096 c:\windows\Installer\24a1ef.msi
+ 2011-11-17 20:34 . 2011-11-17 20:34 3079680 c:\windows\Installer\24a1e5.msi
+ 2011-11-17 20:34 . 2011-11-17 20:34 3086336 c:\windows\Installer\24a1db.msi
+ 2011-11-17 20:34 . 2011-11-17 20:34 3150848 c:\windows\Installer\24a1b9.msi
+ 2011-11-17 20:34 . 2011-11-17 20:34 3228160 c:\windows\Installer\24a18f.msi
+ 2011-11-17 20:33 . 2011-11-17 20:33 3070976 c:\windows\Installer\24a0fc.msi
+ 2011-11-17 20:33 . 2011-11-17 20:33 3174400 c:\windows\Installer\24a0f3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2008-03-16 1302528]
"AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
.
c:\users\Governator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files (x86)\APC\APC PowerChute Personal Edition\Display.exe [2009-8-6 221295]
PowerStrip.lnk - c:\program files (x86)\PowerStrip\PStrip.exe [2011-4-27 742944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2008-08-11 15928]
R3 ATICDSDr;ATICDSDr;c:\users\GOVERN~1\AppData\Local\Temp\ATICDSDr.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-08-06 1038088]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 TeknicaVdmSvcX86v3;Teknica VDM Service;c:\program files (x86)\VDM\System32\VdmSvc32.exe [2010-03-09 163512]
S0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 PStrip64;PStrip64;c:\windows\system32\drivers\pstrip64.sys [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2010-12-15 373640]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-644441329-2233287101-2965224069-1000Core.job
- c:\users\Governator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-28 22:16]
.
2011-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-644441329-2233287101-2965224069-1000UA.job
- c:\users\Governator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-28 22:16]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2008-08-11 57928]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ca/
mLocal Page = c:\windows\system32\blank.htm
TCP: DhcpNameServer = 192.168.0.1
DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://98.26.31.151:1024/NetCamPlayerWeb11gv2.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Governator\AppData\Roaming\Mozilla\Firefox\Profiles\z0pgofe9.default\
FF - prefs.js: browser.startup.homepage - hxxp://fullcontactpoker.com
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-644441329-2233287101-2965224069-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4025A6F4-B5AF-62C5-4B9C-D3F8BE38806C}*]
"napbkjeajpcgkajkmdfojadeejdd"=hex:6b,61,63,6f,6f,62,66,6b,62,6d,6d,63,6a,66,
70,6a,6c,6e,6a,68,67,6a,00,e6
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-11-18 09:28:09
ComboFix-quarantined-files.txt 2011-11-18 14:28
ComboFix2.txt 2011-11-17 20:05
ComboFix3.txt 2011-10-12 14:08
ComboFix4.txt 2011-08-31 20:57
.
Pre-Run: 695,182,733,312 bytes free
Post-Run: 695,145,058,304 bytes free
.
- - End Of File - - 197C283AEA885C563A368C0955A7B017
Upload was successful

#7 Governator

New Member

Group: Members
Posts: 7
Joined: 09-November 11

Posted 18 November 2011 - 01:58 PM

MBAM Log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8188

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

11/18/2011 1:57:32 PM
mbam-log-2011-11-18 (13-57-32).txt

Scan type: Full scan (C:\|)
Objects scanned: 882513
Time elapsed: 2 hour(s), 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\F\keygen.exe (Riskware.Tool.CK) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files (x86)\LP\028E\d1b5.tmp.vir (Malware.Packer) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\programdata\hlng3uf1.exe.vir (Trojan.Downloader.H) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\programdata\hlng3uf1.exe_.vir (Trojan.Downloader.H) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Windows\assembly\tmp\U\800000cf.@.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\Users\governator\AppData\LocalLow\Sun\Java\deployment\cache\6.0\51\53d5be33-5c9d4e77 (Trojan.Inject.adb) -> Quarantined and deleted successfully.
c:\Users\governator\AppData\LocalLow\Sun\Java\deployment\cache\6.0\52\7951b2b4-7eeb0be0 (Trojan.Inject.adb) -> Quarantined and deleted successfully.
c:\Users\governator\AppData\Roaming\E578F\06702.exe (Malware.Packer) -> Quarantined and deleted successfully.
c:\Users\governator\AppData\Roaming\E578F\ECAF3.exe (Malware.Packer) -> Quarantined and deleted successfully.
c:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.

#8 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,397
Joined: 16-May 10
Gender:Male

Posted 18 November 2011 - 05:27 PM

Governator:

How is your computer running now? Please do this next:

Posted Image

Open notepad and copy/paste the text in the quotebox below into it:

@echo off
rd "c:\users\Governator\AppData\Roaming\E578F"
rd "c:\users\Governator\AppData\Local\84df704a"
del /Q %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this: Posted Image

Right click on fix.bat and select "Run as administrator" to allow it to run.

Posted Image

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
- Applications and Applets
- Trace and Log Files
Click OK on Delete Temporary Files Window

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.

Please go to here to run an online scan with ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click on Advanced Settings and ensure these options are ticked:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Scan
Wait for the scan to finish
If any threats were found, click the 'List of found threats' , then click Export to text file....
Save it to your desktop, then please copy and paste that log as a reply to this topic.

Please include the following in your next post:

How is the computer running now?

ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may

#9 Governator

New Member

Group: Members
Posts: 7
Joined: 09-November 11

Posted 21 November 2011 - 05:03 PM

Hello! First of all yes my computer seems very stable now and running great thank you very much.

I have an issue though with your latest response. I don't have the Java icon showing up in my control panel. A quick google search seems like a bug in vista 64 bit. I downloaded the latest version from java.com but since I can't see it in the control panel still I can't find how to remove the temporary files from it.

Any thoughts?

Thanks again for all your help.

#10 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,397
Joined: 16-May 10
Gender:Male

Posted 21 November 2011 - 05:51 PM

Hi,

I'll have you run a utility when we wrap up that will clear the temp files and cache - go ahead and continue with the ESET scan.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may

#11 Governator

New Member

Group: Members
Posts: 7
Joined: 09-November 11

Posted 23 November 2011 - 09:58 AM

Hi RPM - Sorry the scan took about 4.5hrs to run. Unfortunately a lot came up from the eset scan, see here:

C:\Downloads\PCStats 1.1 (English)[02-20].zip probably a variant of Win32/TrojanDropper.Agent.HJOVFDD trojan
C:\Downloads\Setup_FreeBurnerN.exe Win32/Adware.Toolbar.Dealio application
C:\F\_Atlantis Digital\live help\setup.exe probably a variant of Win32/TrojanDownloader.Agent.FWPKWPC trojan
C:\F\_Poker Royalty\cgi-bin\.mail.pl Perl/RemoteAdmin.Cgi-telnet.A application
C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\80000000.@.vir probably a variant of Win32/Agent.FHYFVGX trojan
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.E trojan
C:\TDSSKiller_Quarantine\09.11.2011_09.54.38\tdlfs0000\tsk0003.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\09.11.2011_09.54.38\tdlfs0000\tsk0004.dta Win64/Olmarik.R trojan
C:\TDSSKiller_Quarantine\09.11.2011_09.54.38\tdlfs0000\tsk0006.dta Win64/Olmarik.Y trojan
C:\TDSSKiller_Quarantine\09.11.2011_09.54.38\tdlfs0001\tsk0003.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\09.11.2011_09.54.38\tdlfs0001\tsk0004.dta Win64/Olmarik.R trojan
C:\TDSSKiller_Quarantine\09.11.2011_09.54.38\tdlfs0001\tsk0006.dta Win64/Olmarik.Y trojan
C:\TDSSKiller_Quarantine\17.11.2011_14.30.00\tdlfs0000\tsk0003.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\17.11.2011_14.30.00\tdlfs0000\tsk0004.dta Win64/Olmarik.R trojan
C:\TDSSKiller_Quarantine\17.11.2011_14.30.00\tdlfs0000\tsk0006.dta Win64/Olmarik.Y trojan
C:\Users\Governator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\7879fdc0-33d48dd5 a variant of Java/Agent.BR trojan
C:\Users\Governator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\560822d3-45748994 a variant of Java/Agent.BR trojan
C:\Users\Governator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\2172b79c-1ac49167 Java/TrojanDownloader.OpenStream.NBZ trojan
C:\Users\Governator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\5968b5e0-7ce93d09 a variant of Java/Agent.DW trojan
C:\Users\Governator\Desktop\desktop-icons\cnet_SweetHome3D-3_3-windows_exe.exe a variant of Win32/InstallCore.D application
C:\Users\Governator\Desktop\desktop-icons\siw-all\siw\Multilanguage With Installer\siw-setup.exe Win32/OpenCandy application
C:\Users\Governator\Downloads\CS4.ISO probably a variant of Win32/Agent.FASOXUX trojan
C:\Windows.old.000\Documents and Settings\Governator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\7879fdc0-33d48dd5 a variant of Java/Agent.BR trojan
C:\Windows.old.000\Documents and Settings\Governator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\560822d3-45748994 a variant of Java/Agent.BR trojan
C:\Windows.old.000\Documents and Settings\Governator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\2172b79c-1ac49167 Java/TrojanDownloader.OpenStream.NBZ trojan
C:\Windows.old.000\Documents and Settings\Governator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\5968b5e0-7ce93d09 a variant of Java/Agent.DW trojan
C:\Windows.old.000\Documents and Settings\Governator\Desktop\desktop-icons\cnet_SweetHome3D-3_3-windows_exe.exe a variant of Win32/InstallCore.D application
C:\Windows.old.000\Documents and Settings\Governator\Desktop\desktop-icons\siw-all\siw\Multilanguage With Installer\siw-setup.exe Win32/OpenCandy application
C:\Windows.old.000\Documents and Settings\Governator\Downloads\CS4.ISO probably a variant of Win32/Agent.FASOXUX trojan

#12 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,397
Joined: 16-May 10
Gender:Male

Posted 23 November 2011 - 10:31 AM

Governator:

That actually isn't that bad:

I'd just delete that enitre windows.old folder. this link explains what is is and how to remove it.
The items in C:\Qoobox and c:\TDSSKoller_Quarantine are already taken care of and just need to be mopped up

File::
C:\Downloads\PCStats 1.1 (English)[02-20].zip
C:\Downloads\Setup_FreeBurnerN.exe
C:\F\_Atlantis Digital\live help\setup.exe
C:\F\_Poker Royalty\cgi-bin\.mail.pl 
C:\Users\Governator\Desktop\desktop-icons\cnet_SweetHome3D-3_3-windows_exe.exe
C:\Users\Governator\Desktop\desktop-icons\siw-all\siw\Multilanguage With Installer\siw-setup.exe 
C:\Users\Governator\Downloads\CS4.ISO 
Folder::
C:\TDSSKiller_Quarantine
ClearJavaCache::

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. If it asks to update, please allow it to. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:

ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may

#13 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,397
Joined: 16-May 10
Gender:Male

Posted 29 November 2011 - 11:30 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may