BleepingComputer.com: Google Search Re-Direct Virus? (After removing System Fix virus)

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Google Search Re-Direct Virus? (After removing System Fix virus)

#1 User is offline   l3t5g0w1ng5 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 28-December 11

Posted 28 December 2011 - 09:48 PM

Hi (first time poster, so I apologize for any rules/etiquette that I break),

A few weeks ago, I had the System Fix virus. I followed these steps (My link) and successfully (almost) removed the virus. I still have the issue that when I click on a link after a Google search, it will re-direct me to a random website. I also do not get real time search results as I type into the Google search bar.

I have tried multiple programs like Malwarebytes' Anti-Malware, Spybot Search and Destroy, Superanti Spyware, and many others (in safe-mode, and "regular" mode), but nothing seems to work.

Something that doesn't seem to run for me is TDSSKiller (even when I change the file name and extension).

Also, when I try to turn off my computer, the "Windows has to shut down a process" screen appears for about 10 seconds (meaning that there is something running in the background)?

I haven't gotten many viruses on my computer, but I have fixed a lot of my friends/families computers. This one has me stumped.

I would really appreciate some help!

When I tried to run gmer.exe, I received the following error:
Posted Image

DDS Results:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by SARAN at 19:31:38 on 2011-12-28
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.4025.2495 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Stardock\ObjectDock\Dock64.exe
c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Akamai NetSession Interface] C:\Users\SARAN\AppData\Local\Akamai\netsession_win.exe
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
StartupFolder: C:\Users\SARAN\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\STARDO~1.LNK - C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: DhcpNameServer = 64.59.144.16 64.59.144.17 64.59.150.132
TCP: Interfaces\{5A5C1FDF-D8CB-48DE-A7DB-D362A6089963} : DhcpNameServer = 64.59.144.16 64.59.144.17 64.59.150.132
TCP: Interfaces\{5A5C1FDF-D8CB-48DE-A7DB-D362A6089963}\2533447513E47453 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5A5C1FDF-D8CB-48DE-A7DB-D362A6089963}\2554447594E47435 : DhcpNameServer = 192.168.1.254 75.153.176.9
TCP: Interfaces\{5A5C1FDF-D8CB-48DE-A7DB-D362A6089963}\2656C6B696E6534376 : DhcpNameServer = 192.168.2.1 24.244.65.130 209.145.111.229
TCP: Interfaces\{5A5C1FDF-D8CB-48DE-A7DB-D362A6089963}\4554C4553513139323 : DhcpNameServer = 192.168.1.254 75.153.176.9
TCP: Interfaces\{5A5C1FDF-D8CB-48DE-A7DB-D362A6089963}\B657070716C6 : DhcpNameServer = 24.207.0.168 64.178.142.11
TCP: Interfaces\{F3EC2CDA-247F-4D58-B66D-5BBD1F255F5C} : DhcpNameServer = 192.168.1.254 75.153.176.9
TCP: Interfaces\{FD243FDC-8A05-4D4B-8230-875DB4FAE40E} : NameServer = 10.90.88.1
BHO-X64: IDMIEHlprObj Class: {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO-X64: IDM Helper - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\SARAN\AppData\Roaming\Mozilla\Firefox\Profiles\1v4k6zj7.default\
FF - prefs.js: browser.search.selectedEngine - IMDB
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: C:\Program Files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: C:\Users\SARAN\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 HssWd;Hotspot Shield Monitoring Service;C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS --> C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\system32\DRIVERS\netaapl64.sys --> C:\Windows\system32\DRIVERS\netaapl64.sys [?]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-12-29 02:34:09 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B24FB097-3401-405A-9876-FE61277BE28C}\offreg.dll
2011-12-28 01:53:13 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B24FB097-3401-405A-9876-FE61277BE28C}\mpengine.dll
2011-12-19 00:01:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-19 00:01:49 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-14 03:11:36 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-14 03:11:36 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-08 03:01:33 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-04 06:43:57 388096 ----a-r- C:\Users\SARAN\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-04 06:43:57 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-12-04 06:03:57 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-03 03:06:19 -------- d--h--w- C:\ProgramData\Common Files
2011-12-03 03:00:10 -------- d-----w- C:\ProgramData\MFAData
2011-12-03 01:31:16 98816 ----a-w- C:\Windows\sed.exe
2011-12-03 01:31:16 518144 ----a-w- C:\Windows\SWREG.exe
2011-12-03 01:31:16 256000 ----a-w- C:\Windows\PEV.exe
2011-12-03 01:31:16 208896 ----a-w- C:\Windows\MBR.exe
2011-12-03 01:29:59 -------- d-----w- C:\ComboFix
2011-12-02 22:57:59 -------- d-----w- C:\sh4ldr
2011-12-02 22:57:59 -------- d-----w- C:\Program Files\Enigma Software Group
2011-12-02 22:57:43 -------- d-----w- C:\Windows\89A072791DB3485AB1DF584DF86774B9.TMP
2011-12-02 22:57:42 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2011-12-02 22:42:42 -------- d-----w- C:\ProgramData\PC Tools
.
==================== Find3M ====================
.
2011-12-08 02:54:02 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-26 05:21:20 43520 ----a-w- C:\Windows\System32\csrsrv.dll
.
============= FINISH: 19:40:05.50 ===============

This post has been edited by l3t5g0w1ng5: 28 December 2011 - 10:46 PM

#2 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 03 January 2012 - 12:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/435068 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.


Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 User is offline   l3t5g0w1ng5 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 28-December 11

Posted 03 January 2012 - 11:16 PM

1. Clear description has already been posted.

2. I am running Windows 7 64-Bit (unable to run GMER) I also have the Attach.txt file available if it is needed.

DDS.TXT RESULTS:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by SARAN at 20:05:23 on 2012-01-03
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.4025.2644 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Stardock\ObjectDock\Dock64.exe
c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Akamai NetSession Interface] C:\Users\SARAN\AppData\Local\Akamai\netsession_win.exe
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
StartupFolder: C:\Users\SARAN\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\STARDO~1.LNK - C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: DhcpNameServer = 64.59.144.16 64.59.144.17 64.59.150.132
TCP: Interfaces\{5A5C1FDF-D8CB-48DE-A7DB-D362A6089963} : DhcpNameServer = 64.59.144.16 64.59.144.17 64.59.150.132
TCP: Interfaces\{5A5C1FDF-D8CB-48DE-A7DB-D362A6089963}\2533447513E47453 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5A5C1FDF-D8CB-48DE-A7DB-D362A6089963}\2554447594E47435 : DhcpNameServer = 192.168.1.254 75.153.176.9
TCP: Interfaces\{5A5C1FDF-D8CB-48DE-A7DB-D362A6089963}\2656C6B696E6534376 : DhcpNameServer = 192.168.2.1 24.244.65.130 209.145.111.229
TCP: Interfaces\{5A5C1FDF-D8CB-48DE-A7DB-D362A6089963}\4554C4553513139323 : DhcpNameServer = 192.168.1.254 75.153.176.9
TCP: Interfaces\{5A5C1FDF-D8CB-48DE-A7DB-D362A6089963}\B657070716C6 : DhcpNameServer = 24.207.0.168 64.178.142.11
TCP: Interfaces\{F3EC2CDA-247F-4D58-B66D-5BBD1F255F5C} : DhcpNameServer = 192.168.1.254 75.153.176.9
TCP: Interfaces\{FD243FDC-8A05-4D4B-8230-875DB4FAE40E} : NameServer = 10.90.88.1
BHO-X64: IDMIEHlprObj Class: {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO-X64: IDM Helper - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\SARAN\AppData\Roaming\Mozilla\Firefox\Profiles\1v4k6zj7.default\
FF - prefs.js: browser.search.selectedEngine - IMDB
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: C:\Program Files (x86)\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: C:\Program Files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: C:\Users\SARAN\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 HssWd;Hotspot Shield Monitoring Service;C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS --> C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\system32\DRIVERS\netaapl64.sys --> C:\Windows\system32\DRIVERS\netaapl64.sys [?]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2012-01-04 03:06:31 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{77494B4A-9E53-40D6-934D-E285CFF80F52}\offreg.dll
2012-01-04 03:06:29 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{77494B4A-9E53-40D6-934D-E285CFF80F52}\mpengine.dll
2011-12-19 00:01:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-19 00:01:49 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-14 03:11:36 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-14 03:11:36 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-08 03:01:33 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-12-08 02:54:02 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-26 05:21:20 43520 ----a-w- C:\Windows\System32\csrsrv.dll
.
============= FINISH: 20:13:16.93 ===============


3. I DO NOT have the original Windows CD/DVD

Thank you!

#4 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 04 January 2012 - 02:40 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#5 User is offline   l3t5g0w1ng5 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 28-December 11

Posted 04 January 2012 - 10:52 PM

My computer still does not show real time Google search results, and Google search results still are being re-directed when I click on them.

COMBOFIX RESULTS:

ComboFix 12-01-04.03 - SARAN 04/01/2012 18:49:00.2.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.4025.2793 [GMT -8:00]
Running from: c:\users\SARAN\Documents\Virus Removal\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\SARAN\AppData\Roaming\IDM\idmmzcc3
c:\users\SARAN\AppData\Roaming\IDM\idmmzcc3\chrome.manifest
c:\users\SARAN\AppData\Roaming\IDM\idmmzcc3\chrome\idmmzcc.jar
c:\users\SARAN\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
c:\users\SARAN\AppData\Roaming\IDM\idmmzcc3\components\iIDMMzCC.xpt
c:\users\SARAN\AppData\Roaming\IDM\idmmzcc3\install.js
c:\users\SARAN\AppData\Roaming\IDM\idmmzcc3\install.rdf
c:\users\SARAN\AppData\Roaming\IDM\idmmzcc3\META-INF\manifest.mf
c:\users\SARAN\AppData\Roaming\IDM\idmmzcc3\META-INF\zigbert.rsa
c:\users\SARAN\AppData\Roaming\IDM\idmmzcc3\META-INF\zigbert.sf
.
.
((((((((((((((((((((((((( Files Created from 2011-12-05 to 2012-01-05 )))))))))))))))))))))))))))))))
.
.
2012-01-05 03:23 . 2012-01-05 03:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-01-05 03:23 . 2012-01-05 03:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-04 03:06 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{77494B4A-9E53-40D6-934D-E285CFF80F52}\mpengine.dll
2011-12-19 00:01 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-19 00:01 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-14 03:11 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 03:11 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-08 03:01 . 2011-12-08 03:01 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-05 03:30 . 2012-01-05 03:30 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{77494B4A-9E53-40D6-934D-E285CFF80F52}\offreg.dll
2011-12-08 02:54 . 2011-08-16 05:03 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-04 06:43 . 2011-12-04 06:43 388096 ----a-r- c:\users\SARAN\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-03_02.24.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-10-12 21:06 . 2011-08-20 04:27 67072 c:\windows\SysWOW64\mshtmled.dll
+ 2011-12-14 03:15 . 2011-11-05 04:31 67072 c:\windows\SysWOW64\mshtmled.dll
- 2011-10-12 21:06 . 2011-08-20 04:31 68608 c:\windows\SysWOW64\migration\WininetPlugin.dll
+ 2011-12-14 03:15 . 2011-11-05 04:35 68608 c:\windows\SysWOW64\migration\WininetPlugin.dll
+ 2011-12-14 03:15 . 2011-11-05 04:30 48128 c:\windows\SysWOW64\jsproxy.dll
- 2011-10-12 21:06 . 2011-08-20 04:27 48128 c:\windows\SysWOW64\jsproxy.dll
+ 2009-07-14 04:54 . 2012-01-05 03:26 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-12-03 02:22 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-05 03:26 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-03 02:22 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-03 02:22 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-05 03:26 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-05 23:09 . 2012-01-05 03:28 59224 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-05 03:28 51744 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-11-05 20:38 . 2012-01-05 03:28 22742 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4203370873-381558529-3321939469-1000_UserData.bin
- 2011-10-12 21:06 . 2011-08-20 05:34 97280 c:\windows\system32\mshtmled.dll
+ 2011-12-14 03:15 . 2011-11-05 05:38 97280 c:\windows\system32\mshtmled.dll
- 2011-10-12 21:06 . 2011-08-20 05:37 95232 c:\windows\system32\migration\WininetPlugin.dll
+ 2011-12-14 03:15 . 2011-11-05 05:41 95232 c:\windows\system32\migration\WininetPlugin.dll
- 2011-10-12 21:06 . 2011-08-20 05:33 64512 c:\windows\system32\jsproxy.dll
+ 2011-12-14 03:15 . 2011-11-05 05:37 64512 c:\windows\system32\jsproxy.dll
- 2009-07-14 05:30 . 2011-11-25 22:25 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2009-07-14 05:30 . 2011-12-04 06:17 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2011-12-14 03:15 . 2011-10-26 05:21 43520 c:\windows\system32\csrsrv.dll
- 2009-07-13 23:19 . 2009-07-14 01:40 43520 c:\windows\system32\csrsrv.dll
- 2009-11-05 20:30 . 2011-12-03 01:35 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-05 20:30 . 2011-12-24 06:52 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-05 20:30 . 2011-12-03 01:35 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-05 20:30 . 2011-12-24 06:52 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-24 06:52 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-03 01:35 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-06 02:43 . 2012-01-05 03:26 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-06 02:43 . 2011-12-03 02:22 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-06 02:43 . 2012-01-05 03:26 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-06 02:43 . 2011-12-03 02:22 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-06 02:43 . 2012-01-05 03:26 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-06 02:43 . 2011-12-03 02:22 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-05 23:27 . 2011-12-03 02:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-05 23:27 . 2012-01-05 03:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-05 23:27 . 2012-01-05 03:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-05 23:27 . 2011-12-03 02:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-06 07:47 . 2011-12-15 02:56 35088 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-11-06 07:47 . 2011-10-13 04:23 35088 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-11-06 07:47 . 2011-12-15 02:56 18704 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-11-06 07:47 . 2011-10-13 04:23 18704 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-11-06 07:47 . 2011-12-15 02:56 20240 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-11-06 07:47 . 2011-10-13 04:23 20240 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-11-20 21:58 . 2011-12-15 02:50 35088 c:\windows\Installer\{90120000-00A1-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-11-20 21:58 . 2011-09-14 23:19 35088 c:\windows\Installer\{90120000-00A1-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-11-20 21:58 . 2011-09-14 23:19 18704 c:\windows\Installer\{90120000-00A1-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-11-20 21:58 . 2011-12-15 02:50 18704 c:\windows\Installer\{90120000-00A1-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-11-20 21:58 . 2011-09-14 23:19 20240 c:\windows\Installer\{90120000-00A1-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-11-20 21:58 . 2011-12-15 02:50 20240 c:\windows\Installer\{90120000-00A1-0000-0000-0000000FF1CE}\cagicon.exe
- 2010-05-10 07:02 . 2011-09-14 23:19 35088 c:\windows\Installer\{90120000-003B-0000-0000-0000000FF1CE}\oisicon.exe
+ 2010-05-10 07:02 . 2011-12-15 02:51 35088 c:\windows\Installer\{90120000-003B-0000-0000-0000000FF1CE}\oisicon.exe
+ 2010-05-10 07:02 . 2011-12-15 02:51 18704 c:\windows\Installer\{90120000-003B-0000-0000-0000000FF1CE}\mspicons.exe
- 2010-05-10 07:02 . 2011-09-14 23:19 18704 c:\windows\Installer\{90120000-003B-0000-0000-0000000FF1CE}\mspicons.exe
+ 2010-05-10 07:02 . 2011-12-15 02:51 20240 c:\windows\Installer\{90120000-003B-0000-0000-0000000FF1CE}\cagicon.exe
- 2010-05-10 07:02 . 2011-09-14 23:19 20240 c:\windows\Installer\{90120000-003B-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-11-07 04:57 . 2011-12-02 10:49 3958 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2009-11-07 04:57 . 2011-12-15 08:37 3958 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2012-01-05 03:26 . 2012-01-05 03:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-03 02:22 . 2011-12-03 02:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-05 03:26 . 2012-01-05 03:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-12-03 02:22 . 2011-12-03 02:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-14 03:15 . 2011-11-05 04:35 981504 c:\windows\SysWOW64\wininet.dll
- 2011-10-12 21:07 . 2011-08-20 04:31 981504 c:\windows\SysWOW64\wininet.dll
+ 2011-12-14 03:15 . 2011-11-05 04:34 132096 c:\windows\SysWOW64\url.dll
- 2011-10-12 21:06 . 2011-08-20 04:30 132096 c:\windows\SysWOW64\url.dll
+ 2011-12-14 03:15 . 2011-11-05 04:31 599552 c:\windows\SysWOW64\msfeeds.dll
- 2011-10-12 21:07 . 2011-08-20 04:27 599552 c:\windows\SysWOW64\msfeeds.dll
+ 2011-12-08 02:54 . 2011-12-08 02:54 247968 c:\windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
+ 2011-12-08 02:54 . 2011-12-08 02:54 335520 c:\windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.dll
- 2011-10-12 21:07 . 2011-08-20 04:26 176640 c:\windows\SysWOW64\ieui.dll
+ 2011-12-14 03:15 . 2011-11-11 05:40 176640 c:\windows\SysWOW64\ieui.dll
+ 2009-11-05 21:24 . 2011-12-12 02:55 866224 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2011-10-12 21:06 . 2011-08-20 05:37 134144 c:\windows\system32\url.dll
+ 2011-12-14 03:15 . 2011-11-05 05:41 134144 c:\windows\system32\url.dll
+ 2009-07-14 02:36 . 2011-12-06 06:19 707204 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-12-02 09:25 707204 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-12-02 09:25 137534 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-12-06 06:19 137534 c:\windows\system32\perfc009.dat
+ 2011-12-14 03:15 . 2011-11-05 05:38 702464 c:\windows\system32\msfeeds.dll
- 2011-10-12 21:07 . 2011-08-20 05:34 702464 c:\windows\system32\msfeeds.dll
+ 2011-12-14 03:15 . 2011-11-11 06:49 247808 c:\windows\system32\ieui.dll
- 2011-10-12 21:07 . 2011-08-20 05:33 247808 c:\windows\system32\ieui.dll
+ 2009-07-14 05:30 . 2011-12-04 06:17 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2011-11-25 22:25 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2011-10-13 00:39 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2009-07-14 05:30 . 2011-12-04 06:17 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2009-07-14 04:46 . 2011-12-21 03:21 107912 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-07-14 04:46 . 2011-11-19 04:34 107912 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-12-24 06:56 . 2011-12-24 06:56 236904 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\reliability\Sqm\Manifest\Sqm25.bin
- 2009-07-14 05:01 . 2011-12-03 02:20 444580 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-05 03:25 444580 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-04-19 12:21 . 2011-04-19 12:21 235520 c:\windows\Installer\6bf6d.msi
+ 2011-12-03 03:04 . 2011-12-03 03:04 223232 c:\windows\Installer\275841.msi
- 2009-11-06 07:47 . 2011-10-13 04:23 888080 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-11-06 07:47 . 2011-12-15 02:56 888080 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-11-06 07:47 . 2011-12-15 02:56 272648 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2009-11-06 07:47 . 2011-10-13 04:23 272648 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-11-06 07:47 . 2011-12-15 02:56 922384 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2009-11-06 07:47 . 2011-10-13 04:23 922384 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2009-11-06 07:47 . 2011-10-13 04:23 845584 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-11-06 07:47 . 2011-12-15 02:56 845584 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-11-06 07:47 . 2011-12-15 02:56 217864 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2009-11-06 07:47 . 2011-10-13 04:23 217864 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2009-11-06 07:47 . 2011-10-13 04:23 159504 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-11-06 07:47 . 2011-12-15 02:56 159504 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-11-20 21:58 . 2011-12-15 02:50 217864 c:\windows\Installer\{90120000-00A1-0000-0000-0000000FF1CE}\misc.exe
- 2009-11-20 21:58 . 2011-09-14 23:19 217864 c:\windows\Installer\{90120000-00A1-0000-0000-0000000FF1CE}\misc.exe
- 2009-11-20 21:58 . 2011-09-14 23:19 184080 c:\windows\Installer\{90120000-00A1-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-11-20 21:58 . 2011-12-15 02:50 184080 c:\windows\Installer\{90120000-00A1-0000-0000-0000000FF1CE}\joticon.exe
+ 2010-05-10 07:02 . 2011-12-15 02:51 239376 c:\windows\Installer\{90120000-003B-0000-0000-0000000FF1CE}\pj11icon.exe
- 2010-05-10 07:02 . 2011-09-14 23:19 239376 c:\windows\Installer\{90120000-003B-0000-0000-0000000FF1CE}\pj11icon.exe
+ 2010-05-10 07:02 . 2011-12-15 02:51 217864 c:\windows\Installer\{90120000-003B-0000-0000-0000000FF1CE}\misc.exe
- 2010-05-10 07:02 . 2011-09-14 23:19 217864 c:\windows\Installer\{90120000-003B-0000-0000-0000000FF1CE}\misc.exe
+ 2011-12-15 02:56 . 2011-12-15 02:56 350080 c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
+ 2011-12-14 03:15 . 2011-11-05 04:34 1231360 c:\windows\SysWOW64\urlmon.dll
- 2011-10-12 21:07 . 2011-08-20 04:30 1231360 c:\windows\SysWOW64\urlmon.dll
+ 2011-12-14 03:15 . 2011-11-05 04:31 5997056 c:\windows\SysWOW64\mshtml.dll
- 2011-10-12 21:06 . 2011-08-20 04:26 2073600 c:\windows\SysWOW64\iertutil.dll
+ 2011-12-14 03:15 . 2011-11-05 04:30 2073600 c:\windows\SysWOW64\iertutil.dll
+ 2011-12-14 03:15 . 2011-11-05 05:41 1188864 c:\windows\system32\wininet.dll
- 2011-10-12 21:07 . 2011-08-20 05:37 1188864 c:\windows\system32\wininet.dll
+ 2011-12-14 03:15 . 2011-11-24 04:52 3145216 c:\windows\system32\win32k.sys
- 2011-10-12 21:07 . 2011-08-20 05:37 1494016 c:\windows\system32\urlmon.dll
+ 2011-12-14 03:15 . 2011-11-05 05:41 1494016 c:\windows\system32\urlmon.dll
+ 2011-12-14 03:15 . 2011-11-05 05:38 9018880 c:\windows\system32\mshtml.dll
+ 2011-12-14 03:15 . 2011-11-05 05:37 2454528 c:\windows\system32\iertutil.dll
- 2011-10-12 21:06 . 2011-08-20 05:33 2454528 c:\windows\system32\iertutil.dll
+ 2009-07-14 04:45 . 2011-12-15 03:20 5103984 c:\windows\system32\FNTCACHE.DAT
- 2009-07-14 04:45 . 2011-11-10 00:02 5103984 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-14 04:45 . 2011-12-20 02:27 7384303 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2011-11-18 21:31 7384303 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2010-04-14 00:26 . 2011-12-03 02:20 6035212 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4203370873-381558529-3321939469-1000-12288.dat
+ 2010-04-14 00:26 . 2012-01-05 03:25 6035212 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4203370873-381558529-3321939469-1000-12288.dat
+ 2011-11-01 21:34 . 2011-11-01 21:34 4250112 c:\windows\Installer\5c320.msp
+ 2011-11-01 21:34 . 2011-11-01 21:34 2247168 c:\windows\Installer\5c2fb.msp
+ 2011-11-12 00:14 . 2011-11-12 00:14 9096192 c:\windows\Installer\5c2e7.msp
+ 2011-11-01 21:34 . 2011-11-01 21:34 4225536 c:\windows\Installer\5c2d3.msp
+ 2011-11-01 21:34 . 2011-11-01 21:34 2531840 c:\windows\Installer\5c292.msp
+ 2011-11-12 00:15 . 2011-11-12 00:15 1795584 c:\windows\Installer\5c28a.msp
+ 2011-11-12 00:16 . 2011-11-12 00:16 8458240 c:\windows\Installer\5c276.msp
+ 2011-12-03 03:04 . 2011-12-03 03:04 8544256 c:\windows\Installer\275846.msi
+ 2011-12-04 06:42 . 2011-12-04 06:42 1402880 c:\windows\Installer\1c18f0.msi
+ 2009-11-06 07:47 . 2011-12-15 02:56 1172240 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-11-06 07:47 . 2011-10-13 04:23 1172240 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-11-06 07:47 . 2011-12-15 02:56 1165584 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2009-11-06 07:47 . 2011-10-13 04:23 1165584 c:\windows\Installer\{91120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2011-12-14 03:15 . 2011-11-11 05:40 10991104 c:\windows\SysWOW64\ieframe.dll
- 2011-10-12 21:07 . 2011-08-20 04:26 10991104 c:\windows\SysWOW64\ieframe.dll
- 2009-07-14 02:34 . 2011-11-17 20:51 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-12-19 11:13 10747904 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-11-06 07:29 . 2011-12-15 02:52 54867776 c:\windows\system32\MRT.exe
+ 2011-12-14 03:15 . 2011-11-11 06:49 12261888 c:\windows\system32\ieframe.dll
- 2011-10-12 21:07 . 2011-08-20 05:33 12261888 c:\windows\system32\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-08-27 1194504]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
.
c:\users\SARAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files (x86)\Stardock\ObjectDock\ObjectDock.exe [2010-8-9 3450608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]
R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe [2010-10-15 326704]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2009-07-20 503864]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-05-22 295936]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"POWER PLAN ASSISTANT"="c:\program files\PowerPlanAssistant\PowerPlanAssistantLauncher.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ca/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files (x86)\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.59.144.16 64.59.144.17 64.59.150.132
TCP: Interfaces\{FD243FDC-8A05-4D4B-8230-875DB4FAE40E}: NameServer = 10.90.88.1
FF - ProfilePath - c:\users\SARAN\AppData\Roaming\Mozilla\Firefox\Profiles\1v4k6zj7.default\
FF - prefs.js: browser.search.selectedEngine - IMDB
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Akamai NetSession Interface - c:\users\SARAN\AppData\Local\Akamai\netsession_win.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4203370873-381558529-3321939469-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):e1,0f,1d,69,89,02,df,80,6f,5d,f9,b4,00,a2,43,76,96,07,25,13,44,
2a,21,89,3a,66,5a,bf,7d,3e,b2,eb,cd,59,0d,70,ec,82,99,f9,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-4203370873-381558529-3321939469-1000_Classes\Wow6432Node\CLSID\{e0b845b4-76c6-4426-9d7a-005899ed4437}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000098
"Therad"=dword:0000001b
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:45,a1,7a,70,be,a0,40,2b,31,c5,91,bc,01,3d,8a,2a,ce,e0,8d,84,d8,
5a,57,cd,18,14,89,b0,1b,ea,3a,2f,e1,ba,fb,4d,6e,6f,14,1c,a2,b9,2e,39,63,d2,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:45,a1,7a,70,be,a0,40,2b,31,c5,91,bc,01,3d,8a,2a,ce,e0,8d,84,d8,
5a,57,cd,18,14,89,b0,1b,ea,3a,2f,e1,ba,fb,4d,6e,6f,14,1c,a2,b9,2e,39,63,d2,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Hotspot Shield\bin\openvpnas.exe
c:\program files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
.
**************************************************************************
.
Completion time: 2012-01-04 19:48:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-05 03:48
ComboFix2.txt 2011-12-03 02:46
.
Pre-Run: 98,343,321,600 bytes free
Post-Run: 98,150,850,560 bytes free
.
- - End Of File - - 2AF952E4BFB567DA37EA07727AF18339


Thank you

#6 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 04 January 2012 - 11:10 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#7 User is offline   l3t5g0w1ng5 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 28-December 11

Posted 05 January 2012 - 12:35 AM

After running combofix, I'm getting this Recycling Bin error when I try to delete files:

Posted Image

If I click "No", the files aren't deleted. If I click "Yes", the it asks me if I want to permanently delete the files (the files are deleted without me "emptying" the Recycling Bin).

As stated in the OP: Something that doesn't seem to run for me is TDSSKiller (even when I change the file name and extension. I've also tried running it in safemode).

Thank you

#8 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 January 2012 - 12:57 AM

Hello

I would like you to run this tool for me - fixTDSS

download it to your desktop and start the program

Follow the prompts and Ok any security prompts

when it is complete it will say the infection was cleared or no infection was found - let me know what it says

after it is complete I want you to restart the computer and try to rerun TDSSKiller for me and send me the report

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#9 User is offline   l3t5g0w1ng5 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 28-December 11

Posted 05 January 2012 - 11:33 AM

After running fixTDSS, it said that it removed something. I wrote down what it was in Notepad, however I am not able to access my Notepad because:

When I restarted my computer (which you told me to do before running TDSSKiller), IT WILL NOT LET ME LOG IN!

It gives me two options:

Run system fix (or something like that).
Start Windows normally.

IT WILL NOT let me run Windows normally.

I have run the System Fix MANY times, and it will not fix the error. It asks me to contact Windows to resolve the issue.
I have also tried 2 System Restores. That also did not fix the problem.
I have also tried to reboot in Safe Mode (with and without Networking).

I think I have a major issue now?

#10 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 January 2012 - 12:38 PM

Hello


press F10 during startup

I want you to remove /MININT after optin


start windows normally

click on the start orb

in the search pane type CMD

right click on CMD and select run as admin


copy and paste this into the window

    bcdedit /set {current} winpe no




restart windows and let me know if it boots fine







gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#11 User is offline   l3t5g0w1ng5 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 28-December 11

Posted 05 January 2012 - 01:41 PM

I will try this when I get home.

Is this a fairly common error to have after running fixTDSS? It seems to be quite a serious error.

This post has been edited by l3t5g0w1ng5: 05 January 2012 - 01:56 PM

#12 User is offline   l3t5g0w1ng5 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 28-December 11

Posted 05 January 2012 - 03:11 PM

So I turn on my computer, and keep pressing F10 until a screen appears?

Can you tell me what you mean by "I want you to remove /MININT after optin"

After I do that, will Windows automatically restart?

Thank you

This post has been edited by l3t5g0w1ng5: 05 January 2012 - 03:39 PM

#13 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 January 2012 - 08:42 PM

when you press f10 a screen will appear called "edit boot options"

there will be a little writing on this page but one part will have

optin /MININT

at that part I want you to remove - /MININT from the end of that line

when you have done that windows will boot (but if you don't do the rest of the post you will have to use f10 again)


It has happened a couple of times



gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#14 User is offline   l3t5g0w1ng5 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 14
  • Joined: 28-December 11

Posted 05 January 2012 - 09:00 PM

After I pasted "bcdedit /set {current} winpe no" it said that it was successful, and my computer rebooted without any issues. It did prompt me that my system was restored to Dec.24th (which I had tried to do earlier).

Here is what fixTDSS removed:
***Infected MBR detected
Repair was successful

My Google seems to be working fine now (not sure if it has anything to do with the System Restore).

Would you like me to try and run TDSSKiller now?

Thank you

This post has been edited by l3t5g0w1ng5: 05 January 2012 - 09:01 PM

#15 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 January 2012 - 09:02 PM

Hello

Would you like me to try and run TDSSKiller now?

Yes I would


gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users