BleepingComputer.com: rootkill virus, google redirecting


Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Unfortunately, with the number of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title, e.g. Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

rootkill virus, google redirecting Please help remove.

#16 MAMABOST

  • Member
  • Group: Members
  • Posts: 22
  • Joined: 04-February 12

Posted 15 February 2012 - 03:44 PM

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-15 15:31:34
-----------------------------
15:31:34.387 OS Version: Windows x64 6.1.7600
15:31:34.387 Number of processors: 2 586 0x6B02
15:31:34.387 ComputerName: JANET-PC UserName: Janet
15:31:35.853 Initialize success
15:31:45.135 AVAST engine defs: 12021500
15:31:48.146 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:31:48.146 Disk 0 Vendor: WDC_WD2500AAJS-75M0A0 02.03E02 Size: 238418MB BusType: 11
15:31:48.161 Disk 0 MBR read successfully
15:31:48.161 Disk 0 MBR scan
15:31:48.177 Disk 0 Windows VISTA default MBR code
15:31:48.177 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
15:31:48.193 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 20358 MB offset 81920
15:31:48.208 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 218019 MB offset 41775104
15:31:48.224 Service scanning
15:31:49.768 Modules scanning
15:31:49.768 Disk 0 trace - called modules:
15:31:49.768 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
15:31:49.784 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800467d060]
15:31:50.299 3 CLASSPNP.SYS[fffff8800190143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80045fb060]
15:31:52.077 AVAST engine scan C:\Windows
15:31:54.807 AVAST engine scan C:\Windows\system32
15:32:08.629 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
15:34:02.072 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
15:34:04.147 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
15:35:52.505 File: C:\Windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
15:35:52.567 File: C:\Windows\assembly\temp\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
15:35:52.708 File: C:\Windows\assembly\tmp\TF1N9VH3\IEExecRemote.dll **SUSPICIOUS**
15:35:52.723 File: C:\Windows\assembly\tmp\TF1N9VH3\__AssemblyInfo__.ini **SUSPICIOUS**
15:35:53.191 AVAST engine scan C:\Windows\system32\drivers
15:36:07.871 AVAST engine scan C:\Users\Janet
15:40:10.059 AVAST engine scan C:\ProgramData
15:41:38.866 Scan finished successfully
15:43:02.404 Disk 0 MBR has been saved successfully to "C:\Users\Janet\Desktop\MBR.dat"
15:43:02.420 The log file has been saved successfully to "C:\Users\Janet\Desktop\aswMBR.txt"

#17 gringo_pr

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender: Male
  • Location: Puerto Rico

Posted 17 February 2012 - 02:56 AM

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:
      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

#18 MAMABOST

  • Member
  • Group: Members
  • Posts: 22
  • Joined: 04-February 12

Posted 17 February 2012 - 05:25 PM

Scan result of Farbar Recovery Scan Tool Version: 17-02-2012 (L)
Ran by SYSTEM at 2012-02-17 16:18:13
Running from G:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKU\Janet\...\Run: [Internet Security] C:\ProgramData\isecurity.exe [842752 2012-02-16] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 192.168.2.1
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

3 Microsoft Office Groove Audit Service; "C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe" [65888 2008-10-25] (Microsoft Corporation)
4 MotoHelper; C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [202048 2010-09-07] ()
2 MREMP50a64; C:\Windows\System32\lpds.dll [6656 2009-07-13] (Oak Technology Inc.)
4 QBFCService; "C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe" [71184 2006-09-16] (Intuit Inc.)
2 RapiMgr; C:\Windows\WindowsMobile\rapimgr.dll [225672 2007-05-31] (Microsoft Corporation)
4 Sony SCSI Helper Service; "C:\Program Files (x86)\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe" [73728 2010-04-02] (Sony Corporation)
4 szserver; "C:\Program Files (x86)\Common Files\iS3\Anti-Spyware\SZServer.exe" [62928 2011-08-07] (iS3, Inc.)
2 WcesComm; C:\Windows\WindowsMobile\wcescomm.dll [443784 2007-05-31] (Microsoft Corporation)
3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]

========================== Drivers (Whitelisted) =============

3 amdkmdag; C:\Windows\System32\DRIVERS\atipmdag.sys [6368256 2010-02-11] (ATI Technologies Inc.)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
0 is3srv; C:\Windows\SysWow64\drivers\is3srv64.sys [74768 2011-06-02] (iS3 Inc.)
0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [69152 2010-07-12] (Lavasoft AB)
3 motccgp; C:\Windows\System32\DRIVERS\motccgp.sys [20992 2010-06-18] (Motorola)
3 motccgpfl; C:\Windows\System32\DRIVERS\motccgpfl.sys [9216 2009-01-29] (Motorola)
3 MotoSwitchService; C:\Windows\System32\DRIVERS\motswch.sys [8576 2007-11-02] (Motorola)
3 motusbdevice; C:\Windows\System32\DRIVERS\motusbdevice.sys [10240 2010-01-25] (Motorola Inc)
3 PAC207; C:\Windows\System32\DRIVERS\PFC027.SYS [572416 2006-12-05] (PixArt Imaging Inc.)
0 szkg5; C:\Windows\SysWow64\DRIVERS\szkg64.sys [74768 2011-06-02] (iS3 Inc.)
3 12434596; [x]
0 achwwmoz; C:\Windows\System32\drivers\iqsj.sys [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [x]
0 umxmuf; C:\Windows\System32\drivers\nwscidrk.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: MREMP50a64
NETSVC: USB_NDIS_51
NETSVC: vulfnths

============ One Month Created Files and Folders ==============

2012-02-17 16:18 - 2012-02-17 16:18 - 0000000 ____D C:\FRST
2012-02-16 22:37 - 2012-02-16 22:37 - 0842752 ____A C:\Users\All Users\isecurity.exe
2012-02-16 22:37 - 2012-02-16 22:37 - 0842752 ____A C:\Users\All Users\Application Data\isecurity.exe
2012-02-16 22:37 - 2012-02-16 22:37 - 0842752 ____A C:\Users\All Users\Application Data\88B0.tmp
2012-02-16 22:37 - 2012-02-16 22:37 - 0842752 ____A C:\Users\All Users\88B0.tmp
2012-02-16 22:37 - 2012-02-16 22:37 - 0842752 ____A C:\ProgramData\isecurity.exe
2012-02-16 22:37 - 2012-02-16 22:37 - 0842752 ____A C:\ProgramData\88B0.tmp
2012-02-16 22:36 - 2012-02-16 22:36 - 0000000 ____D C:\Windows\Sun
2012-02-16 22:31 - 2012-02-16 22:31 - 4435112 ____A C:\Users\Janet\Desktop\SCUDownloader.exe
2012-02-16 22:31 - 2012-02-16 22:31 - 0001177 ____A C:\Users\Janet\Desktop\System Checkup.lnk
2012-02-16 22:31 - 2012-02-16 22:31 - 0000000 ____D C:\Users\Janet\Application Data\iolo
2012-02-16 22:31 - 2012-02-16 22:31 - 0000000 ____D C:\Users\Janet\AppData\Roaming\iolo
2012-02-16 22:31 - 2012-02-16 22:31 - 0000000 ____D C:\Users\All Users\iolo
2012-02-16 22:31 - 2012-02-16 22:31 - 0000000 ____D C:\Users\All Users\Application Data\iolo
2012-02-16 22:31 - 2012-02-16 22:31 - 0000000 ____D C:\ProgramData\iolo
2012-02-16 22:31 - 2012-02-16 22:31 - 0000000 ____D C:\Program Files (x86)\iolo
2012-02-15 21:08 - 2011-06-26 00:45 - 0256000 ____A C:\Windows\PEV.exe
2012-02-15 21:08 - 2010-11-07 11:20 - 0208896 ____A C:\Windows\MBR.exe
2012-02-15 21:08 - 2009-04-19 22:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-02-15 21:08 - 2000-08-30 18:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-02-15 21:08 - 2000-08-30 18:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-02-15 21:08 - 2000-08-30 18:00 - 0098816 ____A C:\Windows\sed.exe
2012-02-15 21:08 - 2000-08-30 18:00 - 0080412 ____A C:\Windows\grep.exe
2012-02-15 21:08 - 2000-08-30 18:00 - 0068096 ____A C:\Windows\zip.exe
2012-02-15 19:11 - 2012-02-15 19:11 - 0000000 ____D C:\Windows\System32\appmgmt
2012-02-15 15:52 - 2012-02-15 15:52 - 0000000 ____D C:\Windows\Intuit
2012-02-15 13:17 - 2012-02-15 13:17 - 0061440 ____A C:\Windows\SysWOW64\Drivers\iqsj.sys
2012-02-15 13:17 - 2012-02-15 13:17 - 0000484 ____A C:\oyeexnd.txt
2012-02-15 13:14 - 2012-02-15 13:14 - 0061440 ____A C:\Windows\SysWOW64\Drivers\nwscidrk.sys
2012-02-15 13:14 - 2012-02-15 13:14 - 0000484 ____A C:\Windows\SysWOW64\lmwh.txt
2012-02-15 13:13 - 2012-02-15 13:13 - 0724952 ____A C:\Users\Janet\Desktop\avenger.zip
2012-02-15 11:55 - 2012-02-15 11:56 - 0081350 ____A C:\TDSSKiller.2.7.12.0_15.02.2012_12.55.03_log.txt
2012-02-15 11:41 - 2012-02-15 11:42 - 0081178 ____A C:\TDSSKiller.2.7.12.0_15.02.2012_12.41.25_log.txt
2012-02-15 11:40 - 2012-02-15 11:40 - 2061360 ____A (Kaspersky Lab ZAO) C:\Users\Janet\Desktop\tdsskiller.exe
2012-02-12 13:17 - 2012-02-16 21:14 - 2676414 ____A C:\Windows\ntbtlog.txt
2012-02-12 13:02 - 2012-02-12 13:02 - 0000162 ___AH C:\Users\Janet\Desktop\~$rketing_Case_Analysis_Sample_-_Harley_Davidson.doc
2012-02-11 14:18 - 2012-02-11 14:18 - 0011690 ____A C:\Users\Janet\Desktop\positioning strategy.docx
2012-02-11 13:55 - 2012-02-11 13:55 - 0094208 ____A C:\Users\Janet\Desktop\Marketing_Plan_Sample_Massage_Therapy.doc
2012-02-11 13:53 - 2012-02-11 13:53 - 0068608 ____A C:\Users\Janet\Desktop\Marketing_Case_Analysis_Sample_-_Harley_Davidson.doc
2012-02-10 05:23 - 2012-02-16 00:14 - 0000000 ____D C:\Windows\ERDNT
2012-02-10 05:23 - 2012-02-10 05:23 - 0000000 ____D C:\Qoobox
2012-02-08 21:20 - 2012-02-08 21:20 - 0036804 ____A C:\Users\Janet\Desktop\ark.txt
2012-02-08 20:30 - 2012-02-08 20:30 - 0000000 ____D C:\Users\Janet\Desktop\gmer
2012-02-08 20:29 - 2012-02-08 20:29 - 0294216 ____A C:\Users\Janet\Desktop\gmer.zip
2012-02-08 20:28 - 2012-02-08 20:28 - 0016336 ____A C:\Users\Janet\Desktop\DDS.txt
2012-02-08 20:28 - 2012-02-08 20:28 - 0010432 ____A C:\Users\Janet\Desktop\Attach.txt
2012-02-08 20:25 - 2012-02-08 20:25 - 0607260 ____R (Swearware) C:\Users\Janet\Desktop\dds.scr
2012-02-08 20:24 - 2012-02-08 20:24 - 0050477 ____A C:\Users\Janet\Desktop\Defogger.exe
2012-02-08 20:24 - 2012-02-08 20:24 - 0000000 ____A C:\Users\Janet\defogger_reenable
2012-02-08 11:36 - 2012-02-15 14:43 - 0007605 ____A C:\Users\Janet\Desktop\aswMBR.txt
2012-02-08 11:36 - 2012-02-15 14:43 - 0000512 ____A C:\Users\Janet\Desktop\MBR.dat
2012-02-08 11:21 - 2012-02-08 11:21 - 4733440 ____A (AVAST Software) C:\Users\Janet\Desktop\aswMBR.exe
2012-02-08 11:18 - 2012-02-08 11:18 - 0034890 ____A C:\Users\Janet\Desktop\MbrScan.log
2012-02-08 11:18 - 2012-02-08 11:18 - 0000512 ____A C:\Users\Janet\Desktop\Dump_Hdd1_DR1.mbr
2012-02-08 11:18 - 2012-02-08 11:18 - 0000512 ____A C:\Users\Janet\Desktop\Dump_Hdd0_DR0.mbr
2012-02-08 11:17 - 2012-02-08 11:17 - 0146944 ____A (Eric_71) C:\Users\Janet\Desktop\MbrScan.exe
2012-02-08 11:15 - 2012-02-08 11:15 - 0011362 ____A C:\Users\Janet\Desktop\gmer.log
2012-02-08 10:32 - 2012-02-08 10:32 - 0000000 ____A C:\Users\Janet\Desktop\gmeer.log
2012-02-06 19:10 - 2012-02-06 19:10 - 0302592 ____A C:\Users\Janet\Desktop\utvz3xoh.exe
2012-02-06 19:03 - 2012-02-06 19:03 - 0396041 ____A C:\Users\Janet\Desktop\MiniToolBox.exe
2012-02-06 17:03 - 2012-02-06 17:03 - 0283202 ____A C:\Users\Janet\Desktop\baseball ad form.docx
2012-02-05 08:17 - 2012-02-15 21:05 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-02-03 22:29 - 2012-02-03 22:29 - 0019507 ____A C:\Users\Janet\Desktop\tball schedule.xlsx
2012-01-23 09:01 - 2012-02-15 19:12 - 0000000 ____D C:\Users\Janet\Local Settings\Deployment
2012-01-23 09:01 - 2012-02-15 19:12 - 0000000 ____D C:\Users\Janet\Local Settings\Application Data\Deployment
2012-01-23 09:01 - 2012-02-15 19:12 - 0000000 ____D C:\Users\Janet\AppData\Local\Deployment
2012-01-23 09:01 - 2012-01-23 09:01 - 0000311 ____A C:\Users\Janet\eBridge Solutions Viewer.ini
2012-01-23 09:01 - 2012-01-23 09:01 - 0000000 ____D C:\Users\Janet\AppData\Local\Apps\2.0

============ 3 Months Modified Files and Folders =============

2012-02-17 16:18 - 2012-02-17 16:18 - 0000000 ____D C:\FRST
2012-02-17 16:09 - 2011-12-14 21:23 - 0006810 ____A C:\Windows\setupact.log
2012-02-17 16:08 - 2010-08-09 22:57 - 3018993664 __ASH C:\hiberfil.sys
2012-02-17 16:08 - 2009-07-13 23:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-02-16 22:37 - 2012-02-16 22:37 - 0842752 ____A C:\Users\All Users\isecurity.exe
2012-02-16 22:37 - 2012-02-16 22:37 - 0842752 ____A C:\Users\All Users\Application Data\isecurity.exe
2012-02-16 22:37 - 2012-02-16 22:37 - 0842752 ____A C:\Users\All Users\Application Data\88B0.tmp
2012-02-16 22:37 - 2012-02-16 22:37 - 0842752 ____A C:\Users\All Users\88B0.tmp
2012-02-16 22:37 - 2012-02-16 22:37 - 0842752 ____A C:\ProgramData\isecurity.exe
2012-02-16 22:37 - 2012-02-16 22:37 - 0842752 ____A C:\ProgramData\88B0.tmp
2012-02-16 22:36 - 2012-02-16 22:36 - 0000000 ____D C:\Windows\Sun
2012-02-16 22:31 - 2012-02-16 22:31 - 4435112 ____A C:\Users\Janet\Desktop\SCUDownloader.exe
2012-02-16 22:31 - 2012-02-16 22:31 - 0001177 ____A C:\Users\Janet\Desktop\System Checkup.lnk
2012-02-16 22:31 - 2012-02-16 22:31 - 0000000 ____D C:\Users\Janet\Application Data\iolo
2012-02-16 22:31 - 2012-02-16 22:31 - 0000000 ____D C:\Users\Janet\AppData\Roaming\iolo
2012-02-16 22:31 - 2012-02-16 22:31 - 0000000 ____D C:\Users\All Users\iolo
2012-02-16 22:31 - 2012-02-16 22:31 - 0000000 ____D C:\Users\All Users\Application Data\iolo
2012-02-16 22:31 - 2012-02-16 22:31 - 0000000 ____D C:\ProgramData\iolo
2012-02-16 22:31 - 2012-02-16 22:31 - 0000000 ____D C:\Program Files (x86)\iolo
2012-02-16 22:03 - 2011-11-19 21:26 - 0000000 ____D C:\Users\Janet\Local Settings\ApplicationHistory
2012-02-16 22:03 - 2011-11-19 21:26 - 0000000 ____D C:\Users\Janet\Local Settings\Application Data\ApplicationHistory
2012-02-16 22:03 - 2011-11-19 21:26 - 0000000 ____D C:\Users\Janet\AppData\Local\ApplicationHistory
2012-02-16 21:29 - 2011-08-17 10:12 - 1985221 ____A C:\Windows\WindowsUpdate.log
2012-02-16 21:26 - 2010-10-25 09:57 - 0000000 ____D C:\Windows\pss
2012-02-16 21:19 - 2009-07-13 23:13 - 0739790 ____A C:\Windows\System32\PerfStringBackup.INI
2012-02-16 21:14 - 2012-02-12 13:17 - 2676414 ____A C:\Windows\ntbtlog.txt
2012-02-16 21:09 - 2010-10-06 10:47 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-250499869-2109789131-799496426-1000UA.job
2012-02-16 20:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At44.job
2012-02-16 20:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At43.job
2012-02-16 20:17 - 2009-07-13 22:45 - 0014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-02-16 20:17 - 2009-07-13 22:45 - 0014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-02-16 19:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At42.job
2012-02-16 19:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At41.job
2012-02-16 15:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At34.job
2012-02-16 15:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At33.job
2012-02-16 14:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At32.job
2012-02-16 14:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At31.job
2012-02-16 13:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At30.job
2012-02-16 13:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At29.job
2012-02-16 12:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At28.job
2012-02-16 12:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At27.job
2012-02-16 11:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At26.job
2012-02-16 11:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At25.job
2012-02-16 11:39 - 2011-12-14 20:31 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At8.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At24.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At22.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At20.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At18.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At16.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At14.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At12.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At10.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At9.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At7.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At23.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At21.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At19.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At17.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At15.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At13.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At11.job
2012-02-16 11:06 - 2010-10-06 10:47 - 0000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-250499869-2109789131-799496426-1000Core.job
2012-02-16 01:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At6.job
2012-02-16 01:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At5.job
2012-02-16 00:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At4.job
2012-02-16 00:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At3.job
2012-02-16 00:16 - 2012-01-06 06:00 - 0005532 ____A C:\Windows\PFRO.log
2012-02-16 00:14 - 2012-02-10 05:23 - 0000000 ____D C:\Windows\ERDNT
2012-02-15 23:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At2.job
2012-02-15 23:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At1.job
2012-02-15 22:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At48.job
2012-02-15 22:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At47.job
2012-02-15 21:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At46.job
2012-02-15 21:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At45.job
2012-02-15 21:05 - 2012-02-05 08:17 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-02-15 19:12 - 2012-01-23 09:01 - 0000000 ____D C:\Users\Janet\Local Settings\Deployment
2012-02-15 19:12 - 2012-01-23 09:01 - 0000000 ____D C:\Users\Janet\Local Settings\Application Data\Deployment
2012-02-15 19:12 - 2012-01-23 09:01 - 0000000 ____D C:\Users\Janet\AppData\Local\Deployment
2012-02-15 19:12 - 2010-12-14 08:45 - 0000000 ____D C:\Program Files (x86)\NCH Swift Sound
2012-02-15 19:11 - 2012-02-15 19:11 - 0000000 ____D C:\Windows\System32\appmgmt
2012-02-15 19:10 - 2010-08-14 11:44 - 0000000 ____D C:\Users\All Users\Lavasoft
2012-02-15 19:10 - 2010-08-14 11:44 - 0000000 ____D C:\Users\All Users\Application Data\Lavasoft
2012-02-15 19:10 - 2010-08-14 11:44 - 0000000 ____D C:\ProgramData\Lavasoft
2012-02-15 18:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At40.job
2012-02-15 18:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At39.job
2012-02-15 17:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At38.job
2012-02-15 17:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At37.job
2012-02-15 16:51 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At35.job
2012-02-15 16:49 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At36.job
2012-02-15 15:52 - 2012-02-15 15:52 - 0000000 ____D C:\Windows\Intuit
2012-02-15 14:43 - 2012-02-08 11:36 - 0007605 ____A C:\Users\Janet\Desktop\aswMBR.txt
2012-02-15 14:43 - 2012-02-08 11:36 - 0000512 ____A C:\Users\Janet\Desktop\MBR.dat
2012-02-15 13:37 - 2009-07-13 23:08 - 0032648 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-02-15 13:17 - 2012-02-15 13:17 - 0061440 ____A C:\Windows\SysWOW64\Drivers\iqsj.sys
2012-02-15 13:17 - 2012-02-15 13:17 - 0000484 ____A C:\oyeexnd.txt
2012-02-15 13:14 - 2012-02-15 13:14 - 0061440 ____A C:\Windows\SysWOW64\Drivers\nwscidrk.sys
2012-02-15 13:14 - 2012-02-15 13:14 - 0000484 ____A C:\Windows\SysWOW64\lmwh.txt
2012-02-15 13:13 - 2012-02-15 13:13 - 0724952 ____A C:\Users\Janet\Desktop\avenger.zip
2012-02-15 11:56 - 2012-02-15 11:55 - 0081350 ____A C:\TDSSKiller.2.7.12.0_15.02.2012_12.55.03_log.txt
2012-02-15 11:42 - 2012-02-15 11:41 - 0081178 ____A C:\TDSSKiller.2.7.12.0_15.02.2012_12.41.25_log.txt
2012-02-15 11:40 - 2012-02-15 11:40 - 2061360 ____A (Kaspersky Lab ZAO) C:\Users\Janet\Desktop\tdsskiller.exe
2012-02-12 13:17 - 2010-08-21 16:25 - 0107119 ____A C:\aaw7boot.log
2012-02-12 13:02 - 2012-02-12 13:02 - 0000162 ___AH C:\Users\Janet\Desktop\~$rketing_Case_Analysis_Sample_-_Harley_Davidson.doc
2012-02-11 14:18 - 2012-02-11 14:18 - 0011690 ____A C:\Users\Janet\Desktop\positioning strategy.docx
2012-02-11 13:55 - 2012-02-11 13:55 - 0094208 ____A C:\Users\Janet\Desktop\Marketing_Plan_Sample_Massage_Therapy.doc
2012-02-11 13:53 - 2012-02-11 13:53 - 0068608 ____A C:\Users\Janet\Desktop\Marketing_Case_Analysis_Sample_-_Harley_Davidson.doc
2012-02-11 13:18 - 2011-04-25 20:25 - 0000064 ____A C:\Windows\SysWOW64\rp_stats.dat
2012-02-11 13:18 - 2011-04-25 20:25 - 0000044 ____A C:\Windows\SysWOW64\rp_rules.dat
2012-02-10 05:23 - 2012-02-10 05:23 - 0000000 ____D C:\Qoobox
2012-02-08 21:20 - 2012-02-08 21:20 - 0036804 ____A C:\Users\Janet\Desktop\ark.txt
2012-02-08 20:30 - 2012-02-08 20:30 - 0000000 ____D C:\Users\Janet\Desktop\gmer
2012-02-08 20:29 - 2012-02-08 20:29 - 0294216 ____A C:\Users\Janet\Desktop\gmer.zip
2012-02-08 20:28 - 2012-02-08 20:28 - 0016336 ____A C:\Users\Janet\Desktop\DDS.txt
2012-02-08 20:28 - 2012-02-08 20:28 - 0010432 ____A C:\Users\Janet\Desktop\Attach.txt
2012-02-08 20:25 - 2012-02-08 20:25 - 0607260 ____R (Swearware) C:\Users\Janet\Desktop\dds.scr
2012-02-08 20:24 - 2012-02-08 20:24 - 0050477 ____A C:\Users\Janet\Desktop\Defogger.exe
2012-02-08 20:24 - 2012-02-08 20:24 - 0000000 ____A C:\Users\Janet\defogger_reenable
2012-02-08 20:24 - 2010-08-14 10:30 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-02-08 20:24 - 2010-08-13 14:04 - 0000000 ____D C:\users\Janet
2012-02-08 11:21 - 2012-02-08 11:21 - 4733440 ____A (AVAST Software) C:\Users\Janet\Desktop\aswMBR.exe
2012-02-08 11:18 - 2012-02-08 11:18 - 0034890 ____A C:\Users\Janet\Desktop\MbrScan.log
2012-02-08 11:18 - 2012-02-08 11:18 - 0000512 ____A C:\Users\Janet\Desktop\Dump_Hdd1_DR1.mbr
2012-02-08 11:18 - 2012-02-08 11:18 - 0000512 ____A C:\Users\Janet\Desktop\Dump_Hdd0_DR0.mbr
2012-02-08 11:17 - 2012-02-08 11:17 - 0146944 ____A (Eric_71) C:\Users\Janet\Desktop\MbrScan.exe
2012-02-08 11:15 - 2012-02-08 11:15 - 0011362 ____A C:\Users\Janet\Desktop\gmer.log
2012-02-08 10:32 - 2012-02-08 10:32 - 0000000 ____A C:\Users\Janet\Desktop\gmeer.log
2012-02-06 19:10 - 2012-02-06 19:10 - 0302592 ____A C:\Users\Janet\Desktop\utvz3xoh.exe
2012-02-06 19:03 - 2012-02-06 19:03 - 0396041 ____A C:\Users\Janet\Desktop\MiniToolBox.exe
2012-02-06 19:01 - 2011-12-14 20:28 - 0000656 ____A C:\rkill.log
2012-02-06 17:03 - 2012-02-06 17:03 - 0283202 ____A C:\Users\Janet\Desktop\baseball ad form.docx
2012-02-04 20:10 - 2011-01-29 14:01 - 0000000 ____D C:\Users\Janet\My Documents\HRBlock
2012-02-04 20:10 - 2011-01-29 14:01 - 0000000 ____D C:\Users\Janet\Documents\HRBlock
2012-02-04 20:09 - 2010-10-26 14:09 - 0000000 ____D C:\Users\Janet\Application Data\TaxCut
2012-02-04 20:09 - 2010-10-26 14:09 - 0000000 ____D C:\Users\Janet\AppData\Roaming\TaxCut
2012-02-04 20:04 - 2010-10-26 14:09 - 0000000 ____D C:\Users\All Users\TaxCut
2012-02-04 20:04 - 2010-10-26 14:09 - 0000000 ____D C:\Users\All Users\Application Data\TaxCut
2012-02-04 20:04 - 2010-10-26 14:09 - 0000000 ____D C:\ProgramData\TaxCut
2012-02-03 22:29 - 2012-02-03 22:29 - 0019507 ____A C:\Users\Janet\Desktop\tball schedule.xlsx
2012-01-23 09:50 - 2011-12-19 21:48 - 0000000 ____D C:\HSM
2012-01-23 09:01 - 2012-01-23 09:01 - 0000311 ____A C:\Users\Janet\eBridge Solutions Viewer.ini
2012-01-23 09:01 - 2012-01-23 09:01 - 0000000 ____D C:\Users\Janet\AppData\Local\Apps\2.0
2012-01-12 21:20 - 2012-01-12 21:20 - 0013344 ____A C:\Windows\SysWOW64\hs_err_pid4472.log
2012-01-03 18:43 - 2012-01-03 18:41 - 0011438 __ASH C:\Users\Janet\Local Settings\Application Data\0cs43l6qn1
2012-01-03 18:43 - 2012-01-03 18:41 - 0011438 __ASH C:\Users\Janet\Local Settings\0cs43l6qn1
2012-01-03 18:43 - 2012-01-03 18:41 - 0011438 __ASH C:\Users\Janet\AppData\Local\0cs43l6qn1
2012-01-03 18:43 - 2012-01-03 18:41 - 0011438 __ASH C:\Users\All Users\Application Data\0cs43l6qn1
2012-01-03 18:43 - 2012-01-03 18:41 - 0011438 __ASH C:\Users\All Users\0cs43l6qn1
2012-01-03 18:43 - 2012-01-03 18:41 - 0011438 __ASH C:\ProgramData\0cs43l6qn1
2012-01-02 19:50 - 2012-01-02 19:50 - 0085032 ____A C:\Users\Janet\Desktop\Tinkerbell-Closeup.jpg
2011-12-25 07:12 - 2010-10-26 11:27 - 0000000 ____D C:\Users\Janet\Application Data\Skype
2011-12-25 07:12 - 2010-10-26 11:27 - 0000000 ____D C:\Users\Janet\AppData\Roaming\Skype
2011-12-24 19:12 - 2011-12-24 19:12 - 0000000 ___RD C:\Program Files (x86)\Skype
2011-12-24 19:09 - 2011-12-24 19:09 - 0980616 ____A (Skype Technologies S.A.) C:\Users\Janet\Downloads\SkypeSetup.exe
2011-12-24 08:17 - 2011-12-24 08:17 - 0000000 ____A C:\Users\All Users\mDI05aIW.dat
2011-12-24 08:17 - 2011-12-24 08:17 - 0000000 ____A C:\Users\All Users\Application Data\mDI05aIW.dat
2011-12-24 08:17 - 2011-12-24 08:17 - 0000000 ____A C:\ProgramData\mDI05aIW.dat
2011-12-19 21:45 - 2011-12-19 21:45 - 0715038 ____A C:\Windows\unins000.exe
2011-12-19 21:45 - 2011-12-19 21:45 - 0003593 ____A C:\Windows\unins000.dat
2011-12-19 21:45 - 2011-12-19 21:45 - 0000000 ____D C:\Users\All Users\eBridge
2011-12-19 21:45 - 2011-12-19 21:45 - 0000000 ____D C:\Users\All Users\Application Data\eBridge
2011-12-19 21:45 - 2011-12-19 21:45 - 0000000 ____D C:\ProgramData\eBridge
2011-12-19 21:45 - 2011-12-19 21:45 - 0000000 ____D C:\Program Files (x86)\eBridge
2011-12-14 21:23 - 2011-12-14 21:23 - 0000000 ____A C:\Windows\setuperr.log
2011-12-14 20:31 - 2011-12-14 20:31 - 0000000 ____D C:\Users\Janet\Application Data\Malwarebytes
2011-12-14 20:31 - 2011-12-14 20:31 - 0000000 ____D C:\Users\Janet\AppData\Roaming\Malwarebytes
2011-12-14 20:31 - 2011-12-14 20:31 - 0000000 ____D C:\Users\All Users\Malwarebytes
2011-12-14 20:31 - 2011-12-14 20:31 - 0000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2011-12-14 20:31 - 2011-12-14 20:31 - 0000000 ____D C:\ProgramData\Malwarebytes
2011-12-14 20:27 - 2011-12-14 20:27 - 1008141 ____A C:\Users\Janet\Desktop\rkill.com
2011-12-14 20:14 - 2011-12-14 19:55 - 0013182 __ASH C:\Users\Janet\Local Settings\Application Data\370173d2u587h743k306j0xyi3v8
2011-12-14 20:14 - 2011-12-14 19:55 - 0013182 __ASH C:\Users\Janet\Local Settings\370173d2u587h743k306j0xyi3v8
2011-12-14 20:14 - 2011-12-14 19:55 - 0013182 __ASH C:\Users\Janet\AppData\Local\370173d2u587h743k306j0xyi3v8
2011-12-14 20:14 - 2011-12-14 19:55 - 0013182 __ASH C:\Users\All Users\Application Data\370173d2u587h743k306j0xyi3v8
2011-12-14 20:14 - 2011-12-14 19:55 - 0013182 __ASH C:\Users\All Users\370173d2u587h743k306j0xyi3v8
2011-12-14 20:14 - 2011-12-14 19:55 - 0013182 __ASH C:\ProgramData\370173d2u587h743k306j0xyi3v8
2011-12-14 20:04 - 2011-08-10 08:06 - 0000000 ____D C:\Windows\Minidump
2011-12-14 20:04 - 2010-12-21 17:05 - 0000000 ____D C:\Users\Janet\Application Data\Azureus
2011-12-14 20:04 - 2010-12-21 17:05 - 0000000 ____D C:\Users\Janet\AppData\Roaming\Azureus
2011-12-14 19:55 - 2011-12-14 19:55 - 0000000 ____D C:\Windows\system64
2011-12-14 19:55 - 2009-07-13 23:37 - 0000000 ____D C:\Windows\SysWOW64\sysprep
2011-12-11 21:13 - 2011-12-11 21:13 - 0000000 ____D C:\Users\Janet\Local Settings\Application Data\{730D6AB7-BDA6-48B8-A566-96646E397AC5}
2011-12-11 21:13 - 2011-12-11 21:13 - 0000000 ____D C:\Users\Janet\Local Settings\{730D6AB7-BDA6-48B8-A566-96646E397AC5}
2011-12-11 21:13 - 2011-12-11 21:13 - 0000000 ____D C:\Users\Janet\AppData\Local\{730D6AB7-BDA6-48B8-A566-96646E397AC5}
2011-12-11 21:12 - 2011-12-11 21:12 - 0000000 ____D C:\Users\Janet\Local Settings\Application Data\{BD9DC2D9-0677-4662-B0A2-4053BA9D2148}
2011-12-11 21:12 - 2011-12-11 21:12 - 0000000 ____D C:\Users\Janet\Local Settings\{BD9DC2D9-0677-4662-B0A2-4053BA9D2148}
2011-12-11 21:12 - 2011-12-11 21:12 - 0000000 ____D C:\Users\Janet\AppData\Local\{BD9DC2D9-0677-4662-B0A2-4053BA9D2148}
2011-12-11 11:20 - 2011-06-08 07:36 - 0000000 ____D C:\Users\Janet\My Documents\Vuze Downloads
2011-12-11 11:20 - 2011-06-08 07:36 - 0000000 ____D C:\Users\Janet\Documents\Vuze Downloads
2011-12-11 11:15 - 2011-12-11 11:15 - 0000000 ____D C:\Users\Janet\.swt
2011-12-11 11:15 - 2011-12-11 11:15 - 0000000 ____D C:\Program Files (x86)\Yontoo Layers Runtime
2011-12-06 22:46 - 2009-07-13 21:20 - 0000000 ____D C:\Windows\System32\NDF
2011-11-24 20:49 - 2011-11-24 20:49 - 0000000 ____D C:\Users\Janet\Local Settings\Application Data\{354E395C-2297-46F3-8BB6-B34A606D5DBA}
2011-11-24 20:49 - 2011-11-24 20:49 - 0000000 ____D C:\Users\Janet\Local Settings\{354E395C-2297-46F3-8BB6-B34A606D5DBA}
2011-11-24 20:49 - 2011-11-24 20:49 - 0000000 ____D C:\Users\Janet\AppData\Local\{354E395C-2297-46F3-8BB6-B34A606D5DBA}
2011-11-24 19:10 - 2011-11-24 19:10 - 0000000 ____D C:\Users\Janet\Local Settings\Unity
2011-11-24 19:10 - 2011-11-24 19:10 - 0000000 ____D C:\Users\Janet\Local Settings\Application Data\Unity
2011-11-24 19:10 - 2011-11-24 19:10 - 0000000 ____D C:\Users\Janet\AppData\Local\Unity
2011-11-24 19:10 - 2010-08-13 14:04 - 0000000 ____D C:\Users\Janet\AppData\LocalLow
2011-11-24 18:27 - 2011-11-24 18:27 - 0000000 ____D C:\Users\Janet\Local Settings\Application Data\{0C7E93D1-14CE-40A8-A774-1C1BCD4D4321}
2011-11-24 18:27 - 2011-11-24 18:27 - 0000000 ____D C:\Users\Janet\Local Settings\{0C7E93D1-14CE-40A8-A774-1C1BCD4D4321}
2011-11-24 18:27 - 2011-11-24 18:27 - 0000000 ____D C:\Users\Janet\AppData\Local\{0C7E93D1-14CE-40A8-A774-1C1BCD4D4321}
2011-11-20 13:03 - 2011-11-20 13:03 - 0000093 ____A C:\Users\Janet\Local Settings\fusioncache.dat
2011-11-20 13:03 - 2011-11-20 13:03 - 0000093 ____A C:\Users\Janet\Local Settings\Application Data\fusioncache.dat
2011-11-20 13:03 - 2011-11-20 13:03 - 0000093 ____A C:\Users\Janet\AppData\Local\fusioncache.dat
2011-11-20 11:35 - 2010-08-13 14:04 - 0115328 ____A C:\Users\Janet\Local Settings\GDIPFONTCACHEV1.DAT
2011-11-20 11:35 - 2010-08-13 14:04 - 0115328 ____A C:\Users\Janet\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2011-11-20 11:35 - 2010-08-13 14:04 - 0115328 ____A C:\Users\Janet\AppData\Local\GDIPFONTCACHEV1.DAT
2011-11-20 11:27 - 2009-07-13 22:45 - 0435984 ____A C:\Windows\System32\FNTCACHE.DAT

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 3838.85 MB
Available physical RAM: 3270.95 MB
Total Pagefile: 3837 MB
Available Pagefile: 3260.89 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:212.91 GB) (Free:169.37 GB) NTFS
2 Drive d: (QBPRO2012R1) (CDROM) (Total:0.49 GB) (Free:0 GB) CDFS
3 Drive e: (RECOVERY) (Fixed) (Total:19.88 GB) (Free:14.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: (USB Disk) (Removable) (Total:7.45 GB) (Free:5.11 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 7648 MB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 19 GB 40 MB
Partition 3 Primary 212 GB 19 GB

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 39 MB Healthy Hidden

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 E RECOVERY NTFS Partition 19 GB Healthy

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 212 GB Healthy

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7647 MB 40 KB

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G USB Disk FAT32 Removable 7647 MB Healthy



==========================================================

Last Boot: 2012-02-09 20:37

======================= End Of Log ==========================

#19 User is offline   gringo_pr 

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 17 February 2012 - 09:38 PM

Hello

I want you to run this fix below, and when it is complete I want you to rerun ComboFix as soon as you are back in Windows.


Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

 
SubSystems: [Windows] ==> ZeroAccess
2 MREMP50a64; C:\Windows\System32\lpds.dll [6656 2009-07-13] (Oak Technology Inc.)
C:\Windows\System32\lpds.dll
0 achwwmoz; C:\Windows\System32\drivers\iqsj.sys [x]
0 umxmuf; C:\Windows\System32\drivers\nwscidrk.sys [x]
2012-02-15 13:17 - 2012-02-15 13:17 - 0061440 ____A C:\Windows\SysWOW64\Drivers\iqsj.sys
2012-02-15 13:17 - 2012-02-15 13:17 - 0000484 ____A C:\oyeexnd.txt
2012-02-15 13:14 - 2012-02-15 13:14 - 0061440 ____A C:\Windows\SysWOW64\Drivers\nwscidrk.sys
2012-02-15 13:14 - 2012-02-15 13:14 - 0000484 ____A C:\Windows\SysWOW64\lmwh.txt
2012-02-16 20:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At44.job
2012-02-16 20:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At43.job
2012-02-16 19:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At42.job
2012-02-16 19:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At41.job
2012-02-16 15:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At34.job
2012-02-16 15:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At33.job
2012-02-16 14:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At32.job
2012-02-16 14:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At31.job
2012-02-16 13:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At30.job
2012-02-16 13:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At29.job
2012-02-16 12:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At28.job
2012-02-16 12:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At27.job
2012-02-16 11:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At26.job
2012-02-16 11:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At25.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At8.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At24.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At22.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At20.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At18.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At16.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At14.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At12.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At10.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At9.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At7.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At23.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At21.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At19.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At17.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At15.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At13.job
2012-02-16 11:06 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At11.job
2012-02-16 01:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At6.job
2012-02-16 01:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At5.job
2012-02-16 00:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At4.job
2012-02-16 00:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At3.job
2012-02-15 23:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At2.job
2012-02-15 23:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At1.job
2012-02-15 22:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At48.job
2012-02-15 22:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At47.job
2012-02-15 21:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At46.job
2012-02-15 21:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At45.job
2012-02-15 21:05 - 2012-02-05 08:17 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-02-15 18:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At40.job
2012-02-15 18:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At39.job
2012-02-15 17:47 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At38.job
2012-02-15 17:47 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At37.job
2012-02-15 16:51 - 2011-12-24 08:17 - 0000350 ____A C:\Windows\Tasks\At35.job
2012-02-15 16:49 - 2011-12-24 08:17 - 0000352 ____A C:\Windows\Tasks\At36.job
2011-12-11 11:15 - 2011-12-11 11:15 - 0000000 ____D C:\Program Files (x86)\Yontoo Layers Runtime


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#20 User is offline   MAMABOST 

  • Member
  • Group: Members
  • Posts: 22
  • Joined: 04-February 12

Posted 17 February 2012 - 09:43 PM

How do I run the fix?

#21 User is offline   gringo_pr 

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 17 February 2012 - 09:45 PM

Quote

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt


#22 User is offline   MAMABOST 

  • Member
  • Group: Members
  • Posts: 22
  • Joined: 04-February 12

Posted 17 February 2012 - 09:48 PM

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 17-02-2012 (L)
Ran by SYSTEM at 2012-02-17 19:46:19 R:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
MREMP50a64 service deleted successfully.
C:\Windows\System32\lpds.dll moved successfully.
achwwmoz service deleted successfully.
umxmuf service deleted successfully.
C:\Windows\SysWOW64\Drivers\iqsj.sys moved successfully.
C:\oyeexnd.txt moved successfully.
C:\Windows\SysWOW64\Drivers\nwscidrk.sys moved successfully.
C:\Windows\SysWOW64\lmwh.txt moved successfully.
C:\Windows\Tasks\At44.job moved successfully.
C:\Windows\Tasks\At43.job moved successfully.
C:\Windows\Tasks\At42.job moved successfully.
C:\Windows\Tasks\At41.job moved successfully.
C:\Windows\Tasks\At34.job moved successfully.
C:\Windows\Tasks\At33.job moved successfully.
C:\Windows\Tasks\At32.job moved successfully.
C:\Windows\Tasks\At31.job moved successfully.
C:\Windows\Tasks\At30.job moved successfully.
C:\Windows\Tasks\At29.job moved successfully.
C:\Windows\Tasks\At28.job moved successfully.
C:\Windows\Tasks\At27.job moved successfully.
C:\Windows\Tasks\At26.job moved successfully.
C:\Windows\Tasks\At25.job moved successfully.
C:\Windows\Tasks\At8.job moved successfully.
C:\Windows\Tasks\At24.job moved successfully.
C:\Windows\Tasks\At22.job moved successfully.
C:\Windows\Tasks\At20.job moved successfully.
C:\Windows\Tasks\At18.job moved successfully.
C:\Windows\Tasks\At16.job moved successfully.
C:\Windows\Tasks\At14.job moved successfully.
C:\Windows\Tasks\At12.job moved successfully.
C:\Windows\Tasks\At10.job moved successfully.
C:\Windows\Tasks\At9.job moved successfully.
C:\Windows\Tasks\At7.job moved successfully.
C:\Windows\Tasks\At23.job moved successfully.
C:\Windows\Tasks\At21.job moved successfully.
C:\Windows\Tasks\At19.job moved successfully.
C:\Windows\Tasks\At17.job moved successfully.
C:\Windows\Tasks\At15.job moved successfully.
C:\Windows\Tasks\At13.job moved successfully.
C:\Windows\Tasks\At11.job moved successfully.
C:\Windows\Tasks\At6.job moved successfully.
C:\Windows\Tasks\At5.job moved successfully.
C:\Windows\Tasks\At4.job moved successfully.
C:\Windows\Tasks\At3.job moved successfully.
C:\Windows\Tasks\At2.job moved successfully.
C:\Windows\Tasks\At1.job moved successfully.
C:\Windows\Tasks\At48.job moved successfully.
C:\Windows\Tasks\At47.job moved successfully.
C:\Windows\Tasks\At46.job moved successfully.
C:\Windows\Tasks\At45.job moved successfully.
C:\Windows\System32\dds_trash_log.cmd moved successfully.
C:\Windows\Tasks\At40.job moved successfully.
C:\Windows\Tasks\At39.job moved successfully.
C:\Windows\Tasks\At38.job moved successfully.
C:\Windows\Tasks\At37.job moved successfully.
C:\Windows\Tasks\At35.job moved successfully.
C:\Windows\Tasks\At36.job moved successfully.
C:\Program Files (x86)\Yontoo Layers Runtime moved successfully.

==== End of Fixlog ====

#23 User is offline   MAMABOST 

  • Member
  • Group: Members
  • Posts: 22
  • Joined: 04-February 12

Posted 17 February 2012 - 09:55 PM

The computer is not letting me do anything. Everything I click on gives me a security warning, "Infected by W32/blaster.worm. Please activate internet security to protect your computer."

#24 User is offline   MAMABOST 

  • Member
  • Group: Members
  • Posts: 22
  • Joined: 04-February 12

Posted 17 February 2012 - 10:01 PM

Got ComboFix to run in Safe Mode.

#25 User is offline   gringo_pr 

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 17 February 2012 - 10:10 PM

When it completes, let me have the report.


gringo

#26 User is offline   MAMABOST 

  • Member
  • Group: Members
  • Posts: 22
  • Joined: 04-February 12

Posted 18 February 2012 - 04:44 PM

ComboFix is still not working, and I keep getting a message saying that Windows Explorer has stopped working. Would it be better for me to just reformat my hard drive? The only problem I would have with that is I don't know where my boot disks are. There is nothing on there I need to save, as I keep all my important docs and files on my external hard drive.

#27 User is offline   gringo_pr 

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 18 February 2012 - 09:25 PM

Hello

OK, let's try this: I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.


After ComboFix has finished its scan, please post the report back here.

Gringo

#28 User is offline   gringo_pr 

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 21 February 2012 - 01:41 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


Gringo

#29 User is offline   gringo_pr 

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 24 February 2012 - 12:37 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
