Kryptik.jdi and Sirefef/CH Infections?


27 replies to this topic

#1 Anonymousse

Posted 08 November 2011 - 03:55 AM

Yesterday, Nod32 alerted me that it had found a few infections and that it had automatically cleaned them. However, every time I boot up my computer, it informs me that Sirefef.CH was detected in startup files and has been automatically cleaned, while a reboot is necessary. So, the first couple of times I saw this, I rebooted my computer; however, nothing seems to have changed. The same message pops up every time I start up my computer.

Startup is noticeably slower than usual, with my desktop background beginning as plain black before the actual image loads. Sometimes my desktop icons take time to load as well.

I ran a scan with Nod32, it found the same infections and as always claims it cleaned them. I forgot to save the log so I'm running another scan now, after which I will post the log.
The scan has just started, but this is already in the log: "Operating memory » C:\Windows\assembly\GAC_MSIL\Desktop.ini - a variant of Win32/Sirefef.CH trojan - cleaned by deleting (after the next restart)"
Which is basically the same message I get every time I start my computer.

Another odd issue is that some seemingly random websites won't load; however, I know they are not down according to isup.me. An example of this is www.solomid.net, a website about the popular online game League of Legends which I previously visited quite often. However, now, trying to load this website simply does nothing - as if the website were down or my internet connection was not working.

Furthermore, often when trying to visit sites that pertain to these infections (I have been googling for solutions/information) this strange striking search system page comes up first and I have to manually go to the address bar to reload the page before the actual page comes up. Attached a screenshot of the page. I assume this is also part of the infection.

I also ran TDSSkiller.exe to try to solve the problem; similar to Nod32, it said it neutralized 3 threats but the problems are still here.

My computer seems to be running a lot slower than usual as well.

I figured I should probably use something like ComboFix to solve this; however, I don't really know how to use it, so I guess the best option would be to wait for some advice/help beforehand.

Thanks in advance.

EDIT: I just ran defogger, and also here are the DDS logs. Gmer crashes partway through scanning so I cannot get logs from that; I did follow all the instructions listed in the preparation guide topic.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24
Run by Evan at 17:43:56 on 2011-11-08
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.3327.1392 [GMT 8:00]
.
AV: ESET Smart Security 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET Smart Security 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\mqsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tunngle\TnglCtrl.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Launchy\Launchy.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\FlyVPN\FlyVPN.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Mozilla Firefox\plugin-container.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.pmang.com/
uInternet Settings,ProxyOverride = *.local
uWinlogon: Shell=c:\users\evan\appdata\local\2e6d488a\X
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [<NO NAME>]
StartupFolder: c:\users\evan\appdata\roaming\micros~1\windows\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: c:\program files\flyvpn\FlyVPNBind.dll
LSP: c:\windows\system32\xunyount.dll
LSP: mswsock.dll
LSP: c:\windows\system32\ASProxy.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {93C449FA-ECFB-402F-A8C7-37E4F8D60E49} - hxxp://dl.pmang.com/common/pmangctl/pmangax.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: Interfaces\{93A13AB7-5F7D-46A7-8CB1-4A2EFCBB335F} : NameServer = 202.106.195.68,202.106.46.151
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\evan\appdata\roaming\mozilla\firefox\profiles\6axanmt5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - www.facebook.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\evan\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\users\evan\appdata\roaming\mozilla\plugins\npoctoshape.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-11-26 176128]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-9-11 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-9-11 38240]
R2 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2010-11-11 712192]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-9-8 6381056]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-9-8 221696]
R3 bmnadapter;BM Win32 Network Adapter;c:\windows\system32\drivers\bmnet.sys [2011-9-3 32768]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-2-6 189440]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2010-11-11 27136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ASOVPNHelper;Astrill OpenVPN Service;c:\program files\astrill\ASOvpnSvc.exe [2011-9-7 432880]
S3 ASProxy;ASProxy;c:\program files\astrill\ASProxy.exe [2011-9-7 1856936]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-10-31 101120]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TesSafe;TesSafe;c:\windows\system32\TesSafe.sys [2011-8-10 541824]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-16 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-10 1343400]
.
=============== File Associations ===============
.
regfile="regedit.exe" "%1"
.
=============== Created Last 30 ================
.
2011-11-08 08:38:52 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ec2cd731-69a3-4512-84e0-4606aad15633}\offreg.dll
2011-11-08 08:28:05 -------- d-----w- c:\users\evan\appdata\local\{B9FB368D-721B-4215-96BC-E10FAE0B4592}
2011-11-08 08:27:51 -------- d-----w- c:\users\evan\appdata\local\{8F302DF8-5223-4191-A8F6-32DBC6870430}
2011-11-08 08:26:30 -------- d-----w- c:\users\evan\appdata\local\{30962194-7DF5-4917-A1F8-C30BDF71885E}
2011-11-08 08:25:12 -------- d-----w- c:\users\evan\appdata\local\{A18D01A8-799D-4D5E-870F-304ADE1DA00C}
2011-11-08 08:04:10 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ec2cd731-69a3-4512-84e0-4606aad15633}\mpengine.dll
2011-11-08 08:00:58 -------- d-----w- c:\users\evan\appdata\local\{22047B32-1FDA-4C9B-9F9F-74E1B238136F}
2011-11-08 08:00:44 -------- d-----w- c:\users\evan\appdata\local\{9A9FB1BB-F034-4556-BBBC-B98DF80F0BE6}
2011-11-07 17:02:21 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-11-07 16:08:10 -------- d-----w- c:\users\evan\appdata\local\{02C86BFC-55C6-4628-A4D7-40A0DC6686F8}
2011-11-07 15:38:04 -------- d-sh--w- c:\users\evan\appdata\local\2e6d488a
2011-11-07 14:05:42 -------- d-----w- c:\users\evan\appdata\local\{F04CFDDF-FEA1-4766-A20B-4E8A66E83BFC}
2011-11-07 14:05:28 -------- d-----w- c:\users\evan\appdata\local\{1A680379-FB7F-4619-A87B-7F941A767F65}
2011-11-07 08:08:45 -------- d-----w- c:\users\evan\appdata\local\{3D46F70C-0953-491A-ACB8-90AD5802FD4C}
2011-11-06 14:17:01 -------- d-----w- c:\program files\xunyou
2011-11-06 07:28:17 -------- d-----w- c:\users\evan\appdata\local\{27544AB3-AA06-40F6-AFB1-74E0AD331F3B}
2011-11-06 07:28:03 -------- d-----w- c:\users\evan\appdata\local\{5CA76E3F-4028-43BC-B5CB-0B078AC8303F}
2011-11-04 10:18:36 -------- d-----w- c:\users\evan\appdata\local\{41C82C7A-DA76-4019-AC22-48444FE1660C}
2011-11-03 10:18:41 -------- d-----w- c:\users\evan\appdata\local\{4DDB42B1-8A28-4598-AFA6-D2DE257758B3}
2011-11-02 08:00:00 -------- d-----w- c:\users\evan\appdata\local\{52D5C799-A7D0-4732-B058-A27F4F0286A0}
2011-11-02 07:59:47 -------- d-----w- c:\users\evan\appdata\local\{37370193-8EC6-462D-909C-0288677576ED}
2011-11-01 09:18:51 -------- d-----w- c:\users\evan\appdata\local\{BBFF32CA-F882-4337-B119-10EC55A064C8}
2011-11-01 09:18:37 -------- d-----w- c:\users\evan\appdata\local\{B65EFD27-4851-41E9-BD76-D1ADBC16B461}
2011-10-31 12:12:27 -------- d-----w- c:\users\evan\appdata\roaming\Mobile Card
2011-10-31 12:11:31 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-10-31 12:11:31 201168 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-10-31 12:11:31 103168 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-10-31 12:11:31 101120 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2011-10-31 12:10:51 -------- d-----w- c:\program files\Mobile Card
2011-10-31 12:10:43 -------- d-----w- C:\InstallC112
2011-10-31 08:06:59 -------- d-----w- c:\users\evan\appdata\local\{B9D39BF1-9D79-49D3-986F-6195360A8162}
2011-10-31 08:06:59 -------- d-----w- c:\users\evan\appdata\local\{33C1D636-D40D-41B6-A9C6-F1062A6929A3}
2011-10-28 08:09:10 -------- d-----w- c:\users\evan\appdata\local\{DDA89022-AEAA-4869-9C34-3746ADA770B8}
2011-10-28 08:08:54 -------- d-----w- c:\users\evan\appdata\local\{ACCEABC4-D60C-4D07-BBFC-85EFE99A4C6E}
2011-10-26 21:58:40 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
2011-10-25 07:17:59 -------- d-----w- c:\users\evan\appdata\local\{D80E2618-4843-45E6-ADEF-38348DFA6464}
2011-10-25 07:17:41 -------- d-----w- c:\users\evan\appdata\local\{1E49EA03-0BF2-4F7D-8ED9-C05730D04592}
2011-10-23 13:10:16 -------- d-----w- c:\users\evan\appdata\local\{69A8D241-635D-45E7-A5F4-B5535BCB6A8D}
2011-10-23 13:10:03 -------- d-----w- c:\users\evan\appdata\local\{F05E57A8-F9FF-44A6-BF3D-A3778265509A}
2011-10-23 12:53:54 -------- d-----w- c:\windows\en
2011-10-23 11:06:17 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-10-23 11:06:17 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-10-23 11:06:16 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-10-23 11:06:01 94040 ----a-w- c:\program files\common files\windows live\.cache\bf84c3321cc917302\DSETUP.dll
2011-10-23 11:06:01 525656 ----a-w- c:\program files\common files\windows live\.cache\bf84c3321cc917302\DXSETUP.exe
2011-10-23 11:06:01 1691480 ----a-w- c:\program files\common files\windows live\.cache\bf84c3321cc917302\dsetup32.dll
2011-10-23 11:05:41 94040 ----a-w- c:\program files\common files\windows live\.cache\b34a171b1cc917301\DSETUP.dll
2011-10-23 11:05:41 525656 ----a-w- c:\program files\common files\windows live\.cache\b34a171b1cc917301\DXSETUP.exe
2011-10-23 11:05:41 1691480 ----a-w- c:\program files\common files\windows live\.cache\b34a171b1cc917301\dsetup32.dll
2011-10-13 07:26:53 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-13 07:26:53 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-13 07:26:41 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-13 07:26:41 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-10-13 07:20:24 2334720 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2011-10-31 06:50:42 120600 ----a-w- c:\windows\system32\xunyount.dll
2011-10-01 02:42:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-04 09:13:23 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-09-04 09:13:23 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-09-04 09:13:23 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-08-20 04:31:05 981504 ----a-w- c:\windows\system32\wininet.dll
2011-08-18 09:39:47 1290240 ----a-w- c:\windows\system\rads_user_kernel.exe
2011-08-13 09:42:18 371112 ----a-w- c:\windows\system32\ASProxy.dll
.
============= FINISH: 17:44:42.74 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 08/07/2010 4:13:44 PM
System Uptime: 08/11/2011 4:36:22 PM (1 hours ago)
.
Motherboard: PEGATRON CORPORATION | | EVANS
Processor: Intel® Core™2 Quad CPU Q8400 @ 2.66GHz | CPU 1 | 2670/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 924 GiB total, 538.646 GiB free.
D: is FIXED (NTFS) - 8 GiB total, 1.383 GiB free.
E: is CDROM (CDFS)
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0000
Manufacturer: LogMeIn, Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0000
Service: hamachi
.
==== System Restore Points ===================
.
RP262: 23/10/2011 7:03:28 PM - CheckIfInstallerIsBusy
RP264: 23/10/2011 7:04:33 PM - Windows Live Essentials
RP266: 23/10/2011 7:05:42 PM - Installed DirectX
RP268: 23/10/2011 7:06:02 PM - Installed DirectX
RP269: 23/10/2011 7:06:52 PM - WLSetup
RP270: 25/10/2011 3:19:30 PM - Windows Update
RP271: 28/10/2011 2:26:32 AM - Windows Update
RP272: 02/11/2011 4:00:31 PM - Windows Update
RP273: 05/11/2011 5:19:32 PM - Windows Update
.
==== Installed Programs ======================
.
.
´©Ô½»ðÏß
°ÔÀÓÅå
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.4
Album Art Downloader XUI 0.37.1
Alien Swarm
AMD Drag and Drop Transcoding
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Astrill
ATI Catalyst Install Manager
µTorrent
Audacity 1.2.6
Bandisoft MPEG-1 Decoder
Bloodline Champions Beta
Bonjour
CamStudio
Canon Easy-WebPrint EX
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MP Navigator EX 3.0
Canon MP270 series MP Drivers
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Cheat Engine 5.6.1
Counter-Strike 1.6
Curse Client
ѸÓÎ
D3DX10
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Defraggler
Deus Ex - Human Revolution version 1.0
Diablo II
DirectX for Managed Code Update (Summer 2004)
DivX Setup
Dual-Core Optimizer
DVD Menu Pack for HP MediaSmart Video
EasyBits GO
ESET Smart Security
FlyVPN
foobar2000 v1.0.3
Garena 2010
Google Chrome
Guitar Pro 5.2
Hamachi 1.0.1.5
Heroes of Newerth
HP Customer Experience Enhancements
HP MediaSmart DVD
HP MediaSmart Music/Photo/Video
HydraVision
ICCup Launcher
iTunes
Java Auto Updater
Java DB 10.5.3.0
Java™ 6 Update 24
Java™ SE Development Kit 6 Update 21
JDownloader
LabelPrint
Launchy 2.5
League of Legends
LightScribe System Software
ManyCam 2.5.48 (remove only)
MathType 6
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft Help Viewer 1.0
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server System CLR Types
Microsoft Visual Basic 2010 Express - ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
mIRC
Mobile Card
Moonbase Alpha
Movie Theme Pack for HP MediaSmart Video
Mozilla Firefox 7.0.1 (x86 en-GB)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nexon Game Manager
NVIDIA PhysX v8.10.29
Octoshape Streaming Services
Pando Media Booster
Plants vs. Zombies
Pokemon Online 0.9.95
Portal 2
Python 2.6
Python 2.6 PIL-1.1.7
QuickTime
Realtek High Definition Audio Driver
Recovery Manager
Recuva
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Visual Basic 2010 Express - ENU (KB2251489)
ShortKeys Lite
Skype™ 5.3
Spotify
Steam
SteelSeries Xai Laser Mouse
SuddenAttackNA
sXe Injected
Team Fortress 2
The Lord of the Rings FREE Trial
TortoiseSVN 1.6.15.21042 (32 bit)
Tunngle beta
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553092)
VC80CRTRedist - 8.0.50727.4053
Ventrilo Client
Vindictus
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
VLC media player 1.1.7
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Media Player Firefox Plugin
WinPcap 4.1.1
WinRAR archiver
WMV9/VC-1 Video Playback
World of Warcraft
.
==== Event Viewer Messages From Past Week ========
.
08/11/2011 4:25:06 PM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
08/11/2011 12:07:33 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147014847
07/11/2011 10:25:32 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{98F24F57-DCBC-496F-A625-4893CF420DEE} because another computer on the network has the same name. The server could not start.
07/11/2011 10:25:32 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{7F97C73E-C750-4A5D-AE22-21CC5D061732} because another computer on the network has the same name. The server could not start.
.
==== End Of File ===========================

edit 2: Disabling my antivirus while GMER was scanning fixed it. Unfortunately it makes my computer very slow while scanning, and I need to use my computer at the moment, so only a partial scan was finished. I'm going to set it scanning overnight so I can edit later with a full scan log.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-08 21:54:48
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST31000528AS rev.HP34
Running: gmer.exe; Driver: C:\Users\Evan\AppData\Local\Temp\axliapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82C4F349 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C88D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.PAGE1 C:\Windows\system32\drivers\afd.sys unknown last section [0x924BDA00, 0x100, 0xC0000040]
? C:\Windows\system32\drivers\afd.sys suspicious PE modification
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92C29000, 0x34203C, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Tunngle\TnglCtrl.exe[564] ntdll.dll!DbgBreakPoint 776D40F0 1 Byte [90]
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1832] kernel32.dll!SetUnhandledExceptionFilter 76F2F4FB 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4768] ntdll.dll!LdrLoadDll 777022B8 5 Bytes JMP 66C6FAE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4992] USER32.dll!SetWindowLongA 76FE8BA3 5 Bytes JMP 6702E349 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4992] USER32.dll!SetWindowLongW 76FF4449 5 Bytes JMP 6702E2DB C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4992] USER32.dll!GetWindowInfo 76FF4B5E 5 Bytes JMP 66DE89A7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4992] USER32.dll!TrackPopupMenu 77002228 5 Bytes JMP 66DE8F65 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[5804] kernel32.dll!SetUnhandledExceptionFilter 76F2F4FB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000005d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 924A2000-924B0000 (57344 bytes)
Module (noname) (*** hidden *** ) 9252D000-92536000 (36864 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:280] 925313E0
Thread System [4:284] 925313E0
Thread System [4:288] 925313E0
Thread System [4:292] 925313E0
Thread System [4:296] 86F43330
Thread System [4:300] 86F43330
Thread System [4:304] 86F43330
Thread System [4:308] 86F43330

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{51B909E5-D792-40E0-8CDA-B61A2821CAF0}\Connection@Name isatap.{7F97C73E-C750-4A5D-AE22-21CC5D061732}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{51B909E5-D792-40E0-8CDA-B61A2821CAF0}?\Device\{B9950E7E-F5B1-4D29-BF57-715CBD9B16C3}?\Device\{3F25E861-B04D-4EAF-9D31-D7A3023DBFF1}?\Device\{5B8A541D-FD75-46E3-AF68-3888D01A50D6}?\Device\{3EE076A5-C769-4F05-8A7C-E45657FB560C}?\Device\{D207518F-6F07-4186-81AC-D2D009AB3791}?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{51B909E5-D792-40E0-8CDA-B61A2821CAF0}"?"{B9950E7E-F5B1-4D29-BF57-715CBD9B16C3}"?"{3F25E861-B04D-4EAF-9D31-D7A3023DBFF1}"?"{5B8A541D-FD75-46E3-AF68-3888D01A50D6}"?"{3EE076A5-C769-4F05-8A7C-E45657FB560C}"?"{D207518F-6F07-4186-81AC-D2D009AB3791}"?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{51B909E5-D792-40E0-8CDA-B61A2821CAF0}?\Device\TCPIP6TUNNEL_{B9950E7E-F5B1-4D29-BF57-715CBD9B16C3}?\Device\TCPIP6TUNNEL_{3F25E861-B04D-4EAF-9D31-D7A3023DBFF1}?\Device\TCPIP6TUNNEL_{5B8A541D-FD75-46E3-AF68-3888D01A50D6}?\Device\TCPIP6TUNNEL_{3EE076A5-C769-4F05-8A7C-E45657FB560C}?\Device\TCPIP6TUNNEL_{D207518F-6F07-4186-81AC-D2D009AB3791}?
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{51B909E5-D792-40E0-8CDA-B61A2821CAF0}@InterfaceName isatap.{7F97C73E-C750-4A5D-AE22-21CC5D061732}
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{51B909E5-D792-40E0-8CDA-B61A2821CAF0}@ReusableType 0
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 25052
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 7909
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Evan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\迅游\迅游.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\迅游\迅游.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Evan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\迅游\卸载 迅游.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\迅游\卸载 迅游.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Evan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\迅游\修复LSP.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\迅游\修复LSP.lnk 1

---- EOF - GMER 1.0.15 ----


Edited by Anonymousse, 08 November 2011 - 08:56 AM.



#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,622 posts
  • Gender:Male

Posted 13 November 2011 - 04:00 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426871 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Anonymousse

  • Topic Starter
  • Members
  • 13 posts

Posted 13 November 2011 - 01:12 PM

Cleaned out some stuff with Malwarebytes, but some is still there. Sirefef.CH still comes up on Nod32, and I'm having some weird issues with slow internet at times as well as the same Google redirect thing.

This is the new DDS log, and attach.txt is attached:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24
Run by Evan at 2:04:59 on 2011-11-14
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.3327.1817 [GMT 8:00]
.
AV: ESET Smart Security 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET Smart Security 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\mqsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tunngle\TnglCtrl.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Launchy\Launchy.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\FlyVPN\FlyVPN.exe
C:\Windows\system32\DllHost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.pmang.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\evan\appdata\roaming\micros~1\windows\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: c:\windows\system32\xunyount.dll
LSP: c:\program files\flyvpn\FlyVPNBind.dll
LSP: mswsock.dll
LSP: c:\windows\system32\ASProxy.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {93C449FA-ECFB-402F-A8C7-37E4F8D60E49} - hxxp://dl.pmang.com/common/pmangctl/pmangax.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: Interfaces\{7F97C73E-C750-4A5D-AE22-21CC5D061732} : NameServer = 168.126.63.1 8.8.4.4
TCP: Interfaces\{93A13AB7-5F7D-46A7-8CB1-4A2EFCBB335F} : NameServer = 202.106.195.68,202.106.46.151
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\evan\appdata\roaming\mozilla\firefox\profiles\6axanmt5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - www.facebook.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\evan\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\users\evan\appdata\roaming\mozilla\plugins\npoctoshape.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-11-26 176128]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-9-11 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-9-11 38240]
R2 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2010-11-11 712192]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-9-8 6381056]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-9-8 221696]
R3 bmnadapter;BM Win32 Network Adapter;c:\windows\system32\drivers\bmnet.sys [2011-9-3 32768]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-2-6 189440]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2010-11-11 27136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ASOVPNHelper;Astrill OpenVPN Service;c:\program files\astrill\ASOvpnSvc.exe [2011-9-7 432880]
S3 ASProxy;ASProxy;c:\program files\astrill\ASProxy.exe [2011-9-7 1856936]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-10-31 101120]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TesSafe;TesSafe;c:\windows\system32\TesSafe.sys [2011-8-10 541824]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-16 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-10 1343400]
.
=============== Created Last 30 ================
.
2011-11-13 08:32:46 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0ca66907-3e22-4dd3-b93f-dcada70bf208}\offreg.dll
2011-11-11 14:08:36 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0ca66907-3e22-4dd3-b93f-dcada70bf208}\mpengine.dll
2011-11-09 22:30:52 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 22:30:50 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-09 22:30:50 2341888 ----a-w- c:\windows\system32\win32k.sys
2011-11-09 13:07:51 -------- d-----w- c:\users\evan\appdata\roaming\Malwarebytes
2011-11-09 13:07:43 -------- d-----w- c:\programdata\Malwarebytes
2011-11-09 13:07:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-09 13:07:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-08 08:28:05 -------- d-----w- c:\users\evan\appdata\local\{B9FB368D-721B-4215-96BC-E10FAE0B4592}
2011-11-08 08:27:51 -------- d-----w- c:\users\evan\appdata\local\{8F302DF8-5223-4191-A8F6-32DBC6870430}
2011-11-08 08:26:30 -------- d-----w- c:\users\evan\appdata\local\{30962194-7DF5-4917-A1F8-C30BDF71885E}
2011-11-08 08:25:12 -------- d-----w- c:\users\evan\appdata\local\{A18D01A8-799D-4D5E-870F-304ADE1DA00C}
2011-11-08 08:00:58 -------- d-----w- c:\users\evan\appdata\local\{22047B32-1FDA-4C9B-9F9F-74E1B238136F}
2011-11-08 08:00:44 -------- d-----w- c:\users\evan\appdata\local\{9A9FB1BB-F034-4556-BBBC-B98DF80F0BE6}
2011-11-07 17:02:21 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-11-07 16:08:10 -------- d-----w- c:\users\evan\appdata\local\{02C86BFC-55C6-4628-A4D7-40A0DC6686F8}
2011-11-07 15:38:04 -------- d-sh--w- c:\users\evan\appdata\local\2e6d488a
2011-11-07 14:05:42 -------- d-----w- c:\users\evan\appdata\local\{F04CFDDF-FEA1-4766-A20B-4E8A66E83BFC}
2011-11-07 14:05:28 -------- d-----w- c:\users\evan\appdata\local\{1A680379-FB7F-4619-A87B-7F941A767F65}
2011-11-07 08:08:45 -------- d-----w- c:\users\evan\appdata\local\{3D46F70C-0953-491A-ACB8-90AD5802FD4C}
2011-11-06 14:17:01 -------- d-----w- c:\program files\xunyou
2011-11-06 07:28:17 -------- d-----w- c:\users\evan\appdata\local\{27544AB3-AA06-40F6-AFB1-74E0AD331F3B}
2011-11-06 07:28:03 -------- d-----w- c:\users\evan\appdata\local\{5CA76E3F-4028-43BC-B5CB-0B078AC8303F}
2011-11-04 10:18:36 -------- d-----w- c:\users\evan\appdata\local\{41C82C7A-DA76-4019-AC22-48444FE1660C}
2011-11-03 10:18:41 -------- d-----w- c:\users\evan\appdata\local\{4DDB42B1-8A28-4598-AFA6-D2DE257758B3}
2011-11-02 08:00:00 -------- d-----w- c:\users\evan\appdata\local\{52D5C799-A7D0-4732-B058-A27F4F0286A0}
2011-11-02 07:59:47 -------- d-----w- c:\users\evan\appdata\local\{37370193-8EC6-462D-909C-0288677576ED}
2011-11-01 09:18:51 -------- d-----w- c:\users\evan\appdata\local\{BBFF32CA-F882-4337-B119-10EC55A064C8}
2011-11-01 09:18:37 -------- d-----w- c:\users\evan\appdata\local\{B65EFD27-4851-41E9-BD76-D1ADBC16B461}
2011-10-31 12:12:27 -------- d-----w- c:\users\evan\appdata\roaming\Mobile Card
2011-10-31 12:11:31 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-10-31 12:11:31 201168 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-10-31 12:11:31 103168 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-10-31 12:11:31 101120 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2011-10-31 12:10:51 -------- d-----w- c:\program files\Mobile Card
2011-10-31 12:10:43 -------- d-----w- C:\InstallC112
2011-10-31 08:06:59 -------- d-----w- c:\users\evan\appdata\local\{B9D39BF1-9D79-49D3-986F-6195360A8162}
2011-10-31 08:06:59 -------- d-----w- c:\users\evan\appdata\local\{33C1D636-D40D-41B6-A9C6-F1062A6929A3}
2011-10-28 08:09:10 -------- d-----w- c:\users\evan\appdata\local\{DDA89022-AEAA-4869-9C34-3746ADA770B8}
2011-10-28 08:08:54 -------- d-----w- c:\users\evan\appdata\local\{ACCEABC4-D60C-4D07-BBFC-85EFE99A4C6E}
2011-10-26 21:58:40 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
2011-10-25 07:17:59 -------- d-----w- c:\users\evan\appdata\local\{D80E2618-4843-45E6-ADEF-38348DFA6464}
2011-10-25 07:17:41 -------- d-----w- c:\users\evan\appdata\local\{1E49EA03-0BF2-4F7D-8ED9-C05730D04592}
2011-10-23 13:10:16 -------- d-----w- c:\users\evan\appdata\local\{69A8D241-635D-45E7-A5F4-B5535BCB6A8D}
2011-10-23 13:10:03 -------- d-----w- c:\users\evan\appdata\local\{F05E57A8-F9FF-44A6-BF3D-A3778265509A}
2011-10-23 12:53:54 -------- d-----w- c:\windows\en
2011-10-23 11:06:17 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-10-23 11:06:17 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-10-23 11:06:16 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-10-23 11:06:01 94040 ----a-w- c:\program files\common files\windows live\.cache\bf84c3321cc917302\DSETUP.dll
2011-10-23 11:06:01 525656 ----a-w- c:\program files\common files\windows live\.cache\bf84c3321cc917302\DXSETUP.exe
2011-10-23 11:06:01 1691480 ----a-w- c:\program files\common files\windows live\.cache\bf84c3321cc917302\dsetup32.dll
2011-10-23 11:05:41 94040 ----a-w- c:\program files\common files\windows live\.cache\b34a171b1cc917301\DSETUP.dll
2011-10-23 11:05:41 525656 ----a-w- c:\program files\common files\windows live\.cache\b34a171b1cc917301\DXSETUP.exe
2011-10-23 11:05:41 1691480 ----a-w- c:\program files\common files\windows live\.cache\b34a171b1cc917301\dsetup32.dll
.
==================== Find3M ====================
.
2011-10-31 06:50:42 120600 ----a-w- c:\windows\system32\xunyount.dll
2011-10-01 02:42:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-04 09:13:23 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-09-04 09:13:23 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-09-04 09:13:23 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-08-27 04:26:27 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-08-20 04:31:05 981504 ----a-w- c:\windows\system32\wininet.dll
2011-08-18 09:39:47 1290240 ----a-w- c:\windows\system\rads_user_kernel.exe
2011-08-17 04:24:12 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-08-17 04:19:27 75776 ----a-w- c:\windows\system32\psisrndr.ax
.
============= FINISH: 2:05:33.87 ===============


Will get a new GMER log soon


Edited by Anonymousse, 13 November 2011 - 01:20 PM.


#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 13 November 2011 - 04:54 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Anonymousse

  • Topic Starter
  • Members
  • 13 posts

Posted 14 November 2011 - 09:51 AM

Hi Gringo, thanks for the help.
I downloaded and ran Combofix; the first time I ran it, everything was going okay. When it got to the scanning for infected files portion, it notified me that I was infected with Rootkit.ZeroAccess and that if I had issues connecting to the internet after Combofix finished, I should restart my computer/re-run combofix if the issues persisted.
So I hit the OK button and waited. Combofix got stuck on the scanning for infected files step for a couple of hours with no progress at all, so I restarted my computer.
At this point I noticed my internet connection was broken but figured it would hopefully be fixed later after Combofix ran successfully.
So I ran Combofix again; this time it worked fine, and deleted some stuff. However, this time it never notified me of the ZeroAccess infection, it just went on as normal.
However, since my internet connection still wasn't working even after restarting, I ran combofix a third time since that's what it suggested. Unfortunately I didn't realize it would overwrite the original log if I did this... So I don't have the original log, but instead the log of the latest run.

My internet connection still isn't working. I know the connection itself is fine; I am writing this on my laptop, which is obviously connected to the same internet that my desktop usually uses. So something is wrong with the internet configuration on my desktop, and it seems that Combofix caused this.

Anyways, here is the Combofix log. I really need to get the internet problem fixed soon though. It seems quite odd that it tried to delete system32 ... Is something wrong?

EDIT: Some more info I forgot to add, concerning the internet connection. I tried the default Windows 7 Troubleshoot thing, which didn't fix the connection. Like I said earlier, the connection itself/router is fine since this laptop is able to connect to it. However, on my desktop, it shows Unidentified Network and no internet connection.

ComboFix 11-11-14.01 - Evan 14/11/2011 20:19:56.2.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.3327.2492 [GMT 8:00]
Running from: c:\users\Evan\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
FW: ESET Personal firewall *Disabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
SP: ESET Smart Security 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-10-14 to 2011-11-14 )))))))))))))))))))))))))))))))
.
.
2011-11-14 12:26 . 2011-11-14 12:28 -------- d-----w- c:\users\Evan\AppData\Local\temp
2011-11-14 12:26 . 2011-11-14 12:26 -------- d-----w- c:\users\Pop\AppData\Local\temp
2011-11-14 12:26 . 2011-11-14 12:26 -------- d-----w- c:\users\Mom\AppData\Local\temp
2011-11-14 12:26 . 2011-11-14 12:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-11 14:08 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0CA66907-3E22-4DD3-B93F-DCADA70BF208}\mpengine.dll
2011-11-09 22:30 . 2011-09-29 16:03 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 22:30 . 2011-10-01 04:37 708608 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-09 22:30 . 2011-09-29 03:37 2341888 ----a-w- c:\windows\system32\win32k.sys
2011-11-09 13:07 . 2011-11-09 13:07 -------- d-----w- c:\users\Evan\AppData\Roaming\Malwarebytes
2011-11-09 13:07 . 2011-11-09 13:07 -------- d-----w- c:\programdata\Malwarebytes
2011-11-09 13:07 . 2011-11-09 13:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-09 13:07 . 2011-08-31 09:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-07 17:02 . 2011-11-07 17:02 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-11-07 15:38 . 2011-11-14 12:07 -------- d-sh--w- c:\users\Evan\AppData\Local\2e6d488a
2011-11-06 14:17 . 2011-11-13 08:49 -------- d-----w- c:\program files\xunyou
2011-10-31 12:12 . 2011-10-31 12:12 -------- d-----w- c:\users\Evan\AppData\Roaming\Mobile Card
2011-10-31 12:11 . 2009-12-07 11:53 103168 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-10-31 12:11 . 2009-12-07 11:36 201168 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-10-31 12:11 . 2009-10-12 07:22 101120 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2011-10-31 12:11 . 2007-08-08 20:06 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-10-31 12:10 . 2011-10-31 12:11 -------- d-----w- c:\program files\Mobile Card
2011-10-31 12:10 . 2011-10-31 12:10 -------- d-----w- C:\InstallC112
2011-10-26 21:58 . 2011-08-13 04:18 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-23 12:53 . 2011-10-23 12:53 -------- d-----w- c:\windows\en
2011-10-23 11:06 . 2009-09-04 09:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-10-23 11:06 . 2009-09-04 09:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-10-23 11:06 . 2009-09-04 09:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-10-23 11:06 . 2011-10-23 11:06 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\bf84c3321cc917302\DSETUP.dll
2011-10-23 11:06 . 2011-10-23 11:06 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\bf84c3321cc917302\DXSETUP.exe
2011-10-23 11:06 . 2011-10-23 11:06 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\bf84c3321cc917302\dsetup32.dll
2011-10-23 11:05 . 2011-10-23 11:05 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\b34a171b1cc917301\DSETUP.dll
2011-10-23 11:05 . 2011-10-23 11:05 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\b34a171b1cc917301\DXSETUP.exe
2011-10-23 11:05 . 2011-10-23 11:05 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\b34a171b1cc917301\dsetup32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-14 12:27 . 2010-09-18 12:13 4194304 ----a-w- c:\windows\ServiceProfiles\NetworkService\msmqlog.bin
2011-10-31 06:50 . 2011-09-03 11:29 120600 ----a-w- c:\windows\system32\xunyount.dll
2011-10-23 11:07 . 2011-03-28 10:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-10-01 02:42 . 2011-10-13 07:34 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-04 09:13 . 2011-03-15 12:40 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-09-04 09:13 . 2011-03-15 12:40 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-09-04 09:13 . 2011-03-15 12:40 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-08-27 04:26 . 2011-10-13 07:26 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 04:26 . 2011-10-13 07:26 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-08-20 04:31 . 2011-10-13 07:34 981504 ----a-w- c:\windows\system32\wininet.dll
2011-08-18 09:39 . 2011-08-25 08:01 1290240 ----a-w- c:\windows\system\rads_user_kernel.exe
2011-08-17 04:24 . 2011-10-13 07:26 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-08-17 04:19 . 2011-10-13 07:26 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-11-10 21:23 . 2011-06-22 16:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-09-10 2054360]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
c:\users\Evan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2011-7-29 380928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKLM\~\startupfolder\C:^Users^Evan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\Evan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-07-26 18:10 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-17 16:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-10-10 06:17 136176 ----atw- c:\users\Evan\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2011-05-13 08:03 4283256 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 09:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-12-01 14:39 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ASOVPNHelper;Astrill OpenVPN Service;c:\program files\Astrill\ASOvpnSvc.exe [2011-08-13 432880]
R3 ASProxy;ASProxy;c:\program files\Astrill\ASProxy.exe [2011-08-13 1856936]
R3 GarenaPEngine;GarenaPEngine;c:\users\Evan\AppData\Local\Temp\JEMD0A.tmp [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\plugins\UI\safedrv.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-10-12 101120]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 PCDSRVC{4F253FFC-7957E8FC-06000000}_0;PCDSRVC{4F253FFC-7957E8FC-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc.pkms [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 vtany;vtany;c:\windows\vtany.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-10 1343400]
R3 xhunter1;xhunter1;c:\windows\xhunter1.sys [x]
R3 xspirit;xspirit;c:\users\Evan\AppData\Local\Temp\xspirit.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-09-10 108792]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-09-07 176128]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-09-10 735960]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-09-10 38240]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [2010-09-14 712192]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-09-07 6381056]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-09-07 221696]
S3 bmnadapter;BM Win32 Network Adapter;c:\windows\system32\DRIVERS\bmnet.sys [2010-07-23 32768]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-08-21 189440]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [2009-09-16 27136]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1743195445-1418676188-2939981509-1000Core.job
- c:\users\Evan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-10 06:17]
.
2011-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1743195445-1418676188-2939981509-1000UA.job
- c:\users\Evan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-10 06:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pmang.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
LSP: c:\windows\system32\xunyount.dll
LSP: c:\program files\FlyVPN\FlyVPNBind.dll
LSP: c:\windows\system32\ASProxy.dll
TCP: Interfaces\{93A13AB7-5F7D-46A7-8CB1-4A2EFCBB335F}: NameServer = 202.106.195.68,202.106.46.151
DPF: {93C449FA-ECFB-402F-A8C7-37E4F8D60E49} - hxxp://dl.pmang.com/common/pmangctl/pmangax.cab
FF - ProfilePath - c:\users\Evan\AppData\Roaming\Mozilla\Firefox\Profiles\6axanmt5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - www.facebook.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GarenaPEngine]
"ImagePath"="\??\c:\users\Evan\AppData\Local\Temp\JEMD0A.tmp"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{4F253FFC-7957E8FC-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2812)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\windows\system32\WUDFHost.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnscfg.exe
.
**************************************************************************
.
Completion time: 2011-11-14 20:30:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-14 12:30
ComboFix2.txt 2011-11-14 12:12
.
Pre-Run: 561,103,163,392 bytes free
Post-Run: 561,021,845,504 bytes free
.
- - End Of File - - DFB8AB373A32418E28DB5431812093F6

Edited by Anonymousse, 14 November 2011 - 10:04 AM.
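As an added example that is not part of this thread (not ComboFix's code, nor anything either poster ran), here is a small Python triage script for the kind of ComboFix "Reg Loading Points" output shown above. It flags the three things a responder would pull out of this log: UAC policy values that turn the elevation prompt off, drivers or services whose image has no date/size stamp ([x]) or lives under a Temp folder, and Winsock LSP DLLs, which matter when the network stops working after a cleanup. The sample lines are copied from the log in this thread; the regular expressions are this example's reading of ComboFix's line format, not a documented grammar.

```python
"""Triage of ComboFix 'Reg Loading Points' output (added example, not part of the thread).

Flags three things a responder looks for in a log like the one posted above:
  * UAC policy values that disable or weaken the elevation prompt,
  * drivers/services with no date/size stamp ([x]) or an image under a Temp folder,
  * Winsock LSP DLLs, which matter when the network stops working after a cleanup.
The regexes are this example's reading of ComboFix's line format, not a documented grammar.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Windows 7 default values for the UAC policy names ComboFix prints; anything else is reported.
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# '"Name"= 0 (0x0)'  -- policy values under ...\policies\system
UAC_RE = re.compile(r'^"(\w+)"=\s*(\d+)\s+\(0x[0-9a-fA-F]+\)$')
# 'R3 name;display;path [x]'  or  'S2 name;display;path [2009-09-10 735960]'
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(x|[^\]]+)\]$")
# 'LSP: c:\path\to\provider.dll'
LSP_RE = re.compile(r"^LSP:\s+(.+)$")
# Image paths under a per-user or system Temp folder are unusual for a real driver/service.
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def triage(lines):
    """Return the list of Findings for an iterable of ComboFix log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := UAC_RE.match(line):
            name, value = m.group(1), int(m.group(2))
            expected = UAC_DEFAULTS.get(name)
            if expected is not None and value != expected:
                findings.append(Finding("uac-weakened", f"{name}={value} (default {expected})"))
        elif m := SERVICE_RE.match(line):
            _start, name, _display, path, stamp = m.groups()
            if stamp == "x":  # ComboFix printed no date/size: no file was there to stamp
                findings.append(Finding("service-file-missing", f"{name}: {path}"))
            if TEMP_RE.search(path):
                findings.append(Finding("service-in-temp", f"{name}: {path}"))
        elif m := LSP_RE.match(line):
            findings.append(Finding("lsp-dll", m.group(1)))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'uac-weakened': 3, ...}."""
    return dict(Counter(f.kind for f in findings))


# Sample lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R3 GarenaPEngine;GarenaPEngine;c:\users\Evan\AppData\Local\Temp\JEMD0A.tmp [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-10-12 101120]
R3 vtany;vtany;c:\windows\vtany.sys [x]
R3 xspirit;xspirit;c:\users\Evan\AppData\Local\Temp\xspirit.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-09-10 735960]
.
LSP: c:\windows\system32\xunyount.dll
LSP: c:\program files\FlyVPN\FlyVPNBind.dll
LSP: c:\windows\system32\ASProxy.dll
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.detail}")
```

Feed it the whole log (`triage(open("ComboFix.txt").read().splitlines())`) and the summary shows at a glance whether UAC was off and which loading points have no file behind them.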


#6 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 PM

Posted 14 November 2011 - 01:08 PM

  • Go to Start ==> Run (or Windows key+R)
    • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
      (note that there is a space after notepad)
    • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
    • Edit 0xA0 and replace it with 0x80 (replace A with 8)
    • Under File menu click Save and close the notepad.
  • Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
    • On the General tab, click Install. A popup window opens.
    • Select Protocol from the list and then click Add.
    • A new window opens, click Have Disk....
    • In the browse... box type c:\windows\inf
    • Click OK.
    • Select Internet Protocol (TCP/IP), and then click OK.
    • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
    • Wait until it asks to restart, confirm restarting.
  • Go to Start ==> Run (or Windows key+R)
    • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
      (note that there is a space after notepad)
    • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
    • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
    • Under File menu click Save and close the notepad.
  • Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
    • On the General tab, click Install
    • A popup window opens. Select Protocol.
    • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
    • Wait until it asks to restart, confirm restarting.
  • After restart come back here and let me know about your internet connection.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Anonymousse

  • Topic Starter

  • Members
  • 13 posts
  • Local time:07:07 PM

Posted 15 November 2011 - 05:52 AM

Hi Gringo,
I followed the steps and everything worked as expected, except for one thing.
After the first restart (upon completion of step 2) my computer booted up normally, but BSOD'd as soon as the screen where it displays the user accounts came up.
I restarted twice more with the same result both times; BSOD immediately after the user account selection appears.
I booted the computer in safe mode with networking, and proceeded with steps 3 and 4 successfully.
After restarting again (after completing all steps) the computer booted up normally and is working fine again.
However, the internet connection is still not fixed. It appears the same as before.
Thanks so much for the help so far :)

#8 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 PM

Posted 15 November 2011 - 08:55 AM

Please run the following:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    NetBT.sys
    afd.sys
    ipsec.sys
    
    :reg
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd /s
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt /s
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ipsec /s
    
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#9 Anonymousse

  • Topic Starter

  • Members
  • 13 posts
  • Local time:07:07 PM

Posted 16 November 2011 - 12:15 AM

Hi Gringo,
Systemlook log is below.
SystemLook 30.07.11 by jpshortstuff
Log created at 13:13 on 16/11/2011 by Evan
Administrator - Elevation successful

========== filefind ==========

Searching for "NetBT.sys"
C:\Windows\System32\drivers\netbt.sys --a---- 187904 bytes [17:22 15/04/2011] [08:39 20/11/2010] 280122DDCF04B378EDD1AD54D71C1E54
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys --a---- 187904 bytes [23:12 13/07/2009] [23:12 13/07/2009] DD52A733BF4CA5AF84562A5E2F963B91
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_626c324d55864070\netbt.sys --a---- 187904 bytes [17:22 15/04/2011] [08:39 20/11/2010] 280122DDCF04B378EDD1AD54D71C1E54

Searching for "afd.sys"
C:\Windows\System32\drivers\afd.sys --a---- 338944 bytes [04:45 17/06/2011] [02:18 25/04/2011] 7D76E807B5770E22086F6BA25B1A6F86
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys --a---- 338944 bytes [23:12 13/07/2009] [23:12 13/07/2009] DDC040FDB01EF1712A6B13E52AFB104C
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys --a---- 338944 bytes [04:45 17/06/2011] [02:35 25/04/2011] 0DB7A48388D54D154EBEC120461A0FCD
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_d864ad9ad8c98d1f\afd.sys --a---- 338944 bytes [04:45 17/06/2011] [02:27 25/04/2011] C114AB7A1550D42EA1700FFD4179CF5A
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --a---- 338944 bytes [17:22 15/04/2011] [08:40 20/11/2010] 1151FD4FB0216CFED887BFDE29EBD516
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys --a---- 338944 bytes [04:45 17/06/2011] [03:24 25/04/2011] C427F91A748CD342A2B3F9278D9FD6A5

Searching for "ipsec.sys"
No files found.

========== reg ==========

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd]
"BootFlags"= 0x0000000001 (1)
"DisplayName"="@%systemroot%\system32\drivers\afd.sys,-1000"
"Group"="PNP_TDI"
"ImagePath"="\SystemRoot\system32\drivers\afd.sys"
"Description"="@%systemroot%\system32\drivers\afd.sys,-1000"
"ErrorControl"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"Type"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Parameters]
(No values found)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Enum]
"0"="Root\LEGACY_AFD\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt]
"Start"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Linkage]
"OtherDependencies"="Tcpip"
"Bind"="\Device\Tcpip6_{C8BA8787-59A0-4D95-845D-5A59EAF40F1C} \Device\Tcpip6_{51B909E5-D792-40E0-8CDA-B61A2821CAF0} \Device\Tcpip6_{AD3D4071-3BB6-46A2-85B0-B94CF9FC404E} \Device\Tcpip6_{B9950E7E-F5B1-4D29-BF57-715CBD9B16C3} \Device\Tcpip6_{67FD7F3C-5782-4A1E-AA98-37D29ADD9048} \Device\Tcpip6_{E7D6C612-C32C-4928-B044-1F2C4BC7118F} \Device\Tcpip6_{329212B0-E8F4-4790-8D65-2831518B93CE} \Device\Tcpip6_{AA65AB9D-9286-4EA3-A1D7-3E886BB1C6CF} \Device\Tcpip6_{3F25E861-B04D-4EAF-9D31-D7A3023DBFF1} \Device\Tcpip6_{5B8A541D-FD75-46E3-AF68-3888D01A50D6} \Device\Tcpip6_{3EE076A5-C769-4F05-8A7C-E45657FB560C} \Device\Tcpip6_{D207518F-6F07-4186-81AC-D2D009AB3791} \Device\Tcpip6_{93A13AB7-5F7D-46A7-8CB1-4A2EFCBB335F} \Device\Tcpip_{93A13AB7-5F7D-46A7-8CB1-4A2EFCBB335F} \Device\Tcpip_{329212B0-E8F4-4790-8D65-2831518B93CE} \Device\Tcpip_{E7D6C612-C32C-4928-B044-1F2C4BC7118F} \Device\Tcpip_{67FD7F3C-5782-4A1E-AA98-37D29ADD9048} \Device\Tcpip_{AD3D4071-3BB6-46A2-85B0-B94CF9FC404E}"
"Route"=""Tcpip6" "{C8BA8787-59A0-4D95-845D-5A59EAF40F1C}" "Tcpip6" "{51B909E5-D792-40E0-8CDA-B61A2821CAF0}" "Tcpip6" "{AD3D4071-3BB6-46A2-85B0-B94CF9FC404E}" "Tcpip6" "{B9950E7E-F5B1-4D29-BF57-715CBD9B16C3}" "Tcpip6" "{67FD7F3C-5782-4A1E-AA98-37D29ADD9048}" "Tcpip6" "{E7D6C612-C32C-4928-B044-1F2C4BC7118F}" "Tcpip6" "{329212B0-E8F4-4790-8D65-2831518B93CE}" "Tcpip6" "{AA65AB9D-9286-4EA3-A1D7-3E886BB1C6CF}" "Tcpip6" "{3F25E861-B04D-4EAF-9D31-D7A3023DBFF1}" "Tcpip6" "{5B8A541D-FD75-46E3-AF68-3888D01A50D6}" "Tcpip6" "{3EE076A5-C769-4F05-8A7C-E45657FB560C}" "Tcpip6" "{D207518F-6F07-4186-81AC-D2D009AB3791}" "Tcpip6" "{93A13AB7-5F7D-46A7-8CB1-4A2EFCBB335F}" "Tcpip" "{93A13AB7-5F7D-46A7-8CB1-4A2EFCBB335F}" "Tcpip" "{329212B0-E8F4-4790-8D65-2831518B93CE}" "Tcpip" "{E7D6C612-C32C-4928-B044-1F2C4BC7118F}" "Tcpip" "{67FD7F3C-5782-4A1E-AA98-37D29ADD9048}" "Tcpip" "{AD3D4071-3BB6-46A2-85B0-B94CF9FC404E}""
"Export"="\Device\NetBT_Tcpip6_{C8BA8787-59A0-4D95-845D-5A59EAF40F1C} \Device\NetBT_Tcpip6_{51B909E5-D792-40E0-8CDA-B61A2821CAF0} \Device\NetBT_Tcpip6_{AD3D4071-3BB6-46A2-85B0-B94CF9FC404E} \Device\NetBT_Tcpip6_{B9950E7E-F5B1-4D29-BF57-715CBD9B16C3} \Device\NetBT_Tcpip6_{67FD7F3C-5782-4A1E-AA98-37D29ADD9048} \Device\NetBT_Tcpip6_{E7D6C612-C32C-4928-B044-1F2C4BC7118F} \Device\NetBT_Tcpip6_{329212B0-E8F4-4790-8D65-2831518B93CE} \Device\NetBT_Tcpip6_{AA65AB9D-9286-4EA3-A1D7-3E886BB1C6CF} \Device\NetBT_Tcpip6_{3F25E861-B04D-4EAF-9D31-D7A3023DBFF1} \Device\NetBT_Tcpip6_{5B8A541D-FD75-46E3-AF68-3888D01A50D6} \Device\NetBT_Tcpip6_{3EE076A5-C769-4F05-8A7C-E45657FB560C} \Device\NetBT_Tcpip6_{D207518F-6F07-4186-81AC-D2D009AB3791} \Device\NetBT_Tcpip6_{93A13AB7-5F7D-46A7-8CB1-4A2EFCBB335F} \Device\NetBT_Tcpip_{93A13AB7-5F7D-46A7-8CB1-4A2EFCBB335F} \Device\NetBT_Tcpip_{329212B0-E8F4-4790-8D65-2831518B93CE} \Device\NetBT_Tcpip_{E7D6C612-C32C-4928-B044-1F2C4BC7118F} \Device\NetBT_Tcpip_{67FD7F3C-5782-4A1E-AA98-37D29ADD9048} \Devic

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters]
"NbProvider"="_tcp"
"NameServerPort"= 0x0000000089 (137)
"CacheTimeout"= 0x00000927c0 (600000)
"BcastNameQueryCount"= 0x0000000003 (3)
"BcastQueryTimeout"= 0x00000002ee (750)
"NameSrvQueryCount"= 0x0000000003 (3)
"NameSrvQueryTimeout"= 0x00000005dc (1500)
"Size/Small/Medium/Large"= 0x0000000001 (1)
"SessionKeepAlive"= 0x000036ee80 (3600000)
"TransportBindName"="\Device\"
"EnableLMHOSTS"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces]
(No values found)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{329212B0-E8F4-4790-8D65-2831518B93CE}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{67FD7F3C-5782-4A1E-AA98-37D29ADD9048}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{93A13AB7-5F7D-46A7-8CB1-4A2EFCBB335F}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{AD3D4071-3BB6-46A2-85B0-B94CF9FC404E}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{E7D6C612-C32C-4928-B044-1F2C4BC7118F}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ipsec]
(Unable to open key - key not found)

-= EOF =-

#10 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 PM

Posted 16 November 2011 - 09:34 AM

Hello

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.
"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#11 Anonymousse

  • Topic Starter

  • Members
  • 13 posts
  • Local time:07:07 PM

Posted 16 November 2011 - 10:45 AM

Hi Gringo,
Deleted combofix off my desktop PC's desktop and then ran the new version using the link you provided. It worked fine on the first try this time, without any problems.
Internet connection still does not work, however.
Here is the log:

ComboFix 11-11-15.06 - Evan 16/11/2011 23:16:51.4.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.3327.2093 [GMT 8:00]
Running from: c:\users\Evan\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *Disabled/Outdated* {CB0F8167-5331-BA19-698E-64816B6801A5}
FW: ESET Personal firewall *Disabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
SP: ESET Smart Security 4.0 *Disabled/Outdated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-10-16 to 2011-11-16 )))))))))))))))))))))))))))))))
.
.
2011-11-16 15:20 . 2011-11-16 15:39 -------- d-----w- c:\users\Evan\AppData\Local\temp
2011-11-16 15:20 . 2011-11-16 15:20 -------- d-----w- c:\users\Pop\AppData\Local\temp
2011-11-16 15:20 . 2011-11-16 15:20 -------- d-----w- c:\users\Mom\AppData\Local\temp
2011-11-16 15:20 . 2011-11-16 15:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-16 00:27 . 2011-11-16 15:24 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0CA66907-3E22-4DD3-B93F-DCADA70BF208}\offreg.dll
2011-11-14 16:09 . 2011-11-14 16:09 -------- d-----w- c:\users\Evan\AppData\Local\Skyrim
2011-11-14 16:06 . 2009-09-04 09:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2011-11-14 16:06 . 2009-09-04 09:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2011-11-14 16:06 . 2009-09-04 09:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2011-11-14 16:06 . 2009-09-04 09:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2011-11-14 16:06 . 2008-10-27 02:04 514384 ----a-w- c:\windows\system32\XAudio2_3.dll
2011-11-14 16:06 . 2008-10-27 02:04 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2011-11-14 16:06 . 2008-10-27 02:04 23376 ----a-w- c:\windows\system32\X3DAudio1_5.dll
2011-11-14 16:06 . 2008-10-27 02:04 70992 ----a-w- c:\windows\system32\XAPOFX1_2.dll
2011-11-14 16:01 . 2011-11-15 11:48 -------- d-----w- c:\program files\The Elder Scrolls V Skyrim
2011-11-14 15:55 . 2011-11-14 15:55 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-11-14 15:54 . 2011-11-14 15:55 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-11-11 14:08 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0CA66907-3E22-4DD3-B93F-DCADA70BF208}\mpengine.dll
2011-11-09 22:30 . 2011-09-29 16:03 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 22:30 . 2011-10-01 04:37 708608 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-09 22:30 . 2011-09-29 03:37 2341888 ----a-w- c:\windows\system32\win32k.sys
2011-11-09 13:07 . 2011-11-09 13:07 -------- d-----w- c:\users\Evan\AppData\Roaming\Malwarebytes
2011-11-09 13:07 . 2011-11-09 13:07 -------- d-----w- c:\programdata\Malwarebytes
2011-11-09 13:07 . 2011-11-09 13:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-09 13:07 . 2011-08-31 09:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-07 17:02 . 2011-11-07 17:02 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-11-07 15:38 . 2011-11-14 12:07 -------- d-sh--w- c:\users\Evan\AppData\Local\2e6d488a
2011-11-06 14:17 . 2011-11-13 08:49 -------- d-----w- c:\program files\xunyou
2011-10-31 12:12 . 2011-10-31 12:12 -------- d-----w- c:\users\Evan\AppData\Roaming\Mobile Card
2011-10-31 12:11 . 2009-12-07 11:53 103168 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-10-31 12:11 . 2009-12-07 11:36 201168 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-10-31 12:11 . 2009-10-12 07:22 101120 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2011-10-31 12:11 . 2007-08-08 20:06 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-10-31 12:10 . 2011-10-31 12:11 -------- d-----w- c:\program files\Mobile Card
2011-10-31 12:10 . 2011-10-31 12:10 -------- d-----w- C:\InstallC112
2011-10-26 21:58 . 2011-08-13 04:18 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-23 12:53 . 2011-10-23 12:53 -------- d-----w- c:\windows\en
2011-10-23 11:06 . 2009-09-04 09:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-10-23 11:06 . 2009-09-04 09:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-10-23 11:06 . 2009-09-04 09:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-10-23 11:06 . 2011-10-23 11:06 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\bf84c3321cc917302\DSETUP.dll
2011-10-23 11:06 . 2011-10-23 11:06 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\bf84c3321cc917302\DXSETUP.exe
2011-10-23 11:06 . 2011-10-23 11:06 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\bf84c3321cc917302\dsetup32.dll
2011-10-23 11:05 . 2011-10-23 11:05 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\b34a171b1cc917301\DSETUP.dll
2011-10-23 11:05 . 2011-10-23 11:05 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\b34a171b1cc917301\DXSETUP.exe
2011-10-23 11:05 . 2011-10-23 11:05 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\b34a171b1cc917301\dsetup32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 15:21 . 2010-09-18 12:13 4194304 ----a-w- c:\windows\ServiceProfiles\NetworkService\msmqlog.bin
2011-10-31 06:50 . 2011-09-03 11:29 120600 ----a-w- c:\windows\system32\xunyount.dll
2011-10-23 11:07 . 2011-03-28 10:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-10-01 02:42 . 2011-10-13 07:34 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-04 09:13 . 2011-03-15 12:40 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-09-04 09:13 . 2011-03-15 12:40 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-09-04 09:13 . 2011-03-15 12:40 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-08-27 04:26 . 2011-10-13 07:26 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 04:26 . 2011-10-13 07:26 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-08-20 04:31 . 2011-10-13 07:34 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-10 21:23 . 2011-06-22 16:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 00:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-09-10 2054360]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
c:\users\Evan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2011-7-29 380928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKLM\~\startupfolder\C:^Users^Evan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\Evan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-07-26 18:10 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-17 16:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-11-10 09:17 3514176 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-10-10 06:17 136176 ----atw- c:\users\Evan\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2011-05-13 08:03 4283256 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 09:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-12-01 14:39 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [2010-09-14 712192]
R3 ASOVPNHelper;Astrill OpenVPN Service;c:\program files\Astrill\ASOvpnSvc.exe [2011-08-13 432880]
R3 ASProxy;ASProxy;c:\program files\Astrill\ASProxy.exe [2011-08-13 1856936]
R3 GarenaPEngine;GarenaPEngine;c:\users\Evan\AppData\Local\Temp\JEMD0A.tmp [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\plugins\UI\safedrv.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-10-12 101120]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 PCDSRVC{4F253FFC-7957E8FC-06000000}_0;PCDSRVC{4F253FFC-7957E8FC-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc.pkms [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 vtany;vtany;c:\windows\vtany.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-10 1343400]
R3 xhunter1;xhunter1;c:\windows\xhunter1.sys [x]
R3 xspirit;xspirit;c:\users\Evan\AppData\Local\Temp\xspirit.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-11-14 239168]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-09-10 108792]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-09-07 176128]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-09-10 735960]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-09-10 38240]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-09-07 6381056]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-09-07 221696]
S3 bmnadapter;BM Win32 Network Adapter;c:\windows\system32\DRIVERS\bmnet.sys [2010-07-23 32768]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-08-21 189440]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [2009-09-16 27136]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1743195445-1418676188-2939981509-1000Core.job
- c:\users\Evan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-10 06:17]
.
2011-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1743195445-1418676188-2939981509-1000UA.job
- c:\users\Evan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-10 06:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pmang.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
DPF: {93C449FA-ECFB-402F-A8C7-37E4F8D60E49} - hxxp://dl.pmang.com/common/pmangctl/pmangax.cab
FF - ProfilePath - c:\users\Evan\AppData\Roaming\Mozilla\Firefox\Profiles\6axanmt5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - www.facebook.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GarenaPEngine]
"ImagePath"="\??\c:\users\Evan\AppData\Local\Temp\JEMD0A.tmp"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{4F253FFC-7957E8FC-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2584)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2011-11-16 23:40:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-16 15:40
ComboFix2.txt 2011-11-14 13:28
ComboFix3.txt 2011-11-14 12:30
ComboFix4.txt 2011-11-14 12:12
.
Pre-Run: 549,471,989,760 bytes free
Post-Run: 548,950,208,512 bytes free
.
- - End Of File - - 2581A9FF8D80DA53D17B89B1769CB4E5

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 PM

Posted 16 November 2011 - 11:04 AM

Hello

Click on the Start orb.

In the search bar, type CMD.

Right-click cmd and select Run as admin.

Copy and paste the following into the window:

NETSH INT IP RESET reset.log

netsh winsock reset catalog

Let me know if you can now connect.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
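The two resets gringo describes above, wrapped into one elevated PowerShell script. This is an added example for this thread, not gringo's own instructions or any BleepingComputer tool: it assumes Windows 7 or later with PowerShell, run from an elevated prompt, and the log folder ($LogDir) and the public host used for the connectivity check are my own choices. Beyond the two commands it also saves the Winsock catalog before and after the reset, so the responder has a record of whether any non-Microsoft provider was registered, which is worth keeping when a machine loses connectivity after a rootkit cleanup.

```powershell
# Added example (not from the thread): run the TCP/IP and Winsock resets that
# gringo suggests, keeping a before/after copy of the Winsock catalog and then
# checking basic connectivity. Assumes an elevated PowerShell on Windows 7+.
# $LogDir is a placeholder path of my choosing.

$LogDir = Join-Path $env:USERPROFILE 'Desktop\netreset'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Both resets need administrative rights; stop early if we do not have them.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Run this from an elevated (Run as administrator) PowerShell window.'
    exit 1
}

# Snapshot the Winsock catalog first so the pre-reset state is preserved as
# evidence; compare it with the post-reset copy for entries that disappeared.
netsh winsock show catalog | Out-File (Join-Path $LogDir 'winsock-before.txt')

# Reset the TCP/IP stack (netsh writes its own log to the path given) and
# rebuild the Winsock catalog to the default set of providers.
netsh int ip reset (Join-Path $LogDir 'tcpip-reset.log')
netsh winsock reset catalog

netsh winsock show catalog | Out-File (Join-Path $LogDir 'winsock-after.txt')

# Quick connectivity check: loopback, the default gateway, then a public host
# by name (the last one also exercises DNS). Results are informational only;
# the resets do not fully take effect until the machine is rebooted.
$gateway = (Get-WmiObject Win32_NetworkAdapterConfiguration |
            Where-Object { $_.DefaultIPGateway }).DefaultIPGateway |
           Select-Object -First 1

foreach ($target in @('127.0.0.1', $gateway, 'www.bleepingcomputer.com')) {
    if (-not $target) { continue }   # no gateway configured
    $ok = Test-Connection -ComputerName $target -Count 1 -Quiet
    $state = if ($ok) { 'reachable' } else { 'unreachable' }
    Write-Host ("{0,-28} {1}" -f $target, $state)
}

Write-Host "Logs written to $LogDir. Reboot before judging whether the resets fixed connectivity."
```

Run it once, reboot, and only then repeat the connectivity check; the before/after catalog files are what to attach to a reply if the connection still fails.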

#13 Anonymousse

Anonymousse
  • Topic Starter

  • Members
  • 13 posts
  • Local time:07:07 PM

Posted 16 November 2011 - 06:54 PM

Hi Gringo,
The computer is still unable to connect to the internet.

#14 Anonymousse

Anonymousse
  • Topic Starter

  • Members
  • 13 posts
  • Local time:07:07 PM

Posted 19 November 2011 - 01:36 AM

Hey, it's been a while. Do you have any ideas?

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 PM

Posted 19 November 2011 - 01:49 AM

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check "Include All Files" option.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.




