Rootkit with STOPzilla Google redirects


  • This topic is locked
19 replies to this topic

#1 Virden

Virden

  • Members
  • 8 posts

Posted 18 December 2011 - 10:33 AM

Hi there. I have what I believe to be a rootkit - it has shown up in my HijackThis log - and I also have a lot of Google redirects when trying to reach any page to do with malware removal, redirecting to either STOPzilla or a range of shopping websites.

I didn't realise quite how bad the problem was and thought that it was only the Google redirect issue, but when I reached the final stage of the removal guide for that particular problem, the TDSSKiller executable would not run, even when I switched to safe mode. I hope I have not caused too much damage by trying this removal.

Finally, I have attached the DDS log and a HijackThis log, if that is any help. The GMER application would not run with the settings specified on the pre-post page, so I didn't complete the scan.

Thank you in advance for any help!

Virden


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,601 posts

Posted 24 December 2011 - 10:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/433156 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Virden

Virden
  • Topic Starter

  • Members
  • 8 posts

Posted 24 December 2011 - 03:13 PM

Hi there

I would still like some help fixing up my laptop please. I am still suffering the same problems as mentioned in the first post. Here is my updated DDS log.

I am running an Acer 5553G, 64-bit, Windows 7 Home Professional SP1. I have a boot disk for Windows 7, but the last time I tried a clean install I had to stop, as the setup package required a set of drivers I could not locate. Not sure if this is a problem with the disc or my laptop.

Anyway, here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_30
Run by Gavin at 18:26:23 on 2011-12-24
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3838.2436 [GMT 0:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe
C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files (x86)\Google\Google Talk\googletalk.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&m=aspire_5553g&r=27360111g206l04f3z135t4661l24s
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&m=aspire_5553g&r=27360111g206l04f3z135t4661l24s
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFYWVAtQTdQRk4tOURGUUktUVpBR0otNllYVVItSg"&"inst=NzYtOTUyODM5MDg3LUZMMTArMS1YTzEwKzExLUxJQysyLVNUMTJPSSsxLUREVCswLUVVTEErMS1TVDEyQVBQKzE"&"prod=92"&"ver=2012.0.1831"&"mid=4f042277a71c47d181761943ef7c5448-72601a18e19dfbc0921505fb0002f24c689f6f53
StartupFolder: C:\Users\Gavin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: Interfaces\{4B3F4430-4D46-47BA-9F63-778AE8A9AE66} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4B3F4430-4D46-47BA-9F63-778AE8A9AE66}\244524573796E6563737845726D2439373 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4B3F4430-4D46-47BA-9F63-778AE8A9AE66}\244524573796E6563737845726D2830343 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4B3F4430-4D46-47BA-9F63-778AE8A9AE66}\4435C4D22363430325 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4B3F4430-4D46-47BA-9F63-778AE8A9AE66}\4514C4B44514C4B4D2644463436343 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4B3F4430-4D46-47BA-9F63-778AE8A9AE66}\4586F6D637F6E6630393231303 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4B3F4430-4D46-47BA-9F63-778AE8A9AE66}\4716C6B64716C6B6 : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
BHO-X64: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: DivX HiQ: {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO-X64: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce-x64: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFYWVAtQTdQRk4tOURGUUktUVpBR0otNllYVVItSg"&"inst=NzYtOTUyODM5MDg3LUZMMTArMS1YTzEwKzExLUxJQysyLVNUMTJPSSsxLUREVCswLUVVTEErMS1TVDEyQVBQKzE"&"prod=92"&"ver=2012.0.1831"&"mid=4f042277a71c47d181761943ef7c5448-72601a18e19dfbc0921505fb0002f24c689f6f53
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Gavin\AppData\Roaming\Mozilla\Firefox\Profiles\4bky4k1e.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npContribute.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Gavin\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\Gavin\AppData\Roaming\Mozilla\Firefox\Profiles\4bky4k1e.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-4-26 325200]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [2011-1-18 820768]
R2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 23584]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2010-3-8 250368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-11-6 144640]
R2 ODDPwrSvc;Acer ODD Power Service;C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [2010-4-26 171040]
R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-3-31 80896]
R2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe [2009-12-23 370688]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
R2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2010-4-26 243232]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atipmdag.sys --> C:\Windows\system32\DRIVERS\atipmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
R3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2011-11-11 24176]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-1-18 135664]
S3 AmUStor;AM USB Stroage Driver;C:\Windows\system32\drivers\AmUStor.SYS --> C:\Windows\system32\drivers\AmUStor.SYS [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-1-18 135664]
S3 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-5-25 2275720]
S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\system32\DRIVERS\htcnprot.sys --> C:\Windows\system32\DRIVERS\htcnprot.sys [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-11-6 50432]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-24 18:14:27 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CC653D4C-132D-4CED-BA04-071C75FB61B6}\offreg.dll
2011-12-24 14:07:43 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CC653D4C-132D-4CED-BA04-071C75FB61B6}\mpengine.dll
2011-12-18 02:29:08 388096 ----a-r- C:\Users\Gavin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-18 02:29:08 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-12-17 16:48:31 -------- d-----w- C:\_OTM
2011-12-16 22:18:42 -------- d-----w- C:\$WINDOWS.~LS
2011-12-16 16:55:03 -------- d-----w- C:\Program Files (x86)\SuperBlank
2011-12-15 15:16:36 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-15 11:40:31 -------- d-----w- C:\Users\Gavin\AppData\Roaming\QuickScan
2011-12-15 00:25:37 98816 ----a-w- C:\Windows\sed.exe
2011-12-15 00:25:37 518144 ----a-w- C:\Windows\SWREG.exe
2011-12-15 00:25:37 256000 ----a-w- C:\Windows\PEV.exe
2011-12-15 00:25:37 208896 ----a-w- C:\Windows\MBR.exe
2011-12-15 00:24:26 -------- d-----w- C:\ComboFix
2011-12-14 10:20:44 3145216 ---ha-w- C:\Windows\System32\win32k.sys
2011-12-14 10:20:42 723456 ---ha-w- C:\Windows\System32\EncDec.dll
2011-12-14 10:20:42 534528 ---ha-w- C:\Windows\SysWow64\EncDec.dll
2011-12-14 10:20:35 2048 ---ha-w- C:\Windows\SysWow64\tzres.dll
2011-12-14 10:20:35 2048 ---ha-w- C:\Windows\System32\tzres.dll
2011-12-13 21:02:13 719872 ----a-w- C:\Windows\SysWow64\devil.dll
2011-12-13 21:02:13 70656 ----a-w- C:\Windows\SysWow64\yv12vfw.dll
2011-12-13 21:02:13 70656 ----a-w- C:\Windows\SysWow64\i420vfw.dll
2011-12-13 21:02:13 369152 ----a-w- C:\Windows\SysWow64\avisynth.dll
2011-12-13 21:02:13 32256 ----a-w- C:\Windows\SysWow64\AVSredirect.dll
2011-12-13 21:02:11 -------- d-----w- C:\Program Files (x86)\AviSynth 2.5
2011-12-13 20:54:18 -------- d-----w- C:\Program Files (x86)\eRightSoft
2011-12-13 10:15:14 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-28 22:01:39 -------- d-----w- C:\Users\Gavin\AppData\Local\Chromium
.
==================== Find3M ====================
.
2011-11-10 05:54:13 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-11-05 05:41:43 1188864 ---ha-w- C:\Windows\System32\wininet.dll
2011-11-05 04:35:00 981504 ---ha-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 03:32:47 1638912 ---ha-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ---ha-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-26 05:21:20 43520 ---ha-w- C:\Windows\System32\csrsrv.dll
2011-10-14 09:29:36 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2006-05-03 12:06:54 163328 --sha-r- C:\Windows\SysWOW64\flvDX.dll
2007-02-21 13:47:16 31232 --sha-r- C:\Windows\SysWOW64\msfDX.dll
2008-03-16 15:30:52 216064 --sha-r- C:\Windows\SysWOW64\nbDX.dll
2010-01-07 00:00:00 107520 --sha-r- C:\Windows\SysWOW64\TAKDSDecoder.dll
.
============= FINISH: 18:35:17.71 ===============


Thank you for your help!
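
The DDS log above carries two findings a triage reader should not miss: the `mPolicies-system` lines show UAC switched off entirely (`EnableLUA = 0`, with the admin consent prompt and secure desktop also at 0), and the `AV:`/`SP:` header lines report Microsoft Security Essentials and Windows Defender as disabled. The script below is an added example, not part of the DDS tool and not code from anyone in this thread: it parses those two kinds of line from a constructed excerpt copied from the log above and reports what they mean. The Windows 7 default values it compares against are the example's own assumption, not something DDS prints.

```python
"""Triage the UAC policy and security-product lines of a DDS log.

Added example, not part of the DDS tool or of any post in this thread.
SAMPLE_DDS is a constructed excerpt copied from the log posted above; the
line layouts assumed here ("mPolicies-system: NAME = VALUE (0xHEX)" and
"AV: NAME *State/State* {GUID}") are the ones visible in that log, and the
Windows 7 default policy values are the example's own assumption.
"""
import re

SAMPLE_DDS = """\
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""

# Values Windows 7 ships with for the UAC keys DDS reports (assumed defaults).
WIN7_UAC_DEFAULTS = {
    "EnableLUA": 1,                    # UAC on
    "ConsentPromptBehaviorAdmin": 5,   # prompt for consent for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,    # prompt standard users for credentials
    "PromptOnSecureDesktop": 1,        # prompts shown on the secure desktop
    "EnableUIADesktopToggle": 0,
}

POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s+=\s+(\d+)\s+\(0x[0-9A-Fa-f]+\)\s*$")
PRODUCT_RE = re.compile(r"^(AV|SP|FW):\s+(.+?)\s+\*([^/*]+)/([^*]+)\*\s+\{[0-9A-Fa-f-]+\}\s*$")


def parse_policies(text):
    """Map policy name -> integer value for every mPolicies-system line."""
    found = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def parse_security_products(text):
    """One record per AV/SP/FW line: kind, product name, enabled?, up to date?"""
    products = []
    for line in text.splitlines():
        m = PRODUCT_RE.match(line)
        if m:
            kind, name, state, freshness = m.groups()
            products.append({
                "kind": kind,
                "name": name,
                "enabled": state == "Enabled",
                "updated": freshness == "Updated",
            })
    return products


def nondefault_policies(policies):
    """Policies whose value differs from the assumed Windows 7 default: name -> (value, default)."""
    return {
        name: (value, WIN7_UAC_DEFAULTS[name])
        for name, value in policies.items()
        if name in WIN7_UAC_DEFAULTS and value != WIN7_UAC_DEFAULTS[name]
    }


def uac_findings(policies):
    """Human-readable consequences of the UAC values actually set."""
    findings = []
    if policies.get("EnableLUA", 1) == 0:
        # With UAC off the prompt settings are moot: an administrator's processes
        # all run with the full admin token and nothing is ever asked to elevate.
        findings.append("EnableLUA=0: UAC is switched off; nothing on this system is ever prompted to elevate")
        return findings
    if policies.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
    if policies.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: elevation prompts are shown on the normal desktop")
    return findings


def disabled_products(products):
    """Names of the security products DDS saw as disabled."""
    return [p["name"] for p in products if not p["enabled"]]


if __name__ == "__main__":
    pol = parse_policies(SAMPLE_DDS)
    for finding in uac_findings(pol):
        print("UAC:", finding)
    for name, (value, default) in sorted(nondefault_policies(pol).items()):
        print(f"non-default {name}={value} (default {default})")
    print("disabled:", disabled_products(parse_security_products(SAMPLE_DDS)))
```

Run against the excerpt, the script reports UAC off and all three product lines disabled; on a log where `EnableLUA` is 1 it falls through to the individual prompt settings instead, since those only matter while UAC is actually enforcing.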

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 December 2011 - 07:18 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run aswMBR and MBRCheck

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


And

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#5 Virden

Virden
  • Topic Starter

  • Members
  • 8 posts

Posted 30 December 2011 - 03:07 PM

Hi, thank you for your response.

Contents of aswMBR.txt

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2011-12-30 09:36:52
-----------------------------
09:36:52.854 OS Version: Windows x64 6.1.7601 Service Pack 1
09:36:52.855 Number of processors: 4 586 0x503
09:36:52.857 ComputerName: GAVIN-PC UserName: Gavin
09:36:54.378 Initialize success
09:37:45.740 AVAST engine defs: 11122901
09:38:25.144 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
09:38:25.150 Disk 0 Vendor: ST9320325AS 0001SDM1 Size: 305245MB BusType: 11
09:38:25.165 Disk 0 MBR read successfully
09:38:25.170 Disk 0 MBR scan
09:38:25.179 Disk 0 MBR:Alureon-K [Rtk]
09:38:25.186 Disk 0 TDL4@MBR code has been found
09:38:25.194 Disk 0 Windows 7 default MBR code found via API
09:38:25.201 Disk 0 MBR hidden
09:38:25.221 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12288 MB offset 2048
09:38:25.249 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 25167872
09:38:25.273 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 146427 MB offset 25372672
09:38:25.312 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 146428 MB offset 325255168
09:38:25.326 Disk 0 MBR [TDL4] **ROOTKIT**
09:38:25.339 Disk 0 trace - called modules:
09:38:25.353 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8004ef9334]<<
09:38:25.365 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004e3b790]
09:38:25.378 3 CLASSPNP.SYS[fffff88001b7843f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004e47680]
09:38:25.390 \Driver\atapi[0xfffffa8004c16e70] -> IRP_MJ_CREATE -> 0xfffffa8003e292c0
09:38:29.033 AVAST engine scan C:\Windows
09:38:34.007 AVAST engine scan C:\Windows\system32
09:41:51.527 AVAST engine scan C:\Windows\system32\drivers
09:42:08.079 AVAST engine scan C:\Users\Gavin
09:52:14.134 AVAST engine scan C:\ProgramData
09:54:27.414 Scan finished successfully
18:55:22.864 Disk 0 MBR has been saved successfully to "C:\Users\Gavin\Desktop\MBR.dat"
18:55:22.885 The log file has been saved successfully to "C:\Users\Gavin\Desktop\aswMBR.txt"

Contents of MBRCheck_12.30.11_18.55.31.txt

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: Acer
System Product Name: Aspire 5553G
Logical Drives Mask: 0x000000fc

Kernel Drivers (total 167):
0x0361A000 \SystemRoot\system32\ntoskrnl.exe
0x03C03000 \SystemRoot\system32\hal.dll
0x00BA4000 \SystemRoot\system32\kdcom.dll
0x00CF4000 \SystemRoot\system32\mcupdate_AuthenticAMD.dll
0x00D01000 \SystemRoot\system32\PSHED.dll
0x00D15000 \SystemRoot\system32\CLFS.SYS
0x00C00000 \SystemRoot\system32\CI.dll
0x00EB7000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F5B000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x0103C000 \SystemRoot\System32\Drivers\sptd.sys
0x01199000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x011A2000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x00F6A000 \SystemRoot\system32\drivers\ACPI.sys
0x011D1000 \SystemRoot\system32\drivers\msisadrv.sys
0x011DB000 \SystemRoot\system32\drivers\vdrvroot.sys
0x01000000 \SystemRoot\system32\drivers\pci.sys
0x011E8000 \SystemRoot\System32\drivers\partmgr.sys
0x01033000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x00FC1000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x00FCD000 \SystemRoot\system32\drivers\volmgr.sys
0x00E00000 \SystemRoot\System32\drivers\volmgrx.sys
0x00E5C000 \SystemRoot\System32\drivers\mountmgr.sys
0x00E76000 \SystemRoot\system32\drivers\atapi.sys
0x00E7F000 \SystemRoot\system32\drivers\ataport.SYS
0x00EA9000 \SystemRoot\system32\drivers\msahci.sys
0x00FE2000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x00FF2000 \SystemRoot\system32\drivers\amdxata.sys
0x00D73000 \SystemRoot\system32\drivers\fltmgr.sys
0x00DBF000 \SystemRoot\system32\drivers\fileinfo.sys
0x00DD3000 \SystemRoot\System32\Drivers\PxHlpa64.sys
0x0123C000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01419000 \SystemRoot\System32\Drivers\msrpc.sys
0x01477000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01492000 \SystemRoot\System32\Drivers\cng.sys
0x01504000 \SystemRoot\System32\drivers\pcw.sys
0x01515000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x016FD000 \SystemRoot\system32\drivers\ndis.sys
0x01600000 \SystemRoot\system32\drivers\NETIO.SYS
0x01660000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01830000 \SystemRoot\System32\drivers\tcpip.sys
0x01A34000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01A7E000 \SystemRoot\system32\drivers\volsnap.sys
0x01ACA000 \SystemRoot\System32\Drivers\spldr.sys
0x01AD2000 \SystemRoot\System32\drivers\rdyboost.sys
0x01B0C000 \SystemRoot\System32\Drivers\mup.sys
0x01B1E000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01B27000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01B61000 \SystemRoot\system32\DRIVERS\disk.sys
0x01B77000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x01BA7000 \SystemRoot\system32\DRIVERS\AtiPcie.sys
0x01800000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x0168B000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x01BE7000 \SystemRoot\System32\Drivers\Null.SYS
0x01BF0000 \SystemRoot\System32\Drivers\Beep.SYS
0x016BC000 \SystemRoot\System32\drivers\vga.sys
0x016CA000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x017F0000 \SystemRoot\System32\drivers\watchdog.sys
0x01BF7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x016EF000 \SystemRoot\system32\drivers\rdpencdd.sys
0x0151F000 \SystemRoot\system32\drivers\rdprefmp.sys
0x01528000 \SystemRoot\System32\Drivers\Msfs.SYS
0x01533000 \SystemRoot\System32\Drivers\Npfs.SYS
0x01544000 \SystemRoot\system32\DRIVERS\tdx.sys
0x01566000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x01573000 \SystemRoot\System32\DRIVERS\netbt.sys
0x0429F000 \SystemRoot\system32\drivers\afd.sys
0x04328000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x04331000 \SystemRoot\system32\DRIVERS\pacer.sys
0x04357000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x0436D000 \SystemRoot\system32\DRIVERS\netbios.sys
0x0437C000 \SystemRoot\system32\DRIVERS\dtsoftbus01.sys
0x043BF000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x043DA000 \SystemRoot\system32\drivers\termdd.sys
0x04200000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0x0421A000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
0x04224000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
0x0422E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x0427F000 \SystemRoot\system32\drivers\nsiproxy.sys
0x0428B000 \SystemRoot\system32\drivers\mssmbios.sys
0x043EE000 \SystemRoot\System32\drivers\discache.sys
0x015B8000 \SystemRoot\System32\Drivers\dfsc.sys
0x015D6000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x01200000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x015E7000 \SystemRoot\system32\DRIVERS\amdppm.sys
0x00CC0000 \SystemRoot\system32\DRIVERS\atikmpag.sys
0x074D7000 \SystemRoot\system32\DRIVERS\atipmdag.sys
0x04077000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x0416B000 \SystemRoot\System32\drivers\dxgmms1.sys
0x041B1000 \SystemRoot\system32\drivers\HDAudBus.sys
0x041D5000 \SystemRoot\system32\DRIVERS\L1C62x64.sys
0x06ED0000 \SystemRoot\system32\DRIVERS\bcmwl664.sys
0x071BF000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x071CC000 \??\C:\Windows\system32\drivers\UBHelper.sys
0x071D4000 \??\C:\Windows\system32\drivers\NTIDrvr.sys
0x071DC000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x06E00000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x06E56000 \SystemRoot\system32\DRIVERS\usbfilter.sys
0x06E63000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x06E74000 \SystemRoot\system32\drivers\i8042prt.sys
0x06E92000 \SystemRoot\system32\drivers\kbdclass.sys
0x04000000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x06EA1000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x06EA3000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x07B46000 \SystemRoot\System32\Drivers\ak4jl8cn.SYS
0x06EB2000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x06EB7000 \SystemRoot\system32\drivers\wmiacpi.sys
0x06EC0000 \SystemRoot\system32\drivers\CompositeBus.sys
0x071E7000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x04052000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x041EA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x07B8A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x07BB9000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x07BD4000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x07400000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0741A000 \SystemRoot\system32\DRIVERS\hamachi.sys
0x071FD000 \SystemRoot\system32\drivers\swenum.sys
0x07425000 \SystemRoot\system32\drivers\ks.sys
0x07468000 \SystemRoot\system32\drivers\umbus.sys
0x0747A000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x01400000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x0884C000 \SystemRoot\system32\drivers\AtiHdmi.sys
0x0886E000 \SystemRoot\system32\drivers\portcls.sys
0x088AB000 \SystemRoot\system32\drivers\drmk.sys
0x088CD000 \SystemRoot\system32\drivers\ksthunk.sys
0x08A48000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x08C73000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x08C90000 \SystemRoot\System32\Drivers\crashdmp.sys
0x08C9E000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x08CAA000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x08CB5000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x08CC8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x08CE5000 \SystemRoot\System32\Drivers\usbvideo.sys
0x00090000 \SystemRoot\System32\win32k.sys
0x08D13000 \SystemRoot\System32\drivers\Dxapi.sys
0x08D1F000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00550000 \SystemRoot\System32\TSDDD.dll
0x00650000 \SystemRoot\System32\cdd.dll
0x00880000 \SystemRoot\System32\ATMFD.DLL
0x08D2D000 \SystemRoot\system32\drivers\luafv.sys
0x08D50000 \SystemRoot\system32\drivers\WudfPf.sys
0x08D71000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x08D86000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x08DD9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x08A00000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x08A18000 \SystemRoot\system32\DRIVERS\vwifimp.sys
0x088D3000 \SystemRoot\system32\drivers\HTTP.sys
0x08A22000 \SystemRoot\system32\DRIVERS\bowser.sys
0x0899C000 \SystemRoot\System32\drivers\mpsdrv.sys
0x089B4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x080EB000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x08139000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x0815D000 \SystemRoot\system32\DRIVERS\atksgt.sys
0x081AC000 \SystemRoot\system32\DRIVERS\lirsgt.sys
0x08000000 \SystemRoot\system32\drivers\peauth.sys
0x080A6000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x080D7000 \SystemRoot\System32\drivers\tcpipreg.sys
0x081B9000 \??\C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys
0x0B0B5000 \SystemRoot\System32\DRIVERS\srv2.sys
0x0B11E000 \SystemRoot\System32\DRIVERS\srv.sys
0x0B1B6000 \??\C:\Program Files\PeerBlock\pbfilter.sys
0x0B1BF000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x0B071000 \??\C:\Users\Gavin\AppData\Local\Temp\aswMBR.sys
0x77720000 \Windows\System32\ntdll.dll
0x47870000 \Windows\System32\smss.exe
0xFFA40000 \Windows\System32\apisetschema.dll
0xFFA80000 \Windows\System32\autochk.exe
0xFF920000 \Windows\System32\msctf.dll

Processes (total 75):
0 System Idle Process
4 System
400 C:\Windows\System32\smss.exe
552 csrss.exe
636 C:\Windows\System32\wininit.exe
672 csrss.exe
700 C:\Windows\System32\services.exe
732 C:\Windows\System32\winlogon.exe
744 C:\Windows\System32\lsass.exe
752 C:\Windows\System32\lsm.exe
876 C:\Windows\System32\svchost.exe
956 C:\Windows\System32\svchost.exe
128 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
460 C:\Windows\System32\atiesrxx.exe
892 C:\Windows\System32\svchost.exe
656 C:\Windows\System32\svchost.exe
1048 C:\Windows\System32\svchost.exe
1208 C:\Windows\System32\svchost.exe
1312 C:\Windows\System32\svchost.exe
1504 C:\Windows\System32\wlanext.exe
1512 C:\Windows\System32\conhost.exe
1640 C:\Windows\System32\atieclxx.exe
1700 C:\Windows\System32\spoolsv.exe
1732 C:\Windows\System32\svchost.exe
1900 C:\Program Files\SUPERAntiSpyware\SASCore64.exe
1948 C:\Program Files (x86)\Launch Manager\dsiwmis.exe
1248 C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe
1408 C:\Windows\System32\svchost.exe
1620 C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
1084 C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
1816 C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
2080 C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe
2120 C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
2164 C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
2208 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
2228 C:\Windows\System32\svchost.exe
2292 C:\Program Files\Acer\Acer Updater\UpdaterService.exe
2420 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2860 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2984 C:\Windows\System32\taskhost.exe
2136 C:\Windows\System32\dwm.exe
1460 C:\Windows\explorer.exe
3244 C:\Windows\System32\rundll32.exe
3412 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
3444 C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
3456 C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
3480 C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe
3568 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3604 C:\Windows\System32\wbem\unsecapp.exe
3684 C:\Windows\PLFSetI.exe
3744 WmiPrvSE.exe
3844 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
3860 C:\Program Files\Microsoft Security Client\msseces.exe
3872 C:\Program Files\PeerBlock\peerblock.exe
3880 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3960 C:\Program Files\Rainmeter\Rainmeter.exe
4000 C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
2320 C:\Program Files (x86)\Google\Google Talk\googletalk.exe
2556 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
3908 C:\Windows\System32\svchost.exe
4608 dllhost.exe
4756 C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
4836 C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe
4864 C:\Windows\System32\wbem\unsecapp.exe
4908 C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe
4972 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
5060 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
4124 C:\Windows\System32\wuauclt.exe
2944 C:\Windows\servicing\TrustedInstaller.exe
2036 C:\Windows\System32\taskeng.exe
4288 taskhost.exe
2996 C:\Windows\System32\audiodg.exe
4076 C:\Users\Gavin\Desktop\MBRCheck.exe
3168 C:\Windows\System32\conhost.exe
3756 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000026`c6000000 (NTFS)

PhysicalDrive0 Model Number: ST9320325AS, Rev: 0001SDM1

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 78A4193BE63F5965B96545152F1E1BD10347CA2D


Thank you.
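The aswMBR and MBRCheck output above carries the indicators a responder looks for: the scanner names Alureon-K / TDL4 in the MBR, reports that the Windows API hands back stock Windows 7 MBR code while the raw sector read shows infected code ("MBR hidden"), finds an unknown module in the disk I/O path, and MBRCheck independently reports the MBR code as faked. As an added example, not code from this thread, from BleepingComputer, or from the aswMBR or MBRCheck tools, the following Python script parses a constructed log in that format into structured per-disk findings and ranks them, so the same checks can be applied consistently across many such logs. The line formats it matches are assumed from the lines quoted above, and the two sample logs are constructed.

```python
"""Triage helper for aswMBR-style MBR scan logs.

Added example; not a BleepingComputer, aswMBR or MBRCheck component.  The
line formats matched below are assumed from the log quoted in this thread.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample in the aswMBR format, mirroring the findings in the thread.
SAMPLE_LOG = """\
09:38:25.165 Disk 0 MBR read successfully
09:38:25.170 Disk 0 MBR scan
09:38:25.179 Disk 0 MBR:Alureon-K [Rtk]
09:38:25.186 Disk 0 TDL4@MBR code has been found
09:38:25.194 Disk 0 Windows 7 default MBR code found via API
09:38:25.201 Disk 0 MBR hidden
09:38:25.221 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12288 MB offset 2048
09:38:25.249 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 25167872
09:38:25.326 Disk 0 MBR [TDL4] **ROOTKIT**
09:38:25.353 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8004ef9334]<<
09:54:27.414 Scan finished successfully
"""

# Constructed sample of an uninfected disk in the same format.
CLEAN_LOG = """\
09:38:25.165 Disk 0 MBR read successfully
09:38:25.170 Disk 0 MBR scan
09:38:25.194 Disk 0 Windows 7 default MBR code found via API
09:38:25.221 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
09:54:27.414 Scan finished successfully
"""


@dataclass
class Partition:
    index: int
    boot_flag: str        # "80" = active/bootable, "00" = inactive
    type_id: str          # MBR type byte, e.g. "07" NTFS, "27" hidden WinRE
    size_mb: int
    offset_sectors: int


@dataclass
class DiskFindings:
    disk: int
    detections: list[str] = field(default_factory=list)
    api_mbr_looks_default: bool = False   # "default MBR code found via API"
    mbr_hidden: bool = False              # "MBR hidden"
    rootkit_flagged: bool = False         # "**ROOTKIT**" verdict line
    unknown_hooks: list[str] = field(default_factory=list)
    partitions: list[Partition] = field(default_factory=list)

    @property
    def view_mismatch(self) -> bool:
        # The raw sector read shows infected code but the OS API returns stock
        # code: something in the disk stack is filtering reads, which is how
        # a bootkit hides its own MBR from in-OS tools.
        return bool(self.detections) and self.api_mbr_looks_default


TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(.*)$")
DISK_RE = re.compile(r"^Disk (\d+)\b")
PART_RE = re.compile(r"^Disk \d+ Partition (\d+) ([0-9A-Fa-f]{2}) (?:\(A\) )?"
                     r"([0-9A-Fa-f]{2}) (.*?) (\d+) MB offset (\d+)$")
DET_RE = re.compile(r"^Disk \d+ MBR:(\S+)")
TDL_RE = re.compile(r"^Disk \d+ (\S+?)@MBR code has been found")
ROOTKIT_RE = re.compile(r"^Disk \d+ MBR \[([^\]]+)\] \*\*ROOTKIT\*\*")
HIDDEN_RE = re.compile(r"^Disk \d+ MBR hidden$")
API_RE = re.compile(r"^Disk \d+ .*default MBR code found via API$")
HOOK_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def _note(lst: list[str], item: str) -> None:
    if item not in lst:
        lst.append(item)


def parse_aswmbr(text: str) -> dict[int, DiskFindings]:
    """Parse one log into per-disk findings; lines without a timestamp are skipped."""
    disks: dict[int, DiskFindings] = {}
    current = None
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        dm = DISK_RE.match(msg)
        if dm:
            current = int(dm.group(1))
            disks.setdefault(current, DiskFindings(disk=current))
        if current is None:
            continue  # module-trace lines carry no disk number; use the last one named
        f = disks[current]
        if (pm := PART_RE.match(msg)):
            f.partitions.append(Partition(int(pm[1]), pm[2], pm[3], int(pm[5]), int(pm[6])))
        elif (x := DET_RE.match(msg)):
            _note(f.detections, x[1])
        elif (x := TDL_RE.match(msg)):
            _note(f.detections, x[1])
        elif (x := ROOTKIT_RE.match(msg)):
            f.rootkit_flagged = True
            _note(f.detections, x[1])
        elif HIDDEN_RE.match(msg):
            f.mbr_hidden = True
        elif API_RE.match(msg):
            f.api_mbr_looks_default = True
        elif (x := HOOK_RE.search(msg)):
            _note(f.unknown_hooks, x[1])
    return disks


def assess(f: DiskFindings) -> tuple[str, list[str]]:
    """Rank a disk: 'infected' (scanner verdict or API/raw view mismatch),
    'suspicious' (hidden MBR or unknown code in the I/O path only) or 'clean'."""
    reasons: list[str] = []
    if f.rootkit_flagged:
        reasons.append("scanner verdict: MBR rootkit (%s)" % ", ".join(f.detections))
    if f.view_mismatch:
        reasons.append("API view of MBR is stock while raw read shows %s: disk reads are being filtered"
                       % "/".join(f.detections))
    if f.mbr_hidden:
        reasons.append("MBR reported hidden")
    for addr in f.unknown_hooks:
        reasons.append("unknown module in disk I/O path at " + addr)
    if f.rootkit_flagged or f.view_mismatch:
        level = "infected"
    elif f.mbr_hidden or f.unknown_hooks:
        level = "suspicious"
    else:
        level = "clean"
    return level, reasons


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("clean", CLEAN_LOG)):
        for disk, findings in parse_aswmbr(log).items():
            level, reasons = assess(findings)
            print(f"{name}: disk {disk}: {level}")
            for r in reasons:
                print("  -", r)
```

The ranking deliberately treats the API-versus-raw mismatch as decisive on its own, even without a named signature: a disk whose MBR reads as stock through the OS but differs when read directly is being filtered by something in the storage stack, and that is the condition that makes an in-OS cleanup unreliable and an offline re-image the safer remediation.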

#6 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 December 2011 - 06:26 PM

Please run Combofix next

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 Virden

  • Topic Starter

  • Members
  • 8 posts

Posted 01 January 2012 - 09:31 AM

Sorry for the late reply.

ComboFix 11-12-31.03 - Gavin 01/01/2012 13:25:43.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3838.2614 [GMT 0:00]
Running from: c:\users\Gavin\Desktop\COMFIX.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\~ZoDVur8xl58fUg
c:\programdata\~ZoDVur8xl58fUgr
c:\programdata\ZoDVur8xl58fUg
c:\users\Gavin\AppData\Roaming\mIRC\logs\status.log
c:\windows\system32\java.exe
c:\windows\SysWow64\tmp5297.tmp
c:\windows\SysWow64\tmpD3F.tmp
c:\windows\SysWow64\tmpD4F.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-01 to 2012-01-01 )))))))))))))))))))))))))))))))
.
.
2012-01-01 13:59 . 2012-01-01 13:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-01 13:10 . 2012-01-01 13:10 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E965A727-5DBC-4051-B411-34B1AD3B228E}\offreg.dll
2012-01-01 09:44 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E965A727-5DBC-4051-B411-34B1AD3B228E}\mpengine.dll
2012-01-01 07:01 . 2012-01-01 07:01 0 ---ha-w- c:\users\Gavin\AppData\Local\BIT7F2C.tmp
2011-12-18 02:29 . 2011-12-18 02:29 388096 ----a-r- c:\users\Gavin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-18 02:29 . 2011-12-18 02:29 -------- d-----w- c:\program files (x86)\Trend Micro
2011-12-18 02:28 . 2011-12-18 02:28 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-12-17 16:48 . 2011-12-17 16:48 -------- d-----w- C:\_OTM
2011-12-16 22:18 . 2011-12-16 22:18 -------- d-----w- C:\$WINDOWS.~LS
2011-12-16 17:10 . 2011-12-16 17:29 -------- d-----w- c:\users\Gavin\AppData\Roaming\ImgBurn
2011-12-16 17:05 . 2011-12-16 17:05 -------- d-----w- c:\program files (x86)\ImgBurn
2011-12-16 16:55 . 2011-12-16 16:55 -------- d-----w- c:\program files (x86)\SuperBlank
2011-12-15 11:40 . 2011-12-15 11:40 -------- d-----w- c:\users\Gavin\AppData\Roaming\QuickScan
2011-12-15 00:24 . 2011-12-31 18:24 -------- d-----w- C:\ComboFix
2011-12-14 10:20 . 2011-11-24 04:52 3145216 ---ha-w- c:\windows\system32\win32k.sys
2011-12-14 10:20 . 2011-10-15 06:31 723456 ---ha-w- c:\windows\system32\EncDec.dll
2011-12-14 10:20 . 2011-10-15 05:38 534528 ---ha-w- c:\windows\SysWow64\EncDec.dll
2011-12-14 10:20 . 2011-11-05 05:32 2048 ---ha-w- c:\windows\system32\tzres.dll
2011-12-14 10:20 . 2011-11-05 04:26 2048 ---ha-w- c:\windows\SysWow64\tzres.dll
2011-12-13 21:02 . 2009-09-27 09:39 369152 ----a-w- c:\windows\SysWow64\avisynth.dll
2011-12-13 21:02 . 2005-07-14 12:31 32256 ----a-w- c:\windows\SysWow64\AVSredirect.dll
2011-12-13 21:02 . 2004-02-22 10:11 719872 ----a-w- c:\windows\SysWow64\devil.dll
2011-12-13 21:02 . 2004-01-25 00:00 70656 ----a-w- c:\windows\SysWow64\yv12vfw.dll
2011-12-13 21:02 . 2004-01-25 00:00 70656 ----a-w- c:\windows\SysWow64\i420vfw.dll
2011-12-13 21:02 . 2011-12-13 21:02 -------- d-----w- c:\program files (x86)\AviSynth 2.5
2011-12-13 10:15 . 2011-12-13 10:15 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-13 10:14 . 2011-12-13 10:14 -------- d-----w- c:\windows\system32\Macromed
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 11:40 . 2011-03-25 23:33 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-10 05:54 . 2011-01-18 21:41 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-10-14 09:29 . 2011-10-14 09:29 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
2011-10-11 14:27 . 2011-10-11 14:28 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23B31326-7D7C-44D0-8138-E680C80F6B8D}\gapaengine.dll
2006-05-03 12:06 163328 --sha-r- c:\windows\SysWOW64\flvDX.dll
2007-02-21 13:47 31232 --sha-r- c:\windows\SysWOW64\msfDX.dll
2008-03-16 15:30 216064 --sha-r- c:\windows\SysWOW64\nbDX.dll
2010-01-07 00:00 107520 --sha-r- c:\windows\SysWOW64\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-15_01.07.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2011-12-15 17:04 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-11-30 13:19 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-11-30 13:19 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-15 17:04 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-11-30 13:19 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-15 17:04 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-26 08:46 . 2012-01-01 13:12 52622 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-01 13:12 41582 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-01-18 20:16 . 2012-01-01 13:12 15382 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1459559820-3409449084-51288634-1001_UserData.bin
+ 2010-11-13 09:12 . 2011-12-30 22:37 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-11-13 09:12 . 2011-12-14 23:36 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-11-13 09:12 . 2011-12-30 22:37 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-11-13 09:12 . 2011-12-14 23:36 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-12-30 22:37 . 2011-12-30 22:37 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011123020111231\index.dat
+ 2011-12-29 22:34 . 2011-12-29 22:34 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011122920111230\index.dat
+ 2011-12-28 22:32 . 2011-12-28 22:32 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011122820111229\index.dat
+ 2011-12-27 22:22 . 2011-12-27 22:22 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011122720111228\index.dat
+ 2011-12-26 22:10 . 2011-12-26 22:10 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011122620111227\index.dat
+ 2011-12-26 22:10 . 2011-12-26 22:10 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011121920111226\index.dat
+ 2011-12-19 05:14 . 2011-12-19 05:14 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011121220111219\index.dat
- 2009-07-14 04:54 . 2011-12-14 23:36 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-30 22:37 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-01-18 18:22 . 2011-12-14 23:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-18 18:22 . 2012-01-01 13:10 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2011-12-24 20:11 94640 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2011-01-18 18:22 . 2011-12-14 23:36 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-01-18 18:22 . 2012-01-01 13:10 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-01-18 18:22 . 2011-12-14 23:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-18 18:22 . 2012-01-01 13:10 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-18 18:22 . 2012-01-01 09:38 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-18 18:22 . 2011-12-15 00:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-18 18:22 . 2011-12-15 00:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-18 18:22 . 2012-01-01 09:38 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-12-14 23:36 . 2011-12-14 23:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-01 13:10 . 2012-01-01 13:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-01 13:10 . 2012-01-01 13:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-12-14 23:36 . 2011-12-14 23:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-01-18 21:41 . 2011-01-18 21:41 157472 c:\windows\SysWOW64\javaws.exe
+ 2011-12-18 02:28 . 2011-11-10 05:54 157472 c:\windows\SysWOW64\javaws.exe
+ 2011-12-18 02:28 . 2011-11-10 05:54 149280 c:\windows\SysWOW64\javaw.exe
+ 2011-12-18 02:28 . 2011-11-10 05:54 149280 c:\windows\SysWOW64\java.exe
+ 2011-01-19 19:19 . 2012-01-01 07:00 354936 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2011-12-24 15:08 633878 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-12-14 23:42 633878 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-12-14 23:42 112870 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-12-24 15:08 112870 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-12-14 11:24 480152 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-01 09:46 480152 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-12-18 02:28 . 2011-12-18 02:28 207360 c:\windows\Installer\dc1e0.msi
+ 2011-12-20 22:03 . 2011-12-20 22:03 245760 c:\windows\Installer\6644d3.msi
+ 2011-12-17 16:44 . 2005-10-20 12:02 163328 c:\windows\ERDNT\17-12-2011\ERDNT.EXE
+ 2011-01-27 00:35 . 2012-01-01 09:46 3095440 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1459559820-3409449084-51288634-1001-12288.dat
- 2011-01-27 00:35 . 2011-12-14 11:24 3095440 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1459559820-3409449084-51288634-1001-12288.dat
+ 2011-12-17 18:17 . 2011-12-17 18:17 1402880 c:\windows\Installer\dc1e4.msi
+ 2011-12-17 16:44 . 2011-12-17 16:44 5316608 c:\windows\ERDNT\17-12-2011\Users\00000002\UsrClass.dat
+ 2011-12-17 16:44 . 2011-12-17 16:44 3485696 c:\windows\ERDNT\17-12-2011\Users\00000001\ntuser.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Gavin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Gavin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Gavin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Gavin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-06 2646128]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-26 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2010-03-08 260608]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-12 98304]
"googletalk"="c:\program files (x86)\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFYWVAtQTdQRk4tOURGUUktUVpBR0otNllYVVItSg&inst=NzYtOTUyODM5MDg3LUZMMTArMS1YTzEwKzExLUxJQysyLVNUMTJPSSsxLUREVCswLUVVTEErMS1TVDEyQVBQKzE&prod=92&ver=2012.0.1831&mid=4f042277a71c47d181761943ef7c5448-72601a18e19dfbc0921505fb0002f24c689f6f53" [?]
.
c:\users\Gavin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2011-2-6 100352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-18 135664]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-18 135664]
R3 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-05-25 2275720]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-11-06 50432]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe [2010-03-03 325200]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [2010-03-10 820768]
S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe [2010-01-08 23584]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2010-03-08 250368]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-11-06 144640]
S2 ODDPwrSvc;Acer ODD Power Service;c:\program files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [2010-04-22 171040]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-03-31 80896]
S2 UltraMonUtility;UltraMon Utility Driver;c:\program files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2010-01-28 243232]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-06 24176]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PBFILTER
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-18 19:34]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-18 19:34]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Gavin\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Gavin\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Gavin\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Gavin\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-25 10081312]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-02-25 877600]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-02-05 324608]
"ODDPwr"="c:\program files\Acer\Optical Drive Power Management\ODDPwr.exe" [2010-04-22 223264]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"PLFSetI"="c:\windows\PLFSetI.exe" [2010-01-13 206208]
"Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe" [2010-03-10 496160]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&m=aspire_5553g&r=27360111g206l04f3z135t4661l24s
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&m=aspire_5553g&r=27360111g206l04f3z135t4661l24s
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
FF - ProfilePath - c:\users\Gavin\AppData\Roaming\Mozilla\Firefox\Profiles\4bky4k1e.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1459559820-3409449084-51288634-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*3*(/F\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:02,e2,52,2f,e5,d0,19,4d,fc,81,b3,d3,46,f4,27,2d,2e,92,58,3e,31,
4b,5d,be,0c,4a,1c,10,82,d1,4f,52,43,00,ac,9f,f2,c8,ff,3e,17,d7,5c,26,ee,10,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:02,e2,52,2f,e5,d0,19,4d,fc,81,b3,d3,46,f4,27,2d,2e,92,58,3e,31,
4b,5d,be,0c,4a,1c,10,82,d1,4f,52,43,00,ac,9f,f2,c8,ff,3e,17,d7,5c,26,ee,10,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-01 14:21:43
ComboFix-quarantined-files.txt 2012-01-01 14:21
ComboFix2.txt 2011-12-15 01:30
.
Pre-Run: 42,120,142,848 bytes free
Post-Run: 41,862,008,832 bytes free
.
- - End Of File - - 1B4D9775442BB90E8183B8D20AF560DD

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:13 PM

Posted 01 January 2012 - 12:07 PM

We'll get Combofix to check one entry

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

RegNull::
[HKEY_USERS\S-1-5-21-1459559820-3409449084-51288634-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*3*(/F\OpenWithList]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the graphic below)


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it will produce a log for you at C:\ComboFix.txt, which I will require in your next reply.


Now please do the following as we need to check the Faked MBR report that aswMBR found earlier

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download dumpit to your USB
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

m0le is a proud member of UNITE

#9 Virden

Virden
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 01 January 2012 - 04:24 PM

Hello. Happy New Year! Thank you for your help - it is amazing that you are all here doing this.

I won't be able to access a clean computer until some point tomorrow I hope, though it could be on Tuesday as yet I am unsure.

Was just to let you know that I do still need help but may not be able to post the required logs immediately.

Thank you again.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:13 PM

Posted 02 January 2012 - 08:29 AM

No problem, thanks for letting me know :thumbup2:
m0le is a proud member of UNITE

#11 Virden

Virden
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 05 January 2012 - 10:17 AM

Hey Chap. Having issues using that program to burn the disc needed. The software will not accept 'blank' discs as it requires - having tried unformatted and formatted several times to no avail. The error message is simply 'please insert a 'blank' disc'. I do not know how to proceed outside of this other than using a different burning program? I can have access to this clean computer again tomorrow.

Cheers.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:13 PM

Posted 05 January 2012 - 06:28 PM

You can try the process using a USB drive and no CD

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed, do not choose to reboot the clean computer; simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

m0le is a proud member of UNITE
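
As an added example for the MBR-dump step in posts #8 and #12 above (this is not the dumpit script and not code posted by m0le or Virden), here is a Python script that sanity-checks the dumped sector once it is back on the clean computer. It assumes dumpit saves the disk's first sector as a raw 512-byte file inside mbr.zip (an assumption about its output format) and that you have a known-good MBR dump from the same Windows build to compare against (also an assumption; the sector data built into the script is constructed placeholder data, not real boot code).

```python
"""Sanity-check a raw 512-byte MBR dump.

Added example: not the dumpit script from the thread and not a real Windows
boot sector.  Assumes dumpit saved the disk's first sector as a raw 512-byte
file (an assumption about its output format).
"""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR = 512
BOOT_SIG = b"\x55\xaa"                      # last two bytes of the sector
BOOTSTRAP_LEN = 0x1B8                       # bootstrap code occupies 0x000..0x1B7
PART_TABLE_OFF = 0x1BE                      # four 16-byte partition entries
# status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def bootstrap_sha256(mbr: bytes) -> str:
    """Hash only the code region; disk signature and partition table differ per machine."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the four primary partition entries."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(
            mbr, PART_TABLE_OFF + i * PART_ENTRY.size)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def check_mbr(mbr: bytes, known_good_bootstrap_sha256: Optional[str] = None) -> List[str]:
    """Return findings as strings; an empty list means nothing looked wrong."""
    if len(mbr) != SECTOR:
        return [f"dump is {len(mbr)} bytes, expected {SECTOR}"]
    findings = []
    if mbr[SECTOR - 2:] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if not any(mbr[:BOOTSTRAP_LEN]):
        findings.append("bootstrap code region is all zeros")
    if known_good_bootstrap_sha256 and bootstrap_sha256(mbr) != known_good_bootstrap_sha256:
        findings.append("bootstrap code does not match the known-good reference")

    entries = parse_partitions(mbr)
    for p in entries:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"entry {p['index']}: empty type but non-zero extent")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"entry {p['index']}: partition with zero length")
    used = [p for p in entries if p["type"] != 0]
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged active")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in used)
    for (_, end_a, idx_a), (start_b, _, idx_b) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"entries {idx_a} and {idx_b} overlap")
    return findings


def build_mbr(bootstrap: bytes, layout, disk_sig: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Assemble a sector from a bootstrap blob and (status, type, lba, count) tuples.
    Used only to construct the sample data below."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    table = b"".join(PART_ENTRY.pack(st, b"\0" * 3, ty, b"\0" * 3, lba, cnt)
                     for st, ty, lba, cnt in layout).ljust(4 * PART_ENTRY.size, b"\x00")
    return code + disk_sig + b"\x00\x00" + table + BOOT_SIG


# Constructed samples: a placeholder "loader" blob, not real boot code.
REFERENCE_CODE = b"reference loader".ljust(120, b"\x90")
LAYOUT = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 976771072)]
CLEAN_MBR = build_mbr(REFERENCE_CODE, LAYOUT)
KNOWN_GOOD = bootstrap_sha256(CLEAN_MBR)
# Same partition table, but the code region has been replaced, as a bootkit would.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"hooked".ljust(200, b"\xcc"), LAYOUT)


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:                      # mbrcheck.py <dump> [<reference dump>]
        dump = open(sys.argv[1], "rb").read()
        ref = bootstrap_sha256(open(sys.argv[2], "rb").read()) if len(sys.argv) > 2 else None
    else:                                       # no arguments: demo on the constructed data
        dump, ref = TAMPERED_MBR, KNOWN_GOOD
    for p in parse_partitions(dump):
        if p["type"]:
            flag = " (active)" if p["status"] == 0x80 else ""
            print(f"entry {p['index']}: type 0x{p['type']:02x} start {p['lba_start']} "
                  f"sectors {p['sectors']}{flag}")
    for line in check_mbr(dump, ref) or ["no findings"]:
        print(line)
```

Run it as `python mbrcheck.py mbr.bin reference.bin` on the unzipped dump; with no arguments it runs on the constructed samples. Only the first 440 bytes are hashed, because the disk signature and partition table legitimately differ from machine to machine, while the bootstrap code is what a bootkit rewrites. A partition table that parses cleanly next to bootstrap code that no longer matches the reference is the pattern to look for when a scanner reports a faked MBR; a valid-looking table is also why such an infection is invisible from inside the running, hooked Windows.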

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:13 PM

Posted 11 January 2012 - 08:24 PM

Hi,

I have not had a reply from you for 7 days. Can you please tell me if you still need help with your computer, as I am unable to help other members with their problems while I have your topic still open? The time taken between posts can also change the situation with your PC, making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#14 Virden

Virden
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 12 January 2012 - 08:49 AM

Hi

I tried to do the USB .iso install, but on boot the sick computer failed to load and reached a screen that said 'could not load linux kernel'.

This is most likely due to me doing something wrong, so I will try to reload the USB later today. Sorry about the lack of contact.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:13 PM

Posted 12 January 2012 - 05:30 PM

:thumbup2:
m0le is a proud member of UNITE



