
Won't boot after Combofix


  • This topic is locked
8 replies to this topic

#1 sorabji

  • Members
  • 7 posts

Posted 01 March 2012 - 02:23 AM

Hello,

Got infected with sirefef trojan and then got frustrated because of a string of lack of progress and now Win 7 won't boot. Logs from the Farbar scan and Combofix are below. (Farbar is first)

Any help would be appreciated.

Thanks.

*** *** *** *** *** *** *** ***

Farbar log

Scan result of Farbar Recovery Scan Tool Version: 29-02-2012 01
Ran by SYSTEM at 01-03-2012 04:16:37
Running from F:\combofix_recover
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [HDSPTray1] hdsp32.exe [x]
HKLM\...\Run: [HDSPTray2] hdspmix.exe [x]
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2221352 2008-06-08] (Nero AG)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [40376 2011-09-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640440 2010-09-22] (Adobe Systems Inc.)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [402432 2010-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-06-07] (Apple Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [460872 2012-01-13] (Malwarebytes Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-01-03] (Adobe Systems Incorporated)
HKU\Cristina\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Cristina\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5487488 2012-02-16] (SUPERAntiSpyware.com)
HKU\Cristina\...\Policies\system: [LogonHoursAction] 2
HKU\Cristina\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Hogwarts\...\Run: [Google Update] "C:\Users\Hogwarts\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-10-08] (Google Inc.)
HKU\Hogwarts\...\Run: [AdobeBridge] [x]
HKU\Hogwarts\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKU\Hogwarts\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5487488 2012-02-16] (SUPERAntiSpyware.com)
HKU\Hogwarts\...\Run: [cacaoweb] "C:\Users\Hogwarts\AppData\Roaming\cacaoweb\cacaoweb.exe" -noplayer [x]
HKU\Hogwarts\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [x]
HKU\Hogwarts\...\Policies\system: [LogonHoursAction] 2
HKU\Hogwarts\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKLM-x32\...\Runonce: [GrpConv] grpconv -o [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
AppInit_DLLs: C:\Windows\System32\acaptuser64.dll
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-09-02] (SUPERAntiSpyware.com)
3 FLEXnet Licensing Service; "C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [651720 2010-10-08] (Macrovision Europe Ltd.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [652360 2012-01-13] (Malwarebytes Corporation)
2 Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [877864 2008-06-08] (Nero AG)
3 NMIndexingService; "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe" [537896 2008-06-24] (Nero AG)
2 PLFlash DeviceIoControl Service; C:\Windows\SysWOW64\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 TabletServicePen; C:\Windows\system32\Pen_Tablet.exe [1909032 2007-09-07] (Wacom Technology, Corp.)
2 wdm_au8820; C:\Windows\System32\olapserver.dll [6656 2009-07-13] (Oak Technology Inc.)

========================== Drivers (Whitelisted) =============

0 ahcix64s; C:\Windows\System32\DRIVERS\ahcix64s.sys [231224 2009-05-18] (Advanced Micro Devices, Inc)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
3 E100B; C:\Windows\System32\DRIVERS\efe5b32e.sys [192256 2009-06-10] (Intel Corporation)
3 hdsp; C:\Windows\System32\drivers\hdsp_64.sys [102400 2011-08-03] (RME)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [23152 2011-12-10] (Malwarebytes Corporation)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 Ser2pl; C:\Windows\System32\DRIVERS\ser2pl64.sys [97280 2010-03-12] (Prolific Technology Inc.)
3 VSTWinDriver6; C:\Windows\System32\drivers\VSTwindrvr6.sys [252928 2008-07-03] (Jungo)
3 wacommousefilter; C:\Windows\System32\DRIVERS\wacommousefilter.sys [12848 2007-02-16] (Wacom Technology)
3 wacomvhid; C:\Windows\System32\DRIVERS\wacomvhid.sys [14640 2007-02-16] (Wacom Technology)
3 WacomVKHid; C:\Windows\System32\DRIVERS\WacomVKHid.sys [12976 2007-02-15] (Wacom Technology)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
2 DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [x]
0 hotcore2; C:\Windows\System32\drivers\hotcore2.sys [x]
3 KMW_KBD; C:\Windows\System32\DRIVERS\KMW_KBD.sys [x]
2 SSPORT; \??\C:\Windows\system32\Drivers\SSPORT.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
1 ujuhenav; \??\C:\Windows\system32\drivers\ujuhenav.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: wdm_au8820
NETSVC: AppnBase

============ One Month Created Files and Folders ==============

2012-03-01 01:07 - 2012-02-27 17:56 - 0285280 ____A (Acronis) C:\Windows\System32\Drivers\afcdp.sys
2012-03-01 01:07 - 2012-02-27 17:56 - 0277088 ____A (Acronis) C:\Windows\System32\Drivers\snapman.sys
2012-03-01 01:07 - 2011-12-20 02:00 - 0296512 ____A (Lynx Studio Technology, Inc.) C:\Windows\System32\Drivers\LynxV264.sys
2012-03-01 01:07 - 2011-02-16 17:23 - 0074240 ____A (Research In Motion Limited) C:\Windows\System32\Drivers\RimUsb_AMD64.sys
2012-03-01 01:07 - 2011-01-03 00:38 - 0177128 ____A (MCCI Corporation) C:\Windows\System32\Drivers\ssadmdm.sys
2012-03-01 01:07 - 2011-01-03 00:38 - 0157160 ____A (MCCI Corporation) C:\Windows\System32\Drivers\ssadbus.sys
2012-03-01 01:07 - 2011-01-03 00:38 - 0016872 ____A (MCCI Corporation) C:\Windows\System32\Drivers\ssadmdfl.sys
2012-03-01 01:07 - 2011-01-03 00:38 - 0013800 ____A (MCCI Corporation) C:\Windows\System32\Drivers\ssadwhnt.sys
2012-03-01 01:07 - 2011-01-03 00:38 - 0013800 ____A (MCCI Corporation) C:\Windows\System32\Drivers\ssadwh.sys
2012-03-01 01:07 - 2011-01-03 00:38 - 0013288 ____A (MCCI Corporation) C:\Windows\System32\Drivers\ssadcmnt.sys
2012-03-01 01:07 - 2011-01-03 00:38 - 0013288 ____A (MCCI Corporation) C:\Windows\System32\Drivers\ssadcm.sys
2012-03-01 01:07 - 2010-12-24 14:27 - 0029288 ____A (Wondershare) C:\Windows\System32\Drivers\WsAudio_DeviceS(5).sys
2012-03-01 01:07 - 2010-12-24 14:27 - 0029288 ____A (Wondershare) C:\Windows\System32\Drivers\WsAudio_DeviceS(4).sys
2012-03-01 01:07 - 2010-12-24 14:27 - 0029288 ____A (Wondershare) C:\Windows\System32\Drivers\WsAudio_DeviceS(3).sys
2012-03-01 01:07 - 2010-12-24 14:27 - 0029288 ____A (Wondershare) C:\Windows\System32\Drivers\WsAudio_DeviceS(2).sys
2012-03-01 01:07 - 2010-12-24 14:27 - 0029288 ____A (Wondershare) C:\Windows\System32\Drivers\WsAudio_DeviceS(1).sys
2012-03-01 01:07 - 2010-12-20 21:55 - 0172104 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdmdm.sys
2012-03-01 01:07 - 2010-12-20 21:55 - 0136264 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdbus.sys
2012-03-01 01:07 - 2010-12-20 21:55 - 0019016 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdmdfl.sys
2012-03-01 01:07 - 2010-12-20 21:55 - 0015944 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdwhnt.sys
2012-03-01 01:07 - 2010-12-20 21:55 - 0015944 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdwh.sys
2012-03-01 01:07 - 2010-12-20 21:55 - 0015432 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdcmnt.sys
2012-03-01 01:07 - 2010-12-20 21:55 - 0015432 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdcm.sys
2012-03-01 01:07 - 2010-12-13 19:54 - 0058472 ____A (Realtek Corporation) C:\Windows\System32\Drivers\RtTeam60.sys
2012-03-01 01:07 - 2010-12-13 19:54 - 0027136 ____A (Realtek ) C:\Windows\System32\Drivers\RtNdPt60.sys
2012-03-01 01:07 - 2010-12-13 19:54 - 0024064 ____A (Windows ® Codename Longhorn DDK provider) C:\Windows\System32\Drivers\RtVlan60.sys
2012-03-01 01:07 - 2010-11-20 02:43 - 0041984 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\winusb.sys
2012-03-01 01:07 - 2010-10-24 21:25 - 0188928 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-03-01 01:07 - 2010-10-24 21:25 - 0072064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-03-01 01:07 - 2010-10-24 21:25 - 0040832 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpNWMon.sys
2012-03-01 01:07 - 2010-07-01 15:11 - 0051024 ____A (Dritek System Inc.) C:\Windows\System32\Drivers\HMuKstE.sys
2012-03-01 01:07 - 2010-04-26 17:30 - 0184968 ____A (Renesas Electronics Corporation) C:\Windows\System32\Drivers\nusb3xhc.sys
2012-03-01 01:07 - 2010-04-26 17:29 - 0083080 ____A (Renesas Electronics Corporation) C:\Windows\System32\Drivers\nusb3hub.sys
2012-03-01 01:07 - 2010-03-26 07:15 - 0287448 ____A (Intel Corporation) C:\Windows\System32\Drivers\e1e6232e.sys
2012-03-01 01:07 - 2009-10-21 12:01 - 0767488 ____A (Atheros Communications, Inc.) C:\Windows\System32\Drivers\WNDA31w7x.sys
2012-03-01 01:07 - 2009-08-26 07:48 - 0071040 ____A (Aladdin Knowledge Systems Ltd.) C:\Windows\System32\Drivers\aksdf.sys
2012-03-01 01:07 - 2009-07-09 02:00 - 0055280 ____A (Sonic Solutions) C:\Windows\System32\Drivers\PxHlpa64.sys
2012-03-01 01:07 - 2009-06-23 02:00 - 0010224 ____A (Sonic Solutions) C:\Windows\System32\Drivers\cdralw2k.sys
2012-03-01 01:07 - 2009-06-23 02:00 - 0010224 ____A (Sonic Solutions) C:\Windows\System32\Drivers\cdr4_xp.sys
2012-03-01 01:07 - 2009-06-10 12:35 - 0278016 ____A (Intel Corporation) C:\Windows\System32\Drivers\e1e6032e.sys
2012-03-01 01:07 - 2009-05-25 16:56 - 0017440 ____A (HighPoint Technologies, Inc.) C:\Windows\System32\Drivers\hptiop.sys
2012-03-01 01:07 - 2009-05-12 14:28 - 0031784 ____A (GARMIN Corp.) C:\Windows\System32\Drivers\grmngen.sys
2012-03-01 01:07 - 2009-05-08 10:08 - 0020520 ____A (GARMIN Corp.) C:\Windows\System32\Drivers\grmnusb.sys
2012-03-01 01:07 - 2009-03-13 11:55 - 0318464 ____A (Aladdin Knowledge Systems Ltd.) C:\Windows\System32\Drivers\hardlock.sys
2012-03-01 01:07 - 2009-01-09 14:02 - 0031744 ____A (Research in Motion Ltd) C:\Windows\System32\Drivers\RimSerial_AMD64.sys
2012-03-01 01:07 - 2009-01-08 11:55 - 0129280 ____A (Aladdin Knowledge Systems Ltd.) C:\Windows\System32\Drivers\aksfridge.sys
2012-03-01 01:07 - 2008-10-01 15:44 - 0026624 ____A (Atheros Communications, Inc.) C:\Windows\System32\Drivers\jswpslwfx.sys
2012-03-01 01:07 - 2007-01-19 17:24 - 0025312 ____A (Windows ® Codename Longhorn DDK provider) C:\Windows\System32\Drivers\SCMNdisP.sys
2012-03-01 01:07 - 2006-11-28 20:46 - 0043328 ____A (Printing Communications Assoc., Inc. (PCAUSA)) C:\Windows\System32\Drivers\PCAMp50a64.sys
2012-03-01 01:07 - 2006-11-28 20:46 - 0041280 ____A (Printing Communications Assoc., Inc. (PCAUSA)) C:\Windows\System32\Drivers\PCASp50a64.sys
2012-02-29 04:56 - 2012-02-29 04:56 - 0000292 __ASH C:\Windows\8306395drv.spi
2012-02-29 04:54 - 2012-02-29 04:54 - 0001016 ____A C:\Users\Cristina\Start Menu\Programs\Startup\_uninst_93157181.lnk
2012-02-29 04:54 - 2012-02-29 04:54 - 0001016 ____A C:\Users\Cristina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_93157181.lnk
2012-02-29 04:54 - 2012-02-29 04:54 - 0000000 ____D C:\Users\All Users\Kaspersky Lab
2012-02-29 04:54 - 2012-02-29 04:54 - 0000000 ____D C:\ProgramData\Kaspersky Lab
2012-02-29 04:53 - 2012-02-28 19:53 - 122630768 ____A C:\Users\Cristina\Desktop\setup_11.0.0.1245.x01_2012_02_29_07_04.exe
2012-02-29 04:49 - 2012-02-29 04:49 - 0016906 ____A C:\ComboFix.txt
2012-02-29 04:47 - 2012-02-29 04:47 - 0000000 ____D C:\$RECYCLE.BIN
2012-02-29 04:17 - 2012-02-29 04:59 - 0000910 ____A C:\Windows\PFRO.log
2012-02-29 03:28 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2012-02-29 03:28 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2012-02-29 03:28 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-02-29 03:28 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-02-29 03:28 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-02-29 03:28 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2012-02-29 03:28 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2012-02-29 03:28 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2012-02-29 03:16 - 2012-02-29 03:16 - 0081968 ____A C:\TDSSKiller.2.7.15.0_29.02.2012_03.16.08_log.txt
2012-02-29 03:10 - 2012-02-29 03:25 - 0016144 ____A (ESET spol. s r.o.) C:\Windows\System32\Drivers\SirefefRemover.sys
2012-02-29 02:28 - 2012-02-29 04:49 - 0000000 ____D C:\Qoobox
2012-02-29 02:05 - 2012-02-29 02:05 - 0000000 ____A C:\Users\Cristina\junction.txt
2012-02-29 01:46 - 2012-02-29 01:46 - 0000000 ____D C:\Users\Cristina\Desktop\sirefef
2012-02-29 01:45 - 2012-02-28 15:24 - 4420957 ____R (Swearware) C:\Users\Cristina\Desktop\ComboFix.exe
2012-02-29 01:05 - 2012-02-29 04:17 - 0000504 ____A C:\Windows\setupact.log
2012-02-29 01:05 - 2012-02-29 01:05 - 0000000 ____A C:\Windows\setuperr.log
2012-02-29 01:03 - 2012-02-29 01:04 - 0080356 ____A C:\TDSSKiller.2.7.15.0_29.02.2012_01.03.40_log.txt
2012-02-29 00:55 - 2012-03-01 02:04 - 0425398 ____A C:\Windows\ntbtlog.txt
2012-02-29 00:55 - 2012-02-29 00:56 - 0080356 ____A C:\TDSSKiller.2.7.15.0_29.02.2012_00.55.42_log.txt
2012-02-29 00:33 - 2012-02-29 00:34 - 0080356 ____A C:\TDSSKiller.2.7.15.0_29.02.2012_00.33.10_log.txt
2012-02-29 00:25 - 2012-02-29 00:25 - 0080356 ____A C:\TDSSKiller.2.7.15.0_29.02.2012_00.25.08_log.txt
2012-02-28 20:26 - 2009-07-13 17:52 - 0024128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\atapi.sys
2012-02-28 19:35 - 2012-02-28 19:36 - 0081664 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_19.35.15_log.txt
2012-02-28 08:39 - 2012-02-28 08:39 - 0001278 ____A C:\Users\Cristina\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
2012-02-28 08:39 - 2012-02-28 08:39 - 0001278 ____A C:\Users\Cristina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
2012-02-28 08:38 - 2012-02-28 08:39 - 3846656 ____A C:\Users\Cristina\Downloads\foto12-1.pps
2012-02-28 08:34 - 2012-02-28 09:03 - 0235580 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_08.34.25_log.txt
2012-02-28 08:30 - 2012-02-28 08:31 - 0080356 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_08.30.36_log.txt
2012-02-28 07:52 - 2012-02-28 07:57 - 0157676 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_07.52.19_log.txt
2012-02-28 07:45 - 2012-02-28 07:50 - 0080356 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_07.45.04_log.txt
2012-02-28 07:27 - 2012-02-28 07:28 - 0081224 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_07.27.44_log.txt
2012-02-28 07:25 - 2012-02-28 07:25 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-02-28 07:24 - 2012-02-28 07:25 - 0082916 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_07.24.49_log.txt
2012-02-28 07:24 - 2012-02-28 07:24 - 0000000 ____D C:\Users\Cristina\Downloads\tdsskiller
2012-02-28 07:24 - 2012-02-27 12:59 - 2062896 ____A (Kaspersky Lab ZAO) C:\Users\Cristina\Desktop\TDSSKiller.exe
2012-02-27 00:41 - 2012-02-27 00:41 - 2134040 ____A C:\Users\Cristina\Downloads\vsthostx64.zip
2012-02-27 00:41 - 2012-02-27 00:41 - 1424132 ____A C:\Users\Cristina\Downloads\vsthostx86.zip
2012-02-26 11:44 - 2012-02-26 11:44 - 0435497 ____A C:\Users\Cristina\Downloads\RR3510-Firmware-1.3.44.7.zip
2012-02-26 11:44 - 2012-02-26 11:44 - 0208417 ____A C:\Users\Cristina\Downloads\hptflash-linux-060307.tgz
2012-02-26 11:44 - 2012-02-26 11:44 - 0036187 ____A C:\Users\Cristina\Downloads\hptiop-win-1.2.28.28.zip
2012-02-26 01:43 - 2012-02-29 02:32 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-02-16 23:35 - 2012-02-16 23:35 - 0000000 ____D C:\users\junk
2012-02-16 23:04 - 2011-12-13 23:43 - 17790464 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-16 23:04 - 2011-12-13 23:16 - 10887168 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-16 23:04 - 2011-12-13 23:11 - 2308096 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-16 23:04 - 2011-12-13 23:04 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-16 23:04 - 2011-12-13 23:04 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-16 23:04 - 2011-12-13 23:03 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-16 23:04 - 2011-12-13 23:03 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-16 23:04 - 2011-12-13 23:01 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-16 23:04 - 2011-12-13 23:00 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-16 23:04 - 2011-12-13 22:59 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-16 23:04 - 2011-12-13 22:57 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-16 23:04 - 2011-12-13 22:57 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-16 23:04 - 2011-12-13 22:53 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-16 23:04 - 2011-12-13 19:30 - 12282368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-02-16 23:04 - 2011-12-13 19:10 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-02-16 23:04 - 2011-12-13 19:04 - 1798656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-02-16 23:04 - 2011-12-13 18:57 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-02-16 23:04 - 2011-12-13 18:57 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-02-16 23:04 - 2011-12-13 18:56 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-02-16 23:04 - 2011-12-13 18:55 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-02-16 23:04 - 2011-12-13 18:54 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-02-16 23:04 - 2011-12-13 18:53 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-02-16 23:04 - 2011-12-13 18:52 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-02-16 23:04 - 2011-12-13 18:50 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-02-16 23:04 - 2011-12-13 18:50 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-02-16 23:04 - 2011-12-13 18:47 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-02-16 23:01 - 2012-02-16 23:01 - 0002243 ____A C:\Users\Cristina\Desktop\Spybot - Search & Destroy.lnk
2012-02-16 07:07 - 2012-01-13 20:06 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-16 07:07 - 2012-01-04 02:44 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-02-16 07:07 - 2012-01-04 02:44 - 0509952 ____A (Microsoft Corporation) C:\Windows\System32\ntshrui.dll
2012-02-16 07:07 - 2012-01-04 00:59 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-02-16 07:07 - 2012-01-04 00:58 - 0442880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntshrui.dll
2012-02-16 07:07 - 2011-12-29 22:26 - 0515584 ____A (Microsoft Corporation) C:\Windows\System32\timedate.cpl
2012-02-16 07:07 - 2011-12-29 21:27 - 0478720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\timedate.cpl
2012-02-16 07:07 - 2011-11-16 22:49 - 0152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-02-16 07:07 - 2011-11-16 22:49 - 0095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-02-16 07:07 - 2011-11-16 22:44 - 0459232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-02-16 07:07 - 2011-11-16 22:35 - 1447936 ____A (Microsoft Corporation) C:\Windows\System32\lsasrv.dll
2012-02-16 07:07 - 2011-11-16 22:35 - 0395776 ____A (Microsoft Corporation) C:\Windows\System32\webio.dll
2012-02-16 07:07 - 2011-11-16 22:35 - 0340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-02-16 07:07 - 2011-11-16 22:35 - 0136192 ____A (Microsoft Corporation) C:\Windows\System32\sspicli.dll
2012-02-16 07:07 - 2011-11-16 22:35 - 0029184 ____A (Microsoft Corporation) C:\Windows\System32\sspisrv.dll
2012-02-16 07:07 - 2011-11-16 22:35 - 0028160 ____A (Microsoft Corporation) C:\Windows\System32\secur32.dll
2012-02-16 07:07 - 2011-11-16 22:33 - 0031232 ____A (Microsoft Corporation) C:\Windows\System32\lsass.exe
2012-02-16 07:07 - 2011-11-16 21:35 - 0314880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webio.dll
2012-02-16 07:07 - 2011-11-16 21:34 - 0224768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-02-16 07:07 - 2011-11-16 21:34 - 0022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-02-16 07:07 - 2011-11-16 21:28 - 0096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-02-16 07:07 - 2011-10-25 21:25 - 1572864 ____A (Microsoft Corporation) C:\Windows\System32\quartz.dll
2012-02-16 07:07 - 2011-10-25 21:25 - 0366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-02-16 07:07 - 2011-10-25 20:32 - 1328128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2012-02-16 07:07 - 2011-10-25 20:32 - 0514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-02-16 07:06 - 2011-11-16 22:41 - 1731920 ____A (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2012-02-16 07:06 - 2011-11-16 21:38 - 1292080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2012-02-16 07:05 - 2011-12-27 19:59 - 0498688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2012-02-16 07:05 - 2011-12-16 00:46 - 0634880 ____A (Microsoft Corporation) C:\Windows\System32\msvcrt.dll
2012-02-16 07:05 - 2011-12-15 23:52 - 0690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcrt.dll
2012-02-16 07:04 - 2011-11-19 06:58 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\packager.dll
2012-02-16 07:04 - 2011-11-19 06:01 - 0067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2012-02-16 07:04 - 2009-06-10 13:07 - 0145640 ____A C:\Users\Cristina\Desktop\devmgmt.msc
2012-02-16 06:55 - 2012-02-16 06:55 - 3255248 ____A (Javacool Software LLC ) C:\Users\Cristina\Downloads\spywareblastersetup46.exe


============ 3 Months Modified Files and Folders =============

2012-03-01 04:16 - 2012-03-01 04:16 - 0000000 ____D C:\FRST
2012-03-01 02:04 - 2012-02-29 00:55 - 0425398 ____A C:\Windows\ntbtlog.txt
2012-03-01 02:04 - 2010-10-08 14:57 - 2140545024 __ASH C:\hiberfil.sys
2012-02-29 04:59 - 2012-02-29 04:17 - 0000910 ____A C:\Windows\PFRO.log
2012-02-29 04:58 - 2010-10-08 15:00 - 1098377 ____A C:\Windows\WindowsUpdate.log
2012-02-29 04:56 - 2012-02-29 04:56 - 0000292 __ASH C:\Windows\8306395drv.spi
2012-02-29 04:54 - 2012-02-29 04:54 - 0001016 ____A C:\Users\Cristina\Start Menu\Programs\Startup\_uninst_93157181.lnk
2012-02-29 04:54 - 2012-02-29 04:54 - 0001016 ____A C:\Users\Cristina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_93157181.lnk
2012-02-29 04:54 - 2012-02-29 04:54 - 0000000 ____D C:\Users\All Users\Kaspersky Lab
2012-02-29 04:54 - 2012-02-29 04:54 - 0000000 ____D C:\ProgramData\Kaspersky Lab
2012-02-29 04:51 - 2010-10-08 20:39 - 0000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495256483-3459891758-660568540-1004UA.job
2012-02-29 04:49 - 2012-02-29 04:49 - 0016906 ____A C:\ComboFix.txt
2012-02-29 04:49 - 2012-02-29 02:28 - 0000000 ____D C:\Qoobox
2012-02-29 04:49 - 2009-07-13 21:13 - 0726444 ____A C:\Windows\System32\PerfStringBackup.INI
2012-02-29 04:49 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-02-29 04:48 - 2010-10-08 19:05 - 0000000 ____D C:\Windows\ERDNT
2012-02-29 04:47 - 2012-02-29 04:47 - 0000000 ____D C:\$RECYCLE.BIN
2012-02-29 04:47 - 2010-10-09 14:57 - 0000000 ____D C:\Users\Cristina\AppData\Roaming\WTablet
2012-02-29 04:47 - 2009-07-13 18:34 - 0000302 ____A C:\Windows\system.ini
2012-02-29 04:47 - 2009-07-13 18:34 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-02-29 04:24 - 2009-07-13 20:45 - 0018192 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-02-29 04:24 - 2009-07-13 20:45 - 0018192 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-02-29 04:17 - 2012-02-29 01:05 - 0000504 ____A C:\Windows\setupact.log
2012-02-29 04:17 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-02-29 04:16 - 2009-07-13 18:34 - 68943872 ____A C:\Windows\System32\config\SOFTWARE.bak
2012-02-29 04:16 - 2009-07-13 18:34 - 4980736 ____A C:\Windows\System32\config\DEFAULT.bak
2012-02-29 04:16 - 2009-07-13 18:34 - 18350080 ____A C:\Windows\System32\config\SYSTEM.bak
2012-02-29 04:16 - 2009-07-13 18:34 - 0262144 ____A C:\Windows\System32\config\SAM.bak
2012-02-29 04:16 - 2009-07-13 18:34 - 0024576 ____A C:\Windows\System32\config\SECURITY.bak
2012-02-29 04:02 - 2010-10-08 16:41 - 0000920 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495256483-3459891758-660568540-1000UA.job
2012-02-29 03:27 - 2011-02-02 14:23 - 0001945 ____A C:\Windows\epplauncher.mif
2012-02-29 03:25 - 2012-02-29 03:10 - 0016144 ____A (ESET spol. s r.o.) C:\Windows\System32\Drivers\SirefefRemover.sys
2012-02-29 03:16 - 2012-02-29 03:16 - 0081968 ____A C:\TDSSKiller.2.7.15.0_29.02.2012_03.16.08_log.txt
2012-02-29 02:32 - 2012-02-26 01:43 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-02-29 02:05 - 2012-02-29 02:05 - 0000000 ____A C:\Users\Cristina\junction.txt
2012-02-29 02:05 - 2010-10-08 15:22 - 0000000 ____D C:\users\Cristina
2012-02-29 01:46 - 2012-02-29 01:46 - 0000000 ____D C:\Users\Cristina\Desktop\sirefef
2012-02-29 01:05 - 2012-02-29 01:05 - 0000000 ____A C:\Windows\setuperr.log
2012-02-29 01:04 - 2012-02-29 01:03 - 0080356 ____A C:\TDSSKiller.2.7.15.0_29.02.2012_01.03.40_log.txt
2012-02-29 00:57 - 2010-10-08 19:01 - 0000000 ____D C:\Program Files (x86)\SpywareBlaster
2012-02-29 00:56 - 2012-02-29 00:55 - 0080356 ____A C:\TDSSKiller.2.7.15.0_29.02.2012_00.55.42_log.txt
2012-02-29 00:56 - 2010-10-08 22:06 - 0000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-02-29 00:56 - 2010-10-08 22:06 - 0000000 ____D C:\ProgramData\Spybot - Search & Destroy
2012-02-29 00:34 - 2012-02-29 00:33 - 0080356 ____A C:\TDSSKiller.2.7.15.0_29.02.2012_00.33.10_log.txt
2012-02-29 00:25 - 2012-02-29 00:25 - 0080356 ____A C:\TDSSKiller.2.7.15.0_29.02.2012_00.25.08_log.txt
2012-02-28 19:53 - 2012-02-29 04:53 - 122630768 ____A C:\Users\Cristina\Desktop\setup_11.0.0.1245.x01_2012_02_29_07_04.exe
2012-02-28 19:36 - 2012-02-28 19:35 - 0081664 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_19.35.15_log.txt
2012-02-28 19:34 - 2011-05-31 15:33 - 0000000 ____D C:\Users\Cristina\Desktop\serial_usb
2012-02-28 15:24 - 2012-02-29 01:45 - 4420957 ____R (Swearware) C:\Users\Cristina\Desktop\ComboFix.exe
2012-02-28 09:03 - 2012-02-28 08:34 - 0235580 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_08.34.25_log.txt
2012-02-28 08:39 - 2012-02-28 08:39 - 0001278 ____A C:\Users\Cristina\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
2012-02-28 08:39 - 2012-02-28 08:39 - 0001278 ____A C:\Users\Cristina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
2012-02-28 08:39 - 2012-02-28 08:38 - 3846656 ____A C:\Users\Cristina\Downloads\foto12-1.pps
2012-02-28 08:31 - 2012-02-28 08:30 - 0080356 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_08.30.36_log.txt
2012-02-28 07:57 - 2012-02-28 07:52 - 0157676 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_07.52.19_log.txt
2012-02-28 07:51 - 2011-05-25 11:56 - 0000000 ____D C:\Users\Cristina\AppData\Local\ElevatedDiagnostics
2012-02-28 07:51 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2012-02-28 07:50 - 2012-02-28 07:45 - 0080356 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_07.45.04_log.txt
2012-02-28 07:28 - 2012-02-28 07:27 - 0081224 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_07.27.44_log.txt
2012-02-28 07:25 - 2012-02-28 07:25 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-02-28 07:25 - 2012-02-28 07:24 - 0082916 ____A C:\TDSSKiller.2.7.15.0_28.02.2012_07.24.49_log.txt
2012-02-28 07:24 - 2012-02-28 07:24 - 0000000 ____D C:\Users\Cristina\Downloads\tdsskiller
2012-02-28 07:02 - 2010-10-08 16:41 - 0000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495256483-3459891758-660568540-1000Core.job
2012-02-27 20:27 - 2010-10-09 15:06 - 0000000 ____D C:\Users\Hogwarts\AppData\Roaming\WTablet
2012-02-27 17:56 - 2012-03-01 01:07 - 0285280 ____A (Acronis) C:\Windows\System32\Drivers\afcdp.sys
2012-02-27 17:56 - 2012-03-01 01:07 - 0277088 ____A (Acronis) C:\Windows\System32\Drivers\snapman.sys
2012-02-27 17:56 - 2011-02-25 11:24 - 1263200 ____A (Acronis) C:\Windows\System32\Drivers\tdrpm273.sys
2012-02-27 17:56 - 2011-02-25 11:24 - 0943712 ____A (Acronis) C:\Windows\System32\Drivers\timntr.sys
2012-02-27 14:31 - 2010-10-08 18:02 - 0000000 ____D C:\Users\Cristina\AppData\Roaming\Skype
2012-02-27 14:31 - 2010-10-08 18:01 - 0000000 ____D C:\Users\All Users\Skype
2012-02-27 14:31 - 2010-10-08 18:01 - 0000000 ____D C:\ProgramData\Skype
2012-02-27 14:30 - 2011-06-14 23:37 - 0000000 ____D C:\Windows\System32\appmgmt
2012-02-27 14:30 - 2011-06-05 19:49 - 0000000 ____D C:\Program Files (x86)\DivX
2012-02-27 14:30 - 2010-12-25 14:16 - 0000000 ____D C:\Users\All Users\DivX
2012-02-27 14:30 - 2010-12-25 14:16 - 0000000 ____D C:\ProgramData\DivX
2012-02-27 14:29 - 2010-10-08 15:22 - 0000000 ____D C:\Users\Cristina\AppData\LocalLow
2012-02-27 12:59 - 2012-02-28 07:24 - 2062896 ____A (Kaspersky Lab ZAO) C:\Users\Cristina\Desktop\TDSSKiller.exe
2012-02-27 00:41 - 2012-02-27 00:41 - 2134040 ____A C:\Users\Cristina\Downloads\vsthostx64.zip
2012-02-27 00:41 - 2012-02-27 00:41 - 1424132 ____A C:\Users\Cristina\Downloads\vsthostx86.zip
2012-02-26 12:51 - 2010-10-08 20:39 - 0000868 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495256483-3459891758-660568540-1004Core.job
2012-02-26 11:47 - 2011-12-13 03:42 - 0000000 ____D C:\Users\Cristina\Downloads\highpoint
2012-02-26 11:44 - 2012-02-26 11:44 - 0435497 ____A C:\Users\Cristina\Downloads\RR3510-Firmware-1.3.44.7.zip
2012-02-26 11:44 - 2012-02-26 11:44 - 0208417 ____A C:\Users\Cristina\Downloads\hptflash-linux-060307.tgz
2012-02-26 11:44 - 2012-02-26 11:44 - 0036187 ____A C:\Users\Cristina\Downloads\hptiop-win-1.2.28.28.zip
2012-02-26 02:02 - 2009-07-13 21:08 - 0032554 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-02-25 21:46 - 2010-10-08 16:28 - 0000000 ____D C:\Users\Cristina\AppData\Roaming\Adobe
2012-02-17 00:50 - 2010-10-08 15:23 - 0000174 ___SH C:\Users\Cristina\Start Menu\Programs\Startup\desktop.ini
2012-02-17 00:50 - 2010-10-08 15:23 - 0000174 ___SH C:\Users\Cristina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-02-17 00:18 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2012-02-16 23:36 - 2009-07-13 20:45 - 4856208 ____A C:\Windows\System32\FNTCACHE.DAT
2012-02-16 23:35 - 2012-02-16 23:35 - 0000000 ____D C:\users\junk
2012-02-16 23:34 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\ModemLogs
2012-02-16 23:33 - 2009-07-13 18:34 - 0442638 ___RA C:\Windows\System32\Drivers\etc\hosts.20120225-193338.backup
2012-02-16 23:01 - 2012-02-16 23:01 - 0002243 ____A C:\Users\Cristina\Desktop\Spybot - Search & Destroy.lnk
2012-02-16 22:37 - 2011-09-02 15:13 - 0000000 ____D C:\Program Files\SUPERAntiSpyware
2012-02-16 22:37 - 2010-10-08 21:48 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-02-16 07:03 - 2010-10-08 19:09 - 0000000 ____D C:\Users\Cristina\Desktop\utils
2012-02-16 07:03 - 2010-10-08 19:00 - 0000000 ____D C:\Program Files (x86)\CCleaner
2012-02-16 06:58 - 2009-07-13 18:34 - 0442638 ___RA C:\Windows\System32\Drivers\etc\hosts.20120216-233341.backup
2012-02-16 06:56 - 2010-10-08 21:12 - 0000000 ____D C:\Program Files (x86)\Adobe
2012-02-16 06:55 - 2012-02-16 06:55 - 3255248 ____A (Javacool Software LLC ) C:\Users\Cristina\Downloads\spywareblastersetup46.exe
2012-02-16 06:55 - 2010-10-08 21:13 - 0000000 ____D C:\Users\All Users\Adobe
2012-02-16 06:55 - 2010-10-08 21:13 - 0000000 ____D C:\ProgramData\Adobe
2012-01-31 04:44 - 2010-10-08 15:21 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-01-27 00:41 - 2010-10-08 15:32 - 54585368 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-01-21 22:51 - 2012-01-21 22:51 - 0065536 __ASH C:\Windows\System32\config\COMPONENTS{016888b8-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf
2012-01-13 20:06 - 2012-02-16 07:07 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-01-04 02:44 - 2012-02-16 07:07 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-01-04 02:44 - 2012-02-16 07:07 - 0509952 ____A (Microsoft Corporation) C:\Windows\System32\ntshrui.dll
2012-01-04 00:59 - 2012-02-16 07:07 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-01-04 00:58 - 2012-02-16 07:07 - 0442880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntshrui.dll
2011-12-29 22:26 - 2012-02-16 07:07 - 0515584 ____A (Microsoft Corporation) C:\Windows\System32\timedate.cpl
2011-12-29 21:27 - 2012-02-16 07:07 - 0478720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\timedate.cpl
2011-12-27 19:59 - 2012-02-16 07:05 - 0498688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2011-12-20 02:00 - 2012-03-01 01:07 - 0296512 ____A (Lynx Studio Technology, Inc.) C:\Windows\System32\Drivers\LynxV264.sys
2011-12-16 00:46 - 2012-02-16 07:05 - 0634880 ____A (Microsoft Corporation) C:\Windows\System32\msvcrt.dll
2011-12-15 23:52 - 2012-02-16 07:05 - 0690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcrt.dll
2011-12-15 23:20 - 2009-07-13 18:34 - 0440535 ___RA C:\Windows\System32\Drivers\etc\hosts.20120216-065821.backup
2011-12-13 23:43 - 2012-02-16 23:04 - 17790464 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-12-13 23:16 - 2012-02-16 23:04 - 10887168 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-12-13 23:11 - 2012-02-16 23:04 - 2308096 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2011-12-13 23:04 - 2012-02-16 23:04 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-12-13 23:04 - 2012-02-16 23:04 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-12-13 23:03 - 2012-02-16 23:04 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2011-12-13 23:03 - 2012-02-16 23:04 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-12-13 23:01 - 2012-02-16 23:04 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-12-13 23:00 - 2012-02-16 23:04 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2011-12-13 22:59 - 2012-02-16 23:04 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-12-13 22:57 - 2012-02-16 23:04 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-12-13 22:57 - 2012-02-16 23:04 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-12-13 22:53 - 2012-02-16 23:04 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-12-13 19:30 - 2012-02-16 23:04 - 12282368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2011-12-13 19:10 - 2012-02-16 23:04 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2011-12-13 19:04 - 2012-02-16 23:04 - 1798656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2011-12-13 18:57 - 2012-02-16 23:04 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2011-12-13 18:57 - 2012-02-16 23:04 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2011-12-13 18:56 - 2012-02-16 23:04 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2011-12-13 18:55 - 2012-02-16 23:04 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2011-12-13 18:54 - 2012-02-16 23:04 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2011-12-13 18:53 - 2012-02-16 23:04 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2011-12-13 18:52 - 2012-02-16 23:04 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2011-12-13 18:50 - 2012-02-16 23:04 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2011-12-13 18:50 - 2012-02-16 23:04 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2011-12-13 18:47 - 2012-02-16 23:04 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2011-12-13 05:46 - 2011-12-13 05:42 - 0000000 ____D C:\Users\Cristina\Desktop\osx
2011-12-13 05:04 - 2011-12-13 05:04 - 0000000 ____D C:\Users\Cristina\Desktop\ACHI
2011-12-12 23:39 - 2011-12-12 23:39 - 0000000 ____D C:\Windows\pss
2011-12-12 23:39 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Registration
2011-12-12 23:33 - 2011-12-12 23:33 - 0000000 ____D C:\Users\All Users\Samsung
2011-12-12 23:33 - 2011-12-12 23:33 - 0000000 ____D C:\ProgramData\Samsung
2011-12-12 23:12 - 2010-10-08 21:15 - 0000000 ____D C:\Users\Cristina\AppData\Local\Adobe
2011-12-12 23:11 - 2011-12-12 23:11 - 1718435680 ____A C:\Users\Cristina\Desktop\img001.tif
2011-12-12 22:55 - 2011-12-12 22:55 - 0000000 ____D C:\Users\Cristina\AppData\Roaming\EPSON
2011-12-12 22:55 - 2011-12-12 22:55 - 0000000 ____A C:\Users\Cristina\Sti_Trace.log
2011-12-12 22:48 - 2011-12-12 22:48 - 0000000 ____D C:\Users\Cristina\AppData\Local\RME TotalMix
2011-12-12 22:35 - 2011-12-12 22:34 - 0000000 ____D C:\Users\Cristina\Downloads\rme
2011-12-12 22:30 - 2009-07-13 18:34 - 0440225 ___RA C:\Windows\System32\Drivers\etc\hosts.20111215-232022.backup
2011-12-12 22:25 - 2010-10-08 16:00 - 0000000 ____D C:\Users\All Users\NVIDIA
2011-12-12 22:25 - 2010-10-08 16:00 - 0000000 ____D C:\ProgramData\NVIDIA
2011-12-11 11:58 - 2010-10-08 21:42 - 0000000 ____D C:\Users\Hogwarts\AppData\Roaming\Skype
2011-12-10 15:24 - 2010-10-08 21:48 - 0023152 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-12-05 20:12 - 2009-07-13 18:34 - 0440137 ___RA C:\Windows\System32\Drivers\etc\hosts.20111212-223025.backup
2011-12-05 18:24 - 2011-12-05 18:24 - 0000000 ____D C:\Users\Cristina\AppData\Roaming\OpenOffice.org
2011-12-05 17:19 - 2011-06-14 23:38 - 0000000 ____D C:\Users\Cristina\AppData\Local\CrashDumps
2011-12-05 17:01 - 2011-12-05 17:01 - 0001060 ____A C:\Users\Public\Desktop\CCleaner.lnk
2011-12-05 17:01 - 2011-03-02 17:59 - 0000000 ____D C:\Users\Hogwarts\AppData\Local\CrashDumps
2011-12-05 17:01 - 2010-10-08 15:56 - 0000000 ____D C:\Windows\Panther
2011-12-05 16:58 - 2009-07-13 18:34 - 0440133 ___RA C:\Windows\System32\Drivers\etc\hosts.20111205-171815.backup
2011-12-05 16:39 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\System
2011-12-05 16:13 - 2011-12-05 16:13 - 0001122 ____A C:\Users\Hogwarts\Desktop\SpywareBlaster.lnk
2011-12-05 16:05 - 2011-11-01 11:44 - 0000000 ____D C:\Users\Hogwarts\Desktop\dupre
2011-12-05 16:05 - 2010-10-08 20:29 - 0000000 ____D C:\users\Hogwarts

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 6%
Total physical RAM: 24567.18 MB
Available physical RAM: 23030.95 MB
Total Pagefile: 24565.33 MB
Available Pagefile: 23014.98 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.57 GB) (Free:362.46 GB) NTFS
2 Drive e: (GRMCULXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
3 Drive f: (KINGSTON) (Removable) (Total:1.87 GB) (Free:1.79 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.09 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB   102 MB
  Disk 1    Online          465 GB      0 B        *
  Disk 2    Online         1910 MB      0 B

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             95 MB  1024 KB
  Partition 2    Primary            465 GB    96 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   System Rese  NTFS   Partition     95 MB  Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    465 GB  Healthy

======================================================================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Unknown            200 MB    20 KB
  Partition 2    Unknown            465 GB   200 MB
  Partition 3    Unknown            128 MB   465 GB

======================================================================================================

Disk: 1
Partition 1
Type : 48465300-0000-11aa-aa11-00306543ecac
Hidden : Yes
Required: No
Attrib : 0000000000000000

There is no volume associated with this partition.

======================================================================================================

Disk: 1
Partition 2
Type : 48465300-0000-11aa-aa11-00306543ecac
Hidden : Yes
Required: No
Attrib : 0000000000000000

There is no volume associated with this partition.

======================================================================================================

Disk: 1
Partition 3
Type : 48465300-0000-11aa-aa11-00306543ecac
Hidden : Yes
Required: No
Attrib : 0000000000000000

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 2:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1910 MB    31 KB

======================================================================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F   KINGSTON     FAT    Removable   1910 MB  Healthy

======================================================================================================

==========================================================

Last Boot: 2012-02-29 00:53

======================= End Of Log ==========================


*** *** *** *** *** *** *** *** ***

Combofix log


ComboFix 12-02-27.02 - Cristina 02/29/2012 4:12.1.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.24567.22218 [GMT -8:00]
Running from: c:\users\Cristina\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Cristina\AppData\Roaming\cacaoweb
c:\users\Cristina\AppData\Roaming\cacaoweb\npdfile.dat
c:\users\Cristina\AppData\Roaming\cacaoweb\storage.db
c:\users\Hogwarts\AppData\Roaming\cacaoweb
c:\users\Hogwarts\AppData\Roaming\cacaoweb\ad96D9145E8C867A23E1125CAAA9681BE1.ad
c:\users\Hogwarts\AppData\Roaming\cacaoweb\adstorage.db
c:\users\Hogwarts\AppData\Roaming\cacaoweb\cacaoweb.exe
c:\users\Hogwarts\AppData\Roaming\cacaoweb\downloadIRL3ZIW7658757591.cacao
c:\users\Hogwarts\AppData\Roaming\cacaoweb\storage.db
c:\windows\7Loader.TAG
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
c:\windows\isRS-000.tmp
c:\windows\security\Database\tmp.edb
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
.
.
2012-02-29 12:16 . 2012-02-29 12:16 -------- d-----w- c:\users\Hogwarts\AppData\Local\temp
2012-02-29 12:16 . 2012-02-29 12:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-29 11:10 . 2012-02-29 11:25 16144 ----a-w- c:\windows\system32\drivers\SirefefRemover.sys
2012-02-29 04:26 . 2009-07-14 01:52 24128 ----a-w- c:\windows\system32\drivers\atapi.sys
2012-02-28 15:25 . 2012-02-28 15:25 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-26 09:43 . 2012-02-29 10:32 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-17 07:35 . 2012-02-17 07:35 -------- d-----w- c:\users\junk
2012-02-16 15:07 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-02-16 15:06 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-02-16 15:06 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-02-16 15:05 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-16 15:05 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 15:05 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-16 15:04 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-02-16 15:04 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2010-10-08 23:21 279656 ------w- c:\windows\system32\MpSigStub.exe
2011-12-10 23:24 . 2010-10-09 05:48 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-02-16 5487488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NBKeyScan"="c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
.
c:\users\Hogwarts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\users\Cristina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.2.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2011-2-8 1136928]
InterVideo WinCinema Manager.lnk - c:\program files (x86)\InterVideo\Common\Bin\WinCinemaMgr.exe [2010-10-8 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SirefefRemover]
@=""
.
R1 ujuhenav;ujuhenav;c:\windows\system32\drivers\ujuhenav.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S0 ahcix64s;ahcix64s;c:\windows\system32\DRIVERS\ahcix64s.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-09-02 140672]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [x]
S3 hdsp;RME Hammerfall Audio Device;c:\windows\system32\drivers\hdsp_64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 VSTWinDriver6;VSTWinDriver6;c:\windows\system32\drivers\VSTwindrvr6.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495256483-3459891758-660568540-1000Core.job
- c:\users\Cristina\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-09 00:41]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495256483-3459891758-660568540-1000UA.job
- c:\users\Cristina\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-09 00:41]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495256483-3459891758-660568540-1004Core.job
- c:\users\Hogwarts\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-09 04:39]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3495256483-3459891758-660568540-1004UA.job
- c:\users\Hogwarts\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-09 04:39]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"HDSPTray1"="hdsp32.exe" [2011-08-04 648192]
"HDSPTray2"="hdspmix.exe" [2011-08-03 1158144]
"combofix"="c:\combofix\CF4468.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\acaptuser64.dll
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wdm_au8820
AppnBase
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Cristina\AppData\Roaming\Mozilla\Firefox\Profiles\gu3g70xq.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: cacaoweb: cacaoweb@cacaoweb.org - %profile%\extensions\cacaoweb@cacaoweb.org
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-12823752.sys
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\SysWOW64\IoctlSvc.exe
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
c:\windows\System32\hdsp32.exe
c:\windows\System32\hdspmix.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\windows\SysWOW64\RunDll32.exe
.
**************************************************************************
.
Completion time: 2012-02-29 04:49:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-29 12:49
.
Pre-Run: 390,159,859,712 bytes free
Post-Run: 389,866,844,160 bytes free
.
- - End Of File - - 7551C6E0514AEB4EB3A490FA68432307


#2 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:11:47 PM

Posted 01 March 2012 - 03:32 AM

Hello and :welcome: to the BC forums.

Please sit tight and be patient.

I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.


#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:47 PM

Posted 01 March 2012 - 05:38 AM

Hello sorabji,

I will be assisting you.

In case the computer booted, please don't run the Spybot Teatimer; otherwise it interferes with the fix and puts back the malware entry again.

Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open notepad and select Paste.) Save it on the flashdrive as fixlist.txt.

start
HKU\Cristina\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
SubSystems: [Windows] ==> ZeroAccess
2 wdm_au8820; C:\Windows\System32\olapserver.dll [6656 2009-07-13] (Oak Technology Inc.)
C:\Windows\System32\olapserver.dll
3 catchme; \??\C:\ComboFix\catchme.sys [x]
1 ujuhenav; \??\C:\Windows\system32\drivers\ujuhenav.sys [x]
NETSVC: wdm_au8820
NETSVC: AppnBase
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options and select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also restart, let it boot normally and tell me how it went.
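The fixlist above works on two persistence points: the Session Manager SubSystems\Windows value (the "==> ZeroAccess" line) and the SvcHost netsvcs list, where the wdm_au8820 entry pointed at olapserver.dll. The following is an added, read-only audit of those two points written for this thread; it is not Farbar's code, not part of FRST, and changes nothing. The function names are invented here, and the known-good ServerDll list (basesrv, winsrv, sxssrv) is an assumption for Windows 7 defaults that should be compared against a clean machine of the same build.

```powershell
# Added example (not Farbar's code): read-only audit of the two ZeroAccess
# persistence points the fixlist touches. Reports only; changes nothing.
# Run from an elevated 64-bit PowerShell on the machine being checked.

function Test-Win32SubsystemValue {
    # The Windows value normally lists ServerDll=basesrv,1, ServerDll=winsrv:...,3
    # and, on Windows 7, ServerDll=sxssrv,4. Anything else is loaded into csrss.exe
    # and should be explained before the machine is trusted.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
    $value = (Get-ItemProperty -Path $key -Name Windows).Windows
    $knownGood = @('basesrv', 'winsrv', 'sxssrv')   # assumption: Windows 7 defaults
    $dlls = [regex]::Matches($value, 'ServerDll=([^,:\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
    foreach ($d in $dlls) {
        $status = if ($knownGood -contains $d) { 'expected' } else { 'UNEXPECTED - review' }
        [pscustomobject]@{ Check = 'SubSystems\Windows'; Item = $d; Status = $status }
    }
}

function Test-NetsvcsEntries {
    # Every name in netsvcs may be hosted by "svchost.exe -k netsvcs". For each one,
    # resolve the service's ServiceDll and report its signer, so a stray DLL
    # (like the olapserver.dll entry in the fixlist) stands out.
    $hostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    $netsvcs = (Get-ItemProperty -Path $hostKey -Name netsvcs).netsvcs
    foreach ($name in $netsvcs) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path -Path $svcKey)) {
            # Optional components leave names behind with no service key: review, not verdict.
            [pscustomobject]@{ Check = 'netsvcs'; Item = $name; Status = 'no service key' }
            continue
        }
        $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) {
            [pscustomobject]@{ Check = 'netsvcs'; Item = $name; Status = 'no ServiceDll' }
            continue
        }
        $path = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Check = 'netsvcs'; Item = $name; Status = "ServiceDll missing: $path" }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{ Check = 'netsvcs'; Item = $name; Status = "$($sig.Status) | $signer | $path" }
    }
}

Test-Win32SubsystemValue | Format-Table -AutoSize
Test-NetsvcsEntries | Format-Table -AutoSize -Wrap
```

Read the netsvcs output as a review list rather than a verdict: a name with no service key is common on a clean machine, but a hosted DLL that is unsigned, signed by an unfamiliar publisher, or missing from disk is what the fixlist removed here and is worth checking after any cleanup.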

#4 sorabji
  • Topic Starter
  • Members
  • 7 posts

Posted 02 March 2012 - 02:10 AM

Thank you very much! Now boots.

Below is <fixlog.txt>

*** *** ***

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 29-02-2012 01
Ran by SYSTEM at 2012-03-02 00:34:29 R:1
Running from F:\sirefef\farbar

==============================================

HKEY_USERS\Cristina\Software\Microsoft\Windows\CurrentVersion\Run\\SpybotSD TeaTimer Value deleted successfully.
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
wdm_au8820 service deleted successfully.
C:\Windows\System32\olapserver.dll moved successfully.
catchme service deleted successfully.
ujuhenav service deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs wdm_au8820 Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs AppnBase Deleted successfully.

==== End of Fixlog ====

Some remnants of sirefef seem to be on this machine. Specifically, Kaspersky active protection won't turn on, saying it can't load the driver. Same with Malwarebytes when I install that instead.

Again thanks!

Edited by farbar, 02 March 2012 - 04:16 AM.


#5 Farbar
    Just Curious
  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 March 2012 - 04:21 AM

Great. :thumbup2:

  • Run Command Prompt as Administrator. To do that:
    • Go to Start and type cmd.exe in the Search box.
    • It gives you cmd.exe in the upper part. Right-click cmd.exe and select "Run As Administrator".
    • Copy the following command, right-click in the open Command Prompt window, select Paste, then press Enter:

      netsh winsock reset
    • Please tell me if it gave you any error.
    • Restart.
  • We need to do a clean install of MBAM:


#6 sorabji
  • Topic Starter
  • Members
  • 7 posts

Posted 02 March 2012 - 05:44 PM

No errors.

Malwarebytes Anti-Malware (PRO) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.02.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
John :: ULTRAMEAN [administrator]

Protection: Disabled

3/2/2012 12:30:59 PM
mbam-log-2012-03-02 (12-30-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217087
Time elapsed: 7 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

*** *** ***

Some services apparently got munged in the virus cleanup. Event viewer indicates:

MBAM Protector Service won't start (dependency does not exist)
I'm gathering that this is <fltmgr> which Event Viewer says is a "nonexistent service".

(I have a registered version of MBAM)

Others:

setupnt (module not found)
wmxicore (module not found)
esdcr (module not found)
winss (module not found)
id2scaps (module not found)

I did a sfc /scannow command about this, but nothing changed.

Thanks for any help. Almost there.

Edited by farbar, 02 March 2012 - 05:46 PM.
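The two symptoms in the post above, a service whose dependency "does not exist" and services reporting "module not found", are both visible in the registry without waiting for Event Viewer. Below is an added example, not from the thread or from any of the tools mentioned in it, that walks the Services key once and reports each entry whose binary is missing from disk or whose DependOnService names a service with no key. The function names Resolve-ServiceBinary and Get-BrokenServices are invented here, and the path normalisation covers the ImagePath forms commonly seen (quoted paths with arguments, \??\ and \SystemRoot\ prefixes, paths relative to the Windows directory).

```powershell
# Added example (not from the thread): list services and drivers whose binary
# is gone ("module not found") or whose DependOnService names a service with
# no registry key ("dependency does not exist"). Read-only. Run from an elevated
# 64-bit PowerShell so System32 paths are not redirected to SysWOW64.

function Resolve-ServiceBinary {
    param([string]$ImagePath)
    $raw = $ImagePath.Trim()
    # Driver-style prefixes: \??\C:\path  and  \SystemRoot\system32\drivers\x.sys
    $raw = $raw -replace '^\\\?\?\\', ''
    $raw = $raw -replace '^\\SystemRoot\\', '%SystemRoot%\'
    if ($raw -match '^"([^"]+)"') {
        # "C:\Program Files\x.exe" -args : keep the quoted path only
        $raw = $Matches[1]
    } elseif ($raw -match '^(.+?\.(exe|sys|dll))(\s|$)') {
        # C:\Windows\system32\svchost.exe -k netsvcs : cut after the extension
        $raw = $Matches[1]
    }
    # system32\DRIVERS\x.sys is relative to the Windows directory
    if ($raw -notmatch '^([A-Za-z]:\\|%|\\\\)') { $raw = "%SystemRoot%\$raw" }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

function Get-BrokenServices {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $keys = Get-ChildItem -Path $root
    # Index of every service/driver name that still has a key, for dependency lookups
    $known = @{}
    foreach ($k in $keys) { $known[$k.PSChildName.ToLower()] = $true }

    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k.PSPath
        if ($p.ImagePath) {
            $bin = Resolve-ServiceBinary -ImagePath $p.ImagePath
            if (-not (Test-Path -LiteralPath $bin -PathType Leaf)) {
                [pscustomobject]@{ Service = $k.PSChildName; Problem = 'binary missing'; Detail = $bin }
            }
        }
        foreach ($dep in @($p.DependOnService)) {
            if (-not $dep -or $dep.StartsWith('+')) { continue }   # '+' marks a load-order group
            if (-not $known.ContainsKey($dep.ToLower())) {
                [pscustomobject]@{ Service = $k.PSChildName; Problem = 'dependency missing'; Detail = $dep }
            }
        }
    }
}

Get-BrokenServices | Sort-Object Problem, Service | Format-Table -AutoSize
```

Leftover driver entries whose .sys file is gone (the fixlist's ujuhenav and catchme lines, marked [x] by FRST, were of this kind) show up as "binary missing" and are usually safe to remove once identified; a "dependency missing" hit on a core component such as fltmgr means a system service key was deleted, which sfc /scannow does not restore because it only checks files, not the Services registry tree.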


#7 sorabji
  • Topic Starter
  • Members
  • 7 posts

Posted 02 March 2012 - 05:50 PM

Oops, I'm sorry, I just posted what was going on with another machine with XP SP3 on it, which also got infected with sirefef. Fortunately it always booted. So I didn't need any help until now with these munged services.

The other Win 7 machine is apparently fine. Everything works and no viruses detected.

Sorry for the confusion.

#8 Farbar
    Just Curious
  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 March 2012 - 06:01 PM

It looks good. :thumbup2:

  • Please delete the FRST tool as we don't need it any more. Also go to C:\FRST and delete the entire FRST folder.
  • You seem to have no antivirus installed on this Windows 7 computer.

    You need to install an antivirus program to have proper protection. I recommend this good free antivirus:

    Please download and install Microsoft Security Essentials.
    After installing and updating please run a full scan.
  • Remove the old restore points and create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Setting a new restore point AFTER cleaning your system will enable your computer to "roll back" to a clean working state if needed:
  • Go to Start => Right-click "Computer" and select "Properties".
  • In the left pane select "System Protection".
  • Press "Configure".
  • Select "Delete". Then press "Continue", close, and "OK".
  • Select your drive (drive C) and press "Create".
    Fill in a name for the restore point and press "Create".
    When finished, press "Close".
Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
  • I recommend installing this small application for safe surfing: Javacools SpywareBlaster
    SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

Happy Surfing.:)

#9 Farbar
    Just Curious
  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 March 2012 - 06:06 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.
