
MBR: \\.\PHYSICALDRIVE0\Partition 3 and Alureon.E


This topic is locked
27 replies to this topic

#1 Bradix (Members, 20 posts)

Posted 08 March 2012 - 11:16 PM

DDS


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by Kris at 23:06:01 on 2012-03-08
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4095.2238 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\Dwm.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe
C:\Windows\System32\StikyNot.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files (x86)\Computer Alarm Clock\cac.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
mRun: [Computer Alarm Clock] C:\PROGRA~2\COMPUT~1\cac.exe
mRun: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: infocision.biz\ra
Trusted Zone: infocision.com\careers
Trusted Zone: infocision.com\tsvweb
Trusted Zone: infocision.com\www
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://ra.infocision.biz/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://ra.infocision.biz/+CSCOL+/cscopf.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{76522554-8847-4591-9BC4-BE8E3A42196A} : DhcpNameServer = 192.168.1.1
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
BHO-X64: BitTorrentBar - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
mRun-x64: [Computer Alarm Clock] C:\PROGRA~2\COMPUT~1\cac.exe
mRun-x64: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Kris\AppData\Roaming\Mozilla\Firefox\Profiles\ibblrfxq.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-1-13 497496]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-3-7 44768]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-2-21 2348352]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-2-9 382272]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-03-07 00:15:19 41184 ----a-w- C:\Windows\avastSS.scr
2012-03-07 00:04:06 819032 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-03-07 00:02:20 53080 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-03-07 00:01:52 69976 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-02-23 04:01:22 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-10 03:14:04 6074176 ----a-w- C:\Windows\System32\nvcpl.dll
2012-02-10 03:14:01 3089728 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-02-10 03:07:00 889664 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-02-10 03:07:00 63296 ----a-w- C:\Windows\System32\nvshext.dll
2012-02-10 03:07:00 118080 ----a-w- C:\Windows\System32\nvmctray.dll
2012-02-10 01:05:44 416064 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-14 04:06:27 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-01-13 01:41:04 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-01-13 01:41:04 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2011-12-30 22:02:52 23896 ----a-w- C:\Windows\System32\RegistryDefragBootTime.exe
2011-12-30 06:26:08 515584 ----a-w- C:\Windows\System32\timedate.cpl
2011-12-30 05:27:56 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2011-12-28 03:59:24 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-12-16 08:46:06 634880 ----a-w- C:\Windows\System32\msvcrt.dll
2011-12-16 07:52:58 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
2011-12-14 07:11:03 2308096 ----a-w- C:\Windows\System32\jscript9.dll
2011-12-14 07:04:30 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-12-14 07:03:38 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-12-14 06:57:28 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-12-14 03:04:54 1798656 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-12-13 16:01:00 1698408 ----a-w- C:\Windows\RtlExUpd.dll
2011-12-10 20:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 23:06:54.37 ===============

Edited by Bradix, 08 March 2012 - 11:17 PM.



#2 JSntgRvr (Malware Response Team, Master Surgeon General, 11,635 posts, Puerto Rico)

Posted 08 March 2012 - 11:39 PM

Welcome!

For x86 (x32) bit systems please download Listparts
For x64 bit systems please download Listparts64
and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\ListParts.exe (for x64 bit version type e:\ListParts64.exe) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Put check mark on List BCD.
  • Press Scan button.
  • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Bradix (Topic Starter, Members, 20 posts)

Posted 08 March 2012 - 11:54 PM

The PC I am on is the infected PC. Should I just run the "For x64 bit systems please download Listparts64" step here?

In other words, I am able to stay logged in on the computer, and I have no flash drive to use... I did download ListParts64 though; I have it on the desktop currently.

Edited by Bradix, 09 March 2012 - 12:29 AM.


#4 JSntgRvr (Malware Response Team, Master Surgeon General, 11,635 posts, Puerto Rico)

Posted 09 March 2012 - 07:40 AM

For x86 (x32) bit systems please download Listparts
For x64 bit systems please download Listparts64
and save it to the root directory of the main drive, C:\. (On occasion, what appears as drive C: in Windows is not the same drive letter as detected in the Recovery Options.)

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find the drive root directory where the tool was downloaded and note the drive letter and close the notepad.
  • In the command window type e:\ListParts.exe (for x64 bit version type e:\ListParts64.exe) and press Enter
    Note: Replace letter e with the drive letter of the root directory where the tool was downloaded.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Put check mark on List BCD.
  • Press Scan button.
  • It will make a log (Result.txt) in the root directory where the tool was downloaded. Please copy and paste it to your reply.



#5 Bradix (Topic Starter, Members, 20 posts)

Posted 09 March 2012 - 09:13 AM

Sorry for the long wait; it seems as if the computer is getting hung up on the Windows start screen for 20+ minutes per reboot now. Here is the scan log.

ListParts by Farbar Version: 06-03-2012 01
Ran by SYSTEM (administrator) on 09-03-2012 at 09:00:31
Windows 7 (X64)
Running From: C:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 4095.3 MB
Available physical RAM: 3643.42 MB
Total Pagefile: 4093.45 MB
Available Pagefile: 3619.88 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:363.1 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB
Partition 3 Primary 1040 KB 465 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D System Rese NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 465 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {dfeb726a-3d1e-11e1-8b19-df493fa39cab}
resumeobject {dfeb7269-3d1e-11e1-8b19-df493fa39cab}
displayorder {dfeb726a-3d1e-11e1-8b19-df493fa39cab}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows Boot Loader
-------------------
identifier {dfeb726a-3d1e-11e1-8b19-df493fa39cab}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {dfeb726b-3d1e-11e1-8b19-df493fa39cab}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {dfeb7269-3d1e-11e1-8b19-df493fa39cab}
nx OptIn

Windows Boot Loader
-------------------
identifier {dfeb726b-3d1e-11e1-8b19-df493fa39cab}
device ramdisk=[C:]\Recovery\dfeb726b-3d1e-11e1-8b19-df493fa39cab\Winre.wim,{dfeb726c-3d1e-11e1-8b19-df493fa39cab}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[C:]\Recovery\dfeb726b-3d1e-11e1-8b19-df493fa39cab\Winre.wim,{dfeb726c-3d1e-11e1-8b19-df493fa39cab}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Resume from Hibernate
---------------------
identifier {dfeb7269-3d1e-11e1-8b19-df493fa39cab}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {dfeb726c-3d1e-11e1-8b19-df493fa39cab}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\dfeb726b-3d1e-11e1-8b19-df493fa39cab\boot.sdi


****** End Of Log ******

#6 JSntgRvr (Malware Response Team, Master Surgeon General, 11,635 posts, Puerto Rico)

Posted 09 March 2012 - 01:09 PM

Download the enclosed file:

Save it next to ListParts.

  • Run ListParts as you did before.
  • This time around Press Fix button.
  • When it is done, close the notification pop-up. Click Scan and copy and paste the log (Result.txt) it makes.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system



#7 Bradix (Topic Starter, Members, 20 posts)

Posted 09 March 2012 - 08:24 PM

ListParts by Farbar Version: 06-03-2012 01
Ran by SYSTEM (administrator) on 09-03-2012 at 20:16:16
Windows 7 (X64)
Running From: C:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 4095.3 MB
Available physical RAM: 3605.26 MB
Total Pagefile: 4093.45 MB
Available Pagefile: 3581.78 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:362.32 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB
Partition 3 Primary 1040 KB 465 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D System Rese NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 465 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RAW Partition 1040 KB Healthy

======================================================================================================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {dfeb726a-3d1e-11e1-8b19-df493fa39cab}
resumeobject {dfeb7269-3d1e-11e1-8b19-df493fa39cab}
displayorder {dfeb726a-3d1e-11e1-8b19-df493fa39cab}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows Boot Loader
-------------------
identifier {dfeb726a-3d1e-11e1-8b19-df493fa39cab}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {dfeb726b-3d1e-11e1-8b19-df493fa39cab}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {dfeb7269-3d1e-11e1-8b19-df493fa39cab}
nx OptIn

Windows Boot Loader
-------------------
identifier {dfeb726b-3d1e-11e1-8b19-df493fa39cab}
device ramdisk=[C:]\Recovery\dfeb726b-3d1e-11e1-8b19-df493fa39cab\Winre.wim,{dfeb726c-3d1e-11e1-8b19-df493fa39cab}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[C:]\Recovery\dfeb726b-3d1e-11e1-8b19-df493fa39cab\Winre.wim,{dfeb726c-3d1e-11e1-8b19-df493fa39cab}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Resume from Hibernate
---------------------
identifier {dfeb7269-3d1e-11e1-8b19-df493fa39cab}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {dfeb726c-3d1e-11e1-8b19-df493fa39cab}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\dfeb726b-3d1e-11e1-8b19-df493fa39cab\boot.sdi


****** End Of Log ******
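The two ListParts logs above (post #5 before the fix, post #7 after it) show the pattern a practitioner wants to recognise directly in sector 0: a 1040 KB partition with no volume, appended at the very end of the disk, first carrying the hidden-NTFS type 0x17 and, after the first fix script, the plain type 0x07 that lets it mount as a RAW volume. The following added example (written for this page, not part of the original posts or of ListParts) parses a raw MBR partition table and flags the entries that match that pattern. The 512-byte sector it parses is constructed here to mirror the logged layout on an assumed 500 GB disk (976,773,168 sectors); the sizes, offsets, flags and types are taken from the logs, the disk size is an assumption, and no data from the poster's machine is used.

```python
"""Parse an MBR partition table and flag entries that match the pattern in the
ListParts logs: a tiny partition appended at the end of the disk, optionally
carrying a "hidden" type ID. Added example; the sector below is constructed to
mirror the logged layout and is not data read from the poster's disk."""
import struct

SECTOR_BYTES = 512
TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"

# MBR type IDs that are "hidden" variants of ordinary filesystems.
# 0x17 is hidden NTFS/HPFS (normal 0x07): the "Suspicious Type" in the first log.
HIDDEN_TYPES = {
    0x11: "hidden FAT12", 0x14: "hidden FAT16 <32M", 0x16: "hidden FAT16",
    0x17: "hidden NTFS/HPFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 (LBA)",
    0x1E: "hidden FAT16 (LBA)",
}

# Constructed geometry (assumed 500 GB disk). Sizes and offsets match the logs:
# 100 MB at 1024 KB, ~465 GB at 101 MB, 1040 KB at the very end of the disk.
DISK_SECTORS = 976_773_168
P1_START, P1_SECTORS = 2048, 204_800                # 100 MB system reserved
P3_SECTORS = 2080                                   # 1040 KB
P3_START = DISK_SECTORS - P3_SECTORS
P2_START, P2_SECTORS = 206_848, P3_START - 206_848  # ~465 GB OS partition


def pack_entry(status, ptype, lba_start, sectors):
    """Build one 16-byte table entry; CHS fields use the LBA placeholder."""
    return struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype,
                       b"\xfe\xff\xff", lba_start, sectors)


def sample_mbr(p3_type=0x17):
    """Constructed sector 0: p3_type=0x17 mirrors the first log, 0x07 the
    state after the first fix script (same partition, now non-hidden)."""
    table = (pack_entry(0x00, 0x07, P1_START, P1_SECTORS)
             + pack_entry(0x80, 0x07, P2_START, P2_SECTORS)  # active OS partition
             + pack_entry(0x00, p3_type, P3_START, P3_SECTORS)
             + bytes(16))                                    # empty slot 4
    return bytes(TABLE_OFFSET) + table + BOOT_SIG


def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_BYTES or sector[510:] != BOOT_SIG:
        raise ValueError("not a valid MBR sector")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0x00:
            continue
        entries.append({"index": slot + 1, "active": status == 0x80,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def audit(entries, disk_sectors, small_mb=16, tail_slack=2048):
    """Return (partition index, reason) findings for entries worth a closer look."""
    findings = []
    if sum(e["active"] for e in entries) > 1:
        findings.append((0, "more than one entry has the active flag set"))
    for e in entries:
        end = e["lba_start"] + e["sectors"]
        size_mb = e["sectors"] * SECTOR_BYTES / 2**20
        if e["type"] in HIDDEN_TYPES:
            findings.append((e["index"], f"hidden partition type 0x{e['type']:02X} "
                                         f"({HIDDEN_TYPES[e['type']]})"))
        if end > disk_sectors:
            findings.append((e["index"], "entry extends past the end of the disk"))
        elif size_mb <= small_mb and end + tail_slack >= disk_sectors:
            findings.append((e["index"], f"small trailing partition ({size_mb:.2f} MB "
                                         "ending at the last sector)"))
        for other in entries:
            if (other["index"] > e["index"]
                    and e["lba_start"] < other["lba_start"] + other["sectors"]
                    and other["lba_start"] < end):
                findings.append((e["index"], f"overlaps partition {other['index']}"))
    return findings


if __name__ == "__main__":
    for label, ptype in (("first log (type 0x17)", 0x17), ("after fix (type 0x07)", 0x07)):
        print(label)
        for idx, reason in audit(parse_mbr(sample_mbr(ptype)), DISK_SECTORS):
            print(f"  partition {idx}: {reason}")
```

On a live system the same parser can be pointed at the first 512 bytes read from the physical drive (an administrator can open \\.\PHYSICALDRIVE0 for reading), but note that a bootkit hooking the disk driver can hide its own entry from reads made through the running OS, which is why the thread runs ListParts from the offline Recovery Environment rather than from Windows. The size-and-position rule is deliberately narrow: small utility partitions created by OEM tools usually sit at the start of the disk and carry a normal type, so a tiny, hidden-type entry pinned to the last sectors is the combination worth investigating.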

#8 Bradix (Topic Starter, Members, 20 posts)

Posted 09 March 2012 - 09:09 PM

After the fix, booting into the computer normally is still taking 5+ minutes... however, now when it boots it locks up when I try to load a web browser, requiring another reboot. Currently in Safe Mode with Networking.

#9 JSntgRvr (Malware Response Team, Master Surgeon General, 11,635 posts, Puerto Rico)

Posted 09 March 2012 - 10:45 PM

We can now remove the RAW partition:

Download the enclosed file:

Save it next to ListParts, overwriting the existing one.

  • Run ListParts as you did before.
  • This time around Press Fix button.
  • When it is done, close the notification pop-up. Click Scan (no need to put a check mark on List BCD) and copy and paste the log (Result.txt) it makes.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Let's scan the computer:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Requests for help through private messaging will not be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 Bradix

Posted 09 March 2012 - 11:00 PM

Also, I just received an error saying "Failure to Display Security and Shutdown Options."

#11 JSntgRvr

Malware Response Team

Posted 09 March 2012 - 11:18 PM

Was that while running ComboFix, or just out of the blue?



#12 Bradix

Posted 09 March 2012 - 11:32 PM

I had the thinking icon and it would not let me do anything, so I tried Ctrl+Alt+Delete to open Task Manager; the screen went black and it popped that error up almost 2 minutes later. It was just after a fresh reboot.

#13 Bradix

Posted 09 March 2012 - 11:42 PM

About to do the next step now, but here is the log from the last scan.

ListParts by Farbar Version: 06-03-2012 01
Ran by SYSTEM (administrator) on 09-03-2012 at 23:39:10
Windows 7 (X64)
Running From: C:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 4095.3 MB
Available physical RAM: 3606.07 MB
Total Pagefile: 4093.45 MB
Available Pagefile: 3581.53 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:362.72 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D System Rese NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 465 GB Healthy

======================================================================================================

****** End Of Log ******

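The ListParts log above lists the partition entries it reads from the disk's MBR. As an added illustration that is not part of this thread and not code from ListParts or ComboFix, the Python script below decodes the four 16-byte partition entries of a raw MBR sector and audits them against the layout you expect, which is how a "raw" extra partition of the kind discussed earlier in the thread becomes visible even when Disk Management does not show it. The sample MBR it runs on is constructed: entries 1 and 2 use the offsets from the ListParts log (100 MB at 1024 KB, C: starting at 101 MB), while the third entry, the size of partition 2 and the 500 GB disk size are assumptions made for the demonstration.

```python
"""MBR partition-table decoder with a layout audit.

Added example for this thread; not code from BleepingComputer, Farbar's
ListParts or ComboFix. Sector 0 of a physical disk holds four 16-byte
partition entries at byte 446; a partition that exists only here and is
never mounted by Windows still shows up when the raw table is decoded.
The sample MBR at the bottom is constructed: entries 1 and 2 copy the
offsets in the ListParts log, entry 3 and the disk size are assumptions.
"""
import itertools
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55
TABLE_OFFSET = 446                          # partition table starts at byte 446
ENTRY_FMT = "<B3xB3xII"                     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 16 bytes per entry


def parse_mbr(mbr: bytes) -> list:
    """Return the four partition entries of a 512-byte MBR as dicts (1-based index)."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    (sig,) = struct.unpack_from("<H", mbr, 510)
    if sig != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{sig:04X}")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({
            "index": i + 1,
            "status": status,
            "active": status == 0x80,       # the MBR boot code hands control to the active entry's boot sector
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "offset_bytes": lba * SECTOR,
            "size_bytes": count * SECTOR,
        })
    return entries


def audit(entries: list, disk_sectors: int, expected_partitions: int) -> list:
    """Flag entries that do not fit the layout you expect (count, status byte, bounds, overlap)."""
    findings = []
    used = [e for e in entries if e["type"] != 0]
    for e in used[expected_partitions:]:
        findings.append(f"entry {e['index']}: partition not in the expected layout "
                        f"(type 0x{e['type']:02X}, {e['size_bytes'] // 2**20} MB at sector {e['lba_start']})"
                        + ("; it is the active (boot) partition" if e["active"] else ""))
    for e in used:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {e['index']}: invalid status byte 0x{e['status']:02X}")
        if e["lba_start"] + e["sectors"] > disk_sectors:
            findings.append(f"entry {e['index']}: extends past the end of the disk")
    actives = [e["index"] for e in used if e["active"]]
    if len(actives) != 1:
        findings.append(f"expected exactly one active partition, found {actives}")
    for a, b in itertools.combinations(used, 2):
        if a["lba_start"] < b["lba_start"] + b["sectors"] and b["lba_start"] < a["lba_start"] + a["sectors"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


def build_mbr(parts: list) -> bytes:
    """Assemble a 512-byte MBR from (status, type, lba_start, sectors) tuples; boot code left zeroed."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE, status, ptype, lba, count)
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    return bytes(mbr)


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk on Windows (needs an elevated prompt)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


# Constructed sample. Assumption: a 500 GB drive of 976,773,168 sectors.
DISK_SECTORS = 976_773_168
SAMPLE_MBR = build_mbr([
    (0x00, 0x07, 2_048,       204_800),      # 1: System Reserved, 100 MB at 1024 KB (offsets from the log)
    (0x00, 0x07, 206_848,     976_558_128),  # 2: C:, starts at 101 MB (from the log); size is assumed
    (0x80, 0x07, 976_764_976, 8_192),        # 3: hypothetical 4 MB active entry carved from the end of the disk
])

if __name__ == "__main__":
    entries = parse_mbr(SAMPLE_MBR)
    for e in entries:
        if e["type"]:
            print(f"Partition {e['index']}: type 0x{e['type']:02X} active={e['active']} "
                  f"offset {e['offset_bytes'] // 2**20} MB size {e['size_bytes'] // 2**20} MB")
    for finding in audit(entries, DISK_SECTORS, expected_partitions=2):
        print("FINDING:", finding)
```

To run it against a real disk, replace SAMPLE_MBR with read_mbr() from an elevated prompt and pass the disk's true sector count; the audit only tells you that the table differs from what you expect, so compare the result with what Disk Management and the BCD say before deciding an entry is hostile.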
#14 Bradix

Posted 10 March 2012 - 12:16 AM

When I first started ComboFix it made me skip one of the things it scans; I'm not sure what that was about.

Also, when I try doing anything on the computer now after the ComboFix scan, unless I'm in Safe Mode, I get a message that says: "Illegal operation attempted on a registry key that has been marked for deletion..."

here is the combofix log:

ComboFix 12-03-09.05 - Kris 03/09/2012 23:55:10.1.2 - x64 NETWORK
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4095.3434 [GMT -5:00]
Running from: c:\users\Kris\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-02-10 to 2012-03-10 )))))))))))))))))))))))))))))))
.
.
2012-03-10 05:01 . 2012-03-10 05:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-10 01:30 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DA236020-0058-419A-AF5B-0224B866CD3B}\mpengine.dll
2012-03-09 13:38 . 2012-03-09 04:55 801603 ----a-w- C:\ListParts64.exe
2012-02-23 03:15 . 2012-02-23 03:15 -------- d-----w- c:\program files (x86)\Winamp Detect
2012-02-23 03:14 . 2012-02-23 03:14 -------- d-----w- c:\program files (x86)\Common Files\PX Storage Engine
2012-02-23 03:14 . 2012-03-01 09:55 -------- d-----w- c:\users\Kris\AppData\Roaming\Winamp
2012-02-23 03:14 . 2012-02-23 03:15 -------- d-----w- c:\program files (x86)\Winamp
2012-02-22 02:20 . 2012-02-22 02:20 -------- d-----w- c:\program files (x86)\Conduit
2012-02-22 02:20 . 2012-03-10 04:48 -------- d-----w- c:\users\Kris\AppData\Local\Conduit
2012-02-22 02:20 . 2012-02-22 02:20 -------- d-----w- c:\program files (x86)\BitTorrent
2012-02-22 02:19 . 2012-02-22 09:45 -------- d-----w- c:\users\Kris\AppData\Roaming\BitTorrent
2012-02-21 22:31 . 2012-02-23 04:01 -------- d-----w- c:\users\UpdatusUser
2012-02-20 05:53 . 2012-02-20 05:53 -------- d-----w- c:\users\Kris\AppData\Roaming\vlc
2012-02-20 05:52 . 2012-02-20 05:52 -------- d-----w- c:\program files (x86)\VideoLAN
2012-02-15 08:01 . 2011-12-14 06:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-15 08:01 . 2011-12-14 02:50 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-02-15 08:01 . 2011-12-14 07:47 174392 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2012-02-15 08:01 . 2011-12-14 03:32 141112 ----a-w- c:\program files (x86)\Internet Explorer\sqmapi.dll
2012-02-15 08:01 . 2011-12-14 07:01 304640 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2012-02-14 21:11 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-14 21:11 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-14 21:11 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-14 21:11 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-14 21:11 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-14 21:11 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-14 21:11 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-14 21:11 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-13 02:37 . 2012-02-13 05:10 -------- d-----w- c:\users\Kris\AppData\Local\Oblivion
2012-02-11 02:23 . 2012-02-09 23:32 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-02-11 02:23 . 2012-02-11 02:22 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4ADE8F39-8FF4-4AF9-A693-CD879F0F6092}\gapaengine.dll
2012-02-11 02:23 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-10 01:23 . 2012-02-10 01:23 -------- d-----w- c:\programdata\PC Tools
2012-02-10 01:05 . 2012-02-10 01:05 416064 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2012-02-09 23:30 . 2012-02-09 23:30 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-02-09 23:30 . 2012-02-09 23:30 -------- d-----w- c:\program files\Microsoft Security Client
2012-02-09 23:09 . 2012-02-10 04:13 1737536 ----a-w- c:\windows\system32\nvdispco64.dll
2012-02-09 23:09 . 2012-02-10 04:13 1466176 ----a-w- c:\windows\system32\nvgenco64.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-07 00:15 . 2012-01-12 11:57 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-02-23 04:01 . 2012-01-12 12:17 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-10 04:13 . 2011-05-21 11:01 7713088 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2012-02-10 04:13 . 2011-05-21 11:01 2660160 ----a-w- c:\windows\system32\nvapi64.dll
2012-02-10 04:13 . 2011-05-21 11:01 2301248 ----a-w- c:\windows\SysWow64\nvapi.dll
2012-02-10 04:13 . 2009-07-13 21:59 9717568 ----a-w- c:\windows\system32\nvwgf2umx.dll
2012-02-10 03:14 . 2012-01-13 02:28 6074176 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-10 03:14 . 2012-01-13 02:28 3089728 ----a-w- c:\windows\system32\nvsvc64.dll
2012-02-10 03:07 . 2012-01-13 02:28 889664 ----a-w- c:\windows\system32\nvvsvc.exe
2012-02-10 03:07 . 2012-01-13 02:28 63296 ----a-w- c:\windows\system32\nvshext.dll
2012-02-10 03:07 . 2012-01-13 02:28 118080 ----a-w- c:\windows\system32\nvmctray.dll
2012-01-31 12:44 . 2012-01-12 11:00 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-14 03:44 . 2012-01-14 03:44 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-01-14 03:44 . 2012-01-14 03:44 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-01-14 03:44 . 2012-01-14 03:44 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-01-14 03:44 . 2012-01-14 03:44 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-01-14 03:44 . 2012-01-14 03:44 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-01-14 03:44 . 2012-01-14 03:44 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-01-14 03:44 . 2012-01-14 03:44 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-01-14 03:44 . 2012-01-14 03:44 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-01-14 03:44 . 2012-01-14 03:44 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-01-14 03:44 . 2012-01-14 03:44 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-01-14 03:44 . 2012-01-14 03:44 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-01-14 03:44 . 2012-01-14 03:44 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-01-14 03:44 . 2012-01-14 03:44 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-01-14 03:44 . 2012-01-14 03:44 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-01-14 03:44 . 2012-01-14 03:44 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-01-14 03:44 . 2012-01-14 03:44 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-01-14 03:44 . 2012-01-14 03:44 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-01-14 03:44 . 2012-01-14 03:44 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-01-14 03:44 . 2012-01-14 03:44 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-01-14 03:44 . 2012-01-14 03:44 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-01-14 03:44 . 2012-01-14 03:44 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-01-14 03:44 . 2012-01-14 03:44 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-01-14 03:44 . 2012-01-14 03:44 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-01-14 03:44 . 2012-01-14 03:44 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-01-14 03:44 . 2012-01-14 03:44 448512 ----a-w- c:\windows\system32\html.iec
2012-01-14 03:44 . 2012-01-14 03:44 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-01-14 03:44 . 2012-01-14 03:44 222208 ----a-w- c:\windows\system32\msls31.dll
2012-01-14 03:44 . 2012-01-14 03:44 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-01-14 03:44 . 2012-01-14 03:44 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-01-14 03:44 . 2012-01-14 03:44 160256 ----a-w- c:\windows\system32\wextract.exe
2012-01-14 03:44 . 2012-01-14 03:44 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-01-14 03:44 . 2012-01-14 03:44 12288 ----a-w- c:\windows\system32\mshta.exe
2012-01-14 03:44 . 2012-01-14 03:44 114176 ----a-w- c:\windows\system32\admparse.dll
2012-01-14 03:44 . 2012-01-14 03:44 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-01-13 01:41 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-01-13 01:41 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-01-06 05:15 . 2012-02-08 08:40 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{45B1E239-3D79-4DEE-A6EF-F634C02F09EB}\mpengine.dll
2011-12-30 22:02 . 2012-01-13 09:49 23896 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2011-12-13 16:01 . 2012-01-13 02:49 1698408 ----a-w- c:\windows\RtlExUpd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-01-13 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2009-09-21 2583040]
"Computer Alarm Clock"="c:\progra~2\COMPUT~1\cac.exe" [2007-09-06 696832]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-12-09 74752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-02-10 2348352]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-10 382272]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: infocision.biz\ra
Trusted Zone: infocision.com\careers
Trusted Zone: infocision.com\tsvweb
Trusted Zone: infocision.com\www
TCP: DhcpNameServer = 192.168.1.1
DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://ra.infocision.biz/+CSCOL+/cscopf.cab
FF - ProfilePath - c:\users\Kris\AppData\Roaming\Mozilla\Firefox\Profiles\ibblrfxq.default\
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-10 00:07:36 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-10 05:07
.
Pre-Run: 389,741,387,776 bytes free
Post-Run: 390,429,265,920 bytes free
.
- - End Of File - - 78B2F4AEE71CF1A85E0B4565FA612655

#15 Bradix

Posted 10 March 2012 - 12:23 AM

Alright, simple enough to fix the illegal operation thing; a reboot was needed :)

Awaiting next task! :D
