
Google Redirect: Every search link starts a "websearch.php" download


  • This topic is locked
24 replies to this topic

#1 Eveenus

Eveenus

  • Members
  • 29 posts
  • OFFLINE
  • Local time:06:59 AM

Posted 01 April 2012 - 04:32 AM

Basically, if I do a Google search, all of the links are redirected to begin a download (which I have not accepted) titled "websearch.php" from the domain http://buissnesslistingsearch.net or searchbuisnesslisting.com or other similarly named domains.

The problem is consistent between Mozilla Firefox, Google Chrome, and Internet Explorer.

Just as a tidbit of information, I have actually already tried using Malwarebytes. After the scan and removal I restarted as directed and the problem was fixed; I left the system alone for about half an hour and returned to see the redirects again.

Any help with getting rid of this would be greatly appreciated.

Sticky Direction Stuff below

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_31
Run by Mendoza at 5:08:39 on 2012-04-01
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.16343.12117 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\Installer\MSI1C48.tmp
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Windows\SysWOW64\UAService7.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\PROGRA~2\Raptr\raptr.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\PROGRA~2\Raptr\raptr_im.exe
C:\Program Files (x86)\Raptr\raptr_ep64.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\DolbyAxon\AxonLauncher.exe
C:\Program Files (x86)\DolbyAxon\Axon.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Unknown&pf=laptop
uStart Page = hxxp://www.windstream.net/
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=fx6831&r=17360210n506p03f5v175k4911r25p
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=fx6831&r=17360210n506p03f5v175k4911r25p
uInternet Settings,ProxyOverride = local
uURLSearchHooks: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files (x86)\XfireXO\tbXfir.dll
mURLSearchHooks: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files (x86)\XfireXO\tbXfir.dll
mWinlogon: Userinit=userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngin0.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files (x86)\XfireXO\tbXfir.dll
BHO: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - C:\Program Files (x86)\Splitcam Toolbar\tbcore3.dll
TB: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files (x86)\XfireXO\tbXfir.dll
TB: Splitcam Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - C:\Program Files (x86)\Splitcam Toolbar\tbcore3.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngin0.dll
TB: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [PlayNC Launcher]
uRun: [OpenDNS Updater] "C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Raptr] C:\PROGRA~2\Raptr\raptrstub.exe --startup
mRun: [<NO NAME>]
mRun: [ATICustomerCare] "c:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\Mendoza\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SIDEBA~1.LNK - C:\Program Files (x86)\Windows Sidebar\sidebar.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &Winamp Search
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15112/CTPID.cab
TCP: DhcpNameServer = 192.168.254.254
TCP: Interfaces\{ACBA63B2-0C08-42E6-8A96-43BF25CDE7B1} : DhcpNameServer = 192.168.254.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
STS: CAveStartButtonChangerObject Class: {f791a188-699d-4fd4-955a-eb59e89b1907} - C:\Program Files (x86)\The Skins Factory\Hyperdesk\Common\AveStartButtonChangerInProc.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngin0.dll
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files (x86)\XfireXO\tbXfir.dll
BHO-X64: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
BHO-X64: Somoto Toolbar - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SMTTB2009 Class: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files (x86)\Splitcam Toolbar\tbcore3.dll
BHO-X64: SMTTB2009 - No File
TB-X64: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files (x86)\XfireXO\tbXfir.dll
TB-X64: Splitcam Toolbar: {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Program Files (x86)\Splitcam Toolbar\tbcore3.dll
TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngin0.dll
TB-X64: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [(Default)]
mRun-x64: [ATICustomerCare] "c:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
STS-X64: CAveStartButtonChangerObject Class: {F791A188-699D-4FD4-955A-EB59E89B1907} - C:\Program Files (x86)\The Skins Factory\Hyperdesk\Common\AveStartButtonChangerInProc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Mendoza\AppData\Roaming\Mozilla\Firefox\Profiles\dlhqs9gb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Motive\npMotive.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: C:\Program Files (x86)\NOS\bin\np_gp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files (x86)\Windstream\Service Agent\nprpspa.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Mendoza\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkfjadjghjpjodfhffafagnkbgbpiphf\1.0.3.151_0\npsoe.dll
FF - plugin: C:\Users\Mendoza\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Users\Mendoza\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\Mendoza\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Mendoza\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\system32\Drivers\SmartDefragDriver.sys --> C:\Windows\system32\Drivers\SmartDefragDriver.sys [?]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};Power Control [2011/01/11 16:36:48];C:\Program Files (x86)\CyberLink\PlayMovie\000.fcl [2011-1-11 146928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-2-28 2343816]
R2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2010-8-30 8704]
R2 HyperDeskCustomThemeEnabler;HyperDesk's Custom Theme Enabler;C:\Windows\Installer\MSI1C48.tmp [2011-6-17 102400]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-2-6 652360]
R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2009-11-30 240160]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);C:\Windows\system32\DRIVERS\vrtaucbl.sys --> C:\Windows\system32\DRIVERS\vrtaucbl.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\system32\DRIVERS\LEqdUsb.Sys --> C:\Windows\system32\DRIVERS\LEqdUsb.Sys [?]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\system32\DRIVERS\LHidEqd.Sys --> C:\Windows\system32\DRIVERS\LHidEqd.Sys [?]
R3 LVUSBS64;Logitech USB Monitor Filter;C:\Windows\system32\drivers\LVUSBS64.sys --> C:\Windows\system32\drivers\LVUSBS64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MBfilt;MBfilt;C:\Windows\system32\drivers\MBfilt64.sys --> C:\Windows\system32\drivers\MBfilt64.sys [?]
R3 rzudd;Razer Mouse Driver;C:\Windows\system32\DRIVERS\rzudd.sys --> C:\Windows\system32\DRIVERS\rzudd.sys [?]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);C:\Windows\system32\DRIVERS\tap0901t.sys --> C:\Windows\system32\DRIVERS\tap0901t.sys [?]
R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 bulkadi;Razer Megalodon DFU;C:\Windows\system32\DRIVERS\bulkrazer_x64.sys --> C:\Windows\system32\DRIVERS\bulkrazer_x64.sys [?]
S3 lvpepf64;Volume Adapter;C:\Windows\system32\DRIVERS\lv302a64.sys --> C:\Windows\system32\DRIVERS\lv302a64.sys [?]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\system32\DRIVERS\MijXfilt.sys --> C:\Windows\system32\DRIVERS\MijXfilt.sys [?]
S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
S3 RzSynapse;Razer Naga Driver;C:\Windows\system32\DRIVERS\RzSynapse.sys --> C:\Windows\system32\DRIVERS\RzSynapse.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WPFFontCache_v0400;WPFFontCache_v0400;C:\Windows\Microsoft.NET\Framework64\v4.0.21006\WPF\WPFFontCache_v0400.exe --> C:\Windows\Microsoft.NET\Framework64\v4.0.21006\WPF\WPFFontCache_v0400.exe [?]
S3 WRfiltv;WRfiltv;C:\Windows\system32\drivers\WRfiltv.sys --> C:\Windows\system32\drivers\WRfiltv.sys [?]
S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S4 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-8-28 1150496]
S4 HsdService;HsdService;C:\Program Files (x86)\Windstream\Diagnostic Tools\HsdService.exe [2011-10-18 1393976]
S4 McciCMService64;McciCMService64;C:\Program Files\Common Files\Motive\McciCMService.exe [2011-9-12 517632]
S4 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-8-12 62208]
S4 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-3-28 1153368]
S4 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-1-10 993848]
S4 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-1-10 399416]
S4 ServicepointService;ServicepointService;C:\Program Files (x86)\Windstream\Service Agent\ServicepointService.exe [2011-10-18 10302776]
S4 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S4 TunngleService;TunngleService;C:\Program Files (x86)\Tunngle\TnglCtrl.exe [2011-8-10 741224]
S4 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-12-30 2314240]
S4 USBS3S4Detection;USBS3S4Detection;C:\OEM\USBDECTION\USBS3S4Detection.exe [2009-12-13 76320]
SUnknown SPService;SPService; [x]
.
=============== Created Last 30 ================
.
2012-03-31 15:18:28 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
2012-03-31 14:39:26 -------- d-----w- C:\Program Files (x86)\Death Road
2012-03-31 14:16:34 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-03-31 14:16:17 -------- d-----w- C:\Program Files (x86)\NAMCO BANDAI Games
2012-03-31 14:15:28 -------- d-----we C:\Windows\system64
2012-03-31 01:09:12 -------- d-----w- C:\Program Files (x86)\EA Games
2012-03-30 11:03:44 8669240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8419708F-1FE1-4F32-9D3C-825D570F2C8E}\mpengine.dll
2012-03-17 08:11:04 -------- d-----w- C:\Users\Mendoza\AppData\Local\LogMeIn Hamachi
2012-03-17 08:09:51 -------- d-----w- C:\Program Files (x86)\LogMeIn Hamachi
2012-03-15 09:26:31 592824 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-15 09:26:31 44472 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
2012-03-07 06:55:22 -------- d-----w- C:\ProgramData\EA Logs
2012-03-07 06:51:58 -------- d--h--w- C:\Program Files (x86)\Common Files\EAInstaller
2012-03-07 02:50:31 -------- d-----w- C:\Users\Mendoza\AppData\Local\Origin
2012-03-07 02:50:31 -------- d-----w- C:\ProgramData\Origin
2012-03-07 02:50:31 -------- d-----w- C:\Program Files (x86)\Origin Games
2012-03-07 02:49:19 -------- d-----w- C:\Users\Mendoza\AppData\Roaming\Origin
2012-03-07 02:49:17 -------- d-----w- C:\Program Files (x86)\Origin
2012-03-05 23:39:18 -------- d-----w- C:\Users\Mendoza\AppData\Roaming\.anomos
2012-03-05 23:39:11 200704 ----a-w- C:\Windows\SysWow64\ssleay32.dll
2012-03-05 23:39:11 200704 ----a-w- C:\Windows\SysWow64\libssl32.dll
2012-03-05 23:39:11 1017344 ----a-w- C:\Windows\SysWow64\libeay32.dll
2012-03-05 23:39:10 -------- d-----w- C:\OpenSSL
.
==================== Find3M ====================
.
2012-03-30 02:58:21 22060032 ----a-w- C:\Windows\System32\imageres.dll
2012-03-16 10:12:29 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-29 19:21:24 42392 ----a-w- C:\Windows\SysWow64\xfcodec.dll
2012-02-29 19:21:24 28056 ----a-w- C:\Windows\System32\xfcodec64.dll
2012-02-23 13:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-19 15:08:32 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-30 10:29:36 136704 ----a-w- C:\Windows\SysWow64\rztouchdll.dll
2012-01-30 10:29:34 278528 ----a-w- C:\Windows\SysWow64\rzdevicedll.dll
2012-01-30 10:29:34 164864 ----a-w- C:\Windows\SysWow64\rzaudiodll.dll
2012-01-12 15:34:24 74240 ----a-w- C:\Windows\System32\drivers\rzudd.sys
.
============= FINISH: 5:09:26.23 ===============
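A defender's triage pass over the DDS "Pseudo HJT Report" format shown in the log above, as an added example that is not part of this thread and not code from DDS or ComboFix. It parses lines in that format and flags the items a malware responder reads first: orphaned BHO/toolbar registrations ("No File"), third-party toolbars and search hooks, UAC policy values set to 0, a SubSystems line that differs from the stock Windows 7 value, sites in the IE Trusted Zone, and DNS resolvers outside RFC 1918 space. The sample lines are constructed to mirror the log (the 203.0.113.10 resolver line is constructed and does not appear in the log, so the DNS check has something to fire on), and the stock Windows 7 SubSystems string is an assumption stated in the code.

```python
"""Triage pass over DDS "Pseudo HJT Report" lines.

Added example for this thread; it is not part of DDS, ComboFix or the
BleepingComputer post. The sample below is constructed to mirror the
thread's log format; the stock Windows 7 SubSystems value is an assumption.
"""
import ipaddress
import re

# Constructed sample in the DDS "Pseudo HJT Report" format. All lines but the
# last mirror entries from the thread's log; the 203.0.113.10 resolver line is
# constructed to exercise the DNS check.
SAMPLE_HJT = r"""
uURLSearchHooks: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files (x86)\XfireXO\tbXfir.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
TB: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Trusted Zone: sony.com
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
TCP: DhcpNameServer = 192.168.254.254
TCP: NameServer = 203.0.113.10
"""

# Assumption: the CSRSS server DLL list a clean Windows 7 install carries.
STOCK_WIN7_SUBSYSTEMS = (
    "basesrv,1 winsrv:UserServerDllInitialization,3 "
    "winsrv:ConServerDllInitialization,2 sxssrv,4"
)
# Policy values that switch UAC off or remove its prompts.
UAC_WEAK_VALUES = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ENTRY_RE = re.compile(r"^(?P<kind>[^:]+):\s*(?P<body>.*)$")
POLICY_RE = re.compile(r"^(?P<name>\w+)\s*=\s*(?P<value>\S+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_entry(line):
    """Split one DDS line into kind (text before the first colon), body and path.

    The path is whatever follows the last ' - ' separator, so 'No File' is
    returned as the path of an orphaned registration.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind = re.sub(r"-x64$", "", m.group("kind"), flags=re.IGNORECASE)  # BHO-X64 -> BHO
    body = m.group("body")
    path = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
    return {"kind": kind, "body": body, "path": path}


def triage(text):
    """Return (severity, line, reason) tuples for entries worth a responder's attention."""
    findings = []
    for raw in text.splitlines():
        e = parse_entry(raw)
        if e is None:
            continue
        kind, body = e["kind"], e["body"]
        if kind in ("BHO", "TB", "EB") and e["path"] == "No File":
            findings.append(("low", raw, "orphaned browser-extension registration, DLL missing"))
        elif kind in ("TB", "uURLSearchHooks", "mURLSearchHooks") or "Toolbar" in body:
            findings.append(("low", raw, "third-party toolbar / search hook; confirm it is wanted"))
        elif kind == "mPolicies-system":
            pm = POLICY_RE.match(body)
            if pm and UAC_WEAK_VALUES.get(pm.group("name")) == pm.group("value"):
                findings.append(("medium", raw, f"UAC weakened: {pm.group('name')} = {pm.group('value')}"))
        elif kind == "SubSystems" and "=" in body:
            value = body.split("=", 1)[1].strip()
            if value != STOCK_WIN7_SUBSYSTEMS:
                extra = [t for t in value.split() if t not in STOCK_WIN7_SUBSYSTEMS.split()]
                findings.append(("high", raw, "CSRSS server DLL list differs from stock: " + " ".join(extra)))
        elif kind == "Trusted Zone":
            findings.append(("info", raw, "site in IE Trusted Zone; confirm it was added on purpose"))
        elif kind == "TCP" and "NameServer" in body:
            for ip in IPV4_RE.findall(body):
                if not any(ipaddress.ip_address(ip) in n for n in RFC1918):
                    # Not malicious by itself (an ISP or OpenDNS resolver lands here); verify it.
                    findings.append(("high", raw, f"resolver {ip} is outside RFC 1918 space; verify it is the intended DNS server"))
    return findings


def severity_counts(findings):
    """Tally findings by severity so a long log can be summarised at a glance."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, line, reason in triage(SAMPLE_HJT):
        print(f"[{sev:6}] {reason}\n         {line}")
```

Run against the sample, the SubSystems line is the one that matters most: the extra `consrv:ConServerDllInitialization,2` token is exactly what the ComboFix log later in this thread removes as `c:\windows\system32\consrv.dll`, while the three UAC policies at 0 explain why nothing prompted before the system-level changes. The 192.168.254.254 resolver from the log stays quiet because it is on a private range.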


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:59 AM

Posted 01 April 2012 - 11:54 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Eveenus

Eveenus
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:06:59 AM

Posted 02 April 2012 - 08:37 AM

Well, so far it seems Google is not being redirected anymore, though some webpages are not fully loading or won't load at all sometimes, but I've had that problem for a few months and have been fighting my ISP about it since we got a "new" modem.

The actual running of Combofix went smoothly; only one restart.

Thanks a ton for the help; this was really bothering me, first infection on a new computer in 3 years. Had a bit of a freakout.

If you have any further advice on prevention, or on double checking to make sure it is really gone, or anything, I'll keep watching this topic.

Oh, and here's the log:

ComboFix 12-04-01.01 - Mendoza 04/02/2012 9:11.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.16343.14259 [GMT -4:00]
Running from: c:\users\Mendoza\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Mendoza\AppData\Local\assembly\tmp
c:\users\Mendoza\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc44D0.tmp
c:\users\Mendoza\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5451.tmp
c:\users\Mendoza\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6BF6.tmp
c:\users\Mendoza\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sidebar.exe.lnk
c:\users\Mendoza\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tool
c:\users\Mendoza\AppData\Roaming\mIRC\logs\status.log
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\AutoRun.ini
c:\windows\jestertb.dll
c:\windows\system32\consrv.dll
c:\windows\system32\dds_trash_log.cmd
c:\windows\System64
c:\windows\SysWow64\scvideo.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
.
.
2012-04-02 13:19 . 2012-04-02 13:19 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-04-02 13:19 . 2012-04-02 13:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-31 15:18 . 2012-03-31 15:18 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2012-03-31 14:39 . 2012-03-31 15:21 -------- d-----w- c:\program files (x86)\Death Road
2012-03-31 14:16 . 2012-03-31 14:16 -------- d-----w- c:\program files (x86)\NAMCO BANDAI Games
2012-03-31 09:54 . 2012-03-31 09:54 -------- d-----w- c:\program files (x86)\The Elder Scrolls V Skyrim
2012-03-31 01:09 . 2012-03-31 01:09 -------- d-----w- c:\program files (x86)\EA Games
2012-03-30 11:03 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8419708F-1FE1-4F32-9D3C-825D570F2C8E}\mpengine.dll
2012-03-17 08:11 . 2012-03-24 14:03 -------- d-----w- c:\users\Mendoza\AppData\Local\LogMeIn Hamachi
2012-03-17 08:10 . 2012-04-02 13:20 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\LogMeIn Hamachi
2012-03-17 08:09 . 2012-03-17 08:09 -------- d-----w- c:\program files (x86)\LogMeIn Hamachi
2012-03-16 10:13 . 2012-03-16 10:13 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-03-15 09:26 . 2012-03-15 09:26 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-15 09:26 . 2012-03-15 09:26 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-03-07 06:55 . 2012-03-07 22:41 -------- d-----w- c:\programdata\EA Logs
2012-03-07 06:51 . 2012-03-07 06:51 -------- d--h--w- c:\program files (x86)\Common Files\EAInstaller
2012-03-07 02:50 . 2012-03-07 06:55 -------- d-----w- c:\programdata\Origin
2012-03-07 02:50 . 2012-03-07 02:56 -------- d-----w- c:\program files (x86)\Origin Games
2012-03-07 02:50 . 2012-03-07 02:50 -------- d-----w- c:\users\Mendoza\AppData\Local\Origin
2012-03-07 02:49 . 2012-03-07 02:50 -------- d-----w- c:\users\Mendoza\AppData\Roaming\Origin
2012-03-07 02:49 . 2012-03-07 02:50 -------- d-----w- c:\program files (x86)\Origin
2012-03-05 23:39 . 2012-03-05 23:39 -------- d-----w- c:\users\Mendoza\AppData\Roaming\.anomos
2012-03-05 23:39 . 2009-11-15 18:37 200704 ----a-w- c:\windows\SysWow64\ssleay32.dll
2012-03-05 23:39 . 2009-11-15 18:37 200704 ----a-w- c:\windows\SysWow64\libssl32.dll
2012-03-05 23:39 . 2009-11-15 18:37 1017344 ----a-w- c:\windows\SysWow64\libeay32.dll
2012-03-05 23:39 . 2012-03-05 23:39 -------- d-----w- C:\OpenSSL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-30 02:58 . 2009-07-13 23:57 22060032 ----a-w- c:\windows\system32\imageres.dll
2012-03-16 10:12 . 2011-02-06 20:21 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-29 19:21 . 2012-02-29 19:21 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll
2012-02-29 19:21 . 2012-02-29 19:21 28056 ----a-w- c:\windows\system32\xfcodec64.dll
2012-02-23 13:18 . 2010-02-09 22:30 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-19 15:08 . 2011-05-29 03:37 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-30 10:29 . 2012-01-30 10:29 136704 ----a-w- c:\windows\SysWow64\rztouchdll.dll
2012-01-30 10:29 . 2012-01-30 10:29 278528 ----a-w- c:\windows\SysWow64\rzdevicedll.dll
2012-01-30 10:29 . 2012-01-30 10:29 164864 ----a-w- c:\windows\SysWow64\rzaudiodll.dll
2012-01-12 15:34 . 2012-01-12 15:34 74240 ----a-w- c:\windows\system32\drivers\rzudd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files (x86)\XfireXO\tbXfir.dll" [2009-12-31 2349080]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\tbVuz1.dll" [2010-10-31 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-31 21:52 3908192 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngin0.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2009-12-31 16:53 2349080 ----a-w- c:\program files (x86)\XfireXO\tbXfir.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2010-10-31 21:52 3908192 ----a-w- c:\program files (x86)\Vuze_Remote\tbVuz1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files (x86)\XfireXO\tbXfir.dll" [2009-12-31 2349080]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\tbVuz1.dll" [2010-10-31 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngin0.dll" [2010-10-31 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Updater"="c:\program files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"Raptr"="c:\progra~2\Raptr\raptrstub.exe" [2012-03-07 53168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2011-9-18 102912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{F791A188-699D-4FD4-955A-EB59E89B1907}"= "c:\program files (x86)\The Skins Factory\Hyperdesk\Common\AveStartButtonChangerInProc.dll" [2010-01-28 104448]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HsdService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 ALSysIO;ALSysIO;c:\users\Mendoza\AppData\Local\Temp\ALSysIO64.sys [x]
R3 bulkadi;Razer Megalodon DFU;c:\windows\system32\DRIVERS\bulkrazer_x64.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 lvpepf64;Volume Adapter;c:\windows\system32\DRIVERS\lv302a64.sys [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
R3 LVUSBS64;Logitech USB Monitor Filter;c:\windows\system32\drivers\LVUSBS64.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]
R3 NLNdisMP;NLNdisMP;c:\windows\system32\DRIVERS\nlndis.sys [x]
R3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\DRIVERS\nlndis.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
R3 RzSynapse;Razer Naga Driver;c:\windows\system32\DRIVERS\RzSynapse.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WPFFontCache_v0400;WPFFontCache_v0400;c:\windows\Microsoft.NET\Framework64\v4.0.21006\WPF\WPFFontCache_v0400.exe [x]
R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]
R3 WRfiltv;WRfiltv;c:\windows\system32\drivers\WRfiltv.sys [x]
R3 X6va005;X6va005;c:\users\Mendoza\AppData\Local\Temp\005EA34.tmp [x]
R4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R4 HsdService;HsdService;c:\program files (x86)\Windstream\Diagnostic Tools\HsdService.exe [2011-04-25 1393976]
R4 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-05-13 517632]
R4 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-08-12 62208]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R4 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-01-10 993848]
R4 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2011-01-10 399416]
R4 ServicepointService;ServicepointService;c:\program files (x86)\Windstream\Service Agent\ServicepointService.exe [2011-07-20 10302776]
R4 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R4 TunngleService;TunngleService;c:\program files (x86)\Tunngle\TnglCtrl.exe [2011-08-10 741224]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [x]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};Power Control [2011/01/11 16:36];c:\program files (x86)\CyberLink\PlayMovie\000.fcl [2010-02-09 21:51 146928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-02-28 2343816]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-02-21 8704]
S2 HyperDeskCustomThemeEnabler;HyperDesk's Custom Theme Enabler;c:\windows\Installer\MSI1C48.tmp [2011-06-18 102400]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
S2 USBS3S4Detection;USBS3S4Detection;c:\oem\USBDECTION\USBS3S4Detection.exe [2009-12-09 76320]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [x]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\DRIVERS\vrtaucbl.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [x]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys [x]
S3 rzudd;Razer Mouse Driver;c:\windows\system32\DRIVERS\rzudd.sys [x]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3681274654-1207122361-1378958908-1001Core.job
- c:\users\Mendoza\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-09 22:21]
.
2012-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3681274654-1207122361-1378958908-1001UA.job
- c:\users\Mendoza\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-09 22:21]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
"combofix"="c:\combofix\CF20491.3XE" [2009-07-14 344576]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{F791A188-699D-4FD4-955A-EB59E89B1907}"= "c:\program files (x86)\The Skins Factory\Hyperdesk\Common\AveStartButtonChangerInProc.dll" [2010-01-28 104448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
W2acehid
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.windstream.net/
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=fx6831&r=17360210n506p03f5v175k4911r25p
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = local
IE: &Winamp Search
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
FF - ProfilePath - c:\users\Mendoza\AppData\Roaming\Mozilla\Firefox\Profiles\dlhqs9gb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.guildwars2guru.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-PlayNC Launcher - (no file)
Notify-LBTWlgn - (no file)
Toolbar-Locked - (no file)
WebBrowser-{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-RadialpointServicepointDashboardExtensions_is1 - c:\users\Mendoza\AppData\Local\Temp\is-876MA.tmp\unins000.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HyperDeskCustomThemeEnabler]
"ImagePath"="\"c:\windows\Installer\MSI1C48.tmp\" -service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\Mendoza\AppData\Local\Temp\005EA34.tmp"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3681274654-1207122361-1378958908-1001\Software\SecuROM\License information*]
"datasecu"=hex:0c,a5,91,6c,4d,de,08,b2,1b,bb,93,1f,31,c2,04,fc,68,9b,44,d2,81,
72,0d,a5,3d,73,b4,b3,45,4a,d2,7a,99,fb,9f,24,68,8c,ae,5e,e9,0d,57,77,22,38,\
"rkeysecu"=hex:dd,39,1a,08,40,80,38,1c,fa,b4,b9,81,54,47,5b,ca
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\0a\03\05\16,$?"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\windows\SysWOW64\UAService7.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
c:\progra~2\Raptr\raptr.exe
c:\progra~2\Raptr\raptr_im.exe
.
**************************************************************************
.
Completion time: 2012-04-02 09:26:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-02 13:26
.
Pre-Run: 933,373,337,600 bytes free
Post-Run: 933,687,754,752 bytes free
.
- - End Of File - - 308C25CFE28EF5AE238D45F2BFB8B0CC
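As an added example (not part of this thread and not ComboFix's own code), here is a small Python helper that parses the Rn/Sn service lines of a ComboFix log like the one above and flags image paths in places a service binary rarely lives. The sample lines are copied from the log above; the heuristics, thresholds and function names are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: service/driver lines in the ComboFix format
#   "<R|S><start type> <name>;<display name>;<image path> [metadata]"
# copied from the kinds of entries in the log above. "[x]" means ComboFix did
# not find the file; on x64 systems that is common for legitimate drivers too,
# so it is recorded but not treated as a finding on its own.
SAMPLE_LINES = [
    r"R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]",
    r"R3 ALSysIO;ALSysIO;c:\users\Mendoza\AppData\Local\Temp\ALSysIO64.sys [x]",
    r"R3 X6va005;X6va005;c:\users\Mendoza\AppData\Local\Temp\005EA34.tmp [x]",
    r"S2 HyperDeskCustomThemeEnabler;HyperDesk's Custom Theme Enabler;c:\windows\Installer\MSI1C48.tmp [2011-06-18 102400]",
    r"S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};Power Control [2011/01/11 16:36];c:\program files (x86)\CyberLink\PlayMovie\000.fcl [2010-02-09 21:51 146928]",
    r"S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]",
]

# Name and display name never contain ';'; the image path runs up to the last
# "[...]" group on the line (the display name may itself contain brackets).
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")

# Extensions a Windows service or kernel driver image is normally expected to have.
EXPECTED_EXT = {".exe", ".sys", ".dll"}


def parse_service_line(line):
    """Split one ComboFix service line into its fields, or return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kind, start, name, display, path, meta = m.groups()
    return {
        "kind": kind,            # R = running, S = stopped
        "start": int(start),     # Windows start type (0 boot .. 4 disabled)
        "name": name,
        "display": display,
        "path": path,
        "missing": meta.strip() == "x",
    }


def triage(entry):
    """Return the reasons this entry deserves a second look (my own heuristics)."""
    reasons = []
    p = PureWindowsPath(entry["path"])
    parts = {s.lower() for s in p.parts}
    ext = p.suffix.lower()
    # A service or driver image living in a per-user Temp directory is unusual.
    if "temp" in parts and "appdata" in parts:
        reasons.append("image in user Temp directory")
    # Windows\Installer holds MSI caches, not long-lived service binaries.
    if "windows" in parts and "installer" in parts:
        reasons.append("image under Windows\\Installer")
    # .tmp, .fcl and similar extensions are not what a service image normally uses.
    if ext not in EXPECTED_EXT:
        reasons.append(f"unexpected image extension {ext or '(none)'}")
    # An unexpanded %APPDATA% embedded in a system directory path (the FRST log
    # later in this thread shows one) is worth checking by hand.
    if "%appdata%" in entry["path"].lower():
        reasons.append("unexpanded %APPDATA% in path")
    return reasons


def triage_log(lines):
    """Map service name -> reasons for every flagged ComboFix service line."""
    findings = {}
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LINES).items():
        print(f"{name}: {'; '.join(reasons)}")
```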

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:59 AM

Posted 02 April 2012 - 08:43 AM

Greetings

I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

Please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Eveenus

Eveenus
  • Topic Starter

  • Members
  • 29 posts
  • Local time:06:59 AM

Posted 02 April 2012 - 12:05 PM

Ok, so I ran TDSSKiller and it found one thing. I did the whole default thing and rebooted as it said.

System now is failing to load Windows. Ran Startup Repair to see if I could at least get Windows 7 to boot and it says it can't.

Currently running around like a maniac trying to find my boot discs in a panic, not gonna lie

Oh I'm posting from my phone so please forgive any autocorrects and such I don't pick up

#6 Eveenus

Eveenus
  • Topic Starter

  • Members
  • 29 posts
  • Local time:06:59 AM

Posted 02 April 2012 - 12:07 PM

Oh, if it's any help, I have a Gateway FX that is roughly 2 years old.

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:59 AM

Posted 02 April 2012 - 12:17 PM

Hello

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Gringo

#8 Eveenus

Eveenus
  • Topic Starter

  • Members
  • 29 posts
  • Local time:06:59 AM

Posted 02 April 2012 - 12:48 PM

I'm not going to be able to get flashdrive till later today

I'll update this ASAP once I can get one and use it.

On the off chance it's possible, could I put Farbar on a DVD and run it from that? It would save me some time and cash if I can; not a big deal if it's grandly more complicated than a flash drive though.

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:59 AM

Posted 02 April 2012 - 12:56 PM

Hello


I have not tried it that way, but the problem comes in when you need to get me the report.

I have seen this happen before and 99% of the time it is easy to fix but I need to see the report


Gringo


I want you to try this for me


I want you to boot up the computer again by pressing F10

When you get to the boot edit screen I want you to remove the part in red

NOEXECUTE=OPTIN /minint
restart the computer and when you get back into windows

I want you to click on the start orb

in the search field I want you to type CMD

right click on CMD and select run as admin

In the window that opens copy and paste

bcdedit /set {current} winpe no
Press enter

restart the computer and see if it boots normally now

gringo

Edited by gringo_pr, 02 April 2012 - 12:58 PM.


#10 Eveenus

Eveenus
  • Topic Starter

  • Members
  • 29 posts
  • Local time:06:59 AM

Posted 02 April 2012 - 01:09 PM

That red part wasn't there

It's really not that big of a deal, I can get a flash drive by the end of the day.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:59 AM

Posted 02 April 2012 - 01:11 PM

I will be around for the next 10 or 11 hours anyway



gringo

#12 Eveenus

Eveenus
  • Topic Starter

  • Members
  • 29 posts
  • Local time:06:59 AM

Posted 02 April 2012 - 08:26 PM

Alright, so I finally got my hands on a flash drive and ran the tool.

Here's the log:

Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 02-04-2012 21:20:26
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1744152 2011-10-07] (Logitech, Inc.)
HKLM-x32\...\Run: [ATICustomerCare] "c:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [311296 2010-05-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [460872 2012-01-13] (Malwarebytes Corporation)
HKU\Guest\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKU\Guest\...\Run: [Google Update] "C:\Users\Mendoza\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-02-09] (Google Inc.)
HKU\Guest\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\Guest\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [x]
HKU\Guest\...\Run: [PlayNC Launcher] [x]
HKU\Guest\...\Run: [NCsoft Launcher] C:\Program Files (x86)\NCSoft\Launcher\NCLauncher.exe /Minimized [38704 2012-03-04] (NCSoft)
HKU\Guest\...\Run: [Orb] "C:\Program Files (x86)\Winamp Remote\bin\OrbTray.exe" /background [x]
HKU\Guest\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1242448 2011-08-02] (Valve Corporation)
HKU\Guest\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Guest\...\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [x]
HKU\Guest\...\Run: [Raptr] C:\PROGRA~2\Raptr\raptrstub.exe --startup [53168 2012-03-06] (Raptr, Inc)
HKU\Guest\...\Run: [Logitech Vid] "C:\Program Files (x86)\Logitech\Logitech Vid\vid.exe" -bootmode [x]
HKU\Guest\...\Run: [Logitech Vid HD] "C:\Program Files (x86)\Logitech\Logitech Vid\vid.exe" -bootmode [x]
HKU\Mendoza\...\Run: [OpenDNS Updater] "C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" /autostart [839680 2010-06-16] ()
HKU\Mendoza\...\Run: [Raptr] C:\PROGRA~2\Raptr\raptrstub.exe --startup [53168 2012-03-06] (Raptr, Inc)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [462184 2011-08-30] (Apple Inc.)
4 DAUpdaterSvc; C:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [25832 2009-12-15] (BioWare)
2 Hamachi2Svc; "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s [2343816 2012-02-28] (LogMeIn Inc.)
2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [8704 2012-02-20] (Hi-Rez Studios)
4 HsdService; "C:\Program Files (x86)\Windstream\Diagnostic Tools\HsdService.exe" [1393976 2011-04-25] (Windstream)
3 IDriverT; "C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" [69632 2005-04-03] (Macrovision Corporation)
3 LBTServ; C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe [359192 2011-09-27] (Logitech, Inc.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [652360 2012-01-13] (Malwarebytes Corporation)
4 McciCMService; "C:\Program Files (x86)\Common Files\Motive\McciCMService.exe" [319488 2010-05-13] (Alcatel-Lucent)
4 McciCMService64; "C:\Program Files\Common Files\Motive\McciCMService.exe" [517632 2010-05-13] (Alcatel-Lucent)
4 Nero BackItUp Scheduler 4.0; C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe [935208 2009-08-25] (Nero AG)
4 NTI IScheduleSvc; C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [62208 2009-08-12] (NewTech Infosystems, Inc.)
4 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [247152 2009-02-15] ()
4 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
4 Secunia PSI Agent; "C:\Program Files (x86)\Secunia\PSI\PSIA.exe" --start-service [993848 2011-01-10] (Secunia)
4 Secunia Update Agent; "C:\Program Files (x86)\Secunia\PSI\sua.exe" --start-service [399416 2011-01-10] (Secunia)
4 ServicepointService; "C:\Program Files (x86)\Windstream\Service Agent\ServicepointService.exe" [10302776 2011-07-19] (Radialpoint SafeCare Inc.)
2 SPService; C:\WINDOWS\SysWow64\%APPDATA%\sp.DLL [78848 2012-04-02] ()
4 TunngleService; C:\Program Files (x86)\Tunngle\TnglCtrl.exe [741224 2011-08-09] (Tunngle.net GmbH)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2314240 2009-09-30] (Intel Corporation)
2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()
2 UserAccess7; C:\Windows\SysWow64\UAService7.exe [143360 2011-05-08] (Sony DADC Austria AG.)
4 NetMsmqActivator; "c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [x]
4 NetPipeActivator; c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [x]
4 NetTcpActivator; c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [x]
4 NetTcpPortSharing; c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [x]
3 WPFFontCache_v0400; C:\Windows\Microsoft.NET\Framework64\v4.0.21006\WPF\WPFFontCache_v0400.exe [x]

========================== Drivers (Whitelisted) =============

3 amdkmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [10720256 2011-12-05] (Advanced Micro Devices, Inc.)
3 atikmdag; C:\Windows\System32\Drivers\atikmdag.sys [10720256 2011-12-05] (Advanced Micro Devices, Inc.)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
3 bulkadi; C:\Windows\System32\DRIVERS\bulkrazer_x64.sys [25088 2009-07-24] (Windows ® Codename Longhorn DDK provider)
2 cpuz135; \??\C:\Windows\system32\drivers\cpuz135_x64.sys [21992 2010-11-09] (CPUID)
3 e1kexpress; C:\Windows\System32\DRIVERS\e1k62x64.sys [283824 2009-09-23] (Intel Corporation)
3 EuMusDesignVirtualAudioCableWdm; C:\Windows\System32\DRIVERS\vrtaucbl.sys [66728 2010-09-07] (Eugene V. Muzychenko)
3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [33856 2009-03-18] (LogMeIn, Inc.)
2 HyperDeskCustomThemeEnabler; "C:\Windows\Installer\MSI1C48.tmp" -service [102400 2011-06-17] ()
0 JRAID; C:\Windows\System32\Drivers\JRAID.sys [115824 2009-10-29] (JMicron Technology Corp.)
3 LEqdUsb; C:\Windows\System32\Drivers\LEqdUsb.sys [76056 2011-09-01] (Logitech, Inc.)
3 LHidEqd; C:\Windows\System32\Drivers\LHidEqd.sys [15128 2011-09-01] (Logitech, Inc.)
3 LHidFilt; C:\Windows\System32\Drivers\LHidFilt.sys [66840 2011-09-01] (Logitech, Inc.)
3 lvpepf64; C:\Windows\System32\DRIVERS\lv302a64.sys [15768 2008-07-26] (Logitech Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [23152 2011-12-10] (Malwarebytes Corporation)
3 MBfilt; C:\Windows\System32\drivers\MBfilt64.sys [25600 2009-08-24] (Creative Technology Ltd.)
3 MotioninJoyXFilter; C:\Windows\System32\DRIVERS\MijXfilt.sys [97040 2011-01-01] (MotioninJoy)
3 MREMP50; \??\C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [21248 2011-07-05] (Printing Communications Assoc., Inc. (PCAUSA))
3 MRESP50; \??\C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [20096 2011-07-05] (Printing Communications Assoc., Inc. (PCAUSA))
3 NTIDrvr; C:\Windows\System32\Drivers\NTIDrvr.sys [18432 2009-05-05] (NewTech Infosystems, Inc.)
3 PID_PEPI; C:\Windows\System32\DRIVERS\LV302V64.SYS [2624408 2008-07-26] (Logitech Inc.)
3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [17976 2010-09-01] (Secunia)
3 RzSynapse; C:\Windows\System32\Drivers\RzSynapse.sys [73216 2010-04-21] (Razer USA Ltd)
3 rzudd; C:\Windows\System32\Drivers\rzudd.sys [74240 2012-01-12] (Razer USA Ltd)
0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [17720 2010-11-26] ()
3 tap0901t; C:\Windows\System32\Drivers\tap0901t.sys [31232 2009-09-16] (Tunngle.net)
3 UBHelper; C:\Windows\System32\Drivers\UBHelper.sys [16896 2009-05-05] (NewTech Infosystems Corporation)
3 WRfiltv; C:\Windows\System32\Drivers\WRfiltv.sys [25600 2009-07-30] (Creative Technology Ltd.)
2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; \??\C:\Program Files (x86)\CyberLink\PlayMovie\000.fcl [146928 2010-02-09] (CyberLink Corp.)
3 ALSysIO; \??\C:\Users\Mendoza\AppData\Local\Temp\ALSysIO64.sys [x]
3 btwaudio; C:\Windows\System32\drivers\btwaudio.sys [x]
3 btwavdt; C:\Windows\System32\drivers\btwavdt.sys [x]
3 btwrchid; C:\Windows\System32\DRIVERS\btwrchid.sys [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [x]
3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [x]
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [x]
3 NLNdisMP; C:\Windows\System32\DRIVERS\nlndis.sys [x]
3 NLNdisPT; C:\Windows\System32\DRIVERS\nlndis.sys [x]
3 WPRO_40_1340; C:\Windows\System32\drivers\WPRO_40_1340.sys [x]
3 X6va005; \??\C:\Users\Mendoza\AppData\Local\Temp\005EA34.tmp [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-04-02 21:20 - 2012-04-02 21:20 - 0000000 ____D C:\FRST
2012-04-02 07:42 - 2012-04-02 07:42 - 0139170 ____A C:\TDSSKiller.2.7.24.0_02.04.2012_11.42.00_log.txt
2012-04-02 07:42 - 2012-04-02 07:42 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-04-02 07:41 - 2012-04-02 07:41 - 4731392 ____A (AVAST Software) C:\Users\Mendoza\Desktop\aswMBR.exe
2012-04-02 07:40 - 2012-04-02 07:40 - 2068528 ____A (Kaspersky Lab ZAO) C:\Users\Mendoza\Desktop\tdsskiller.exe
2012-04-02 05:26 - 2012-04-02 05:26 - 0021860 ____A C:\ComboFix.txt
2012-04-02 05:21 - 2012-04-02 05:21 - 0000000 __SHD C:\$RECYCLE.BIN
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-04-02 05:08 - 2012-04-02 05:26 - 0000000 ____D C:\Qoobox
2012-04-02 05:08 - 2012-04-02 05:24 - 0000000 ____D C:\Windows\ERDNT
2012-04-02 05:08 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2012-04-02 05:08 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2012-04-02 05:08 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-04-02 05:08 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-04-02 05:08 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-04-02 05:08 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2012-04-02 05:08 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2012-04-02 05:08 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2012-04-02 02:47 - 2012-04-02 02:47 - 4453008 ____R (Swearware) C:\Users\Mendoza\Desktop\ComboFix.exe
2012-04-01 01:07 - 2012-04-01 01:07 - 0000000 ____A C:\Users\Mendoza\defogger_reenable
2012-03-31 20:50 - 2011-09-26 08:11 - 0001719 ____A C:\Users\All Users\Start Menu\Programs\Startup\Rainmeter.lnk
2012-03-31 07:21 - 2012-03-31 07:33 - 0000000 ____D C:\Users\Mendoza\Documents\DeathRoad
2012-03-31 07:18 - 2012-03-31 07:18 - 0000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2012-03-31 06:39 - 2012-03-31 07:21 - 0000000 ____D C:\Program Files (x86)\Death Road
2012-03-31 06:16 - 2012-03-31 06:16 - 0000000 ____D C:\Program Files (x86)\NAMCO BANDAI Games
2012-03-31 06:15 - 2012-03-31 06:15 - 0000000 ____A C:\Users\Mendoza\AppData\Roaming\BCGNU.txt
2012-03-31 01:54 - 2012-03-31 01:54 - 0000000 ____D C:\Program Files (x86)\The Elder Scrolls V Skyrim
2012-03-30 17:09 - 2012-03-30 17:09 - 0000000 ____D C:\Program Files (x86)\EA Games
2012-03-30 10:33 - 2012-04-01 08:09 - 0000000 ____D C:\Users\Mendoza\Desktop\Guild Wars 2
2012-03-17 00:11 - 2012-03-24 06:03 - 0000000 ____D C:\Users\Mendoza\AppData\Local\LogMeIn Hamachi
2012-03-17 00:09 - 2012-03-17 00:09 - 0000000 ____D C:\Program Files (x86)\LogMeIn Hamachi
2012-03-16 02:12 - 2012-03-16 02:12 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-03-16 02:12 - 2012-03-16 02:12 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-03-16 02:12 - 2012-03-16 02:12 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-03-13 18:03 - 2012-03-13 18:03 - 0001942 ____A C:\Users\Guest\Desktop\GamezAion Launcher.lnk
2012-03-06 22:55 - 2012-03-07 14:41 - 0000000 ____D C:\Users\All Users\EA Logs
2012-03-06 22:55 - 2012-03-07 14:41 - 0000000 ____D C:\ProgramData\EA Logs
2012-03-06 18:50 - 2012-03-06 22:55 - 0000000 ____D C:\Users\All Users\Origin
2012-03-06 18:50 - 2012-03-06 22:55 - 0000000 ____D C:\ProgramData\Origin
2012-03-06 18:50 - 2012-03-06 18:56 - 0000000 ____D C:\Program Files (x86)\Origin Games
2012-03-06 18:50 - 2012-03-06 18:50 - 0000000 ____D C:\Users\Mendoza\AppData\Local\Origin
2012-03-06 18:49 - 2012-03-06 18:50 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\Origin
2012-03-06 18:49 - 2012-03-06 18:50 - 0000000 ____D C:\Program Files (x86)\Origin
2012-03-06 18:49 - 2012-03-06 18:49 - 0000539 ____A C:\Windows\KB893803v2.log
2012-03-05 15:39 - 2012-03-05 15:39 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\.anomos
2012-03-05 15:39 - 2012-03-05 15:39 - 0000000 ____D C:\OpenSSL
2012-03-05 15:39 - 2009-11-15 10:37 - 1017344 ____A (The OpenSSL Project, http://www.openssl.org/) C:\Windows\SysWOW64\libeay32.dll
2012-03-05 15:39 - 2009-11-15 10:37 - 0200704 ____A (The OpenSSL Project, http://www.openssl.org/) C:\Windows\SysWOW64\ssleay32.dll
2012-03-05 15:39 - 2009-11-15 10:37 - 0200704 ____A (The OpenSSL Project, http://www.openssl.org/) C:\Windows\SysWOW64\libssl32.dll
2012-03-05 15:38 - 2012-03-05 15:38 - 0000950 ____A C:\Users\Guest\Desktop\Anomos.lnk

============ 3 Months Modified Files and Folders =============

2012-04-02 21:20 - 2012-04-02 21:20 - 0000000 ____D C:\FRST
2012-04-02 10:07 - 2009-12-30 14:32 - 4262797312 __ASH C:\hiberfil.sys
2012-04-02 07:42 - 2012-04-02 07:42 - 0139170 ____A C:\TDSSKiller.2.7.24.0_02.04.2012_11.42.00_log.txt
2012-04-02 07:42 - 2012-04-02 07:42 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-04-02 07:42 - 2009-12-30 14:35 - 1855867 ____A C:\Windows\WindowsUpdate.log
2012-04-02 07:41 - 2012-04-02 07:41 - 4731392 ____A (AVAST Software) C:\Users\Mendoza\Desktop\aswMBR.exe
2012-04-02 07:41 - 2011-09-26 08:21 - 0000000 ____D C:\Users\Mendoza\Desktop\Desk
2012-04-02 07:40 - 2012-04-02 07:40 - 2068528 ____A (Kaspersky Lab ZAO) C:\Users\Mendoza\Desktop\tdsskiller.exe
2012-04-02 07:27 - 2010-02-09 14:21 - 0000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3681274654-1207122361-1378958908-1001UA.job
2012-04-02 05:30 - 2010-09-02 23:00 - 0000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-04-02 05:29 - 2009-07-13 20:45 - 0009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-02 05:29 - 2009-07-13 20:45 - 0009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-02 05:28 - 2010-11-14 10:22 - 0024063 ____A C:\Windows\setupact.log
2012-04-02 05:26 - 2012-04-02 05:26 - 0021860 ____A C:\ComboFix.txt
2012-04-02 05:26 - 2012-04-02 05:08 - 0000000 ____D C:\Qoobox
2012-04-02 05:26 - 2009-07-13 21:13 - 0779266 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-02 05:26 - 2009-07-13 19:20 - 0000000 __RHD C:\users\Default
2012-04-02 05:26 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-04-02 05:24 - 2012-04-02 05:08 - 0000000 ____D C:\Windows\ERDNT
2012-04-02 05:22 - 2010-06-14 05:25 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\Raptr
2012-04-02 05:21 - 2012-04-02 05:21 - 0000000 __SHD C:\$RECYCLE.BIN
2012-04-02 05:21 - 2009-07-13 18:34 - 0000215 ____A C:\Windows\system.ini
2012-04-02 05:20 - 2010-11-15 09:15 - 0059998 ____A C:\Windows\PFRO.log
2012-04-02 05:20 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-02 05:20 - 2009-07-13 18:34 - 83623936 ____A C:\Windows\System32\config\SOFTWARE.bak
2012-04-02 05:20 - 2009-07-13 18:34 - 4718592 ____A C:\Windows\System32\config\DEFAULT.bak
2012-04-02 05:20 - 2009-07-13 18:34 - 20971520 ____A C:\Windows\System32\config\SYSTEM.bak
2012-04-02 05:20 - 2009-07-13 18:34 - 0262144 ____A C:\Windows\System32\config\SECURITY.bak
2012-04-02 05:20 - 2009-07-13 18:34 - 0262144 ____A C:\Windows\System32\config\SAM.bak
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-04-02 05:19 - 2012-04-02 05:19 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-04-02 02:48 - 2011-09-26 16:48 - 0000000 ____D C:\Users\Mendoza\Desktop\backgrounds
2012-04-02 02:47 - 2012-04-02 02:47 - 4453008 ____R (Swearware) C:\Users\Mendoza\Desktop\ComboFix.exe
2012-04-01 23:27 - 2010-11-14 12:52 - 0000000 ____D C:\Users\Mendoza\Desktop\AAA
2012-04-01 23:27 - 2010-02-09 14:21 - 0000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3681274654-1207122361-1378958908-1001Core.job
2012-04-01 08:09 - 2012-03-30 10:33 - 0000000 ____D C:\Users\Mendoza\Desktop\Guild Wars 2
2012-04-01 01:07 - 2012-04-01 01:07 - 0000000 ____A C:\Users\Mendoza\defogger_reenable
2012-04-01 01:07 - 2010-02-09 14:12 - 0000000 ____D C:\users\Mendoza
2012-03-31 22:24 - 2011-02-05 21:09 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-31 20:50 - 2010-11-14 10:02 - 0000000 ____D C:\Windows\pss
2012-03-31 07:34 - 2010-08-21 08:58 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\Azureus
2012-03-31 07:33 - 2012-03-31 07:21 - 0000000 ____D C:\Users\Mendoza\Documents\DeathRoad
2012-03-31 07:21 - 2012-03-31 06:39 - 0000000 ____D C:\Program Files (x86)\Death Road
2012-03-31 07:18 - 2012-03-31 07:18 - 0000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2012-03-31 06:39 - 2010-08-21 09:02 - 0000000 ____D C:\Users\Mendoza\Documents\Vuze Downloads
2012-03-31 06:20 - 2010-07-01 17:59 - 0000000 ____D C:\Users\Mendoza\AppData\Local\SKIDROW
2012-03-31 06:16 - 2012-03-31 06:16 - 0000000 ____D C:\Program Files (x86)\NAMCO BANDAI Games
2012-03-31 06:15 - 2012-03-31 06:15 - 0000000 ____A C:\Users\Mendoza\AppData\Roaming\BCGNU.txt
2012-03-31 02:04 - 2011-12-04 12:15 - 0000000 ____D C:\Users\Mendoza\AppData\Local\Black_Tree_Gaming
2012-03-31 01:54 - 2012-03-31 01:54 - 0000000 ____D C:\Program Files (x86)\The Elder Scrolls V Skyrim
2012-03-30 22:07 - 2010-08-05 18:16 - 0000000 ____D C:\Program Files (x86)\Steam
2012-03-30 17:19 - 2010-07-03 09:50 - 0000000 ____D C:\Users\Mendoza\Documents\My Games
2012-03-30 17:09 - 2012-03-30 17:09 - 0000000 ____D C:\Program Files (x86)\EA Games
2012-03-30 10:34 - 2010-12-20 16:20 - 0000000 ____D C:\Users\Mendoza\Desktop\Movies
2012-03-29 19:10 - 2010-02-26 21:38 - 0000000 ____D C:\Program Files (x86)\Electronic Arts
2012-03-29 19:10 - 2009-11-30 00:16 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-03-29 18:47 - 2011-06-18 15:44 - 0000000 ____A C:\Windows\SysWOW64\Access.dat
2012-03-29 18:47 - 2011-03-17 08:31 - 0000000 ____D C:\Users\All Users\Xfire
2012-03-29 18:47 - 2011-03-17 08:31 - 0000000 ____D C:\ProgramData\Xfire
2012-03-29 18:47 - 2010-02-11 16:59 - 0000000 ____D C:\Program Files (x86)\Xfire
2012-03-29 18:23 - 2011-09-12 05:44 - 0000000 ____D C:\Users\All Users\Radialpoint
2012-03-29 18:23 - 2011-09-12 05:44 - 0000000 ____D C:\ProgramData\Radialpoint
2012-03-24 06:03 - 2012-03-17 00:11 - 0000000 ____D C:\Users\Mendoza\AppData\Local\LogMeIn Hamachi
2012-03-23 16:27 - 2010-02-11 16:59 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\Mozilla
2012-03-17 00:09 - 2012-03-17 00:09 - 0000000 ____D C:\Program Files (x86)\LogMeIn Hamachi
2012-03-16 14:52 - 2012-02-24 18:43 - 0000000 ____D C:\Users\Mendoza\AppData\Local\Procaster
2012-03-16 02:51 - 2011-03-25 13:57 - 0413707 ____A C:\Windows\DirectX.log
2012-03-16 02:12 - 2012-03-16 02:12 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-03-16 02:12 - 2012-03-16 02:12 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-03-16 02:12 - 2012-03-16 02:12 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-03-16 02:12 - 2011-02-06 12:21 - 0472808 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-03-16 00:20 - 2011-03-17 08:31 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\Xfire
2012-03-15 23:52 - 2010-06-14 05:25 - 0000000 ____D C:\Program Files (x86)\Raptr
2012-03-15 01:28 - 2010-12-06 02:55 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-03-14 23:04 - 2012-02-03 23:34 - 0000000 ____D C:\Program Files (x86)\DolbyAxon
2012-03-13 18:03 - 2012-03-13 18:03 - 0001942 ____A C:\Users\Guest\Desktop\GamezAion Launcher.lnk
2012-03-11 19:43 - 2010-02-19 12:18 - 0000000 ____D C:\Program Files (x86)\NCSoft
2012-03-11 18:17 - 2012-02-21 10:32 - 0000206 ____A C:\Users\Mendoza\Documents\PWOOptions.ini
2012-03-07 14:41 - 2012-03-06 22:55 - 0000000 ____D C:\Users\All Users\EA Logs
2012-03-07 14:41 - 2012-03-06 22:55 - 0000000 ____D C:\ProgramData\EA Logs
2012-03-06 22:55 - 2012-03-06 18:50 - 0000000 ____D C:\Users\All Users\Origin
2012-03-06 22:55 - 2012-03-06 18:50 - 0000000 ____D C:\ProgramData\Origin
2012-03-06 22:55 - 2011-05-18 06:52 - 0000000 __SHD C:\Users\All Users\DSS
2012-03-06 22:55 - 2011-05-18 06:52 - 0000000 __SHD C:\ProgramData\DSS
2012-03-06 22:55 - 2010-03-05 17:45 - 0000000 ____D C:\Users\All Users\Electronic Arts
2012-03-06 22:55 - 2010-03-05 17:45 - 0000000 ____D C:\ProgramData\Electronic Arts
2012-03-06 22:55 - 2010-02-10 13:41 - 0000000 ____D C:\Users\Mendoza\Documents\BioWare
2012-03-06 18:56 - 2012-03-06 18:50 - 0000000 ____D C:\Program Files (x86)\Origin Games
2012-03-06 18:50 - 2012-03-06 18:50 - 0000000 ____D C:\Users\Mendoza\AppData\Local\Origin
2012-03-06 18:50 - 2012-03-06 18:49 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\Origin
2012-03-06 18:50 - 2012-03-06 18:49 - 0000000 ____D C:\Program Files (x86)\Origin
2012-03-06 18:49 - 2012-03-06 18:49 - 0000539 ____A C:\Windows\KB893803v2.log
2012-03-05 16:09 - 2012-02-15 11:34 - 0000600 ____A C:\Users\Mendoza\PUTTY.RND
2012-03-05 15:39 - 2012-03-05 15:39 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\.anomos
2012-03-05 15:39 - 2012-03-05 15:39 - 0000000 ____D C:\OpenSSL
2012-03-05 15:38 - 2012-03-05 15:38 - 0000950 ____A C:\Users\Guest\Desktop\Anomos.lnk
2012-03-05 13:46 - 2010-03-07 13:07 - 0000000 ____D C:\Users\All Users\Media Center Programs
2012-03-05 13:46 - 2010-03-07 13:07 - 0000000 ____D C:\ProgramData\Media Center Programs
2012-03-05 03:55 - 2011-09-12 05:44 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\Radialpoint
2012-03-03 21:48 - 2012-02-03 16:46 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\Mumble
2012-03-01 17:28 - 2012-03-01 17:27 - 0000000 ____D C:\Users\Mendoza\Documents\Sai
2012-03-01 16:47 - 2010-05-29 16:31 - 0000000 ____D C:\Users\Mendoza\AppData\Local\Zame
2012-02-29 11:21 - 2012-02-29 11:21 - 0042392 ____A C:\Windows\SysWOW64\xfcodec.dll
2012-02-29 11:21 - 2012-02-29 11:21 - 0028056 ____A C:\Windows\System32\xfcodec64.dll
2012-02-27 19:50 - 2012-02-23 11:49 - 0000000 ____D C:\Program Files (x86)\GSC 2.00
2012-02-27 19:39 - 2010-02-19 17:42 - 0000000 ____D C:\Users\Mendoza\Desktop\Guild Wars
2012-02-24 18:43 - 2011-11-16 09:36 - 0000000 ____D C:\Program Files (x86)\Livestream Procaster
2012-02-23 17:59 - 2010-03-26 14:35 - 0000000 ___HD C:\Windows\msdownld.tmp
2012-02-23 17:33 - 2011-02-11 16:18 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\Skype
2012-02-23 11:49 - 2012-02-23 11:49 - 0000000 ____D C:\Users\Mendoza\Documents\GSC
2012-02-23 05:18 - 2010-02-09 14:30 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-02-22 03:25 - 2010-09-30 10:48 - 0000003 ____A C:\Windows\System32\HRUPPROG.TXT
2012-02-22 03:25 - 2010-08-31 11:34 - 0000000 ____D C:\Program Files (x86)\Hi-Rez Studios
2012-02-21 10:32 - 2012-02-21 10:32 - 0000000 ____D C:\Program Files (x86)\Pokemon World Online
2012-02-19 07:16 - 2012-02-19 07:16 - 0000000 ____D C:\Users\All Users\ATI
2012-02-19 07:16 - 2012-02-19 07:16 - 0000000 ____D C:\ProgramData\ATI
2012-02-19 07:16 - 2012-02-19 07:16 - 0000000 ____D C:\Program Files (x86)\AMD APP
2012-02-19 07:16 - 2010-11-15 11:33 - 0000000 ____D C:\Program Files\ATI Technologies
2012-02-19 07:12 - 2012-02-19 07:12 - 0000000 ____D C:\AMD
2012-02-19 07:08 - 2012-02-19 07:08 - 0000000 ____D C:\Windows\System32\Macromed
2012-02-19 07:08 - 2011-05-28 19:37 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-02-14 18:59 - 2012-02-14 18:56 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\Trine2
2012-02-14 18:56 - 2012-02-14 18:56 - 0000000 ____D C:\Users\All Users\RELOADED
2012-02-14 18:56 - 2012-02-14 18:56 - 0000000 ____D C:\ProgramData\RELOADED
2012-02-13 13:14 - 2012-02-13 13:14 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\OpenDNS Updater
2012-02-13 13:14 - 2012-02-13 13:14 - 0000000 ____D C:\Program Files (x86)\OpenDNS Updater
2012-02-12 13:57 - 2010-10-19 16:07 - 0000000 ____D C:\Program Files (x86)\Bethesda Softworks
2012-02-12 13:50 - 2010-02-14 21:09 - 0000000 ____D C:\Users\Mendoza\AppData\Local\Yahoo
2012-02-12 13:50 - 2010-02-14 20:32 - 0000000 ____D C:\Users\All Users\Yahoo!
2012-02-12 13:50 - 2010-02-14 20:32 - 0000000 ____D C:\ProgramData\Yahoo!
2012-02-12 13:48 - 2011-01-25 13:40 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\RIFT
2012-02-12 13:48 - 2010-08-15 10:30 - 0000000 ____D C:\Nexon
2012-02-12 13:45 - 2011-03-25 14:03 - 0000000 ____D C:\Users\Mendoza\Documents\Reakktor Media
2012-02-12 13:44 - 2010-03-24 03:20 - 0000000 ____D C:\Users\All Users\Ubisoft
2012-02-12 13:44 - 2010-03-24 03:20 - 0000000 ____D C:\ProgramData\Ubisoft
2012-02-12 08:23 - 2012-02-12 08:23 - 0000000 ____D C:\Users\Mendoza\AppData\Roaming\PunkBuster
2012-02-11 09:47 - 2012-02-11 09:47 - 0000000 ____D C:\Users\Mendoza\Documents\FLiNGTrainer
2012-02-11 09:03 - 2012-02-11 09:03 - 0000000 ____D C:\Users\Mendoza\Documents\My Cheat Tables
2012-02-11 07:49 - 2012-02-11 07:49 - 0000018 ___SH C:\Windows\SysWOW64\Userdata.ini
2012-02-11 06:57 - 2012-02-11 06:57 - 0000000 ____D C:\Users\Mendoza\AppData\Local\BigHugeEngine
2012-02-04 15:38 - 2012-01-15 17:10 - 0049880 ____A C:\Windows\DPINST.LOG
2012-02-04 15:34 - 2012-02-04 15:34 - 1597360281 ____A C:\Windows\MEMORY.DMP
2012-02-04 15:34 - 2012-02-04 15:34 - 0275544 ____A C:\Windows\Minidump\020412-23961-01.dmp
2012-02-04 15:34 - 2012-02-04 15:34 - 0000000 ____D C:\Windows\Minidump
2012-02-04 07:16 - 2011-12-04 12:15 - 0000000 ____D C:\Users\Mendoza\Documents\Nexus Mod Manager
2012-02-04 00:46 - 2012-02-03 23:34 - 0000000 ____D C:\Users\Mendoza\Documents\DolbyAxon
2012-02-03 16:59 - 2012-02-03 16:59 - 0000000 ____D C:\Users\Mendoza\AppData\Local\Mumble
2012-02-03 16:59 - 2012-02-03 16:46 - 0000000 ____D C:\Program Files (x86)\Mumble
2012-02-03 16:49 - 2012-02-03 16:49 - 0002378 ____A C:\Users\Mendoza\Documents\MumbleAutomaticCertificateBackup.p12
2012-01-31 19:26 - 2012-01-31 19:26 - 0007601 ____A C:\Users\Mendoza\AppData\Local\Resmon.ResmonCfg
2012-01-31 19:08 - 2009-07-13 20:45 - 4967792 ____A C:\Windows\System32\FNTCACHE.DAT
2012-01-30 02:29 - 2012-01-30 02:29 - 0278528 ____A (Razer USA Ltd) C:\Windows\SysWOW64\rzdevicedll.dll
2012-01-30 02:29 - 2012-01-30 02:29 - 0164864 ____A (Razer USA Ltd) C:\Windows\SysWOW64\rzaudiodll.dll
2012-01-30 02:29 - 2012-01-30 02:29 - 0136704 ____A (Razer USA Ltd) C:\Windows\SysWOW64\rztouchdll.dll
2012-01-27 22:44 - 2010-02-09 18:28 - 0000000 ____D C:\Users\All Users\Blizzard Entertainment
2012-01-27 22:44 - 2010-02-09 18:28 - 0000000 ____D C:\ProgramData\Blizzard Entertainment
2012-01-15 17:34 - 2012-01-15 17:34 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_rzudd_01009.Wdf
2012-01-15 17:34 - 2010-07-05 08:21 - 0000000 ____D C:\Program Files (x86)\Razer
2012-01-15 17:31 - 2010-08-22 13:17 - 0097816 ____A C:\Users\Mendoza\AppData\Local\GDIPFONTCACHEV1.DAT
2012-01-15 17:22 - 2012-01-15 17:22 - 0000000 ____D C:\Users\Mendoza\AppData\Local\Razer
2012-01-15 17:22 - 2012-01-15 17:22 - 0000000 ____D C:\Users\All Users\Razer
2012-01-15 17:22 - 2012-01-15 17:22 - 0000000 ____D C:\ProgramData\Razer
2012-01-15 17:12 - 2012-01-15 17:12 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_WinUsb_01005.Wdf
2012-01-12 07:34 - 2012-01-12 07:34 - 0074240 ____A (Razer USA Ltd) C:\Windows\System32\Drivers\rzudd.sys
2012-01-08 08:42 - 2010-08-21 08:58 - 0000000 ____D C:\Program Files (x86)\Vuze
2012-01-04 13:59 - 2012-01-04 13:59 - 0000262 ____A C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
2012-01-04 13:59 - 2012-01-04 13:59 - 0000000 ____D C:\Program Files\Ventrilo

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 7%
Total physical RAM: 16343.09 MB
Available physical RAM: 15064.68 MB
Total Pagefile: 16341.24 MB
Available Pagefile: 15048.66 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (Gateway) (Fixed) (Total:1380.17 GB) (Free:869.22 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:17 GB) (Free:6.67 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive h: () (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32
11 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
12 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 1397 GB 0 B
Disk 1 Online 3819 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B
Disk 6 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 17 GB 1024 KB
Partition 2 Primary 100 MB 17 GB
Partition 3 Primary 1380 GB 17 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E PQSERVICE NTFS Partition 17 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y SYSTEM RESE NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C Gateway NTFS Partition 1380 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3818 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT32 Removable 3818 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-30 03:05

======================= End Of Log ==========================

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:59 AM

Posted 03 April 2012 - 06:33 AM

Hello

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

SubSystems: [Windows] ==> ZeroAccess
2 SPService; C:\WINDOWS\SysWow64\%APPDATA%\sp.DLL [78848 2012-04-02] ()
C:\WINDOWS\SysWow64\%APPDATA%\sp.DLL
CMD: bootrec /FixMbr

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
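A defender-side triage check for the two indicators gringo_pr pulled out of the FRST log above (a service image under a literal `%APPDATA%` directory in SysWow64, and a service whose image is a bare DLL), as an added example that is not part of this thread and not FRST's own code. It parses FRST-style service and driver lines; the sample lines are constructed from the log posted earlier, and the flagging rules are heuristics assumed here, not FRST's.

```python
"""Heuristic triage of FRST 'Services' / 'Drivers' lines.

Added example (not FRST's code). The line shape is taken from the log posted
in this thread; the flagging rules are heuristics assumed here, not FRST's.
"""
import re
from dataclasses import dataclass

# One FRST service/driver line, e.g.
#   2 SPService; C:\WINDOWS\SysWow64\%APPDATA%\sp.DLL [78848 2012-04-02] ()
#   3 ALSysIO; \??\C:\Users\Mendoza\AppData\Local\Temp\ALSysIO64.sys [x]
SERVICE_RE = re.compile(
    r"^(?P<start>[0-4])\s+(?P<name>[^;]+);\s+(?P<image>.+?)\s+"
    r"\[(?:(?P<missing>x)|(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2}))\]"
    r"(?:\s+\((?P<company>.*)\))?\s*$"
)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\")
ENV_TOKEN_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")

# Reasons that justify a closer look on their own; "no_publisher" alone is too
# common among legitimate OEM tools to act on (RichVideo in this log, for one).
STRONG = {"literal_env_dir", "dll_as_service_image", "temp_path"}


@dataclass
class Finding:
    name: str
    image: str
    reasons: list


def image_path(image: str) -> str:
    """Reduce the image column to the bare file path (no quotes, arguments or \\??\\ prefix)."""
    image = image.strip()
    if image.startswith('"'):
        end = image.find('"', 1)
        image = image[1:end] if end > 0 else image[1:]
    if image.startswith("\\??\\"):      # NT object-manager prefix used on driver lines
        image = image[4:]
    return image


def check_image(path: str, company: str, present: bool) -> list:
    """Return the heuristic reasons a service/driver image looks suspicious."""
    reasons = []
    # Already rooted at a drive letter yet still containing %NAME%: the service
    # controller would not expand that, so it is a real directory named like a
    # variable (the SysWow64\%APPDATA% folder seen in this thread).
    if DRIVE_ROOT_RE.match(path) and ENV_TOKEN_RE.search(path):
        reasons.append("literal_env_dir")
    base = path.rsplit("\\", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext == "dll":                     # the SCM starts executables, not bare DLLs
        reasons.append("dll_as_service_image")
    if "\\temp\\" in path.lower():       # drivers or services living in a Temp folder
        reasons.append("temp_path")
    if present and not company:          # file exists but FRST found no publisher string
        reasons.append("no_publisher")
    return reasons


def scan_frst(text: str) -> list:
    """Walk FRST log lines and return Findings for strong indicators."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # FRST's own verdict line for a hijacked Session Manager SubSystems value
        if line.startswith("SubSystems:") and "==>" in line:
            findings.append(Finding("SubSystems", line.split("==>", 1)[1].strip(),
                                    ["frst_flagged_subsystems"]))
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        path = image_path(m.group("image"))
        reasons = check_image(path, (m.group("company") or "").strip(),
                              m.group("missing") is None)
        if STRONG & set(reasons):
            findings.append(Finding(m.group("name").strip(), path, reasons))
    return findings


# Constructed sample: lines copied from the FRST output earlier in this thread.
SAMPLE_LOG = r"""
SubSystems: [Windows] ==> ZeroAccess
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [652360 2012-01-13] (Malwarebytes Corporation)
4 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [247152 2009-02-15] ()
2 SPService; C:\WINDOWS\SysWow64\%APPDATA%\sp.DLL [78848 2012-04-02] ()
4 NetTcpActivator; c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [x]
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [23152 2011-12-10] (Malwarebytes Corporation)
3 ALSysIO; \??\C:\Users\Mendoza\AppData\Local\Temp\ALSysIO64.sys [x]
3 X6va005; \??\C:\Users\Mendoza\AppData\Local\Temp\005EA34.tmp [x]
"""

if __name__ == "__main__":
    for f in scan_frst(SAMPLE_LOG):
        print(f"{f.name:16} {', '.join(f.reasons):45} {f.image}")
```

Run against a full FRST.txt it lists only the lines worth a human look; the "no_publisher" reason is recorded but never flags a line by itself.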

#14 Eveenus

Eveenus
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:06:59 AM

Posted 03 April 2012 - 07:01 AM

Alright, so I was just now able to boot up. The only thing I noticed that was wrong is that it was about 5 minutes slower to boot Windows than usual (it usually takes under 2 min for me to boot); other than that I can't see anything quite wrong, but really, what do I know?

Here's the log

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 15-03-2012
Ran by SYSTEM at 2012-04-03 07:51:32 R:1
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
SPService service deleted successfully.
C:\WINDOWS\SysWow64\%APPDATA%\sp.DLL moved successfully.

========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog ====

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:59 AM

Posted 03 April 2012 - 10:26 PM

Greetings

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\program files (x86)\ConduitEngine
c:\program files (x86)\Vuze_Remote

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo




