
Infected with TDSS--Google redirect


  • This topic is locked
18 replies to this topic

#1 Kev_the_Ref

Posted 14 May 2012 - 09:15 AM

My daughter's computer has become infected with what appears to be a TDSS trojan. The symptoms are Google redirects in both Firefox and Internet Explorer. Chrome appears to be unaffected. Kaspersky's TDSSKiller doesn't run, and Symantec's FixTDSS fails with the message "Pre-boot operation failed, unable to continue" even after booting into Safe Mode and running rkill and fixexec.

I have followed the instructions in the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" topic and am posting the DDS log below. I have also attached the attach.txt log. I did not run GMER because the computer is running Windows 7 Pro, a 64-bit operating system.

Any help would be greatly appreciated.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by x120 at 23:48:11 on 2012-05-13
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1641.612 [GMT -6:00]
.
AV: Microsoft Forefront Endpoint Protection 2010 *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Forefront Endpoint Protection 2010 *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\LanSchool\student.exe
C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
C:\Windows\system32\lxcicoms.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\LanSchool\Student.exe
C:\Program Files (x86)\LanSchool\LskHlpr64.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
C:\Program Files (x86)\Lexmark 7300 Series\ezprint.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\Lenovo\Zoom\TPSCREX.EXE
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Lenovo\System Update\SUService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\x120\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x120\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x120\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x120\AppData\Local\Google\Chrome\Application\chrome.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://americanacademyk8.org/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun: [Teacher] C:\Program Files (x86)\LanSchool\student.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\x120\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 8.8.4.4
TCP: Interfaces\{66E2CB5A-5A62-4EF6-A4B9-4E28D24295FA} : DhcpNameServer = 192.168.0.1 8.8.4.4
TCP: Interfaces\{66E2CB5A-5A62-4EF6-A4B9-4E28D24295FA}\1414D23547574656E647 : DhcpNameServer = 10.133.88.21 10.133.88.22
TCP: Interfaces\{66E2CB5A-5A62-4EF6-A4B9-4E28D24295FA}\1414D264163657C64797 : DhcpNameServer = 10.133.88.21 10.133.88.22
TCP: Interfaces\{66E2CB5A-5A62-4EF6-A4B9-4E28D24295FA}\7514C444F4 : DhcpNameServer = 192.168.0.1 205.171.2.65
TCP: Interfaces\{B2270187-C79A-49D1-B438-DF0B71B36EA6} : DhcpNameServer = 10.133.88.21 10.133.88.22
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun-x64: [Teacher] C:\Program Files (x86)\LanSchool\student.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\x120\AppData\Roaming\Mozilla\Firefox\Profiles\0vx13l41.default\
FF - prefs.js: browser.startup.homepage - hxxp://americanacademyk8.org/
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\x120\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiifx64.sys --> C:\Windows\system32\DRIVERS\smiifx64.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 LanSchoolStudent;LanSchool Student Service;C:\Program Files (x86)\LanSchool\student.exe [2011-5-17 1591168]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\Communications Utility\CamMute.exe [2011-7-21 41320]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2011-7-21 45496]
R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [2011-7-21 59240]
R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe [2011-7-21 93032]
R2 lxci_device;lxci_device;C:\Windows\system32\lxcicoms.exe -service --> C:\Windows\system32\lxcicoms.exe -service [?]
R2 PwmEWSvc;Cisco EnergyWise Enabler;C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.exe [2011-7-21 148840]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;C:\Program Files\Lenovo\HOTKEY\tphkload.exe [2011-7-21 144232]
R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2011-7-21 64952]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\system32\DRIVERS\rtl8192Ce.sys --> C:\Windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
R3 usbsmi;Integrated Camera Service Display Name V1;C:\Windows\system32\DRIVERS\SMIksdrv.sys --> C:\Windows\system32\DRIVERS\SMIksdrv.sys [?]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
R3 WSDScan;WSD Scan Support via UMB;C:\Windows\system32\DRIVERS\WSDScan.sys --> C:\Windows\system32\DRIVERS\WSDScan.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-22 136176]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-4-5 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-2 257696]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-22 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2011-7-21 83304]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-05-14 05:00:19 8917360 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A1907EB1-E9D8-48D7-88D0-F76307226B8A}\mpengine.dll
2012-05-14 04:24:29 -------- d-----w- C:\Program Files (x86)\ESET
2012-05-14 02:18:08 -------- d-----w- C:\tools
2012-05-14 00:32:33 -------- d-----w- C:\Users\x120\AppData\Local\{29E7B952-A760-4E00-B8B5-7144D2EB339C}
2012-05-14 00:25:00 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-13 21:33:51 98816 ----a-w- C:\Windows\sed.exe
2012-05-13 21:33:51 518144 ----a-w- C:\Windows\SWREG.exe
2012-05-13 21:33:51 256000 ----a-w- C:\Windows\PEV.exe
2012-05-13 21:33:51 208896 ----a-w- C:\Windows\MBR.exe
2012-05-13 21:32:33 -------- d-----w- C:\ComboFix
2012-05-13 20:25:40 -------- d-----w- C:\Users\x120\AppData\Local\{8AA7B601-62C0-4589-9BA2-57443AE1BEB3}
2012-05-13 20:25:15 -------- d-----w- C:\Users\x120\AppData\Local\{80FD4070-954B-42D4-A835-49B956A77682}
2012-05-13 20:07:18 -------- d-----w- C:\Windows\pss
2012-05-13 20:05:06 2075184 ----a-w- C:\12345.com
2012-05-13 18:36:41 -------- d-----w- C:\Users\x120\AppData\Roaming\PC Tools
2012-05-13 18:18:09 -------- d-----w- C:\Users\x120\AppData\Local\{6ADB7F48-438E-49D8-93D5-E22880DB22D1}
2012-05-13 18:17:58 -------- d-----w- C:\Users\x120\AppData\Local\{CF37D78D-E86F-4E1A-B6E8-D45D0D101208}
2012-05-13 17:53:50 -------- d-----w- C:\Users\x120\AppData\Local\Threat Expert
2012-05-13 17:39:34 -------- d-----w- C:\Users\x120\AppData\Roaming\Resource Tuner
2012-05-13 17:39:04 -------- d-----w- C:\Program Files (x86)\Resource Tuner
2012-05-13 17:12:32 -------- d-----w- C:\Program Files (x86)\PC Tools
2012-05-13 16:45:05 251528 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys
2012-05-13 16:44:51 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2012-05-13 16:42:33 -------- d-----w- C:\ProgramData\PC Tools
2012-05-13 16:42:26 -------- d-----w- C:\Users\x120\AppData\Roaming\TestApp
2012-05-12 13:46:30 -------- d-----w- C:\Users\x120\AppData\Local\{6592C358-5BE4-4347-9EA4-52A031D79984}
2012-05-12 13:46:18 -------- d-----w- C:\Users\x120\AppData\Local\{5BDFB9BC-8087-4831-8D10-2D70CBA551AA}
2012-05-11 02:14:46 -------- d-----w- C:\Users\x120\AppData\Local\{F15E8516-E706-40E3-BCC8-FD48D932A118}
2012-05-11 02:14:35 -------- d-----w- C:\Users\x120\AppData\Local\{D1EE0B84-C21E-40A2-B873-F77A936DCB7A}
2012-05-11 00:32:12 -------- d-----w- C:\Users\x120\AppData\Local\{969A4C40-31CF-4107-B60A-7B83B98BA69D}
2012-05-11 00:32:01 -------- d-----w- C:\Users\x120\AppData\Local\{07583A49-9772-406B-8BCD-D16728DEE251}
2012-05-09 23:09:46 -------- d-----w- C:\Users\x120\AppData\Local\{14A5BB0A-6C62-4744-B776-3FEF09BD1908}
2012-05-09 23:09:34 -------- d-----w- C:\Users\x120\AppData\Local\{7D713032-2E55-42BD-861D-2400B3F93370}
2012-05-09 00:40:59 -------- d-----w- C:\Users\x120\AppData\Local\{1D9C9C8F-7383-4D04-9838-2EEB3D368117}
2012-05-09 00:40:48 -------- d-----w- C:\Users\x120\AppData\Local\{959B11CE-6E8D-4F2D-86EB-E64B4467816E}
2012-05-09 00:36:50 -------- d-----w- C:\Users\x120\AppData\Local\{511ACA7B-C8B2-438B-98DE-3890A8A56392}
2012-05-09 00:36:39 -------- d-----w- C:\Users\x120\AppData\Local\{7BC70757-526F-45CD-8628-DFA9EE81F93C}
2012-05-07 23:34:16 -------- d-----w- C:\Users\x120\AppData\Local\{5D37DAB5-0D41-4D52-BBA5-E11B65CA6CED}
2012-05-07 23:34:05 -------- d-----w- C:\Users\x120\AppData\Local\{0256C84E-748C-4118-8D7B-F640E03F89F0}
2012-05-07 22:54:42 -------- d-----w- C:\Users\x120\AppData\Local\{4D5E4DEF-121E-4FEA-B9BE-69276AF70A8C}
2012-05-07 22:54:27 -------- d-----w- C:\Users\x120\AppData\Local\{D1225C2A-A246-4EAB-8D10-65DF69E65DF2}
2012-05-06 22:59:43 -------- d-----w- C:\Users\x120\AppData\Local\{80B20303-C2D2-4C7D-BB7B-AB1575DFB7BF}
2012-05-06 22:59:31 -------- d-----w- C:\Users\x120\AppData\Local\{3A671C24-A31A-41E4-A832-AC374A2C6D2A}
2012-05-06 21:37:21 -------- d-----w- C:\Users\x120\AppData\Local\{A010E12F-AACB-40B6-A835-F0D866157CD7}
2012-05-06 21:37:05 -------- d-----w- C:\Users\x120\AppData\Local\{E76489B2-DF7E-406F-8699-F22387F30953}
2012-05-05 21:50:05 8769696 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-05-05 21:38:46 -------- d-----w- C:\Users\x120\AppData\Local\{2878DDC1-9E3E-49C2-AD90-0A8467967E70}
2012-05-05 21:38:32 -------- d-----w- C:\Users\x120\AppData\Local\{BF0EC19F-A5AE-42C9-9536-ECE7E41DF301}
2012-05-04 02:48:55 -------- d-----w- C:\Users\x120\AppData\Local\{448158AD-8464-4696-8364-960D2C45EC4F}
2012-05-04 02:48:42 -------- d-----w- C:\Users\x120\AppData\Local\{86F3259F-EF26-4ED1-B1CC-2C5A031B6CB1}
2012-05-04 01:24:01 -------- d-----w- C:\Users\x120\AppData\Local\{5A639BD8-C6AE-4F9B-806E-BCAB6B171A5F}
2012-05-04 01:23:49 -------- d-----w- C:\Users\x120\AppData\Local\{C08B925A-6AF9-4D72-A145-82092861CF25}
2012-05-04 01:06:28 -------- d-----w- C:\Users\x120\AppData\Local\{40B36310-D144-4FBF-8E9A-B67175254F81}
2012-05-04 01:06:16 -------- d-----w- C:\Users\x120\AppData\Local\{FB6E631F-B15C-4E91-9082-3AEBF3A4564D}
2012-05-03 23:13:42 -------- d-----w- C:\Users\x120\AppData\Local\{64257D77-CF9E-4A46-A284-78759A77E67D}
2012-05-03 23:13:31 -------- d-----w- C:\Users\x120\AppData\Local\{2CBE240E-D4BC-4853-B799-EAD1282C3C34}
2012-05-02 23:45:30 -------- d-----w- C:\Users\x120\AppData\Local\{C6226C57-8F69-435F-85AB-4B5FF7492BFE}
2012-05-02 23:45:18 -------- d-----w- C:\Users\x120\AppData\Local\{12893ACD-7E85-4AF8-8421-BD8322373539}
2012-05-02 20:36:26 -------- d-----w- C:\Users\x120\AppData\Local\{D387E069-1FFE-4E5E-BF65-B11CFF5B1675}
2012-05-02 20:36:03 -------- d-----w- C:\Users\x120\AppData\Local\{FD997CB3-8DB4-4750-9B25-BB5ED2D1DAE7}
2012-05-02 20:23:34 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-02 12:43:05 -------- d-----w- C:\Users\x120\AppData\Local\{0E8F2C4B-0099-45D8-8DF8-86A9D86B70C5}
2012-05-02 12:42:49 -------- d-----w- C:\Users\x120\AppData\Local\{4BC389D8-0E51-4534-A76C-B678E7046C75}
2012-05-01 23:52:28 -------- d-----w- C:\Users\x120\AppData\Local\{F94A2C20-807C-44D8-86C1-2FDFDBD0A25E}
2012-05-01 23:52:17 -------- d-----w- C:\Users\x120\AppData\Local\{B8AB081C-A7F0-4B1A-942B-A436FDDC5918}
2012-05-01 21:20:55 -------- d-----w- C:\Users\x120\AppData\Local\{087B1FAC-94A4-49BD-8983-12F13E90231F}
2012-05-01 21:20:33 -------- d-----w- C:\Users\x120\AppData\Local\{0E5351B0-9E7B-4032-8F79-999D216461AB}
2012-05-01 02:40:59 -------- d-----w- C:\Users\x120\AppData\Local\{A9FD7ED8-CA43-479C-8899-7DCB260161EA}
2012-05-01 02:40:48 -------- d-----w- C:\Users\x120\AppData\Local\{52722467-2FA3-4BB6-87FA-EF49CA19954B}
2012-04-30 22:42:38 -------- d-----w- C:\Users\x120\AppData\Local\{0FE57629-7F6E-4578-B76E-CC37932C44EA}
2012-04-30 22:42:25 -------- d-----w- C:\Users\x120\AppData\Local\{51116B4A-98ED-42A1-80F7-D37D309B0C6B}
2012-04-30 21:23:05 -------- d-----w- C:\Users\x120\AppData\Local\{36B975AB-F471-46B2-B780-2E2478AF4E14}
2012-04-30 21:22:39 -------- d-----w- C:\Users\x120\AppData\Local\{0FC80129-B3F2-49F3-9634-5137DBC25C74}
2012-04-29 20:24:55 -------- d-----w- C:\Users\x120\AppData\Local\{9E2CCCBE-91CE-4489-809A-F41D6F1F678E}
2012-04-29 20:24:43 -------- d-----w- C:\Users\x120\AppData\Local\{519D7007-EB00-44B8-930B-908675958DE2}
2012-04-29 19:44:15 -------- d-----w- C:\Users\x120\AppData\Local\{0837968D-EFBC-4A8E-AF80-0F2521D6D6B0}
2012-04-29 19:44:04 -------- d-----w- C:\Users\x120\AppData\Local\{FD6C4EB5-A481-4D99-B1A8-7E1BCD797B1C}
2012-04-29 19:00:24 -------- d-----w- C:\Users\x120\AppData\Local\{6650EC2C-768A-4719-AD4C-5E804A1CE03C}
2012-04-29 19:00:13 -------- d-----w- C:\Users\x120\AppData\Local\{3B2AEAF2-C127-4CB1-B06C-F6A1EAD67E4E}
2012-04-29 15:51:50 -------- d-----r- C:\Program Files (x86)\Skype
2012-04-29 14:36:15 -------- d-----w- C:\Users\x120\AppData\Local\{2D20ADE9-B2BE-4CFB-8F1A-BF2C1ECEA89E}
2012-04-29 14:36:03 -------- d-----w- C:\Users\x120\AppData\Local\{AA1F292C-91DA-48D8-95DF-00D9C8D36E2E}
2012-04-29 02:27:18 -------- d-----w- C:\Users\x120\AppData\Local\{31DA88F0-E732-4E28-8932-ACFFADDE6770}
2012-04-29 02:27:07 -------- d-----w- C:\Users\x120\AppData\Local\{96C2F52E-5A67-4195-8407-71B36ACD1720}
2012-04-28 19:18:51 -------- d-----w- C:\Users\x120\AppData\Local\{2A02F31B-F7EA-4D9C-BB70-2CD10EA40A20}
2012-04-28 19:18:39 -------- d-----w- C:\Users\x120\AppData\Local\{AD87C79E-EF97-4CD3-A738-75C857290962}
2012-04-28 00:05:36 -------- d-----w- C:\Users\x120\AppData\Local\{28A7AC52-F0A2-471A-BCAD-7A58F104D97B}
2012-04-28 00:05:25 -------- d-----w- C:\Users\x120\AppData\Local\{BAC93A6A-B058-431A-A3D1-35EFBC4A7EB2}
2012-04-27 17:26:15 -------- d-----w- C:\Program Files (x86)\Lame For Audacity
2012-04-27 16:44:24 -------- d-----w- C:\Users\x120\AppData\Local\{CFBCA945-710A-4F12-A2FD-8AD9E6C29A88}
2012-04-27 16:44:13 -------- d-----w- C:\Users\x120\AppData\Local\{1F43014D-99BB-48B6-BBAF-9328171A821C}
2012-04-27 01:07:04 -------- d-----w- C:\Users\x120\AppData\Local\{061B6F9D-F14C-4038-B14C-2AA895C72234}
2012-04-27 01:06:52 -------- d-----w- C:\Users\x120\AppData\Local\{58D2A044-7660-4182-9175-0E8894B9D5F9}
2012-04-26 16:49:15 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2012-04-26 16:49:15 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2012-04-26 16:49:15 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2012-04-26 16:49:14 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2012-04-25 22:39:13 -------- d-----w- C:\Users\x120\AppData\Local\{B2820905-87BA-4472-AF49-39C33149F95D}
2012-04-25 22:39:00 -------- d-----w- C:\Users\x120\AppData\Local\{0876B72D-4F6A-44B2-8014-BF7B12038899}
2012-04-25 16:13:15 -------- d-----w- C:\Users\x120\AppData\Local\{2776C8A0-0952-4C59-A0B1-145514D7A769}
2012-04-25 16:12:52 -------- d-----w- C:\Users\x120\AppData\Local\{5B0381F9-8399-4842-BEF2-49CA25E58908}
2012-04-24 21:20:39 -------- d-----w- C:\Users\x120\AppData\Roaming\SUPERAntiSpyware.com
2012-04-24 21:20:14 -------- d--h--w- C:\ProgramData\SUPERAntiSpyware.com
2012-04-24 21:20:14 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-04-24 16:45:54 -------- d--h--w- C:\Users\x120\AppData\Local\{113CE565-13DC-49B4-9AB2-B8489AF413FB}
2012-04-24 16:45:31 -------- d--h--w- C:\Users\x120\AppData\Local\{9EC1973B-6A58-4717-AD39-DCD081F1D4E4}
2012-04-24 01:15:08 -------- d--h--w- C:\Users\x120\AppData\Local\{C66BD6B5-7088-4C67-B538-D4E8FF80C9E0}
2012-04-24 01:14:57 -------- d--h--w- C:\Users\x120\AppData\Local\{7195696D-1B17-4A03-A5D7-88697DCF0E89}
2012-04-23 23:24:17 -------- d--h--w- C:\Users\x120\AppData\Local\{9C601A9C-1D13-477D-B4A3-BCEB214B8B7B}
2012-04-23 23:24:05 -------- d--h--w- C:\Users\x120\AppData\Local\{2AA20B01-472A-4FE7-B8A3-D3B3D39DDA9E}
2012-04-23 03:08:16 -------- d--h--w- C:\Users\x120\AppData\Local\{179EF6FA-3313-4861-B9BE-97BCA8B9295F}
2012-04-23 03:08:04 -------- d--h--w- C:\Users\x120\AppData\Local\{366B1A68-1A38-4675-BD0E-6FE01876473C}
2012-04-23 01:08:12 -------- d--h--w- C:\Users\x120\AppData\Local\{661DF8A4-424E-48A8-8832-4690222C05A0}
2012-04-23 01:08:00 -------- d--h--w- C:\Users\x120\AppData\Local\{4C58462E-4E2C-4F68-9700-E0679E4FF91A}
2012-04-21 17:02:27 -------- d--h--w- C:\Users\x120\AppData\Local\{75EF78A5-435E-4EAB-92CB-404E1CEC931D}
2012-04-21 17:02:16 -------- d--h--w- C:\Users\x120\AppData\Local\{A5D5F02F-F1CC-49A7-BD07-2EAC4CEAF12F}
2012-04-21 01:24:18 -------- d--h--w- C:\Users\x120\AppData\Local\{836F2A9C-08FB-4FDA-BD6E-2349C41871BB}
2012-04-21 01:24:05 -------- d--h--w- C:\Users\x120\AppData\Local\{9D378572-D4F0-4D62-94C4-B34A76DDC2E3}
2012-04-19 16:23:53 -------- d--h--w- C:\Users\x120\AppData\Local\{793B16DA-CB71-4BE4-BB91-92AEEA79B69F}
2012-04-19 16:23:42 -------- d--h--w- C:\Users\x120\AppData\Local\{6D21A004-9411-453A-9074-B10BE516F3C4}
2012-04-19 16:04:40 -------- d--h--w- C:\Users\x120\AppData\Local\{31171D94-AB1F-4338-A3E6-51E5887523AA}
2012-04-19 16:04:16 -------- d--h--w- C:\Users\x120\AppData\Local\{4AA1CFCA-B4CD-41BB-BA11-28CD23B14CDF}
2012-04-19 02:03:51 -------- d--h--w- C:\Users\x120\AppData\Local\{7E9AED5C-9F4A-4D1B-B243-EAFACEBB49A6}
2012-04-19 02:03:37 -------- d--h--w- C:\Users\x120\AppData\Local\{4081BE9A-3391-4AA5-A34D-7EFEA0EC7F4C}
2012-04-18 01:55:54 -------- d--h--w- C:\Users\x120\AppData\Local\{112ADE10-E257-4DC4-97CD-8A5256EBE695}
2012-04-18 01:55:43 -------- d--h--w- C:\Users\x120\AppData\Local\{7B77D943-38B0-48EC-8AF1-827153D877C6}
2012-04-17 23:02:48 -------- d--h--w- C:\Users\x120\AppData\Local\{22767D77-F370-43F4-8198-8AC9FD7AC300}
2012-04-17 19:18:35 -------- d--h--w- C:\Users\x120\AppData\Local\{E80355EF-D9C5-4CFD-82EE-3A7CEEE8EACB}
2012-04-17 19:18:15 -------- d--h--w- C:\Users\x120\AppData\Local\{68F0613C-584B-42A7-AB89-E98E19D6129B}
2012-04-17 02:11:35 -------- d--h--w- C:\Users\x120\AppData\Local\{49D51859-AEEC-46FF-8691-393AEFE6CAF8}
2012-04-17 02:11:24 -------- d--h--w- C:\Users\x120\AppData\Local\{BED36A4A-BD2B-4E0E-AA25-D381CF56832E}
2012-04-14 16:35:03 -------- d--h--w- C:\Users\x120\AppData\Local\{769F8A1B-641C-4527-AB84-0111EFEED6AF}
2012-04-14 16:34:51 -------- d--h--w- C:\Users\x120\AppData\Local\{84C686B9-2F68-464F-8AB9-852030D8B652}
.
==================== Find3M ====================
.
2012-05-05 21:51:02 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-06 06:53:37 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-06 05:59:47 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-06 05:59:41 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-01 06:46:16 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-03-01 06:38:27 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-03-01 06:33:50 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-03-01 06:28:47 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-03-01 05:37:41 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-03-01 05:33:23 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-03-01 05:29:16 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-02-28 06:39:37 1188864 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 05:38:52 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 04:31:38 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 03:52:27 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-02-17 00:27:58 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2012-02-17 00:27:58 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2012-02-14 18:09:44 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
.
============= FINISH: 23:56:46.11 ===============

Thank you.


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:29 AM

Posted 15 May 2012 - 03:24 PM

Hi,

My name is Casey and I will be helping you with your malware problems.

Whilst we work through the problems in your logs, it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself.

You may wish to "Watch Topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale.

Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.

It looks like you've run ComboFix so I'd like to see the log please. It will be located at C:\ComboFix.txt

Regards,

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 Kev_the_Ref

Kev_the_Ref
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 16 May 2012 - 07:54 AM

Casey,

Thanks for the quick response. My daughter left her computer at school yesterday, so I will post the ComboFix log this afternoon when she brings it home.

#4 Kev_the_Ref

Kev_the_Ref
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 16 May 2012 - 11:39 PM

ComboFix log:

ComboFix 12-05-13.03 - x120 05/13/2012 15:44:16.1.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1641.668 [GMT -6:00]
Running from: c:\users\x120\Desktop\ComboFix.exe
AV: Microsoft Forefront Endpoint Protection 2010 *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Forefront Endpoint Protection 2010 *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\4mIbaEwdOD4UgI
c:\users\x120\Desktop\Internet Explorer.lnk
c:\windows\es.exe
c:\windows\pthreadGC2.dll
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-04-13 to 2012-05-13 )))))))))))))))))))))))))))))))
.
.
2012-05-13 22:31 . 2012-05-13 22:31 -------- d-----w- c:\users\Test\AppData\Local\temp
2012-05-13 22:31 . 2012-05-13 22:31 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-05-13 20:05 . 2012-05-02 16:00 2075184 ----a-w- C:\TDSSKiller.exe
2012-05-13 18:36 . 2012-05-13 18:36 -------- d-----w- c:\users\x120\AppData\Roaming\PC Tools
2012-05-13 17:53 . 2012-05-13 17:53 -------- d-----w- c:\users\x120\AppData\Local\Threat Expert
2012-05-13 17:39 . 2012-05-13 17:40 -------- d-----w- c:\users\x120\AppData\Roaming\Resource Tuner
2012-05-13 17:39 . 2012-05-13 20:33 -------- d-----w- c:\program files (x86)\Resource Tuner
2012-05-13 17:12 . 2012-05-13 17:12 -------- d-----w- c:\program files (x86)\PC Tools
2012-05-13 16:45 . 2012-04-23 20:18 251528 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-05-13 16:44 . 2012-05-13 20:36 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-05-13 16:42 . 2012-05-13 17:14 -------- d-----w- c:\programdata\PC Tools
2012-05-13 16:42 . 2012-05-13 16:42 -------- d-----w- c:\users\x120\AppData\Roaming\TestApp
2012-05-12 21:47 . 2012-05-13 20:17 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1621E6D6-158C-4BF0-8FCD-DA76901A5DEB}\offreg.dll
2012-05-12 21:41 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1621E6D6-158C-4BF0-8FCD-DA76901A5DEB}\mpengine.dll
2012-05-05 21:50 . 2012-05-05 21:50 -------- d-----w- c:\windows\system32\Macromed
2012-05-05 21:50 . 2012-05-05 21:50 8769696 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-05-02 20:23 . 2012-05-05 21:51 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-29 15:52 . 2012-05-13 22:26 -------- d-----w- c:\users\x120\AppData\Roaming\Skype
2012-04-29 15:51 . 2012-04-29 15:51 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-04-29 15:51 . 2012-04-29 15:51 -------- d-----r- c:\program files (x86)\Skype
2012-04-29 15:51 . 2012-04-29 15:51 -------- d-----w- c:\programdata\Skype
2012-04-27 17:26 . 2012-04-27 17:26 -------- d-----w- c:\program files (x86)\Lame For Audacity
2012-04-26 16:49 . 2012-04-26 16:49 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2012-04-26 16:49 . 2012-04-26 16:49 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2012-04-26 16:49 . 2012-04-26 16:49 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2012-04-26 16:49 . 2012-04-26 16:49 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-04-24 21:20 . 2012-04-24 21:20 -------- d-----w- c:\users\x120\AppData\Roaming\SUPERAntiSpyware.com
2012-04-24 21:20 . 2012-04-24 22:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-24 21:20 . 2012-04-24 21:20 -------- d--h--w- c:\programdata\SUPERAntiSpyware.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 21:51 . 2011-07-22 18:11 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-13 08:46 . 2011-08-19 00:41 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-27 00:18 . 2012-03-27 00:18 485576 ----a-w- c:\users\x120\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
2012-03-06 06:53 . 2012-04-11 09:06 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-06 05:59 . 2012-04-11 09:06 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-06 05:59 . 2012-04-11 09:06 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-01 06:46 . 2012-04-11 09:02 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 06:38 . 2012-04-11 09:02 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 06:33 . 2012-04-11 09:02 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 06:28 . 2012-04-11 09:02 5120 ----a-w- c:\windows\system32\wmi.dll
2012-03-01 05:37 . 2012-04-11 09:02 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-03-01 05:33 . 2012-04-11 09:02 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-03-01 05:29 . 2012-04-11 09:02 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-02-28 06:39 . 2012-04-11 03:23 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 05:38 . 2012-04-11 03:23 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-02-28 04:31 . 2012-04-11 03:23 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-28 03:52 . 2012-04-11 03:23 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-02-17 06:38 . 2012-03-13 22:41 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-13 22:41 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-13 22:41 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-13 22:41 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-17 00:27 . 2009-10-22 05:09 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2012-02-17 00:27 . 2009-10-22 05:09 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2012-02-14 18:09 . 2012-02-14 18:09 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-22 39408]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-04-05 17356424]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2012-02-17 296056]
"Teacher"="c:\program files (x86)\LanSchool\student.exe" [2011-05-17 1591168]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-01 336384]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-03-18 421888]
"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2011-05-10 1553256]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\users\x120\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-22 136176]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-04-05 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-22 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2011-05-10 83304]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 LanSchoolStudent;LanSchool Student Service;c:\program files (x86)\LanSchool\student.exe [2011-05-17 1591168]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2011-05-31 41320]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-04-04 45496]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2011-05-31 59240]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]
S2 lxci_device;lxci_device;c:\windows\system32\lxcicoms.exe [2007-02-02 566192]
S2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2011-05-10 148840]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-04-20 144232]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-03-29 64952]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
S3 usbsmi;Integrated Camera Service Display Name V1;c:\windows\system32\DRIVERS\SMIksdrv.sys [x]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 21:51]
.
2012-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-22 18:09]
.
2012-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-22 18:09]
.
2012-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3263427060-3182314109-2832525399-1000Core.job
- c:\users\x120\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-20 00:12]
.
2012-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3263427060-3182314109-2832525399-1000UA.job
- c:\users\x120\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-20 00:12]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 1436224]
"lxcimon.exe"="c:\program files (x86)\Lexmark 7300 Series\lxcimon.exe" [2007-05-11 205744]
"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2011-05-31 40808]
"EzPrint"="c:\program files (x86)\Lexmark 7300 Series\ezprint.exe" [2007-05-11 103344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://americanacademyk8.org/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1 8.8.4.4
DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
FF - ProfilePath - c:\users\x120\AppData\Roaming\Mozilla\Firefox\Profiles\0vx13l41.default\
FF - prefs.js: browser.startup.homepage - hxxp://americanacademyk8.org/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-05-13 16:56:52
ComboFix-quarantined-files.txt 2012-05-13 22:56
.
Pre-Run: 271,259,443,200 bytes free
Post-Run: 271,173,791,744 bytes free
.
- - End Of File - - 64646C1F835B890777B037943DC755BA


Thanks again for your help.
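The ComboFix log above records, under policies\system, EnableLUA=0, ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0, which means UAC is switched off on this machine, and LoadAppInit_DLLs=0x0 under Windows NT\CurrentVersion\Windows. The script below is an added example, not ComboFix code and not part of the original post: it parses the REGEDIT4-style "Reg Loading Points" section of a ComboFix log and reports policy values that weaken elevation. The expected values are assumed to be the Windows 7 defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1, LoadAppInit_DLLs=0), and the excerpt it runs on is constructed from the lines in this post.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for UAC policy
values that weaken elevation, plus the AppInit_DLLs switch.
Added example for this thread, not ComboFix code. Expected values are the
Windows 7 defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5,
PromptOnSecureDesktop=1, LoadAppInit_DLLs=0); ComboFix omits entries that
are at their defaults, so an absent value counts as clean. The excerpt is
constructed from the log lines in post #4."""
import re
from typing import Dict, List, Tuple, Union

SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"LoadAppInit_DLLs"=0x0
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}\\Elevation]
"Enabled"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')

Value = Union[int, str]


def _to_value(raw: str) -> Value:
    """ComboFix prints numbers as '0 (0x0)', '0x0' or 'dword:00000001';
    anything else (paths, strings) is kept verbatim."""
    token = raw.split()[0]
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    for base in (0, 10):
        try:
            return int(token, base)
        except ValueError:
            pass
    return raw


def parse_reg_blocks(text: str) -> Dict[str, Dict[str, Value]]:
    """Map lower-cased key path -> {lower-cased value name: value}."""
    blocks: Dict[str, Dict[str, Value]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            blocks.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            blocks[current][m.group(1).lower()] = _to_value(m.group(2))
    return blocks


UAC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"

# (key path, value name, predicate that passes, finding text)
CHECKS = [
    (UAC_KEY, "EnableLUA", lambda v: v == 1,
     "UAC disabled: members of Administrators run every process fully elevated"),
    (UAC_KEY, "ConsentPromptBehaviorAdmin", lambda v: v != 0,
     "admins elevate without any prompt (0); the Windows 7 default is 5"),
    (UAC_KEY, "PromptOnSecureDesktop", lambda v: v == 1,
     "elevation prompts are not on the secure desktop and can be spoofed"),
    (APPINIT_KEY, "LoadAppInit_DLLs", lambda v: v == 0,
     "AppInit_DLLs loading is on: listed DLLs are injected into user32 processes"),
]


def audit(blocks: Dict[str, Dict[str, Value]]) -> List[Tuple[str, Value, str]]:
    """Return (value name, parsed value, finding) for every check that fails."""
    findings = []
    for key, name, passes, text in CHECKS:
        values = blocks.get(key, {})
        if name.lower() in values and not passes(values[name.lower()]):
            findings.append((name, values[name.lower()], text))
    return findings


if __name__ == "__main__":
    for name, value, text in audit(parse_reg_blocks(SAMPLE_LOG)):
        print(f"{name} = {value}: {text}")
```

Because ComboFix prints only non-default entries, a missing value is treated as clean; the check is deliberately limited to the handful of values visible in this log rather than a full UAC audit, and the meaning attached to each value is the documented Windows 7 behaviour, not something ComboFix reports.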

#5 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:29 AM

Posted 17 May 2012 - 07:17 AM

Hi,

A few bits got removed with that ComboFix scan, but that obviously hasn't fixed it, so let's have a look at your partition structure.

ListParts
For 64-bit systems please download ListParts64.
Run the tool, click Scan and post the log (Result.txt) it makes.

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#6 Kev_the_Ref

Kev_the_Ref
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 17 May 2012 - 07:47 AM

ListParts64 log:

ListParts by Farbar Version: 12-03-2012 03
Ran by x120 (administrator) on 17-05-2012 at 06:33:50
Windows 7 (X64)
Running From: C:\Users\x120\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 60%
Total physical RAM: 1640.17 MB
Available physical RAM: 644.88 MB
Total Pagefile: 3280.34 MB
Available Pagefile: 1989.64 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:287.15 GB) (Free:245.42 GB) NTFS
2 Drive d: (Lenovo_Recovery) (Fixed) (Total:9.76 GB) (Free:2.47 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1200 MB 1024 KB
Partition 2 Primary 287 GB 1201 MB
Partition 3 Primary 9 GB 288 GB
Partition 4 Primary 1016 KB 298 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM_DRV NTFS Partition 1200 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 287 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Lenovo_Reco NTFS Partition 9 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******

Thank you.

#7 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:29 AM

Posted 17 May 2012 - 08:22 AM

Looks like we might have found the culprit :)

  • Please open notepad (Start =>All Programs => Accessories => Notepad) and copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
    Disk=0 Partition=1 active
    bcdedit
    Disk=0 Partition=4 type=07
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Save it onto a USB flash drive as fix.txt
  • Save ListParts (32bit) or ListParts64 (64bit) onto your flash drive.
  • Plug the flashdrive into the infected PC.
  • Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • A Notepad window will open. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and then close Notepad.
  • In the command window type e:\listparts (32bit) or e:\listparts64 (64bit) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • Press Fix button.
  • When it is done close the notification pop-up. Click Scan and copy and paste the log (Result.txt) it makes on the flash drive.
Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *
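In the ListParts log above, Partition 4 is reported as Type 17 (the hidden flag, 0x10, set on the NTFS type 07), Active: Yes, 1016 KB at the end of the disk with no volume, while Partition 1 (SYSTEM_DRV, the partition carrying the boot components) is not active. A standard MBR loads the boot sector of whichever partition is flagged active, so the hidden stub runs before the real boot manager. The fix script in post #7 reverses exactly that: it makes Partition 1 active again and rewrites Partition 4's type to 07 so the stub shows up as an ordinary volume. As an added example, not ListParts code and not part of either post, here is a Python script that parses a 512-byte MBR, applies those two heuristics (hidden type; active but tiny) and performs the same two byte-level edits on an in-memory copy. The sample MBR is constructed from the partition layout in the log; the 16 MB "tiny" threshold is an assumption, and the script's bcdedit line concerns the BCD store rather than the partition table and is not modelled.

```python
"""Parse an MBR partition table, flag the layout ListParts reported for
Partition 4 (type 17, hidden, active, ~1 MB, no volume) and apply the
equivalent of the post #7 fix script to an in-memory copy of the sector.
Added example for this thread, not ListParts code; it never touches a disk.
The sample MBR is constructed from the ListParts layout above (offsets and
sizes rounded to whole sectors)."""
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR = 512
PTABLE_OFFSET = 446           # the four 16-byte entries start at byte 446
ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510-511
ACTIVE = 0x80                 # boot-indicator byte of an active partition
TYPE_NTFS = 0x07              # NTFS/HPFS type ID
HIDDEN_BIT = 0x10             # 0x07 | 0x10 == 0x17, ListParts' "Type : 17"


@dataclass
class Partition:
    index: int        # 1-based, as ListParts numbers them
    active: bool
    ptype: int
    lba_start: int
    sectors: int

    @property
    def hidden(self) -> bool:
        return bool(self.ptype & HIDDEN_BIT)

    @property
    def size_bytes(self) -> int:
        return self.sectors * SECTOR


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the partition table."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    parts = []
    for slot in range(4):
        off = PTABLE_OFFSET + slot * ENTRY_SIZE
        boot, _chs0, ptype, _chs1, lba, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append(Partition(slot + 1, boot == ACTIVE, ptype, lba, count))
    return parts


def find_suspicious(parts: List[Partition], tiny: int = 16 * 1024 * 1024) -> List[Tuple[int, List[str]]]:
    """Heuristics for the bootkit layout in the log: a hidden-type partition, or an
    active partition far too small to hold boot components (threshold is a guess)."""
    findings = []
    for p in parts:
        reasons = []
        if p.hidden:
            reasons.append(f"hidden type 0x{p.ptype:02x}")
        if p.active and p.size_bytes < tiny:
            reasons.append(f"active but only {p.size_bytes // 1024} KB")
        if reasons:
            findings.append((p.index, reasons))
    return findings


def apply_fix(mbr: bytes, active_index: int, retype: Dict[int, int]) -> bytes:
    """'Partition=N active' sets exactly one boot indicator; 'Partition=N type=07'
    rewrites the type byte (offset 4 of the entry) so the volume becomes visible."""
    fixed = bytearray(mbr)
    for slot in range(4):
        off = PTABLE_OFFSET + slot * ENTRY_SIZE
        if fixed[off + 4] != 0:
            fixed[off] = ACTIVE if slot + 1 == active_index else 0x00
    for index, new_type in retype.items():
        fixed[PTABLE_OFFSET + (index - 1) * ENTRY_SIZE + 4] = new_type
    return bytes(fixed)


def _entry(active: bool, ptype: int, lba: int, count: int) -> bytes:
    chs = b"\xfe\xff\xff"  # CHS fields; ignored by LBA-aware loaders, filler here
    return struct.pack("<B3sB3sII", ACTIVE if active else 0, chs, ptype, chs, lba, count)


def _mb(n: int) -> int:
    return n * 1024 * 1024 // SECTOR  # megabytes to sectors


# Constructed sample: SYSTEM_DRV, C:, Lenovo_Recovery, then the hidden active stub.
SAMPLE_MBR = (
    bytes(PTABLE_OFFSET)                                              # boot code zeroed
    + _entry(False, TYPE_NTFS, _mb(1), _mb(1200))                     # Partition 1: 1200 MB at 1 MB
    + _entry(False, TYPE_NTFS, _mb(1201), _mb(287 * 1024))            # Partition 2: 287 GB
    + _entry(False, TYPE_NTFS, _mb(288 * 1024), _mb(9 * 1024))        # Partition 3: 9 GB
    + _entry(True, TYPE_NTFS | HIDDEN_BIT, _mb(298 * 1024), 1016 * 1024 // SECTOR)  # Partition 4: 1016 KB
    + MBR_SIGNATURE
)

if __name__ == "__main__":
    for index, why in find_suspicious(parse_mbr(SAMPLE_MBR)):
        print(f"Partition {index}: {', '.join(why)}")
    fixed = apply_fix(SAMPLE_MBR, active_index=1, retype={4: TYPE_NTFS})
    print("after fix:", find_suspicious(parse_mbr(fixed)) or "nothing suspicious")
```

Run as-is it reports Partition 4 and then nothing after the fix. On a real machine the tool does the writing for you; the point of the script is to make the two byte edits visible, not to replace it. ListParts also showed an empty Gpt column for this disk, so an MBR-only parser is appropriate here; a GPT disk would need a parser that understands the protective MBR and the GPT header instead.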


#8 Kev_the_Ref

Kev_the_Ref
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 17 May 2012 - 09:26 PM

Casey,

I wasn't able to boot into System Recovery. I was able to select it from the Boot Options menu, but all I got was a "Windows is loading files..." message and a progress bar. The bar filled in solid white very quickly, but then nothing else happened. I tried several times and even let it sit for about 30 minutes, but I could never get past that message.

It did boot Windows 7 normally when I was finished.

Thank you.

#9 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:29 AM

Posted 18 May 2012 - 05:48 AM

I don't suppose you have Windows 7 installation CD do you?

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#10 Kev_the_Ref

Kev_the_Ref
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 18 May 2012 - 11:51 AM

I've been looking, but it doesn't appear that this laptop came with an installation CD. Could I download the Windows 7 Pro SP1 ISO, burn it to a DVD, and use that?

Thanks again.

#11 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:07:29 AM

Posted 18 May 2012 - 01:09 PM

Could I download the Windows 7 Pro SP1 ISO, burn it to a DVD, and use that?


Not 100% sure what you mean here, but the SP1 download won't work. A full disc would, but you'd probably have to pay for that.

We can use another method though :)

1. Preferably from a clean computer, please download the following: gparted-live-0.10.0-3.iso (115 MB)

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like BurnAware Free or ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.


2. Now, please boot off of the newly created GParted CD. See How to Set BIOS to Boot from CDROM for information on how to boot from the CD.

You should arrive at the following screen:
Posted Image
Press the ENTER key

Posted Image
By default, "do not touch keymap" is highlighted. Leave this setting alone and press the ENTER key.

Posted Image
Next, choose your language and press the ENTER key. English is the default setting [33]

Posted Image
Once again, at this prompt, press the ENTER key.

You will now be taken to the main GUI screen below
Posted Image

Please take a picture of this screen (camera or phone pictures will work just fine), and post it here for me to see. It is very important that you complete this step.

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *
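Before burning rescue media for a machine suspected of carrying a bootkit, it is worth confirming that the downloaded file really is a disc image and that it matches the hash published by the download site. The following POSIX shell helpers are an added example for this thread, not part of Casey_boy's instructions or of the GParted project; the expected hash is supplied by the caller, and the tiny fixture built by make_fake_iso is a constructed stand-in for a real image so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the BleepingComputer thread): sanity-check a
# downloaded .iso before burning it to CD/USB. Two checks a defender wants
# before booting an infected machine from rescue media:
#   1. the file is really an ISO 9660 image (signature "CD001" at byte
#      offset 0x8001, i.e. 32769), not an HTML error page or a renamed file;
#   2. its SHA-256 matches the hash published by the download site
#      (the caller passes that value in; nothing here hard-codes a hash).

# Return 0 if $1 carries the ISO 9660 primary volume descriptor signature.
is_iso9660() {
    [ -f "$1" ] || return 1
    # dd reads exactly the 5 signature bytes at offset 32769; on a file
    # shorter than that the read is empty and the comparison fails.
    sig=$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null)
    [ "$sig" = "CD001" ]
}

# Print the SHA-256 of $1 as lowercase hex, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the SHA-256 of $1 equals $2 (the published hash).
sha256_matches() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Constructed fixture for offline testing only: 32769 zero bytes followed
# by a correct ISO 9660 signature. A real image is hundreds of MB.
make_fake_iso() {
    dd if=/dev/zero of="$1" bs=32769 count=1 2>/dev/null
    printf 'CD001' >> "$1"
}

# Usage: check_iso downloaded.iso <published-sha256>
check_iso() {
    is_iso9660 "$1" || { echo "not an ISO 9660 image: $1" >&2; return 1; }
    sha256_matches "$1" "$2" || { echo "SHA-256 mismatch: $1" >&2; return 1; }
    echo "OK: $1 is an ISO image with the expected hash"
}
```

The signature check catches the common failure where a download manager saves an error page under the .iso name; the hash check catches a tampered or truncated download. Neither replaces burning the file as an image rather than as a data file, which the post above already stresses.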


#12 Kev_the_Ref

Kev_the_Ref
  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:29 AM

Posted 18 May 2012 - 01:30 PM

The ISO I was referring to is a full Windows 7 Professional installation disk with SP1 incorporated, available legally from Digital River, Microsoft's electronic distribution partner. The infected computer has a valid Windows 7 Professional license key, so there is no legal issue with downloading and using this ISO on this computer. However, if you would prefer, I can download and burn the ISO in your most recent reply.

Please let me know which direction you would prefer me to go.

Thank you.

Kevin

#13 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK
  • Local time:07:29 AM

Posted 18 May 2012 - 02:59 PM

Hi Kevin,

I don't mind either way - we'll get the job done with whichever method. The gparted method is a smaller download, but the windows cd download means that you'll have a copy lying around if you ever need it.

Your choice :)

Casey



#14 Kev_the_Ref

Kev_the_Ref
  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:29 AM

Posted 18 May 2012 - 03:44 PM

Great. Let's go with the Windows 7 ISO. What's next?

#15 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK
  • Local time:07:29 AM

Posted 18 May 2012 - 04:49 PM

So you'll need to burn the iso to disc (instructions in step 1 of post #11) and then follow the instructions in post #7.

Casey

Edited by Casey_boy, 18 May 2012 - 04:49 PM.





