Possible rootkit.0access / trojan.small / trojan.sifef infection


  • This topic is locked
28 replies to this topic

#1 kj891

  • Members
  • 15 posts

Posted 16 June 2012 - 08:20 PM

Hi, I have a possible Rootkit ZeroAccess virus that Malwarebytes is picking up as rootkit.0access. It's also picking up a trojan.small and trojan.sifef. Malwarebytes hasn't been able to remove them after several scans, removals and reboots. Recently I have also experienced unwanted audio playing in the background on my computer.

I have run SpyBot and Malwarebytes, but the files remain after a reboot.

As requested in the preparation guide I have done the following:

  • CD emulators disabled with DeFogger.
  • DDS has been run; the .txt file is copied below and the Attach file is attached.
  • Attempted to create a GMER log but was unsuccessful. GMER ended in a stack dump on two occasions, so I quit while I think I was ahead.

Thanks in advance for your help on this! I work shifts, so I may not always get back immediately following your posts.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_27
Run by User at 20:48:59 on 2012-06-16
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3327.1760 [GMT -3:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\Windows\system32\NLSSRV32.EXE
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Windows\Explorer.EXE
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Corel\Standby\Standby.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
\\.\globalroot\systemroot\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\U
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: PE_IE_Helper Class: {0941c58f-e461-4e03-bd7d-44c27392ade1} - c:\program files\ibm\lotus forms\viewer\4.0\PEhelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll"
TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: {00000000-0000-0000-0000-000000000000} - No File
uRun: [HydraVisionDesktopManager] "c:\program files\ati technologies\hydravision\HydraDM.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [<NO NAME>]
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [NPSStartup]
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: greatwestlife.com\groupnet
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{697954D5-DB29-4302-854C-31E23875DE0F} : DhcpNameServer = 192.168.2.1 192.168.2.1
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\turbotax 2011\ic2011pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: acaptuser32.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\qq95b4b3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.71\npGoogleUpdate3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\users\user\appdata\local\google\update\1.3.21.71\npGoogleUpdate3.dll
FF - plugin: c:\users\user\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc - BRI/1
.
FF - user.js: extensions.autoDisableScopes - 14
.
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 OxFWLF;OxFWLF;c:\windows\system32\drivers\OxFWLF.sys [2011-5-8 19120]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-13 176128]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-16 654408]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2010-10-20 196928]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2010-10-20 67904]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2011-3-9 238592]
R2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2011-3-9 1060864]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2011-3-9 484352]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-4-20 7772160]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-4-20 243712]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-3 22344]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-11 136176]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2011-5-13 30312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-12-15 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-11 136176]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-3-10 25112]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\drivers\OXUDIDRV_X32.sys [2011-5-8 23728]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-5-13 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-5-13 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-5-13 136808]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-1 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-13 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
.
=============== Created Last 30 ================
.
2012-06-12 23:10:15 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-12 23:10:14 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-12 23:10:12 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-12 23:10:11 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-12 23:10:11 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-12 23:10:11 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-12 23:10:10 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-06-12 23:10:01 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-12 23:10:01 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-12 23:10:01 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
==================== Find3M ====================
.
2012-06-11 00:16:25 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-11 00:16:25 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-18 23:56:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-18 23:56:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-04-04 18:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-31 04:39:37 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-31 04:39:37 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-30 10:23:11 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-26 13:00:41 112056 ----a-w- c:\windows\system32\acaptuser32.dll
.
============= FINISH: 20:49:39.98 ===============
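Added triage example (not part of the original thread, and not a feature of DDS, Malwarebytes or any BleepingComputer tool): a short Python script that runs a few rootkit-era heuristics over DDS-format log lines. The sample input is constructed from a handful of lines of the log above, not the whole log. The rules it applies are: a running-process image path written as an object-namespace path (`\\.\globalroot\...`, `\??\...`) instead of a drive letter; an extension-less image inside a GUID-named folder under `\Installer\`; a browser add-on (BHO/TB) with a null CLSID or a "No File" target; and a hosts-file line that maps a name to loopback. The `\\.\globalroot\systemroot\Installer\{...}\U` process in the list above is exactly what the first two rules catch and is consistent with the rootkit.0access detection Malwarebytes reported. The hosts rule is a review item rather than a verdict: blocking security or help sites is a common malware tactic, but Spybot's hosts immunization, which was run on this machine, also writes loopback entries.

```python
"""Triage helper: flag rootkit-style indicators in a DDS-format log.

Illustrative script only (not part of DDS or of this thread). Every rule is a
heuristic for a human to review, not a verdict.
"""
import re

# Constructed sample input: a few lines copied from the DDS log in the post
# above, plus the section headers they sit under. Not the complete log.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
\\.\globalroot\systemroot\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\U
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
TB: {00000000-0000-0000-0000-000000000000} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
.
"""

# "=== Section Name ===" header lines as DDS prints them.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# NT object-namespace prefixes; a normal user-mode image path starts with a drive letter.
OBJECT_NS_RE = re.compile(r"^(\\\\\.\\globalroot\\|\\\?\?\\|\\device\\)", re.I)
GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
# GUID-named folder under \Installer\ holding a file with no extension (e.g. "\U").
INSTALLER_GUID_RE = re.compile(r"\\installer\\" + GUID + r"\\[^\\.]+$", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.I)
NULL_CLSID = "{00000000-0000-0000-0000-000000000000}"
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def split_sections(text):
    """Group non-empty log lines under the DDS section header they follow."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and line != ".":   # "." is the DDS spacer line
            sections[current].append(line)
    return sections


def find_indicators(text):
    """Return (rule, log line) pairs worth a human look, in log order."""
    hits = []
    sections = split_sections(text)
    for path in sections.get("Running Processes", []):
        if OBJECT_NS_RE.match(path):
            hits.append(("image path is an object-namespace path, not a drive letter", path))
        if INSTALLER_GUID_RE.search(path):
            hits.append(("extension-less image inside Installer\\{GUID}", path))
    for entry in sections.get("Pseudo HJT Report", []):
        m = HOSTS_RE.match(entry)
        if m and m.group(1) in LOOPBACK and m.group(2).lower() != "localhost":
            # Review item: Spybot's hosts immunization writes such entries too.
            hits.append(("hosts entry redirects a name to loopback (review)", entry))
        elif entry.startswith(("BHO:", "TB:")) and (NULL_CLSID in entry or entry.endswith("No File")):
            hits.append(("browser add-on with null CLSID or missing file", entry))
    return hits


if __name__ == "__main__":
    for rule, line in find_indicators(SAMPLE_DDS):
        print(f"[{rule}]\n    {line}")
```

Run it as-is to see the four hits from the sample, or feed it a full DDS log with `find_indicators(open("dds.txt").read())`. The sections are keyed by the exact header text DDS uses, so logs from other tools need their own header names.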

#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 16 June 2012 - 08:27 PM

Download Farbar Recovery Scan Tool and save it to a flash drive (you need the 32-bit version).
Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 kj891

  • Topic Starter
  • Members
  • 15 posts

Posted 17 June 2012 - 07:42 PM

Hope you don't think I'm ignoring your reply (which was very quick, by the way!).

I'm very embarrassed to say that I am having difficulty finding my install disc. Still looking, though.

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 17 June 2012 - 08:30 PM

Check to see if you have the Advanced Boot Options already installed on your computer.



#5 kj891

  • Topic Starter
  • Members
  • 15 posts

Posted 17 June 2012 - 09:04 PM

As it turns out, ABO is already installed...

"...how will we ever get this door open? Of course! The knob!...."

#6 kj891

  • Topic Starter
  • Members
  • 15 posts

Posted 17 June 2012 - 10:26 PM

OK, here's the frst.txt:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 17-06-2012
Ran by SYSTEM at 18-06-2012 00:18:43
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6707744 2008-12-26] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2008-12-26] (Realtek Semiconductor Corp.)
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-08-13] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [153136 2007-03-01] (Nero AG)
HKLM\...\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [71216 2007-03-14] (Cyberlink Corp.)
HKLM\...\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [52256 2007-01-08] ()
HKLM\...\Run: [Standby] "c:\Program Files\Common Files\Corel\Standby\Standby.exe" -START [105632 2010-01-07] (Corel)
HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2416480 2012-01-24] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM\...\Run: [] [x]
HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1387288 2011-10-07] (Logitech, Inc.)
HKLM\...\Run: [NPSStartup] [x]
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-04] (Malwarebytes Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-01] (Research In Motion Limited)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKU\User\...\Run: [HydraVisionDesktopManager] "C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe" [380928 2009-08-13] (AMD)
HKU\User\...\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler [x]
HKU\User\...\Run: [] [x]
HKU\User\...\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-09-08] (Google Inc.)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 192.168.2.1
AppInit_DLLs: acaptuser32.dll

================================ Services (Whitelisted) ==================

2 AMD External Events Utility; C:\Windows\System32\atiesrxx.exe [176128 2011-04-19] (AMD)
2 AVGIDSAgent; "C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe" [4433248 2011-10-12] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files\AVG\AVG2012\avgwdsvc.exe" [192776 2011-08-02] (AVG Technologies CZ, s.r.o.)
2 BBSvc; C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.exe [193816 2012-02-10] (Microsoft Corporation.)
3 BBUpdate; C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe [240408 2012-02-10] (Microsoft Corporation.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 hkmsvc; C:\Windows\System32\kmsvc.dll [71168 2010-11-20] (Microsoft Corporation)
3 LBTServ; C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe [295192 2011-09-27] (Logitech, Inc.)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-04] (Malwarebytes Corporation)
3 NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [800040 2007-09-17] (Nero AG)
2 NitroDriverReadSpool; "C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe" [196928 2010-10-20] (Nitro PDF Software)
2 nlsX86cc; C:\Windows\system32\NLSSRV32.EXE [67904 2010-10-20] (Nalpeiron Ltd.)
3 NMIndexingService; "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" [279848 2007-06-27] (Nero AG)
2 RichVideo; "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" [272024 2007-05-13] ()
3 StorSvc; C:\Windows\System32\storsvc.dll [16384 2009-07-13] (Microsoft Corporation)
2 WDDMService; "C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe" [238592 2011-03-09] (WDC)
2 WDFME; "C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe" [1060864 2011-03-09] ()
2 WDSC; "C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe" [484352 2011-03-09] ()
2 PSI_SVC_2; "c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [x]

========================== Drivers (Whitelisted) =============

3 androidusb; C:\Windows\System32\Drivers\ssadadb.sys [30312 2011-05-12] (Google Inc)
3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [108104 2010-12-01] (SlySoft, Inc.)
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [134736 2011-07-10] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [23120 2011-07-10] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [24272 2011-07-10] (AVG Technologies CZ, s.r.o. )
3 AVGIDSShim; C:\Windows\System32\DRIVERS\AVGIDSShim.Sys [16720 2011-10-04] (AVG Technologies CZ, s.r.o. )
1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [230608 2011-10-07] (AVG Technologies CZ, s.r.o.)
1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [40016 2011-08-08] (AVG Technologies CZ, s.r.o.)
0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-09-13] (AVG Technologies CZ, s.r.o.)
1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [295248 2011-07-10] (AVG Technologies CZ, s.r.o.)
1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [31088 2010-12-16] (Elaborate Bytes AG)
3 FsUsbExDisk; \??\C:\Windows\system32\FsUsbExDisk.SYS [36608 2010-06-14] ()
3 iirsp; C:\Windows\system32\DRIVERS\iirsp.sys [41040 2009-07-13] (Intel Corp./ICP vortex GmbH)
3 ivusb; C:\Windows\System32\DRIVERS\ivusb.sys [25112 2010-03-10] (Initio Corporation)
3 LHidFilt; C:\Windows\System32\DRIVERS\LHidFilt.Sys [41240 2011-09-01] (Logitech, Inc.)
3 LMouFilt; C:\Windows\System32\DRIVERS\LMouFilt.Sys [39192 2011-09-01] (Logitech, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-04-04] (Malwarebytes Corporation)
1 OxFWLF; \??\C:\Windows\system32\drivers\OxFWLF.sys [19120 2009-10-29] (OEM)
3 OXUDIDRV; \??\C:\Windows\system32\Drivers\OXUDIDRV_X32.sys [23728 2009-10-29] ()
3 pccsmcfd; C:\Windows\System32\DRIVERS\pccsmcfd.sys [18816 2008-08-26] (Nokia)
3 ROOTMODEM; C:\Windows\System32\Drivers\RootMdm.sys [8192 2009-07-13] (Microsoft Corporation)
3 ssadbus; C:\Windows\System32\DRIVERS\ssadbus.sys [121064 2011-05-12] (MCCI Corporation)
3 ssadmdfl; C:\Windows\System32\DRIVERS\ssadmdfl.sys [12776 2011-05-12] (MCCI Corporation)
3 ssadmdm; C:\Windows\System32\DRIVERS\ssadmdm.sys [136808 2011-05-12] (MCCI Corporation)
3 UsbserFilt; C:\Windows\System32\DRIVERS\usbser_lowerfltj.sys [7936 2009-12-30] (Nokia)
3 usb_rndisx; C:\Windows\System32\DRIVERS\usb8023x.sys [15872 2009-07-13] (Microsoft Corporation)
3 WinDriver6; C:\Windows\System32\drivers\windrvr6.sys [186592 2011-12-23] (Jungo)
3 GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-18 00:18 - 2012-06-18 00:18 - 00000000 ____D C:\FRST
2012-06-16 17:39 - 2012-06-16 17:39 - 00874418 ____A C:\Users\User\Downloads\FRST.exe
2012-06-16 16:38 - 2012-06-16 16:38 - 00144120 ____A C:\Windows\Minidump\061612-29343-01.dmp
2012-06-16 15:58 - 2012-06-16 15:58 - 00302592 ____A C:\Users\User\Downloads\rs3l44gc.exe
2012-06-16 15:56 - 2012-06-16 15:56 - 00001071 ____A C:\Users\User\Desktop\dds - Shortcut.lnk
2012-06-16 15:55 - 2012-06-16 15:55 - 00607260 ____R (Swearware) C:\Users\User\Downloads\dds.scr
2012-06-16 15:47 - 2012-06-16 15:48 - 00000470 ____A C:\Users\User\Desktop\defogger_disable.log
2012-06-16 15:47 - 2012-06-16 15:47 - 00000000 ____A C:\Users\User\defogger_reenable
2012-06-12 16:31 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-12 16:31 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-12 16:31 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-12 16:31 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-12 16:31 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-12 16:31 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-12 16:31 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-12 16:31 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-12 16:31 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-12 16:31 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-12 16:31 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-12 16:31 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-12 16:31 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-12 16:31 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-12 15:10 - 2012-05-14 17:05 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-12 15:10 - 2012-04-30 20:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-06-12 15:10 - 2012-04-27 19:17 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-12 15:10 - 2012-04-25 20:45 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-06-12 15:10 - 2012-04-25 20:45 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-06-12 15:10 - 2012-04-25 20:41 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-06-12 15:10 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-12 15:10 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-12 15:10 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-12 15:10 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-06-08 08:27 - 2012-06-08 08:26 - 00018944 __ASH C:\Users\Public\Documents\Thumbs.db
2012-06-08 04:12 - 2012-06-08 04:12 - 00401384 ____A (WorldTimeServer.com) C:\Users\User\Downloads\atomic.exe
2012-05-26 03:11 - 2012-05-26 03:11 - 00001815 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-05-26 03:11 - 2012-05-26 03:11 - 00000000 ____D C:\Program Files\QuickTime

============ 3 Months Modified Files and Folders ===============

2012-06-18 00:18 - 2012-06-18 00:18 - 00000000 ____D C:\FRST
2012-06-17 19:15 - 2010-01-21 02:45 - 01192881 ____A C:\Windows\WindowsUpdate.log
2012-06-17 19:15 - 2009-07-13 20:34 - 00015360 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-17 19:15 - 2009-07-13 20:34 - 00015360 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-17 19:12 - 2010-05-11 16:51 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-17 19:12 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-17 19:12 - 2009-07-13 20:39 - 00134976 ____A C:\Windows\setupact.log
2012-06-17 18:19 - 2010-05-11 16:51 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-17 18:07 - 2010-01-20 10:57 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-17 17:12 - 2011-09-30 03:51 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3585512416-3480817480-546283429-1000UA.job
2012-06-17 13:01 - 2010-10-20 04:13 - 00000000 ____D C:\Users\All Users\MFAData
2012-06-17 03:07 - 2010-10-20 04:28 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2012-06-16 23:12 - 2011-09-30 03:51 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3585512416-3480817480-546283429-1000Core.job
2012-06-16 17:39 - 2012-06-16 17:39 - 00874418 ____A C:\Users\User\Downloads\FRST.exe
2012-06-16 16:38 - 2012-06-16 16:38 - 00144120 ____A C:\Windows\Minidump\061612-29343-01.dmp
2012-06-16 16:38 - 2010-07-23 03:47 - 419041945 ____A C:\Windows\MEMORY.DMP
2012-06-16 16:38 - 2010-07-23 03:47 - 00000000 ____D C:\Windows\Minidump
2012-06-16 15:58 - 2012-06-16 15:58 - 00302592 ____A C:\Users\User\Downloads\rs3l44gc.exe
2012-06-16 15:56 - 2012-06-16 15:56 - 00001071 ____A C:\Users\User\Desktop\dds - Shortcut.lnk
2012-06-16 15:55 - 2012-06-16 15:55 - 00607260 ____R (Swearware) C:\Users\User\Downloads\dds.scr
2012-06-16 15:48 - 2012-06-16 15:47 - 00000470 ____A C:\Users\User\Desktop\defogger_disable.log
2012-06-16 15:48 - 2011-06-21 17:52 - 00000000 ____D C:\Users\User\Calibre Library
2012-06-16 15:47 - 2012-06-16 15:47 - 00000000 ____A C:\Users\User\defogger_reenable
2012-06-16 15:47 - 2010-01-20 10:54 - 00000000 ____D C:\users\User
2012-06-16 02:51 - 2010-04-03 04:18 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-16 02:50 - 2010-01-22 03:03 - 00069998 ____A C:\Windows\PFRO.log
2012-06-16 02:50 - 2009-07-13 20:56 - 00000000 ____D C:\Windows\DigitalLocker
2012-06-15 18:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Speech
2012-06-15 18:20 - 2010-09-30 01:36 - 00382428 ____A C:\Windows\ntbtlog.txt
2012-06-15 17:16 - 2010-01-21 14:05 - 00000000 ____D C:\Users\User\Desktop\Old Local Disk
2012-06-15 17:01 - 2010-06-18 17:56 - 00007620 ____A C:\Users\User\AppData\Local\Resmon.ResmonCfg
2012-06-15 16:52 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\TAPI
2012-06-15 15:42 - 2010-04-02 04:14 - 00000000 ___HD C:\Windows\msdownld.tmp
2012-06-15 01:25 - 2011-10-16 14:30 - 00000000 ____D C:\Program Files\MALWAREBYTES ANTI-MALWARE
2012-06-14 18:54 - 2012-01-10 22:18 - 00000000 __SHD C:\Users\User\AppData\Local\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}
2012-06-14 18:54 - 2009-07-13 18:37 - 00000000 __RSD C:\Windows\Media
2012-06-14 13:07 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2012-06-14 10:58 - 2010-01-21 17:55 - 00000000 ____D C:\Users\User\AppData\Roaming\BitTorrent
2012-06-12 18:30 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2012-06-12 18:01 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2012-06-12 17:31 - 2009-07-13 20:33 - 00407552 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-12 16:42 - 2012-04-06 18:35 - 00000000 __SHD C:\Config.Msi
2012-06-12 16:34 - 2010-01-20 11:19 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-11 20:14 - 2011-09-30 03:51 - 00002391 ____A C:\Users\User\Desktop\Google Chrome.lnk
2012-06-11 01:05 - 2011-10-14 04:43 - 00000000 ____D C:\Users\All Users\AVG2012
2012-06-11 01:05 - 2011-10-03 10:30 - 00000396 _RASH C:\Users\All Users\ntuser.pol
2012-06-10 16:16 - 2012-04-01 07:27 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-06-10 16:16 - 2011-10-16 15:52 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-06-09 20:00 - 2010-01-22 15:27 - 00000000 ____D C:\Users\User\AppData\Local\ElevatedDiagnostics
2012-06-08 08:26 - 2012-06-08 08:27 - 00018944 __ASH C:\Users\Public\Documents\Thumbs.db
2012-06-08 04:12 - 2012-06-08 04:12 - 00401384 ____A (WorldTimeServer.com) C:\Users\User\Downloads\atomic.exe
2012-06-06 01:47 - 2010-04-17 11:51 - 00000000 ____D C:\Users\User\Documents\Ken's Documents
2012-06-05 17:05 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\FxsTmp
2012-05-26 03:11 - 2012-05-26 03:11 - 00001815 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-05-26 03:11 - 2012-05-26 03:11 - 00000000 ____D C:\Program Files\QuickTime
2012-05-24 02:06 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Cursors
2012-05-24 02:02 - 2012-05-11 18:12 - 00000000 ____D C:\Users\User\Downloads\BBLOGGER
2012-05-24 02:02 - 2012-05-11 05:00 - 00000000 ____D C:\Users\User\Downloads\X-Ways.WinHex.v15.6.Incl.Keymaker-ZWT
2012-05-17 15:11 - 2012-06-12 16:31 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 14:48 - 2012-06-12 16:31 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 14:45 - 2012-06-12 16:31 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 14:36 - 2012-06-12 16:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 14:35 - 2012-06-12 16:31 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 14:35 - 2012-06-12 16:31 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 14:33 - 2012-06-12 16:31 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 14:31 - 2012-06-12 16:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 14:29 - 2012-06-12 16:31 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 14:29 - 2012-06-12 16:31 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 14:27 - 2012-06-12 16:31 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 14:25 - 2012-06-12 16:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 14:24 - 2012-06-12 16:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 14:20 - 2012-06-12 16:31 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-15 14:16 - 2012-05-14 16:26 - 00000000 ____D C:\Program Files\CrackUtil
2012-05-15 14:15 - 2011-10-11 05:48 - 00002079 ____A C:\Users\User\AppData\Roaming\Rim.DesktopHelper.Exception.log
2012-05-15 14:15 - 2010-10-29 02:53 - 00016064 ____A C:\Users\User\AppData\Roaming\Rim.Desktop.Exception.log
2012-05-14 17:05 - 2012-06-12 15:10 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-14 17:04 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2012-05-14 16:59 - 2010-10-29 08:50 - 00000000 ____D C:\Users\User\AppData\Roaming\Blackberry Desktop
2012-05-14 16:55 - 2012-05-14 16:51 - 47735320 ____A C:\Users\User\Downloads\421_b017_english.exe
2012-05-14 16:53 - 2012-05-13 17:20 - 00003461 ____A C:\Users\User\Downloads\ATT_Service_Books.zip
2012-05-14 16:28 - 2012-05-14 16:26 - 00000977 ____A C:\Users\Public\Desktop\CrackUtil.lnk
2012-05-14 16:26 - 2012-05-14 16:26 - 00790121 ____A C:\Users\User\Downloads\CrackUtil.zip
2012-05-14 16:26 - 2012-05-14 16:26 - 00000000 ____D C:\Users\User\Downloads\CrackUtil
2012-05-13 13:55 - 2010-01-24 08:00 - 00000000 ____D C:\Users\User\Documents\Josée
2012-05-11 18:11 - 2012-05-11 18:11 - 00275579 ____A C:\Users\User\Downloads\BBLOGGER.zip
2012-05-11 17:56 - 2012-05-11 17:56 - 00098304 ____A C:\Users\User\Downloads\blackberry_reader.exe
2012-05-11 17:22 - 2012-05-11 17:22 - 00000000 ____D C:\Users\User\Downloads\bbtoolfreecode
2012-05-11 17:21 - 2012-05-11 17:21 - 01108672 ____A C:\Users\User\Downloads\bbtoolfreecode.zip
2012-05-11 11:42 - 2012-05-11 04:45 - 00000000 ____D C:\Users\All Users\Tarma Installer
2012-05-11 08:21 - 2010-04-02 04:19 - 00019456 ____A C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-05-11 07:30 - 2012-05-11 07:28 - 117036144 ____A (Research In Motion Ltd. ) C:\Users\User\Downloads\9530AMEA_PBr5.0.0_rel808_PL4.2.0.179_A5.0.0.419_Bell_Mobility_Inc.exe
2012-05-11 06:41 - 2012-03-17 06:46 - 00000000 ____D C:\Users\User\AppData\Local\Downloaded Installations
2012-05-11 06:24 - 2012-05-11 06:24 - 00000033 ____A C:\Users\User\Desktop\Text Storm.bin.txt
2012-05-11 06:15 - 2012-05-11 05:37 - 00524288 ____A C:\Users\User\Desktop\Storm.bin
2012-05-11 06:01 - 2012-05-11 06:01 - 00001258 ____A C:\Users\Public\Desktop\Hex Workshop Hex Editor (32 bit).lnk
2012-05-11 06:01 - 2012-05-11 06:01 - 00000000 ____D C:\Program Files\BreakPoint Software
2012-05-11 06:00 - 2012-05-11 05:59 - 18133056 ____A (BreakPoint Software) C:\Users\User\Downloads\hw_v661.exe
2012-05-11 06:00 - 2012-05-11 05:59 - 00000371 ____A C:\Users\User\Downloads\Unicdma_098.rar
2012-05-11 05:08 - 2012-05-11 04:49 - 00000000 ____D C:\Program Files\WinHex
2012-05-11 05:00 - 2012-05-11 05:00 - 01793245 ____A C:\Users\User\Downloads\X-Ways.WinHex.v15.6.Incl.Keymaker-ZWT.rar
2012-05-11 04:55 - 2012-05-11 04:55 - 00227096 ____A C:\Users\User\Downloads\WinHex_16.exe
2012-05-11 04:24 - 2009-07-13 18:37 - 00000000 ___RD C:\users\Public
2012-05-11 03:39 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\ModemLogs
2012-05-11 03:19 - 2012-05-11 02:44 - 107831400 ____A (Research In Motion Ltd. ) C:\Users\User\Downloads\Storm OS47.exe
2012-05-10 19:40 - 2012-05-10 18:10 - 00000000 ____A C:\Users\User\Documents\storm.bin
2012-05-10 19:31 - 2012-05-10 19:31 - 00318464 ____A C:\Users\User\Downloads\UNI_CDMA.exe
2012-05-08 22:31 - 2010-01-22 04:51 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-08 22:31 - 2009-07-13 23:50 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-08 22:04 - 2009-07-13 18:04 - 00000610 ____A C:\Windows\win.ini
2012-05-08 18:07 - 2012-05-08 18:07 - 00000000 ____D C:\Program Files\Unlock-Blackberry
2012-05-08 03:14 - 2012-05-08 03:14 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_RimUsb_01007.Wdf
2012-05-08 03:10 - 2012-05-08 03:10 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_RimSerial_01007.Wdf
2012-05-08 03:10 - 2010-02-21 06:45 - 00000000 ____D C:\Program Files\Research In Motion
2012-05-08 03:10 - 2010-02-21 06:45 - 00000000 ____D C:\Program Files\Common Files\Research In Motion
2012-05-03 13:27 - 2012-05-03 13:27 - 00936072 ____A (Timo Esser ) C:\Users\User\Downloads\TTG_Setup_en.exe
2012-05-02 16:34 - 2012-05-02 15:59 - 00000000 ____D C:\Users\User\AppData\Roaming\Audacity
2012-05-02 16:09 - 2012-05-02 16:09 - 00000000 ____D C:\Program Files\Lame For Audacity
2012-05-02 15:59 - 2012-05-02 15:59 - 00000965 ____A C:\Users\User\Desktop\Audacity.lnk
2012-05-02 15:59 - 2012-05-02 15:59 - 00000000 ____D C:\Program Files\Audacity
2012-04-30 20:44 - 2012-06-12 15:10 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:17 - 2012-06-12 15:10 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 20:45 - 2012-06-12 15:10 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 20:45 - 2012-06-12 15:10 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 20:41 - 2012-06-12 15:10 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-23 20:36 - 2012-06-12 15:10 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 20:36 - 2012-06-12 15:10 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 20:36 - 2012-06-12 15:10 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-18 15:56 - 2012-04-18 15:56 - 00094208 ____A (Apple Inc.) C:\Windows\System32\QuickTimeVR.qtx
2012-04-18 15:56 - 2012-04-18 15:56 - 00069632 ____A (Apple Inc.) C:\Windows\System32\QuickTime.qts
2012-04-16 09:50 - 2010-04-03 04:18 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-04-14 18:39 - 2012-04-14 18:39 - 00195205 ____A C:\Users\User\Downloads\Yince_Flynn_-_Mitch_Rapp_series.exe
2012-04-14 03:53 - 2012-04-14 03:53 - 00001753 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-04-14 03:53 - 2012-04-14 03:52 - 00000000 ____D C:\Program Files\iTunes
2012-04-14 03:52 - 2012-04-14 03:52 - 00000000 ____D C:\Program Files\iPod
2012-04-14 03:52 - 2010-02-21 15:40 - 00000000 ____D C:\Program Files\Common Files\Apple
2012-04-12 05:49 - 2012-03-16 07:50 - 00001984 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-04-08 05:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\config\TxR
2012-04-08 05:17 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2012-04-08 05:16 - 2009-07-13 23:49 - 00000000 ___RD C:\Users\Public\Recorded TV
2012-04-08 05:16 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2012-04-08 05:15 - 2010-04-18 05:05 - 00000000 ____D C:\Users\All Users\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-04-07 03:26 - 2012-06-12 15:10 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-04-04 10:56 - 2010-04-03 04:18 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-01 07:23 - 2012-04-01 07:23 - 00920232 ____A C:\Windows\Minidump\040112-43265-01.dmp
2012-03-31 08:31 - 2012-03-31 08:31 - 00000000 ____D C:\Users\User\AppData\Local\{00754A15-7B4F-11E1-826D-B8AC6F996F26}
2012-03-30 20:39 - 2012-05-08 16:43 - 03968368 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-03-30 20:39 - 2012-05-08 16:43 - 03913072 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-30 02:23 - 2012-05-08 16:43 - 01291632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-26 05:00 - 2012-04-12 05:36 - 00112056 ____A (Adobe Systems Incorporated) C:\Windows\System32\acaptuser32.dll
2012-03-24 16:37 - 2011-02-18 17:07 - 00000000 ____D C:\FU_Backup
2012-03-22 16:31 - 2012-03-22 16:31 - 00000000 ____D C:\Program Files\ToneGen
2012-03-21 05:06 - 2012-03-16 06:33 - 00000000 ____D C:\Program Files\TurboTax 2011

ZeroAccess:
C:\Windows\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}
C:\Windows\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\@
C:\Windows\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\L
C:\Windows\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\U
C:\Windows\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\U\00000001.@
C:\Windows\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\U\80000000.@
C:\Windows\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\U\800000cb.@

ZeroAccess:
C:\Users\User\AppData\Local\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}
C:\Users\User\AppData\Local\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\@
C:\Users\User\AppData\Local\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\L
C:\Users\User\AppData\Local\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3327.3 MB
Available physical RAM: 2826.51 MB
Total Pagefile: 3323.52 MB
Available Pagefile: 2824.19 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.31 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:931.41 GB) (Free:549.88 GB) NTFS
2 Drive e: (Malwarebytes) (CDROM) (Total:0.69 GB) (Free:0.65 GB) UDF
3 Drive f: (PENDRIVE) (Removable) (Total:3.72 GB) (Free:0.99 GB) FAT32
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
9 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 3816 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 931 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 931 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3812 MB 4032 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F PENDRIVE FAT32 Removable 3812 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-07 19:14

======================= End Of Log ==========================
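
As an added example (not part of this thread, and not FRST's own code), here is a small Python triage script for logs in the shape of the FRST log above. It pulls out the two findings the fix later in this thread acts on: the folders FRST lists under its "ZeroAccess:" headers, and any entry in the "Bamital & volsnap Check" section that FRST did not mark "=> MD5 is legit" (here services.exe, which is shown with its hash on the following line and which ComboFix later reported as infected and restored from WinSxS). The sample log is a constructed excerpt of lines quoted from the post above; the function names are my own.

```python
"""Triage helper for an FRST-style log: added example, not FRST's or the
thread's own code.  It extracts (a) paths listed under a "ZeroAccess:" header
and (b) entries in the "Bamital & volsnap Check" section that FRST did NOT
mark "=> MD5 is legit" (those are followed by a detail line ending in the
file's MD5)."""
import re

# Constructed sample: an excerpt shaped like the FRST log posted above.
SAMPLE_LOG = r"""
ZeroAccess:
C:\Windows\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}
C:\Windows\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\@
C:\Windows\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}\U

ZeroAccess:
C:\Users\User\AppData\Local\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

C:\Windows\System32\userinit.exe => MD5 is legit

==================== EXE ASSOCIATION =====================
"""

SECTION_RE = re.compile(r"^=+\s*([A-Za-z][^=]*?)\s*=+$")   # "==== Name ===="
MD5_RE = re.compile(r"\b([0-9A-Fa-f]{32})\s*$")             # hash at line end
GUID_DIR_RE = re.compile(
    r"^(.*?\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\})")


def parse_frst_log(text):
    """Return {'zeroaccess': [paths], 'unverified': {path: md5}}."""
    zeroaccess, unverified = [], {}
    section, in_za, pending = None, False, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                        # a new "==== Section ====" header
            section, in_za, pending = m.group(1), False, None
            continue
        if line == "ZeroAccess:":    # FRST's own marker for these folders
            in_za = True
            continue
        if not line:                 # a blank line closes any open block
            in_za, pending = False, None
            continue
        if in_za:
            zeroaccess.append(line)
        elif section and section.startswith("Bamital"):
            if line.endswith("=> MD5 is legit"):
                pending = None       # whitelisted, nothing to report
            elif line.startswith("["):
                h = MD5_RE.search(line)
                if pending and h:    # detail line for the unverified binary
                    unverified[pending] = h.group(1).upper()
                pending = None
            else:
                pending = line       # a bare path: verdict comes on next line
    return {"zeroaccess": zeroaccess, "unverified": unverified}


def zeroaccess_roots(paths):
    """Collapse the listed paths to the unique {GUID} folders that own them."""
    roots = set()
    for p in paths:
        m = GUID_DIR_RE.match(p)
        roots.add(m.group(1) if m else p)
    return sorted(roots)


def triage_report(text):
    """One line per finding, in the order a responder would act on them."""
    found = parse_frst_log(text)
    lines = [f"ZeroAccess folder: {r}" for r in zeroaccess_roots(found["zeroaccess"])]
    for path, md5 in sorted(found["unverified"].items()):
        lines.append(f"Unverified system binary (MD5 {md5}): {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(SAMPLE_LOG)))
```

Run it against a saved FRST.txt by passing the file's contents to triage_report(). A binary that FRST does not recognise is not proof of infection on its own (an out-of-band update can produce the same result), which is why the helper cross-checks with a second tool before acting.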

#7 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 June 2012 - 09:21 AM

Hi,

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
SubSystems: [Windows] ==> ZeroAccess
HKLM\...\Run: [] [x]
HKU\User\...\Run: [] [x]
2012-06-14 18:54 - 2012-01-10 22:18 - 00000000 __SHD C:\Users\User\AppData\Local\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}
2012-05-11 05:00 - 2012-05-11 05:00 - 01793245 ____A C:\Users\User\Downloads\X-Ways.WinHex.v15.6.Incl.Keymaker-ZWT.rar
C:\Windows\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}
C:\Users\User\AppData\Local\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
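
The first line of the fixlist above, "SubSystems: [Windows] ==> ZeroAccess", refers to the Session Manager\SubSystems\Windows registry value, which csrss.exe reads at boot to learn which server DLLs to load. As an added example (not FRST's or the helper's code), here is a Python check that parses such a value and flags any ServerDll entry whose module is not one of the stock ones. The stock module set and the sample value are stated to the best of my knowledge for Windows 7 and should be confirmed against a known-clean machine of the same build; the tampered sample is constructed, with a made-up module name, and the function names are my own.

```python
"""Check the Session Manager "SubSystems\\Windows" value that the fixlist
above restores (the "SubSystems: [Windows] ==> ZeroAccess" line).  Added
example, not FRST's or the helper's code.  The value is a string of
space-separated key=value tokens telling csrss.exe which server DLLs to load;
any ServerDll= token naming a module outside the stock set is suspect."""

# Stock Windows 7 server modules, to the best of my knowledge: treat this set
# as an assumption and confirm it against a known-clean machine of the same build.
STOCK_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Constructed sample of the stock Windows 7 value (again, as I know it).
STOCK_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)

# Constructed tampered sample: one entry redirected to a made-up module name.
TAMPERED_VALUE = STOCK_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=notstock:ConServerDllInitialization,2",
)


def server_dlls(value):
    """Module names from every ServerDll=module[:entry][,index] token, in order."""
    mods = []
    for tok in value.split():
        if tok.lower().startswith("serverdll="):
            spec = tok.split("=", 1)[1]
            mods.append(spec.split(":", 1)[0].split(",", 1)[0].lower())
    return mods


def unexpected_server_dlls(value, stock=STOCK_SERVER_DLLS):
    """Modules that are not in the stock set; an empty list means nothing odd."""
    return [m for m in server_dlls(value) if m not in stock]


def read_live_value():
    """Read the live value on Windows (needs the winreg module); None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _type = winreg.QueryValueEx(key, "Windows")
    return value


if __name__ == "__main__":
    live = read_live_value()
    for label, val in (("stock sample", STOCK_VALUE),
                       ("tampered sample", TAMPERED_VALUE),
                       ("this machine", live)):
        if val is not None:
            print(f"{label}: unexpected ServerDll modules = {unexpected_server_dlls(val)}")
```

On a live machine the check only tells you that a module outside the expected set is being loaded into csrss.exe; confirming what that module is and restoring the value is the kind of step the fixlist above performs, and the Fixlog posted later in this thread shows the value being restored.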


#8 kj891
  • Topic Starter
  • Members
  • 15 posts

Posted 18 June 2012 - 09:30 AM

Good morning and thanks for the efforts.

Just for clarification, FRST64? I have the 32-bit version.

#9 CatByte

Posted 18 June 2012 - 09:37 AM

Sorry, I meant FRST.exe.



#10 kj891

Posted 18 June 2012 - 09:41 AM

just checking - no worries.

If I were truly smart, I wouldn't be in this mess :)

#11 CatByte

Posted 18 June 2012 - 09:50 AM

It can happen to anybody :(



#12 kj891

Posted 18 June 2012 - 09:50 AM

all seemed to go well for step 1

FIXLOG is below

Do you want me to wait before running COMBOFIX or proceed with the next step?

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 17-06-2012
Ran by SYSTEM at 2012-06-18 11:43:57 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_USERS\User\Software\Microsoft\Windows\CurrentVersion\Run\\HKU\User\...\Run: [] [x] Value not found.
C:\Users\User\AppData\Local\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088} moved successfully.
C:\Users\User\Downloads\X-Ways.WinHex.v15.6.Incl.Keymaker-ZWT.rar moved successfully.
C:\Windows\Installer\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088} moved successfully.
C:\Users\User\AppData\Local\{328ceeb6-00cc-bfc9-eb7b-06d535cf3088} not found.

==== End of Fixlog ====

#13 CatByte

Posted 18 June 2012 - 09:58 AM

please move on to ComboFix

thanks



#14 kj891

Posted 18 June 2012 - 10:44 AM

ok, here it is.

I had a couple of issues related to AVG (dang free software). ComboFix indicated that it was still enabled after I had disabled it. I did get a couple of warnings from AVG about ComboFix files being infected but I allowed them to remain as they were.

ComboFix 12-06-16.02 - User 06/18/2012 12:10:10.1.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3327.2162 [GMT -3:00]
Running from: c:\users\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\programdata\DE07E56909.sys
c:\users\User\AppData\Roaming\vso_ts_preview.xml
c:\windows\system32\avisynth.dll
c:\windows\system32\devil.dll
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-18 to 2012-06-18 )))))))))))))))))))))))))))))))
.
.
2012-06-18 15:18 . 2012-06-18 15:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-18 08:18 . 2012-06-18 08:19 -------- d-----w- C:\FRST
2012-06-12 23:10 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-12 23:10 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-12 23:10 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-12 23:10 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-12 23:10 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-12 23:10 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-12 23:10 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-06-12 23:10 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-12 23:10 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-12 23:10 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-11 00:16 . 2012-04-01 15:27 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-11 00:16 . 2011-10-16 23:52 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-11 15:44 . 2012-05-11 15:44 53248 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{12BAA98C-F8DD-4BC9-BBE6-1C8463114197}\ARPPRODUCTICON.exe
2012-04-18 23:56 . 2012-04-18 23:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-18 23:56 . 2012-04-18 23:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-04-04 18:56 . 2010-04-03 12:18 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-31 04:39 . 2012-05-09 00:43 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-31 04:39 . 2012-05-09 00:43 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-30 10:23 . 2012-05-09 00:43 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-26 13:00 . 2012-04-12 13:36 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2003-03-19 00:20 . 2011-10-16 13:20 1060864 ----a-w- c:\program files\mozilla firefox\plugins\mfc71.dll
2003-02-21 07:42 . 2011-10-16 13:20 348160 ----a-w- c:\program files\mozilla firefox\plugins\msvcr71.dll
2011-09-29 06:53 . 2011-10-16 12:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\HydraVision\HydraDM.exe" [2009-08-14 380928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-12-26 6707744]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2008-12-26 1833504]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-14 98304]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2010-01-07 105632]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2012-03-26 12:00 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2012-03-27 08:40 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 00:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BSDAppUpdater]
2010-09-08 00:19 1660232 ----a-w- c:\program files\Common Files\BSD\AppUpdater\BSDChecker.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2009-12-30 21:47 523408 ----a-w- c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 21:10 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-09-09 06:57 136176 ----atw- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 08:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-12-05 16:30 2295072 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-04-04 18:56 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-04-04 18:56 462408 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-04-04 18:56 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-18 23:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rim.DesktopHelper.exe]
2011-06-07 11:06 744280 ----a-w- c:\program files\Research In Motion\BlackBerry Desktop\Rim.DesktopHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-11-02 05:00 90448 ----a-w- c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 16:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 136176]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2011-05-13 30312]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-06-14 36608]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 136176]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-03-10 25112]
R3 OXUDIDRV;OXUDIDRV;c:\windows\system32\Drivers\OXUDIDRV_X32.sys [2009-10-29 23728]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-05-13 121064]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-05-13 12776]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-05-13 136808]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-10-07 230608]
S1 OxFWLF;OxFWLF;c:\windows\system32\drivers\OxFWLF.sys [2009-10-29 19120]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [2010-10-20 196928]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2010-10-20 67904]
S2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2011-03-09 238592]
S2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2011-03-09 1060864]
S2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2011-03-09 484352]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 243712]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-10-04 16720]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-02 139776]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-12-05 16:27 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 00:51]
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 00:51]
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3585512416-3480817480-546283429-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-30 06:57]
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3585512416-3480817480-546283429-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-30 06:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: greatwestlife.com\groupnet
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files\TurboTax 2011\ic2011pp.dll
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\qq95b4b3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.type - 0
FF - user.js: general.useragent.extra.brc - BRI/1
FF - user.js: extensions.autoDisableScopes - 14
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
HKCU-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
HKLM-Run-NPSStartup - (no file)
MSConfigStartUp-cftil - c:\users\User\AppData\Local\Temp\cftil.dll
MSConfigStartUp-Corel File Shell Monitor - c:\program files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
MSConfigStartUp-wkrtf - c:\users\User\AppData\Local\Temp\wkrtf.dll
AddRemove-A9CD4C7D-6D93-4B56-A226-1D28DB060A87_is1 - o:\test tone generator\unins000.exe
AddRemove-The KMPlayer - m:\the kmplayer\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5664)
c:\program files\ATI Technologies\HydraVision\HydraDMH.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\taskhost.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\windows\system32\DllHost.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2012-06-18 12:32:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-18 15:32
.
Pre-Run: 592,212,541,440 bytes free
Post-Run: 592,534,102,016 bytes free
.
- - End Of File - - 7DFA8469A66C3AB52A77493165DF1CDC
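
The ComboFix log above is mostly autostart data, and the part a responder actually reads first is the set of Run-key values, msconfig startupreg entries and the ORPHANS REMOVED lines, looking for targets that are missing or that live somewhere any user can write to. The script below is an added example of that first-pass triage; it is not part of this thread, ComboFix or Malwarebytes. Its sample input is seven lines copied verbatim from the log above, and its rules (flag "(no file)" targets, anything under a Temp directory, anything under a user profile, and a populated AppInit_DLLs value) are this example's own heuristics: a hit means "look at this file", not "this is malware".

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: seven lines copied from the ComboFix log above, one
# of each shape the parser understands (Run-key value, AppInit_DLLs value,
# msconfig startupreg entry, and the "name - path" orphan lines).
SAMPLE_LOG = r'''
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
2011-09-09 06:57 136176 ----atw- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe
2012-04-04 18:56 462408 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
HKLM-Run-NPSStartup - (no file)
MSConfigStartUp-cftil - c:\users\User\AppData\Local\Temp\cftil.dll
MSConfigStartUp-wkrtf - c:\users\User\AppData\Local\Temp\wkrtf.dll
'''

# "Name"="x:\path" [date size]   and   "AppInit_DLLs"=x:\path
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="?(?P<path>[a-z]:\\[^"\[]+?)"?\s*(?:\[[^\]]*\])?\s*$', re.I)
# YYYY-MM-DD HH:MM size attrs x:\path   (msconfig startupreg entries)
STARTUPREG = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+?)\s*$')
# Key-Name - target   (ORPHANS REMOVED section: MSConfigStartUp-*, HKLM-Run-*, ...)
ORPHAN = re.compile(r'^(?P<name>[A-Za-z]+-.+?) - (?P<path>.+?)\s*$')

# Heuristic locations (example's own assumptions, not ComboFix rules)
TEMP_DIR = re.compile(r'\\temp\\', re.I)
PROFILE_DIR = re.compile(r'\\users\\[^\\]+\\appdata\\', re.I)


def parse_autostarts(log_text: str) -> List[Dict[str, str]]:
    """Extract (name, path) pairs from the autostart-style lines of a ComboFix log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = RUN_VALUE.match(line)
        if m:
            entries.append({'name': m.group('name'), 'path': m.group('path').strip()})
            continue
        m = STARTUPREG.match(line)
        if m:
            path = m.group('path')
            entries.append({'name': path.rsplit('\\', 1)[-1], 'path': path})
            continue
        m = ORPHAN.match(line)
        if m:
            entries.append({'name': m.group('name'), 'path': m.group('path')})
    return entries


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a review reason for an entry, or None if nothing about it stands out."""
    name, path = entry['name'], entry['path']
    if path == '(no file)':
        return 'dangling autostart: target no longer exists'
    if name.lower() == 'appinit_dlls':
        return 'AppInit_DLLs is set: this DLL is loaded into every process that links user32'
    if TEMP_DIR.search(path):
        return 'autostart from a Temp directory: legitimate software rarely persists there'
    if PROFILE_DIR.search(path):
        return 'autostart from a user profile directory (writable without admin rights)'
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Parse the log and return only the entries that merit a closer look."""
    flagged = []
    for entry in parse_autostarts(log_text):
        reason = classify(entry)
        if reason:
            flagged.append({**entry, 'reason': reason})
    return flagged


if __name__ == '__main__':
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['name']:<28} {hit['path']}\n    -> {hit['reason']}")
```

Run against the full log rather than the sample, the same three patterns pick up the other "(no file)" orphans and leave the Program Files entries alone; the Temp-directory DLLs it flags are exactly the MSConfigStartUp lines ComboFix already listed as removed orphans, which is the kind of entry a responder then asks the poster about.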

#15 CatByte

  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada
  • Local time:04:32 AM

Posted 18 June 2012 - 10:58 AM

Hi,

Please do the following:


  • Please open your Malwarebytes Anti-Malware program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
