I´m looking for jntkwx or Jason - I have the same problem as tutankhamon


This topic is locked
41 replies to this topic

#1 Yucatán Man (Members, 27 posts)

Posted 19 June 2012 - 05:39 PM

Hello Everyone,

While I was looking for solutions to my Sirefef.Y I found this forum. I hope you don't think it forward of me to have registered and posted with my problem, considering that I'm new here and you don't know me. But I noticed that a new user posted yesterday about this same trojan, and I have almost exactly the same system as he does. So I thought I might just follow the steps Jason outlined for that user, until I saw his message that the script written was for that user only. Even though our systems are very similar, I thought it best to post and ask for specific help based on my system. I also thought that, perhaps, Jason wouldn't mind helping me because he could just refer me to the aforementioned thread for advice that he thought reasonable.

But, before we get started, I would just like to mention one "caveat." I noticed a request that you made to tutankhamon yesterday to get rid of all keygen, crack, etc. programs from his computer before you would help him any more. I understand the reason: they might be the cause of his infection. But I also think that it is easy from an "American" point of view to say that piracy is illegal and morally wrong and, based on that assumption, feel that the rest of the world should comply with your own moral standards. But, perhaps, it is difficult for the average American (please don't feel attacked; we could replace the word "American" with "European" or "Canadian" or any country or group that is not from the third world, and the sentence would have the same meaning) to understand the economic difficulties that the rest of the world (the third world) suffers. While many Americans and Europeans have felt the economic crisis and suffered from it, well, let's just say that they are still eating. Maybe many lost homes in foreclosures, but they have found somewhere to live. Many have lost one or more of their cars, but they still have the other. On the contrary, the economic crisis takes a much greater toll on third-world societies that already had so many problems that their people didn't have enough to eat, or clean drinking water. Can you imagine living on $5 a day? Because that's all the average worker makes here. Try to calculate it: how long would the average worker here have to save his "centavos" (cents, which are worth 1/15 of an American cent) to afford a legitimate version of Windows 7 Ultimate 64-bit? The cost of the operating system can make a PC unreachable for a Mexican. And if one was able to pay the already higher cost of the hardware (which can be as much as twice what you pay there, because of tariffs, taxes, and the great profit made by the importers), you're still faced with the great cost of the operating system.

Then, if you save enough to buy it, you have to start saving again for Microsoft Office. If after a couple of years you have been able to build your PC and install Windows and buy Office, then you're faced with the need to pay recurring amounts for antivirus. You'd have to work several days a month just to pay for antivirus. Can you really imagine that? Please don't take me wrong. I believe in the rights of the authors. The problem here is one of misunderstanding of the world markets and also greed from the large corporations. There should be a structural change of pricing to appeal to the Latin American market by Microsoft and all other large companies. Sony and entertainment companies would benefit from this also. The average Mexican would have to work for 5 days without eating, feeding his family, or spending any money to be able to save enough to buy one Blu-ray. Based on that kind of economy, how many Blu-rays will Sony sell here? But what if they changed the pricing to reflect a price point accessible to the Mexican population? Don't you think everyone would stop buying pirated DVDs in the town square if originals were available for just a little bit more? And how many millions more copies would the disc companies sell if they made the change? Here's one example: look how iTunes changed the music industry. And that was in the U.S., where the people had the buying power to buy whole CDs. Now, with much more reason, in a third-world country that marketing strategy would win millions of customers, and it has (in the case of iTunes); we just need the software and movie companies to do the same.

Well, I'm sorry. It looks like I wrote much more than I had planned. The point I was trying to make is: please don't ask me or anyone from a third-world country (like user tutankhamon, from Greece) to stop using warez, because many times it is the only thing available to us or within our economic reach. You know, there's no Walmart here for hundreds of miles. When you live in the jungle your shopping options are very limited. So please, offer me the help you would offer anyone else, without the economic prejudice. I noticed that tutankhamon had not responded to Jason's last post. Don't you think that's odd, considering how much he wanted to eliminate this trojan from his PC? Could it be that he didn't want to get rid of those keygens? Or is he saving them to another hard disk so he can pass the scan and receive aid?

Well, thank you beforehand for any help that you might be willing to give.

If instructed to do so, I will send system data and a description of what I have done so far. (I've been receiving help from a Spanish-speaking Latin American forum, but even though I have faithfully followed all their advice and used Panda, TDSSKiller, Malwarebytes Anti-Malware and CCleaner, I still have the infection. Just like the user tutankhamon, I installed MSE (Microsoft Security Essentials) when my ESET 5 stopped working, and that started a cycle where my PC would boot up, MSE would find Sirefef.Y, and the trojan, I assume, would send an order to turn off my PC; it would reboot and it would happen all over again.)

Thank you,

Andres
Yucatán Man

#2 jntkwx (Malware Response Team, 4,339 posts, New England, U.S.A.)

Posted 19 June 2012 - 06:51 PM

Hi Yucatán Man,

Our goal at Bleeping Computer is to provide guidance and recommendations to fix computer problems (including, but not limited to, malware removal). We can't (and don't) force people we're helping to do what we tell them to do. In the cases of cracked software/keygens/pirated software (for example), we may strongly recommend that they stop using such software. The point being that cracked software/keygens/pirated software are notorious for bundling viruses and malware with them, and so there are two purposes behind asking the user to stop using such software: it will be easier for the person helping to remove malware (since the chance of a reinfection by any additional malware would be low), and it likely would help the user in the long term, since they wouldn't risk reinfecting their computer. However, it is completely and entirely up to the user whether they decide to follow any advice given on Bleeping Computer, no matter how strongly worded the suggestions/recommendations are. Also see Bleeping Computer's User Agreement for additional details.

 

Please note:

  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and I will guide you.
  • Please tell me if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps I have recommended please try one more time and if unsuccessful alert us of such and I will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below, I will review your topic and do my best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

I need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


I also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Edited by jntkwx, 19 June 2012 - 06:57 PM.

Regards,
Jason

 

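Added example (not code from the thread, from BleepingComputer or from the DDS tool): two first-pass triage checks a responder could run on the situation described in this thread. The first sweeps a folder or USB drive for executables dressed up as documents, the trick the topic starter describes in the next post (a "Word document" that Explorer listed as an application). The second reads the `uRun:` / `mRun:` / `StartupFolder:` lines that DDS prints under "Pseudo HJT Report" and queues for review every entry whose image lives outside Program Files or Windows. The extension sets, the "trusted roots" rule and the constructed sample "USB stick" are assumptions; the sample DDS lines are copied from the log posted later in the thread. A flag is a review queue, not a verdict: legitimate updaters (Google Update here) also run from AppData.

```python
"""Two first-pass triage checks for the incident described in this thread:
a 'Word document' on a USB stick that was really an application, and the
autorun entries DDS prints under 'Pseudo HJT Report'.
Added example: not code from the thread, from BleepingComputer or from DDS.
Extension sets, trusted roots and the sample drive are assumptions."""
import os
import re
import tempfile

# Assumption: representative sets, not exhaustive.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PE_EXT = EXEC_EXT | {".dll", ".sys", ".ocx", ".cpl", ".drv"}
DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".jpg"}


def is_masquerading_executable(path):
    """Return why `path` looks like an executable dressed as a document, or None.

    Two tricks are checked: a double extension such as report.doc.exe (Explorer
    hides the last extension by default, so the user sees 'report.doc'), and a
    file whose name says document but whose first two bytes are the PE 'MZ'
    signature (the icon is whatever the PE's resource section says it is).
    """
    root, ext = os.path.splitext(os.path.basename(path).lower())
    inner_ext = os.path.splitext(root)[1]
    if ext in EXEC_EXT and inner_ext in DOC_EXT:
        return "double extension %s%s" % (inner_ext, ext)
    with open(path, "rb") as f:
        magic = f.read(2)
    if magic == b"MZ" and ext not in PE_EXT:
        return "PE header behind a %s name" % (ext or "no-extension")
    return None


def sweep_directory(top):
    """Walk a folder or removable drive and return sorted (filename, reason) hits."""
    hits = []
    for dirpath, _, files in os.walk(top):
        for fn in files:
            reason = is_masquerading_executable(os.path.join(dirpath, fn))
            if reason:
                hits.append((fn, reason))
    return sorted(hits)


def build_sample_drive():
    """Create a constructed 'USB stick' in a temp dir (sample bytes, not real malware)."""
    d = tempfile.mkdtemp(prefix="usb_")
    samples = {
        "tesis.docx": b"PK\x03\x04 fake office zip",  # a real .docx starts with PK
        "invoice.doc.exe": b"MZ\x90\x00 stub",          # double extension
        "contrato.pdf": b"MZ\x90\x00 stub",             # PE bytes behind a .pdf name
        "setup.exe": b"MZ\x90\x00 stub",                # honest executable, not flagged
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    return d


# --- DDS 'Pseudo HJT Report' autorun lines ---------------------------------
AUTORUN_RE = re.compile(
    r"^(?P<key>[um]Run(?:-x64)?|StartupFolder):\s*(?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.+)$")
IMAGE_RE = re.compile(
    r'^"?(?P<img>[a-z]:\\.*?\.(?:exe|scr|com|bat|cmd|vbs|js|dll))"?(?:\s|$)', re.I)
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")  # assumption: triage rule only


def command_image(cmd):
    """Pull the executable path out of a Run-key command line, quoted or not.
    Anything without a drive-letter path (e.g. 'rundll32 ...') is returned whole
    so it ends up flagged rather than silently trusted."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("img") if m else cmd.strip()


def triage_autoruns(lines):
    """Return (key, name, image) for autorun entries whose image lives outside
    Program Files / Windows: user profile roots, AppData, ProgramData, temp.
    That is a review queue, not a verdict; legitimate updaters land there too."""
    flagged = []
    for line in lines:
        m = AUTORUN_RE.match(line.strip())
        if not m:
            continue
        image = command_image(m.group("cmd"))
        if not image.lower().startswith(TRUSTED_ROOTS):
            flagged.append((m.group("key"), m.group("name") or "", image))
    return flagged


# Sample lines copied from the DDS log posted later in this thread.
SAMPLE_DDS = [
    r"uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe",
    r'uRun: [Google Update] "C:\Users\Howard\AppData\Local\Google\Update\GoogleUpdate.exe" /c',
    r'uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart',
    r"uRun: [pajon] C:\Users\Howard\pajon.exe /y",
    r"mRun: [AGEIA PhysX SysTray] C:\Program Files (x86)\AGEIA Technologies\TrayIcon.exe",
    r"StartupFolder: C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$Diario 2011.doc",
]

if __name__ == "__main__":
    print(sweep_directory(build_sample_drive()))
    for key, name, image in triage_autoruns(SAMPLE_DDS):
        print("%-14s %-20s %s" % (key, name, image))
```

Run it as-is to see both checks on the constructed data; in practice you would point `sweep_directory` at the removable drive (E: in this thread) and feed `triage_autoruns` the whole DDS log. Reading the first two bytes is deliberately independent of Explorer's "hide extensions for known file types" setting and of the file's icon, which a PE chooses for itself; that is why a name and an icon alone told the topic starter nothing until Explorer's type column did.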

#3 Yucatán Man (Topic Starter, Members, 27 posts)

Posted 20 June 2012 - 12:06 AM

Hello, Jason. Thank you for answering and for your kind words and your understanding.

There is an apology waiting for you here: http://www.bleepingcomputer.com/forums/topic457577.html

This is the second time I am responding to your post. The first time was VERY detailed and VERY long. But I hit the wrong button on my browser and it disappeared when I was almost finished with it. It seemed to make me look not so stupid, following what logic dictated I should do at every turn. But the erasing of it all makes me look much more foolish. I will try to summarize the most important points.

Two "Information Systems" students came into my Internet cafe. They used two of the client PCs, and I noticed that they opened their documents from their flash drives and then the PCs froze up. I went to help and could not do anything, so I rebooted the PCs. I use Deep Freeze on all the clients in my LAN, just for this reason, and when they rebooted they were fine. (I also saw that the firewall blocked something.) But the young men seemed bothered and were leaving when they asked me to print a Word document for them. I did not suspect anything at that time, but now I do. I think they brought the trojan on purpose from their school to try it out, like some wannabe hackers. But I might be wrong. It's just that, looking back now, their attitudes seem strange. When I inserted their USB flash drive in my server there was no message from my antivirus. I proceeded to open the document that they indicated they wanted printed. As I double-clicked the icon (it looked like a normal MS Word document, I mean the icon) I noticed that it was an application, not a doc. Even though it looked like a document, it opened Word and a document appeared, and I even printed it and gave it to them. But I noticed that it was described in Windows Explorer as an executable application, even though I noticed it too late to not double-click it. So I asked them about it; I was starting to get a little suspicious, and it did strange things when I opened it. It also opened a red window like all Adobe installations do and asked to install some Adobe product. I don't remember which one; I just clicked the No button and, after I printed the document, closed Word and tried to eject ("expulsar") their USB flash drive. I first tried from the tray icon and was told by Windows that their USB was being used by some program and was not available. So I went to "Equipo" (Computer) and tried to eject it directly as drive E:, but that did not work either.

Almost immediately after, my antivirus (ESET 5) gave me the first warning message that it had found a threat, but I clicked on Eliminate so fast that I didn't get to see what virus or trojan it was. After I hit the Eliminate button, I immediately and physically removed their USB from my server. But it was too late; I was infected. I knew it instinctively because I lost control of the other PCs in my network and also the printer, and my Internet cafe control program stopped working. I had no network communication with my LAN, but the clients still had Internet access and so did the server. I opened my antivirus and it was giving me some red error messages. It could not update the virus definitions database. It also said something about reduced abilities or functions of the antivirus that were deactivated or not able to start, or something of that sort. Even though I felt that I had gotten a virus, I did not know the details or the gravity of the problem. I thought that my ESET antivirus was not working because I use a user ID/password finder program to keep it updated, and I assumed that it had updated recently and found the search program as a threat and eliminated it, as it did a few months ago. At this point I think I have a virus, but I don't know how bad, and I think it's not that bad and that I can control it. So, thinking that ESET turned against the password/user ID searcher, I download Microsoft Security Essentials, uninstall ESET and install MSE. While I'm looking for MSE I find there is an update available for Windows 7, and I download and install it. This was just before I installed MSE. This fact becomes important a little further down. So now that I have installed MSE, it starts off by updating its database. It completes the process and starts a scan. It finds "Sirefef.Y" and I click the button to eliminate, but then a message appears from Windows saying that the system will shut down in one minute.

And I'm watching and hoping that MSE will eliminate it before Windows shuts down. But the trojan won. I believe it was the trojan that sent the command to shut down the PC. And it did, before MSE had a chance to eliminate it. At this point I still don't know what I'm dealing with. I know its name, but I still hadn't googled it. So I try a few things, because the PC starts cycling: boot up / MSE detects the trojan / the trojan shuts down the PC, and then all over again. So I try "shutdown -a" from the command line after the message appears again, and I get an error (1116). So I try opening my "control de ciber" (cafe control) program in another cycle, because it has the function of inhibiting the closing of Windows for unauthorized users. But it doesn't work either. So now I'm starting to feel really lost and I unplug my PC for a while. Then I tried F8 from boot-up and got into Windows 7 recovery, or whatever you call it in English. Ha... Restore Windows... right? So I look for restore points before the incident, but there are none, which is odd because, now that I have researched Sirefef, I haven't seen anything about it erasing restore points. But anyway, I chose the only one available, which was the one created when I updated Windows after the infection but before the install of MSE. And how good it was that it happened before the install of MSE, or I wouldn't have been able to regain control of my PC. At least it was not cycling on and off like before. The trojan was still there, but I could now start trying other things that I could not do when I only had one minute to work, like before.

I now started to investigate more and talked to some friends on a Latino forum for Internet and spyware issues. I received much advice and followed much of it too, some good and some bad. Some of the things I tried were (in this order): run CCleaner (first adjusting its options), then Malwarebytes Anti-Malware (first updating it and adjusting its options), then TDSSKiller (at this point I still didn't understand the difference between Sirefef and its cousins), then I tried Panda's "yorkyt.exe".

If I remember correctly, I ran the CCleaner scan several times until everything was good. Fixed cookies and everything. Malwarebytes found something, I think, and I told it to eliminate everything, but the report says many things were not eliminated. Below I will paste the report if I still have it. I remember that some of the reports generated by some of these programs would overwrite the one from before. Then Malwarebytes asked to restart Windows; before I could say yes, Malwarebytes notified me of an occurrence of the trojan and asked to repress it. I said yes. Then it restarted and I ran TDSSKiller and it found nothing, which makes sense only now that I know that Sirefef eliminates all footprints of its other rootkit cousins from the PC. Then, because I thought it was eliminated, I installed MSE again, but I made a restore point before I installed it. Then, like before, MSE found the trojan and began cycling the PC on/off. So I rebooted with F8 and went back to the restore point from just before. Then more investigation and more advice, and then I ran Panda's "yorkyt". I followed the instructions and eliminated the trojan (I thought), because I ran Malwarebytes and Panda again, and Malwarebytes always found something and Panda sometimes found something, and since then I haven't been able to beat it. Oh... I forgot to tell you: before I did the restore point the first time, before I installed MSE the first time, I tried ESET's SysRescue 5 live disc, and it did boot up OK but was unable to update its database. It took several hours to scan and found nothing except those patch, keygen, loader, activator, etc. programs.

I know this has been a lot to read, so I'm thanking you right now. It has also been a lot to write (especially since it's not my native tongue), and the fact that this is the second time writing it has me very tired. It's almost midnight here. Below I'm pasting the report you asked for and the ones that were generated on previous attempts to rid myself of this pest. Again, thank you very much, and I hope you read the apology. I'll be waiting to hear from you.

Thanks, Andres

Oh, yeah, I forgot: I also tried the ESET Sirefef removal tool at some point in all this.

Here is the DDS report. I ran it twice, because I don't know where I put the first report. I don't know what a script-blocking tool is, so I don't know if I have one that needs to be turned off. I have no antivirus installed right now.

As to your questions:

1. I can now boot up my PC, and here is the log.
2. I don't have the original CD or DVD of Windows (it's pirated, like most of my software).
3. I think I am following all of the steps. You let me know.
4. I think number 4 is answered in the text above.
5. Thank you.
6. I pasted it below. I have other reports that I zipped, but I don't see an attach button on this editor. I'll keep looking.
7. I guess I just found it.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Howard at 23:40:51 on 2012-06-19
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.52.3082.18.4094.2531 [GMT -5:00]
.
AV: ESET NOD32 Antivirus 5.0 *Enabled/Outdated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.0 *Enabled/Outdated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Firewall personal de ESET *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE
C:\Windows\system32\spool\drivers\x64\3\NetFaxServer64.exe
C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Microsoft Encarta\Encarta 2009 Biblioteca Premium DVD\EDICT.EXE
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\AGEIA Technologies\TrayIcon.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\mobsync.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\splwow64.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = https://www.google.com.mx/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
uURLSearchHooks: mipony-plugin Toolbar: {90d46c30-9f25-4104-aea9-35c3f84477ff} - C:\Program Files (x86)\mipony-plugin\tbmipo.dll
uURLSearchHooks: tjutilbarra Toolbar: {c6bf3bc4-0101-4782-ab1e-63a072bced3c} - C:\Program Files (x86)\tjutilbarra\tbtjut.dll
uURLSearchHooks: H - No File
mURLSearchHooks: mipony-plugin Toolbar: {90d46c30-9f25-4104-aea9-35c3f84477ff} - C:\Program Files (x86)\mipony-plugin\tbmipo.dll
mURLSearchHooks: tjutilbarra Toolbar: {c6bf3bc4-0101-4782-ab1e-63a072bced3c} - C:\Program Files (x86)\tjutilbarra\tbtjut.dll
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Aplicación auxiliar de inicio de sesión de Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: mipony-plugin Toolbar: {90d46c30-9f25-4104-aea9-35c3f84477ff} - C:\Program Files (x86)\mipony-plugin\tbmipo.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO: tjutilbarra Toolbar: {c6bf3bc4-0101-4782-ab1e-63a072bced3c} - C:\Program Files (x86)\tjutilbarra\tbtjut.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: mipony-plugin Toolbar: {90d46c30-9f25-4104-aea9-35c3f84477ff} - C:\Program Files (x86)\mipony-plugin\tbmipo.dll
TB: tjutilbarra Toolbar: {c6bf3bc4-0101-4782-ab1e-63a072bced3c} - C:\Program Files (x86)\tjutilbarra\tbtjut.dll
TB: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [E09EXLRD_6214362] "C:\Program Files (x86)\Microsoft Encarta\Encarta 2009 Biblioteca Premium DVD\EDICT.EXE" -m
uRun: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
uRun: [Google Update] "C:\Users\Howard\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [MediaFire Tray] "C:\Users\Howard\AppData\Local\MediaFire Express\mf_systray.exe" --boot-start
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
uRun: [pajon] C:\Users\Howard\pajon.exe /y
mRun: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [AGEIA PhysX SysTray] C:\Program Files (x86)\AGEIA Technologies\TrayIcon.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\Howard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$Diario 2011.doc
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Enviar a OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: Descargar con Mipony - file://C:\Program Files (x86)\MiPony\Browser\IEContext.htm
IE: E&xportar a Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - C:\Program Files (x86)\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{1BB95B3C-6486-43AE-8A5C-62B54645DE1F} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E0D4622A-E3C2-4C07-A568-DAE54439AC65} : DhcpNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
IFEO: notepad.exe - "C:\Program Files\Notepad2\Notepad2.exe" /z
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{3049C3E9-B461-4BC5-8870-4C09146192CA}
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{90d46c30-9f25-4104-aea9-35c3f84477ff}
{B4F3A835-0E21-4959-BA22-42B3008E02FF}
{c6bf3bc4-0101-4782-ab1e-63a072bced3c}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{90d46c30-9f25-4104-aea9-35c3f84477ff}
{c6bf3bc4-0101-4782-ab1e-63a072bced3c}
TB-X64: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
mRun-x64: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [AGEIA PhysX SysTray] C:\Program Files (x86)\AGEIA Technologies\TrayIcon.exe
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
SEH-X64: {B5A7F190-DDA6-4420-B3BA-52453494E6CD}: Groove GFS Stub Execution Hook
IFEO-X64: notepad.exe - "C:\Program Files\Notepad2\Notepad2.exe" /z
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Howard\AppData\Roaming\Mozilla\Firefox\Profiles\fp5mgr5g.default\
FF - prefs.js: browser.startup.homepage - www.google.com.mx
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=2&q=
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Howard\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-3-9 365568]
R2 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-6-17 194496]
R2 BCUService;Browser Configuration Utility Service;C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2010-12-11 219360]
R2 ES lite Service;ES lite Service for program management.;C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe [2010-12-11 68136]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-6-18 654408]
R2 Samsung Network Fax Server;Samsung Network Fax Server;C:\Windows\System32\spool\drivers\x64\3\NetFaxServer64.exe [2012-5-19 229888]
R2 SSPORT;SSPORT;\??\C:\Windows\system32\Drivers\SSPORT.sys --> C:\Windows\system32\Drivers\SSPORT.sys [?]
R2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-5-28 275968]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 epfwwfp;epfwwfp;C:\Windows\system32\DRIVERS\epfwwfp.sys --> C:\Windows\system32\DRIVERS\epfwwfp.sys [?]
S2 gupdate;Google Update Servicio (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-5-14 116648]
S2 KMService;KMService;C:\Windows\System32\srvany.exe [2011-8-1 8192]
S3 gupdatem;Google Update Servicio (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-5-14 116648]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
.
=============== Created Last 30 ================
.
2012-06-20 02:43:29 -------- d-----w- C:\Users\Howard\AppData\Local\{93B8BED9-1BF0-4906-BD5D-F6627CA75363}
2012-06-20 02:43:18 -------- d-----w- C:\Users\Howard\AppData\Local\{445C167F-71A9-427C-8A8C-DC0646ACA0B0}
2012-06-19 14:42:50 -------- d-----w- C:\Users\Howard\AppData\Local\{87FAF23E-C881-45C1-9B7A-EE81CAAFA573}
2012-06-19 14:42:37 -------- d-----w- C:\Users\Howard\AppData\Local\{1FB5F1D6-FC46-45E9-8536-E558531E3BE4}
2012-06-19 14:10:20 -------- d-----w- C:\Users\Howard\AppData\Local\{E4CB5B0E-4F22-4FC5-A2C8-04071E5D5AA3}
2012-06-19 14:10:08 -------- d-----w- C:\Users\Howard\AppData\Local\{D8A95E9E-A99D-420E-AA1A-A3B67D9CC347}
2012-06-19 03:08:26 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-06-19 01:49:47 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-18 23:27:26 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2012-06-18 23:13:47 -------- d-----w- C:\Users\Howard\AppData\Roaming\Malwarebytes
2012-06-18 23:13:42 -------- d-----w- C:\ProgramData\Malwarebytes
2012-06-18 23:13:41 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-18 23:13:41 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-18 23:03:15 -------- d-----w- C:\Program Files\CCleaner
2012-06-18 22:21:36 -------- d-----w- C:\Users\Howard\AppData\Local\{4F9C1548-0C92-4E14-9998-9598B3EEDA25}
2012-06-18 15:53:32 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-06-18 15:28:11 40960 ----a-w- C:\Users\Howard\zesoz.com
2012-06-18 15:27:33 40960 ----a-w- C:\Users\Howard\nabor.com
2012-06-18 15:27:21 40960 ----a-w- C:\Users\Howard\fvoc.com
2012-06-18 15:27:11 40960 ----a-w- C:\Users\Howard\daicop.com
2012-06-18 15:27:03 40960 ----a-w- C:\Users\Howard\zuudl.com
2012-06-18 15:25:23 40960 ----a-w- C:\Users\Howard\mcom.com
2012-06-18 15:24:09 40960 ----a-w- C:\Users\Howard\bpz.com
2012-06-18 15:21:45 -------- d-----w- C:\Users\Howard\AppData\Roaming\updates
2012-06-18 15:21:27 -------- d-----w- C:\Users\Howard\AppData\Roaming\xkqnvvxfv1he3ofaaqwxfjsczzlyrcd12
2012-06-18 15:21:13 40960 ----a-w- C:\Users\Howard\sailon.com
2012-06-18 04:02:04 -------- d-----w- C:\Users\Howard\AppData\Roaming\Subtitle Edit
2012-06-18 04:02:02 -------- d-----w- C:\Program Files (x86)\Subtitle Edit
2012-06-18 02:07:19 -------- d-----w- C:\Users\Howard\AppData\Local\WMTools Downloaded Files
2012-06-16 15:50:27 -------- d-----w- C:\Users\Howard\AppData\Local\{93011004-55B4-4FA6-B5B4-433B6D1ED93D}
2012-06-16 15:28:48 -------- d-----w- C:\Users\Howard\AppData\Roaming\Hive Cluster
2012-06-16 15:28:27 -------- d-----w- C:\Program Files (x86)\Bang Bang Racing
2012-06-16 15:16:30 -------- d-----w- C:\Users\Howard\AppData\Roaming\com.cipherprime.auditorium
2012-06-16 15:15:35 -------- d-----w- C:\Program Files (x86)\Auditorium
2012-06-15 10:09:33 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{54CD45CD-32C5-4340-B77C-E1298646AE9E}\mpengine.dll
2012-06-14 15:49:19 -------- d-----w- C:\Users\Howard\AppData\Local\{1FC4D725-BABA-4EB5-974F-6EDBFAF5EB85}
2012-06-14 03:48:53 -------- d-----w- C:\Users\Howard\AppData\Local\{88074373-67B9-462A-AFFE-D23DB026408D}
2012-06-13 20:16:49 -------- d-s---w- C:\Users\Howard\Google Drive
2012-06-13 15:48:27 -------- d-----w- C:\Users\Howard\AppData\Local\{3DC36133-7B90-4ED7-A024-0EF2A7E9AB48}
2012-06-13 15:48:11 -------- d-----w- C:\Users\Howard\AppData\Local\{F84E2439-745D-43F0-93CA-CA3E4EA0D3CF}
2012-06-13 03:47:43 -------- d-----w- C:\Users\Howard\AppData\Local\{CD5F9DD6-DCC3-4F1C-81F2-AE60B041A1DF}
2012-06-13 01:09:59 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-06-13 01:09:59 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-06-13 01:09:59 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-06-13 01:09:31 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-06-13 01:09:23 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-06-13 01:09:21 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-06-13 01:09:20 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-06-13 01:08:03 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-06-13 01:07:59 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-06-13 01:07:59 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-06-13 01:07:57 3216384 ----a-w- C:\Windows\System32\msi.dll
2012-06-13 01:07:56 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-06-13 01:07:51 1462272 ----a-w- C:\Windows\System32\crypt32.dll
2012-06-13 01:07:50 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-06-13 01:07:50 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-06-13 01:07:50 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-06-13 01:07:50 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-06-13 01:07:50 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-06-12 15:47:19 -------- d-----w- C:\Users\Howard\AppData\Local\{7DFFD017-9E66-492C-BCB5-963C1B598EF4}
2012-06-12 03:46:54 -------- d-----w- C:\Users\Howard\AppData\Local\{8CAAF6D1-8C87-40F1-9537-D93DA1BA1AD7}
2012-06-12 01:13:09 -------- d-----w- C:\Users\Howard\.gnome2
2012-06-12 01:12:01 -------- d-----w- C:\Program Files (x86)\Planner
2012-06-11 15:46:28 -------- d-----w- C:\Users\Howard\AppData\Local\{8BEB821E-685F-4506-A39F-8076CF775C90}
2012-06-11 03:46:02 -------- d-----w- C:\Users\Howard\AppData\Local\{EBBA0999-0808-4F49-8B90-A5994E0673FA}
2012-06-10 15:45:40 -------- d-----w- C:\Users\Howard\AppData\Local\{9712B221-D0FE-4129-A672-D66D955E53D0}
2012-06-10 03:45:17 -------- d-----w- C:\Users\Howard\AppData\Local\{A2C4CA56-7A0F-4DEB-A120-C8416F0C55DE}
2012-06-09 15:44:54 -------- d-----w- C:\Users\Howard\AppData\Local\{246CB2D1-B820-4830-9D16-702CD530B7DB}
2012-06-09 03:44:31 -------- d-----w- C:\Users\Howard\AppData\Local\{C04A59D9-4176-4D7C-8D31-F539B6037857}
2012-06-09 03:44:18 -------- d-----w- C:\Users\Howard\AppData\Local\{E11BBD36-0537-4BC6-9214-70890644EC30}
2012-06-08 15:43:52 -------- d-----w- C:\Users\Howard\AppData\Local\{BE5219C5-FD1B-4004-88E9-9DF6837F787C}
2012-06-08 15:43:42 -------- d-----w- C:\Users\Howard\AppData\Local\{9CE5328F-D6C4-47B7-B4A4-CF250DDC26DC}
2012-06-08 03:43:16 -------- d-----w- C:\Users\Howard\AppData\Local\{8A6BCA08-02B9-42F4-BBF8-CCC3BC43D04F}
2012-06-08 03:43:06 -------- d-----w- C:\Users\Howard\AppData\Local\{C19D0809-4A2E-431E-B469-FA62F2BAB11F}
2012-06-07 15:42:40 -------- d-----w- C:\Users\Howard\AppData\Local\{14C74658-8EA7-469F-9177-4951BCE9458C}
2012-06-07 15:42:28 -------- d-----w- C:\Users\Howard\AppData\Local\{68893B60-303E-4C1C-BDDE-6F006318D646}
2012-06-07 03:42:03 -------- d-----w- C:\Users\Howard\AppData\Local\{F7EC440E-2AB8-4B47-A1BD-B08C22F1DF51}
2012-06-07 03:41:51 -------- d-----w- C:\Users\Howard\AppData\Local\{D8CED821-A253-4B93-BDFA-58967FB81F7C}
2012-06-06 15:41:25 -------- d-----w- C:\Users\Howard\AppData\Local\{547B2D32-839D-4FB3-B179-4661D013D825}
2012-06-06 03:40:59 -------- d-----w- C:\Users\Howard\AppData\Local\{E2221455-8AC0-4528-8143-7F07AF5F58FF}
2012-06-06 03:40:48 -------- d-----w- C:\Users\Howard\AppData\Local\{ABC0C874-538F-4F48-86DD-E61F5EB0F572}
2012-06-05 15:40:15 -------- d-----w- C:\Users\Howard\AppData\Local\{AF33A874-8245-4D88-A20B-D14ED3B7CD31}
2012-06-05 15:40:00 -------- d-----w- C:\Users\Howard\AppData\Local\{62E74EB6-A3B8-4AA5-B023-889579B60D7A}
2012-06-05 03:39:32 -------- d-----w- C:\Users\Howard\AppData\Local\{1FFBBC65-11C7-4A5F-ADE9-97B711B5EED6}
2012-06-05 03:39:20 -------- d-----w- C:\Users\Howard\AppData\Local\{FA5680C7-54EE-4B0C-8BA2-E94B901AD6CA}
2012-06-04 15:38:53 -------- d-----w- C:\Users\Howard\AppData\Local\{21A4EA31-7632-410B-B558-0C1AC4A98114}
2012-06-04 03:38:27 -------- d-----w- C:\Users\Howard\AppData\Local\{9487DC4E-C259-4E2F-94F7-643FF440D836}
2012-06-03 15:38:00 -------- d-----w- C:\Users\Howard\AppData\Local\{8CA13281-F499-4003-9567-00F92F5A516D}
2012-06-03 03:37:34 -------- d-----w- C:\Users\Howard\AppData\Local\{9A497DE0-DCF4-4B3F-AC11-CC1B26249402}
2012-06-03 03:37:22 -------- d-----w- C:\Users\Howard\AppData\Local\{8824A582-2DDE-42A5-B446-3FFCD79710D0}
2012-06-02 15:36:56 -------- d-----w- C:\Users\Howard\AppData\Local\{D6FBCC2C-CFAA-4F7C-A178-5B0FF99A5838}
2012-06-02 15:36:44 -------- d-----w- C:\Users\Howard\AppData\Local\{27C8A56D-A8D7-4865-B89B-80D3CADDCCDA}
2012-06-02 03:36:30 -------- d-----w- C:\Users\Howard\AppData\Local\{93EB6625-E572-4BE8-8CAD-A7BFE73D6445}
2012-06-02 03:36:19 -------- d-----w- C:\Users\Howard\AppData\Local\{2FD67E0E-2C23-45E1-A4AF-252C25907134}
2012-06-01 15:35:52 -------- d-----w- C:\Users\Howard\AppData\Local\{92B3A62E-E6D2-4D84-AC99-3E1304975C78}
2012-06-01 15:35:41 -------- d-----w- C:\Users\Howard\AppData\Local\{B06D653F-0568-4613-9AF5-31CD2C96EC8C}
2012-06-01 03:35:13 -------- d-----w- C:\Users\Howard\AppData\Local\{CA7298F3-7575-4AD2-B046-24DDE19A97BE}
2012-05-31 15:34:46 -------- d-----w- C:\Users\Howard\AppData\Local\{D3BA0E8A-CDC1-448D-A483-2293CCF3D874}
2012-05-31 03:34:20 -------- d-----w- C:\Users\Howard\AppData\Local\{0525D4ED-E319-4C13-8455-5C8A0F32BC54}
2012-05-30 15:33:55 -------- d-----w- C:\Users\Howard\AppData\Local\{AA7C050F-3BBC-451A-8B5E-5A412F792780}
2012-05-30 15:33:43 -------- d-----w- C:\Users\Howard\AppData\Local\{A752FF61-AE80-47F8-981B-CC9CCCD9E6C5}
2012-05-30 03:33:16 -------- d-----w- C:\Users\Howard\AppData\Local\{E43FACF3-3CC1-4258-93B7-70CECD449A2A}
2012-05-29 15:32:51 -------- d-----w- C:\Users\Howard\AppData\Local\{64C05C1B-ED55-42D7-8217-089CEBC6739E}
2012-05-29 03:32:25 -------- d-----w- C:\Users\Howard\AppData\Local\{1AFD03E8-C915-4151-BCE2-F9DA38FBD198}
2012-05-28 15:31:57 -------- d-----w- C:\Users\Howard\AppData\Local\{47CC6780-062E-4A9A-B5FD-0044B4110E6B}
2012-05-28 15:31:44 -------- d-----w- C:\Users\Howard\AppData\Local\{D562475B-D010-4ACB-B19A-35C828F04F18}
2012-05-28 03:31:17 -------- d-----w- C:\Users\Howard\AppData\Local\{B5E51B5E-E32D-4EC7-9C13-3BBD5F53BDE4}
2012-05-28 03:31:06 -------- d-----w- C:\Users\Howard\AppData\Local\{10B5DAAA-EACB-4FB8-8F9D-DA3F5B000AEC}
2012-05-27 15:30:52 -------- d-----w- C:\Users\Howard\AppData\Local\{E6CDA03B-4C1C-4562-A0E9-B83ACA061ED0}
2012-05-27 15:30:40 -------- d-----w- C:\Users\Howard\AppData\Local\{EA2E4362-1D4D-456C-827C-18D5492E8291}
2012-05-27 03:30:27 -------- d-----w- C:\Users\Howard\AppData\Local\{D23406AE-89D6-47E5-B49A-532CABDA13C7}
2012-05-27 03:30:15 -------- d-----w- C:\Users\Howard\AppData\Local\{5EB18B54-7815-448E-A999-5777CE407D2F}
2012-05-26 15:29:55 -------- d-----w- C:\Users\Howard\AppData\Local\{CBE596CB-FCCE-4ADF-B442-362820EFCEAB}
2012-05-26 15:29:41 -------- d-----w- C:\Users\Howard\AppData\Local\{706FA9B9-1CBA-4C03-8600-390051DEACEE}
2012-05-26 03:29:25 -------- d-----w- C:\Users\Howard\AppData\Local\{6A12F4B2-4330-4DF2-8D64-416728BB8743}
2012-05-26 03:29:13 -------- d-----w- C:\Users\Howard\AppData\Local\{4F78F542-9759-410F-A946-0BD76854C2CF}
2012-05-25 15:28:59 -------- d-----w- C:\Users\Howard\AppData\Local\{FDA01291-8081-472F-9AD9-42120F820969}
2012-05-25 15:28:48 -------- d-----w- C:\Users\Howard\AppData\Local\{DC5AB246-FD8B-4CF8-A346-DFF626889F29}
2012-05-25 03:28:21 -------- d-----w- C:\Users\Howard\AppData\Local\{175701F1-B67E-41E6-A99E-47435CEE0919}
2012-05-25 03:28:09 -------- d-----w- C:\Users\Howard\AppData\Local\{5A35B409-C394-4EE0-890E-A6A23BD6EACB}
2012-05-24 15:27:55 -------- d-----w- C:\Users\Howard\AppData\Local\{28F21FE4-A406-4B38-8819-90B5DF737913}
2012-05-24 15:27:44 -------- d-----w- C:\Users\Howard\AppData\Local\{217F084F-5434-4B2B-90C3-3E339C441A52}
2012-05-24 03:27:30 -------- d-----w- C:\Users\Howard\AppData\Local\{6FD0E626-6BC8-4B5D-A2AB-5508A3882617}
2012-05-24 03:27:18 -------- d-----w- C:\Users\Howard\AppData\Local\{4D9BCAB6-922D-43A2-A9AB-C361D1A109E1}
2012-05-23 15:27:04 -------- d-----w- C:\Users\Howard\AppData\Local\{A272A2ED-0B4E-43AC-B7FB-48B8B65A23DE}
2012-05-23 15:26:52 -------- d-----w- C:\Users\Howard\AppData\Local\{6ECDCD7A-6DB5-4E1B-82CE-903EF5633E2E}
2012-05-23 03:26:38 -------- d-----w- C:\Users\Howard\AppData\Local\{465D35F7-455C-4096-950C-2EC8F8C5F1A3}
2012-05-23 03:26:27 -------- d-----w- C:\Users\Howard\AppData\Local\{83138CEF-B8A7-4DD7-9CCB-5B001E56C038}
2012-05-22 15:26:00 -------- d-----w- C:\Users\Howard\AppData\Local\{F5F83719-32E2-4034-B865-DCCD91ED4C22}
2012-05-22 15:25:49 -------- d-----w- C:\Users\Howard\AppData\Local\{5B35BEB8-5F20-4C97-8963-51B5C0703A7A}
2012-05-22 03:25:33 -------- d-----w- C:\Users\Howard\AppData\Local\{53A168AA-AA18-4A1C-9464-9744A3EE6421}
2012-05-22 03:25:15 -------- d-----w- C:\Users\Howard\AppData\Local\{6ECFB0AE-C934-4A97-A132-74FD26EC3A70}
2012-05-21 15:24:59 -------- d-----w- C:\Users\Howard\AppData\Local\{2EBDAA9C-A048-4323-BDD5-D8DAF59E0EC6}
2012-05-21 15:24:47 -------- d-----w- C:\Users\Howard\AppData\Local\{68D694FE-EC6E-4554-86DF-07CD3450ED07}
.
==================== Find3M ====================
.
2012-06-19 20:42:22 25640 ----a-w- C:\Windows\gdrv.sys
2012-06-13 14:08:33 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-13 14:08:33 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-05-07 20:01:16 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2012-05-07 20:01:16 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2012-05-05 18:17:20 8744608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-03-31 22:59:06 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-03-31 22:59:06 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-03-30 11:35:47 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-03-28 23:17:25 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-03-22 19:12:12 4435968 ----a-w- C:\Windows\SysWow64\GPhotos.scr
.
============= FINISH: 23:41:05.42 ===============

Here are the other reports I have:

I just saw how big the panda report was and thought better to attach them in a zip file.
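Reading a DDS "Created Last 30" section like the one above by hand is slow, and the interesting entries are easy to miss among the dozens of routine AppData\Local GUID folders. As an added example (not part of this thread, and not code from the DDS tool or from the helper), here is a Python triage script that parses DDS-style lines and applies a few heuristics a helper would otherwise apply by eye: executables written straight into a user's profile root, a hidden+system folder (or a folder whose name is a literal `%VAR%`) under System32, a long random-looking folder name directly under Roaming, and a burst of same-sized executables created within minutes of each other. The rules, names and thresholds are this example's own assumptions, not DDS semantics, and the embedded sample lines are constructed, modelled on the log quoted above.

```python
"""Heuristic triage of DDS "Created Last 30" lines (added example, not DDS code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample, modelled on the log quoted above (same line format:
# "<date> <time> <size or -------->  <attrs> <path>").
SAMPLE_LOG = r"""
2012-06-18 23:27:26 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2012-06-18 23:13:41 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-18 15:28:11 40960 ----a-w- C:\Users\Howard\zesoz.com
2012-06-18 15:27:33 40960 ----a-w- C:\Users\Howard\nabor.com
2012-06-18 15:27:21 40960 ----a-w- C:\Users\Howard\fvoc.com
2012-06-18 15:21:27 -------- d-----w- C:\Users\Howard\AppData\Roaming\xkqnvvxfv1he3ofaaqwxfjsczzlyrcd12
2012-06-18 04:02:02 -------- d-----w- C:\Program Files (x86)\Subtitle Edit
2012-06-13 01:09:23 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
"""

# One DDS line: timestamp, size (dashes for directories), 8-char attribute
# field (d=directory, s=system, h=hidden, a=archive, w=writable), path.
LINE_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*?)\s*$"
)
EXEC_EXT = (".com", ".exe", ".scr", ".pif")
# Heuristic patterns (this example's assumptions, not DDS rules).
PROFILE_ROOT_EXEC = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+$", re.IGNORECASE)
ROAMING_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\([^\\]+)$", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{20,}$")


@dataclass
class Entry:
    when: datetime
    size: Optional[int]   # None for directories (DDS prints dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_exec(self) -> bool:
        return not self.is_dir and self.name.lower().endswith(EXEC_EXT)


def parse_dds(text: str) -> List[Entry]:
    """Parse DDS file-listing lines; section headers and '.' separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        when = datetime.strptime(m["when"], "%Y-%m-%d %H:%M:%S")
        entries.append(Entry(when, size, m["attrs"], m["path"]))
    return entries


def triage(text: str, burst_window: timedelta = timedelta(minutes=10)) -> Dict[str, Set[str]]:
    """Return {path: {rule, ...}} for every entry that trips at least one heuristic."""
    entries = parse_dds(text)
    findings: Dict[str, Set[str]] = {}

    def flag(e: Entry, rule: str) -> None:
        findings.setdefault(e.path, set()).add(rule)

    execs = [e for e in entries if e.is_exec]
    for e in entries:
        # Rule 1: an executable dropped directly into a user's profile root.
        if e.is_exec and PROFILE_ROOT_EXEC.match(e.path):
            flag(e, "exec-in-profile-root")
        # Rule 2: hidden+system directory under System32, or a literal '%' in
        # the folder name (an unexpanded variable name used as a folder name).
        if e.is_dir and e.path.lower().startswith("c:\\windows\\system32\\") and (
                ("s" in e.attrs and "h" in e.attrs) or "%" in e.name):
            flag(e, "hidden-system-dir-in-system32")
        # Rule 3: long random-looking folder name directly under Roaming.
        m = ROAMING_DIR.match(e.path)
        if e.is_dir and m and RANDOM_NAME.match(m.group(1)):
            flag(e, "random-name-roaming-dir")
    # Rule 4: three or more executables of identical size created within a
    # short window, the signature of one dropper writing copies of itself.
    for e in execs:
        twins = [o for o in execs
                 if o.size == e.size and abs(o.when - e.when) <= burst_window]
        if len(twins) >= 3:
            flag(e, "same-size-burst")
    return findings


def main() -> None:
    for path, rules in sorted(triage(SAMPLE_LOG).items()):
        print(f"{', '.join(sorted(rules))}: {path}")


if __name__ == "__main__":
    main()
```

Run it as-is to print the flagged paths from the constructed sample; for a real log, pass the saved DDS text to `triage()`. A hit is a lead for the helper to look at, not a verdict: legitimate installers also create folders under Roaming, and the burst rule depends on file sizes, which DDS prints only for files, not directories.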

#4 Yucatán Man


Posted 20 June 2012 - 12:21 AM

Ok. I found it. Attached below is the zip file of all my reports.

Thank you again,

Andres


#5 jntkwx


Posted 20 June 2012 - 03:09 PM

Yucatán Man,

I didn't take your first post personally. Thank you for your apology, and the very detailed explanation of what has happened on your computer.

You said "your server" - is this your computer that your logs are from? (Just for my own understanding.) Your English is very good. If you do not understand how I write something, please let me know and I'll try to explain it better.


Combofix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Please download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<
3. Double click on combofix.exe & follow the prompts.

Important:
  • Do not mouseclick Combofix's window while it's running. That may cause it to stall.
  • If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

In your next reply, please include:
  • Combofix log
  • How is your computer running now? Please be as descriptive as possible.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#6 Yucatán Man


Posted 20 June 2012 - 03:36 PM

Yes, Jason. Those logs are from the server in my internet cafe. It is the one that controls the network and gives permission to the clients or slaves or whatever you call the other PCs in a network. They are not "thin clients" without HDDs. They are normal PCs, all running Windows 7 Ultimate 32 bit. Two are AMD Athlon X2 2.8 GHz with 2 GB RAM. One is Intel Atom 330 with 2 GB RAM. Three are Intel Atom 230 w/ 2 GB RAM. One is AMD's Fusion platform (APU) with dual core processor and GPU integrated into one. Also has 2 GB RAM.

I just wanted to answer your question before I proceeded, because I'm about to shut down everything and run combofix. Did you check my other reports that I attached?

Thank you for your help.

#7 Yucatán Man


Posted 20 June 2012 - 03:41 PM

Jason, one quick question before I run combofix. Did you notice in my reports if I have any anti-virus, anti-malware or anti-scripting software that needs to be turned off? I ask because, like I wrote before, I'm not sure.

#8 jntkwx


Posted 20 June 2012 - 05:26 PM

Yucatán Man,

Okay, and the server is the only computer that is infected, correct?

Yes, I did look over your other logs. You do not have an antivirus program or other anti-scripting software installed.
Regards,
Jason

 



#9 Yucatán Man


Posted 20 June 2012 - 08:05 PM

... I went to help and could not do anything, so I rebooted the PCs. I use Deep Freeze on all the clients in my LAN, just for this reason, and when they rebooted they were fine. (also saw that the firewall blocked something) ...


Thank you for responding, Jason. Yes, the server is the only one infected. The clients use Deep Freeze to restore them to the same state every time they are restarted.

But, I have to admit that I got a little desperate and did not wait for this new post to run combofix, as you had already instructed me to do so. It is good that you say I have no antivirus/antiscripting software, because I already ran combofix. I did turn off Malwarebytes completely, and took the check marks out where it said to in the tutorial. And I shut down all windows and programs, even the dictionary from Encarta which is always open, and Sticky Notes and Messenger which are always open also. Then I ran combofix. I did not touch the mouse during the time it ran, except to click on accept so it would start. I noticed that it ran something on a black screen for a little while and then it turned itself off. It did not show me any report. I thought perhaps it had saved it in Documents, so I looked and found nothing. I ran a search for the word combofix and found only the application and a reference in Hiren's Boot CD.

Please tell me where I can find the report. Or do I need to run combofix again? I did not see anything about the error you mentioned of registry keys that have been marked for deletion. I did restart my PC after waiting about 9 or 10 minutes and not seeing anything.

Please respond quickly if you can, because I am not going to do anything with my PC until I hear from you.

Thank you,

Andres

#10 Yucatán Man


Posted 20 June 2012 - 08:17 PM

It looks like I lied. I said I wasn´t going to do anything until you responded, but since you told me to tell you how my computer is working I decided to turn on the program that controls the network and internet cafe. It is a POS system integrated with control of the network. And it started up O.K. and at this moment is working fine. I can charge customers for the time used and cokes and chips. I can also turn on and off the clients from the server. I also have my printer functions back.

But I'm still concerned about the missing report from combofix.

Please advise me.

Andres

#11 jntkwx


Posted 20 June 2012 - 09:53 PM

Yucatán Man,

Try running Combofix again (following my previous instructions). It may take some time to scan. It should create a log located at C:\Combofix.txt. If you don't see this file, there are some other tools we can run (the infection may be blocking Combofix from completing successfully).
Regards,
Jason

 



#12 Yucatán Man


Posted 21 June 2012 - 10:13 AM

Good Morning Jason,

I looked in the root of the C:/ drive and found no report from combofix. But I did notice that there were many things wrong there. There were folders or directories that had the icon changed to some other type of file. There was a video file that I never put there and many strange things. So I ran combofix, following your instructions. This time it had different results from the first time. It started the same except I didn´t have to click accept for it to start. Then a window with a black screen and green letters and a green bar which did not advance very far, and a new window opened with a blue progress bar and a red progress bar. It then closed and the original window of combofix kept working for a little while, then the green progress bar stopped working and the text stopped advancing. But it was not done, I think only half way. Then my PC restarted. When Windows tried to restart, I saw the screen where updates to Windows are applied. It said "aplicando actulizacion 59/59", it means applying update 59 of 59. Then a window asked me for permission to execute the editor of combofix. Then my desktop appeared and then a blue window opened that was titled in the upper left hand corner: C:/ Administrador (My keyboard can´t make the other slash for DOS directories). It used a black icon similar to the one for the command prompt to show the "C:/" (remember it was the other slash, I just can't type it). Then a new smaller window opened and said: "There's a new version of combofix available. Would you like to update combofix?" And there are two buttons available to click. One says "Si" and the other says "no". What should I do? Do I click yes and update combofix? I have read nothing in your website about this step.

Thank you,

Andres

#13 Yucatán Man


Posted 21 June 2012 - 10:18 AM

Without clicking either yes or no to the question I went to the C: drive and there was still no report. There was a text file called csb and when I tried to open it to see what it said, I received an error message in Spanish about a registry key marked for deletion.

Help!

#14 jntkwx


Posted 21 June 2012 - 11:32 AM

Yucatán Man,

I think the infections are still causing Combofix problems.

FRST
Please download Farbar Recovery Scan Tool 64-Bit and save it to a USB flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

- OR -

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Regards,
Jason

 



#15 Yucatán Man


Posted 21 June 2012 - 12:35 PM

Jason, please look at the photo I sent you. It is of my screen in DOS. It is very hard for me to type in DOS because the forward slash and back slash and colon are not in the right place. I chose a US keyboard from the list like you said but my keyboard is not US. I mentioned this problem with the back/forward slash in a previous post. This is the slash I have available "/" on my Spanish keyboard. As you see from the photo I found the colon and slashes after some work. But my flash drive was never recognized.

Please help. I fear that as my computer is left on while I wait for you to respond that the virus is propagating itself.

Thank you.

Andres

Edited by Yucatán Man, 21 June 2012 - 04:33 PM.




