blank page virus


  • This topic is locked
9 replies to this topic

#1 Tswan4027


  • Members
  • 6 posts

Posted 19 July 2012 - 02:10 PM

Hello,

I have a Windows 7 laptop that recently has had problems. I cannot connect to websites like YouTube, Facebook, Yahoo, and a few more, but I can connect to others. I have tried resetting the browser, resetting the IP, and even other browsers, but nothing works. My daughter also has a user on the laptop, and hers seems to work fine on all of the sites mine won't load.
When I try to go to one of those sites it starts out as if it's loading, then either gives me an "About:Blank" page or just stays at the site it was on before I tried to change sites.
I am not 100% sure what this is, but if it's a virus I would really appreciate it if someone could help me remove it.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by User at 12:45:15 on 2012-07-19
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2909.1638 [GMT -5:00]
.
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
C:\Windows\System32\ico.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\FSRremoS.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\ico.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Windows\System32\FSRremoS.EXE
C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\20.0.1132.57\chrome_frame_helper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11f_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\1.bin\MWSSRCAS.DLL
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
BHO: Updater For Comcast Toolbar 3.5: {164d3751-cac6-4a6d-becd-ea67df61d232} - c:\program files\comcasttb\auxi\comcastAu.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.4.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.4.0.12\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: ArcadeCandy Games: {ab6bd08c-db6b-4f02-8a22-4bd343e990ff} - c:\users\user\appdata\local\arcadecandy\candyEX.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.4.0.12\coIEPlg.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {30AA252E-B1DF-4AA2-9C5E-194C67A7C623} - No File
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
uRun: [ComcastAntispyClient] "c:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater\AdobeUpdater.exe
uRun: [Facebook Update] "c:\users\user\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ChromeFrameHelper] "c:\users\user\appdata\local\google\chrome\application\20.0.1132.57\chrome_frame_helper.exe" --startup
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11f_ActiveX.exe -update activex
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: facebook.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.26.0.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{756F531D-33B6-4E1A-9E09-C93D08398CBC} : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{756F531D-33B6-4E1A-9E09-C93D08398CBC}\25F6765627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{756F531D-33B6-4E1A-9E09-C93D08398CBC}\F54527166756C65627370275966496 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{756F531D-33B6-4E1A-9E09-C93D08398CBC}\F54527166756C65627370275966496 : DhcpNameServer = 64.250.243.37 64.250.243.42
TCP: Interfaces\{899366EE-429D-4F92-8738-963CBE4C7262} : DhcpNameServer = 192.168.1.1
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\users\user\appdata\local\google\chrome\application\20.0.1132.57\npchrome_frame.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0404000.00c\symds.sys [2011-10-31 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0404000.00c\symefa.sys [2011-10-31 173176]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20120711.002\BHDrvx86.sys [2012-7-12 821920]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0404000.00c\cchpx86.sys [2011-10-31 485512]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20120718.001\IDSvix86.sys [2012-7-18 382624]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0404000.00c\ironx86.sys [2011-10-31 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0404000.00c\symtdiv.sys [2011-10-31 340088]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
R2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [2011-6-28 34320]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.4.0.12\ccsvchst.exe [2011-10-31 126400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-6-2 106656]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2008-12-25 167936]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2008-12-25 862208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-24 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-24 136176]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [2009-7-24 9472]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-22 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-18 1343400]
.
=============== Created Last 30 ================
.
2012-07-19 15:40:49 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6f1dcd1f-81a9-4e9c-8e9e-76bad14349be}\mpengine.dll
2012-07-18 13:43:18 6891424 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-16 02:51:12 307200 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzppw72.dll
2012-07-14 19:24:25 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-07-14 01:45:42 -------- d-----w- c:\users\user\appdata\local\NPE
2012-07-14 01:42:49 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-13 06:21:56 -------- d-----w- c:\users\user\appdata\roaming\Merscom
2012-07-13 06:21:56 -------- d-----w- c:\programdata\Merscom
2012-07-13 06:21:18 -------- d-----w- c:\users\user\appdata\roaming\Oberon Media
2012-07-13 06:20:45 -------- d-----w- c:\program files\Oberon Media SIDR
2012-07-13 06:20:36 -------- d-----w- c:\program files\common files\Oberon Media
2012-07-13 06:14:03 -------- d-----w- c:\programdata\Oberon Media
2012-07-13 06:13:22 -------- d-----w- c:\users\user\appdata\local\ArcadeCandy
2012-07-12 08:01:23 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-04 03:29:54 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b7af9277-b742-47d7-b935-1814ed66c90f}\gapaengine.dll
2012-06-25 21:23:33 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-25 21:23:16 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-25 21:22:57 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-25 21:22:57 171904 ----a-w- c:\windows\system32\wuwebv.dll
.
==================== Find3M ====================
.
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-01 04:44:12 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:17:07 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:45:55 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:45:54 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41:16 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-24 04:36:42 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-04-24 04:36:42 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-04-24 04:36:42 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
============= FINISH: 12:46:08.82 ===============



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-19 14:09:56
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Hitachi_HTS545025B9A300 rev.PB2OC64G
Running: j8yoo3es.exe; Driver: C:\Users\User\AppData\Local\Temp\kxldapob.sys


---- System - GMER 1.0.15 ----

SSDT 86F8B350 ZwAlertResumeThread
SSDT 86FCC750 ZwAlertThread
SSDT 870AF3A0 ZwAllocateVirtualMemory
SSDT 86600AE8 ZwAlpcConnectPort
SSDT 86F98410 ZwAssignProcessToJobObject
SSDT 870B7390 ZwCreateMutant
SSDT 870B7D48 ZwCreateSymbolicLinkObject
SSDT 870BBA30 ZwCreateThread
SSDT 870B7E18 ZwCreateThreadEx
SSDT 86F9A0C0 ZwDebugActiveProcess
SSDT 870AFF80 ZwDuplicateObject
SSDT 870AF948 ZwFreeVirtualMemory
SSDT 86F915D0 ZwImpersonateAnonymousToken
SSDT 86F909D0 ZwImpersonateThread
SSDT 8660A958 ZwLoadDriver
SSDT 870AF868 ZwMapViewOfSection
SSDT 86F92190 ZwOpenEvent
SSDT 8664A440 ZwOpenProcess
SSDT 86EE0478 ZwOpenProcessToken
SSDT 86F9A048 ZwOpenSection
SSDT 870972A8 ZwOpenThread
SSDT 870B7EF8 ZwProtectVirtualMemory
SSDT 86FA00D0 ZwResumeThread
SSDT 86F1D790 ZwSetContextThread
SSDT 870AF710 ZwSetInformationProcess
SSDT 86F97890 ZwSetSystemInformation
SSDT 86F94CD0 ZwSuspendProcess
SSDT 86F8A190 ZwSuspendThread
SSDT 86F673C0 ZwTerminateProcess
SSDT 86F72048 ZwTerminateThread
SSDT 86F470B0 ZwUnmapViewOfSection
SSDT 870AFA18 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82C773C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CB0D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 82CB7D90 8 Bytes [50, B3, F8, 86, 50, C7, FC, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82CB7DA8 4 Bytes [A0, F3, 0A, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82CB7DB4 4 Bytes CALL 8151DDC3
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82CB7E08 4 Bytes [10, 84, F9, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82CB7E84 4 Bytes [90, 73, 0B, 87]
.text ...
? C:\Users\User\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 C252C000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 C252C123 629 Bytes [75, 52, C2, FE, 05, 34, 75, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 C252C399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F C252C3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B C252C4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
.text autochk.exe 002911D2 1 Byte [72]
.text autochk.exe 002911D2 3 Bytes [72, 00, 3D]
.text autochk.exe 002911D6 1 Byte [43]
.text autochk.exe 002911D6 3 Bytes [43, 00, 3A] {INC EBX; ADD [EDX], BH}
.text autochk.exe 002911DA 1 Byte [5C]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1068] kernel32.dll!CreateThread 7580DCC2 5 Bytes JMP 6C2275CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!EnableWindow 76CF8D02 5 Bytes JMP 6C269EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!GetAsyncKeyState 76CFA256 5 Bytes JMP 6C20DEAD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!CallNextHookEx 76CFABE1 5 Bytes JMP 6C287FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!UnhookWindowsHookEx 76CFADF9 5 Bytes JMP 6C2AECE0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!DefWindowProcA 76CFBB1C 7 Bytes JMP 6C2297F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!CreateWindowExA 76CFBF40 5 Bytes JMP 6C23362B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!SetWindowsHookExW 76CFE30C 5 Bytes JMP 6C2625AC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!CreateWindowExW 76CFEC7C 5 Bytes JMP 6C2903B7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!GetKeyState 76D02B4D 5 Bytes JMP 6C20DD87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!IsDialogMessageW 76D04104 5 Bytes JMP 6C3B9855 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!DefWindowProcW 76D0507D 7 Bytes JMP 6C288042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!CreateDialogParamA 76D11F42 5 Bytes JMP 6C3B90B8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!IsDialogMessage 76D12019 5 Bytes JMP 6C3B982D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!DialogBoxParamW 76D13B9B 5 Bytes JMP 6C1C187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!CreateDialogIndirectParamA 76D1721D 5 Bytes JMP 6C3B9128 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!CreateDialogIndirectParamW 76D1EA10 5 Bytes JMP 6C3B9160 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!DialogBoxIndirectParamW 76D23B7F 5 Bytes JMP 6C3B8D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!EndDialog 76D23BA3 5 Bytes JMP 6C3B9B01 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!CreateDialogParamW 76D25630 5 Bytes JMP 6C3B90F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!SetKeyboardState 76D2695A 5 Bytes JMP 6C3BA11D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!SendInput 76D27019 5 Bytes JMP 6C3BA0C5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!SetCursorPos 76D3C1B0 5 Bytes JMP 6C3BA19E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!DialogBoxParamA 76D3CF42 5 Bytes JMP 6C3B8D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!DialogBoxIndirectParamA 76D3D274 5 Bytes JMP 6C3B8DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!MessageBoxIndirectA 76D4E869 5 Bytes JMP 6C3B8CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!MessageBoxIndirectW 76D4E963 5 Bytes JMP 6C3B8C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!MessageBoxExA 76D4E9C9 5 Bytes JMP 6C3B8BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!MessageBoxExW 76D4E9ED 5 Bytes JMP 6C3B8B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] USER32.dll!keybd_event 76D4EC3B 5 Bytes JMP 6C3BA082 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] SHELL32.dll!RealDriveType + 173D 75D6FE30 4 Bytes [CF, 01, 50, 73] {IRET ; ADD [EAX+0x73], EDX}
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] SHELL32.dll!RealDriveType + 1745 75D6FE38 8 Bytes [E0, 61, 4F, 73, 79, F7, 4F, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[1068] ole32.dll!OleLoadFromStream 76AF6143 5 Bytes JMP 6C3B955F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3276] USER32.dll!EnableWindow 76CF8D02 5 Bytes JMP 6C269EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3276] USER32.dll!DialogBoxParamW 76D13B9B 5 Bytes JMP 6C1C187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3276] USER32.dll!DialogBoxIndirectParamW 76D23B7F 5 Bytes JMP 6C3B8D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3276] USER32.dll!DialogBoxParamA 76D3CF42 5 Bytes JMP 6C3B8D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3276] USER32.dll!DialogBoxIndirectParamA 76D3D274 5 Bytes JMP 6C3B8DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3276] USER32.dll!MessageBoxIndirectA 76D4E869 5 Bytes JMP 6C3B8CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3276] USER32.dll!MessageBoxIndirectW 76D4E963 5 Bytes JMP 6C3B8C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3276] USER32.dll!MessageBoxExA 76D4E9C9 5 Bytes JMP 6C3B8BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3276] USER32.dll!MessageBoxExW 76D4E9ED 5 Bytes JMP 6C3B8B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] kernel32.dll!CreateThread 7580DCC2 5 Bytes JMP 6C2275CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!EnableWindow 76CF8D02 5 Bytes JMP 6C269EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!GetAsyncKeyState 76CFA256 5 Bytes JMP 6C20DEAD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!CallNextHookEx 76CFABE1 5 Bytes JMP 6C287FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!UnhookWindowsHookEx 76CFADF9 5 Bytes JMP 6C2AECE0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!DefWindowProcA 76CFBB1C 7 Bytes JMP 6C2297F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!CreateWindowExA 76CFBF40 5 Bytes JMP 6C23362B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!SetWindowsHookExW 76CFE30C 5 Bytes JMP 6C2625AC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!CreateWindowExW 76CFEC7C 5 Bytes JMP 6C2903B7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!GetKeyState 76D02B4D 5 Bytes JMP 6C20DD87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!IsDialogMessageW 76D04104 5 Bytes JMP 6C3B9855 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!DefWindowProcW 76D0507D 7 Bytes JMP 6C288042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!CreateDialogParamA 76D11F42 5 Bytes JMP 6C3B90B8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!IsDialogMessage 76D12019 5 Bytes JMP 6C3B982D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!DialogBoxParamW 76D13B9B 5 Bytes JMP 6C1C187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!CreateDialogIndirectParamA 76D1721D 5 Bytes JMP 6C3B9128 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!CreateDialogIndirectParamW 76D1EA10 5 Bytes JMP 6C3B9160 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!DialogBoxIndirectParamW 76D23B7F 5 Bytes JMP 6C3B8D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!EndDialog 76D23BA3 5 Bytes JMP 6C3B9B01 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!CreateDialogParamW 76D25630 5 Bytes JMP 6C3B90F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!SetKeyboardState 76D2695A 5 Bytes JMP 6C3BA11D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!SendInput 76D27019 5 Bytes JMP 6C3BA0C5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!SetCursorPos 76D3C1B0 5 Bytes JMP 6C3BA19E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!DialogBoxParamA 76D3CF42 5 Bytes JMP 6C3B8D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!DialogBoxIndirectParamA 76D3D274 5 Bytes JMP 6C3B8DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!MessageBoxIndirectA 76D4E869 5 Bytes JMP 6C3B8CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!MessageBoxIndirectW 76D4E963 5 Bytes JMP 6C3B8C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!MessageBoxExA 76D4E9C9 5 Bytes JMP 6C3B8BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!MessageBoxExW 76D4E9ED 5 Bytes JMP 6C3B8B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!keybd_event 76D4EC3B 5 Bytes JMP 6C3BA082 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] SHELL32.dll!RealDriveType + 173D 75D6FE30 4 Bytes [CF, 01, 50, 73] {IRET ; ADD [EAX+0x73], EDX}
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] SHELL32.dll!RealDriveType + 1745 75D6FE38 8 Bytes [E0, 61, 4F, 73, 79, F7, 4F, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] ole32.dll!OleLoadFromStream 76AF6143 5 Bytes JMP 6C3B955F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
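
Every user-mode hook GMER reports above for iexplore.exe[4276] lands in C:\Windows\system32\IEFRAME.dll, which GMER tags as Microsoft's own "Internet Browser" module; the only entries without a JMP destination are two inline byte patches in SHELL32.dll!RealDriveType. Sorting a hook list that way by hand is tedious, so here is an added example of doing it in Python. This is my code, not part of the thread and not GMER's; the trust rule (a JMP into a Microsoft-vendored module under C:\Windows is expected, anything else gets flagged) is an assumption chosen for illustration, and the WS2_32.dll!connect sample line is constructed, not from the log, to show what a flagged hook looks like.

```python
r"""Triage GMER user-mode hook lines.  Two shapes appear in the log above:
  .text <process>[pid] <module>!<export>[ + off] <addr> <n> Bytes JMP <dst> <path> (<vendor>)
  .text <process>[pid] <module>!<export>[ + off] <addr> <n> Bytes [<bytes>] {<disasm>}
Added example: my code, not the thread's and not GMER's.  Trust rule is an
assumption: a JMP whose destination lives under C:\Windows with GMER's
"Microsoft Corporation" vendor tag is expected; inline patches (no target to
vet) and JMPs anywhere else are flagged for a closer look.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)"
    r"(?:\s+\+\s+(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<dst>[0-9A-Fa-f]{8})\s+(?P<path>.+?)(?:\s+\((?P<vendor>[^)]*)\))?$")
PATCH_RE = re.compile(r"^\[(?P<bytes>[^\]]*)\](?:\s+\{(?P<disasm>[^}]*)\})?$")

TRUSTED_VENDOR = "Microsoft Corporation"   # assumption, see docstring
TRUSTED_PREFIX = "c:\\windows\\"           # assumption, see docstring


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    export: str
    offset: Optional[int]
    address: int
    nbytes: int
    kind: str                      # "jmp", "patch" or "unknown"
    target_path: Optional[str] = None
    target_vendor: Optional[str] = None
    patch_bytes: Optional[str] = None
    disasm: Optional[str] = None

    @property
    def symbol(self) -> str:
        base = f"{self.module}!{self.export}"
        return base if self.offset is None else f"{base}+{self.offset:X}"

    def suspicious(self) -> bool:
        """True unless this is a JMP into a Microsoft module under C:\\Windows."""
        if self.kind != "jmp":
            return True
        path_ok = (self.target_path or "").lower().startswith(TRUSTED_PREFIX)
        vendor_ok = TRUSTED_VENDOR in (self.target_vendor or "")
        return not (path_ok and vendor_ok)


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one GMER '.text' line; return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    offset = int(m["offset"], 16) if m["offset"] else None
    hook = Hook(m["proc"], int(m["pid"]), m["module"], m["export"], offset,
                int(m["addr"], 16), int(m["nbytes"]), kind="unknown")
    rest = m["rest"].strip()
    j = JMP_RE.match(rest)
    p = None if j else PATCH_RE.match(rest)
    if j:
        hook.kind, hook.target_path, hook.target_vendor = "jmp", j["path"], j["vendor"]
    elif p:
        hook.kind, hook.patch_bytes, hook.disasm = "patch", p["bytes"], p["disasm"]
    return hook


def triage(log_text: str) -> Dict[str, object]:
    """Parse every hook line in a GMER log and summarise what needs a look."""
    hooks: List[Hook] = [h for h in map(parse_hook, log_text.splitlines()) if h]
    by_target: Dict[str, int] = {}
    for h in hooks:
        key = h.target_path if h.kind == "jmp" else f"<{h.kind}>"
        by_target[key] = by_target.get(key, 0) + 1
    return {"hooks": hooks, "by_target": by_target,
            "flagged": [h for h in hooks if h.suspicious()]}


# Sample input: the first five lines are copied from the GMER log in this thread;
# the WS2_32.dll!connect line is constructed (hypothetical) so that a hook into
# an unsigned DLL in a user profile shows up as flagged.
SAMPLE_GMER = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!SetWindowsHookExW 76CFE30C 5 Bytes JMP 6C2625AC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] USER32.dll!DefWindowProcW 76D0507D 7 Bytes JMP 6C288042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] SHELL32.dll!RealDriveType + 173D 75D6FE30 4 Bytes [CF, 01, 50, 73] {IRET ; ADD [EAX+0x73], EDX}
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] SHELL32.dll!RealDriveType + 1745 75D6FE38 8 Bytes [E0, 61, 4F, 73, 79, F7, 4F, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] ole32.dll!OleLoadFromStream 76AF6143 5 Bytes JMP 6C3B955F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4276] WS2_32.dll!connect 76A4406C 5 Bytes JMP 10001A20 C:\Users\User\AppData\Local\Temp\hypothetical.dll
"""

if __name__ == "__main__":
    result = triage(SAMPLE_GMER)
    for path, n in result["by_target"].items():
        print(f"{n:3d} hook(s) -> {path}")
    for h in result["flagged"]:
        print(f"FLAG {h.process}[{h.pid}] {h.symbol} ({h.kind})")
```

Run against the full log in the post, the by_target table collapses to a single IEFRAME.dll row plus the two SHELL32 patches; the patches are flagged only because there is no destination module to vet, not because the tool knows what they are.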

#2 Tswan4027

Tswan4027
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:19 PM

Posted 19 July 2012 - 02:11 PM

Sorry, the first post didn't attach the .txt

Attached Files



#3 Tswan4027

Tswan4027
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:19 PM

Posted 24 July 2012 - 12:13 AM

So I take it no one can help me?

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:19 PM

Posted 24 July 2012 - 09:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs for my review.

#5 Tswan4027

Tswan4027
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:19 PM

Posted 25 July 2012 - 02:30 PM

Hello,

Thank you for responding. I have done what you asked, but ComboFix would not run. It would load up extracting then say "Error saving file. c:\windows\erdnt\Hiv-backup\BCD" and "RegCreateKeyEx: 5 - Access Denied".
Then it continues and says MSE is still running when it's not, and even if I hit OK to continue it just closes.

But here is the Security Check log

Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Norton Security Suite
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java™ 6 Update 31
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.3.183.5 Flash Player out of Date!
Adobe Reader X (10.1.3)
Google Chrome 20.0.1132.47
Google Chrome 20.0.1132.57
Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials msseces.exe
Windows Defender MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:19 PM

Posted 26 July 2012 - 07:48 AM

Will take care of the SecurityCheck later.

Download this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a flash drive.

Plug the flash drive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter (or FRST.exe on a 32-bit system).

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
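
Once the FRST.txt this procedure produces comes back (it is posted in the next reply), the first pass over it is mechanical: pull the Run, Services and Drivers lines into records and look first at entries whose file FRST could not find, entries with no publisher information, and paths that match a known adware toolbar. The Python below is an added example of that pass; it is my code, not part of the thread and not FRST's own tooling. Its sample input copies a handful of lines from the FRST.txt posted in this thread, but the readings of FRST's markers ("[x]" as file not found, "()" as no version/publisher information) and the PUP keyword list are my assumptions.

```python
r"""Turn the Run / Services / Drivers lines of an FRST.txt into records and
list the ones to look at first.
Added example: my code, not the thread's and not FRST's.  Readings of FRST's
markers are assumptions: "[x]" after a path = FRST could not find the file,
"()" = no publisher/version information.  PUP_KEYWORDS is an analyst-kept list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RUN_RE = re.compile(r"^(?P<loc>HK(?:LM|U\\[^\\]+)\\\.\.\.\\Run): \[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
SVC_RE = re.compile(r"^(?P<start>[0-4])\s+(?P<name>[^;]+);\s+(?P<cmd>.+)$")
INFO_RE = re.compile(r"^(?P<body>.*?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<pub>[^)]*)\)$")
MISSING_RE = re.compile(r"^(?P<body>.*?)\s+\[x\]$", re.IGNORECASE)
PATH_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|sys|dll|com))(?:\s|$)', re.IGNORECASE)
PUP_KEYWORDS = ("mywebs",)   # assumption: analyst-maintained, lower-case path substrings


@dataclass
class AutorunEntry:
    kind: str                  # "run", "service" or "driver"
    where: str                 # Run key for registry entries, "start=N" for services/drivers
    name: str
    command: str               # the command/path text exactly as FRST printed it
    path: Optional[str]        # executable path pulled out of the command
    size: Optional[int]
    date: Optional[str]
    publisher: Optional[str]   # "" when FRST printed "()"; None when the file was missing
    missing: bool              # True when FRST printed "[x]"


def _split_info(cmd: str):
    """Peel FRST's trailing "[size date] (publisher)" or "[x]" off a command."""
    m = INFO_RE.match(cmd)
    if m:
        return m["body"], int(m["size"]), m["date"], m["pub"], False
    m = MISSING_RE.match(cmd)
    if m:
        return m["body"], None, None, None, True
    return cmd, None, None, None, False


def _exe_path(body: str) -> Optional[str]:
    """Quoted path, or an unquoted path up to its .exe/.sys/.dll/.com extension."""
    m = PATH_RE.match(body.strip())
    return (m["q"] or m["u"]) if m else None


def parse_frst(text: str) -> List[AutorunEntry]:
    entries: List[AutorunEntry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):                 # e.g. "===== Services (Whitelisted) ====="
            section = line.strip("= ").lower()
            continue
        m = RUN_RE.match(line)
        if m:
            body, size, date, pub, missing = _split_info(m["cmd"])
            entries.append(AutorunEntry("run", m["loc"], m["name"], m["cmd"],
                                        _exe_path(body), size, date, pub, missing))
            continue
        m = SVC_RE.match(line)
        if m and ("service" in section or "driver" in section):
            body, size, date, pub, missing = _split_info(m["cmd"])
            kind = "driver" if "driver" in section else "service"
            entries.append(AutorunEntry(kind, "start=" + m["start"], m["name"], m["cmd"],
                                        _exe_path(body), size, date, pub, missing))
    return entries


def findings(entries: List[AutorunEntry]) -> List[Tuple[str, str]]:
    """(name, reason) pairs for entries that deserve a first look."""
    out: List[Tuple[str, str]] = []
    for e in entries:
        if e.missing:
            out.append((e.name, "file not found ([x]): orphaned autorun or missing component"))
        elif e.publisher == "":
            out.append((e.name, "no publisher/version info: unsigned or unknown binary"))
        if e.path and any(k in e.path.lower() for k in PUP_KEYWORDS):
            out.append((e.name, "path matches PUP keyword list"))
    return out


# Sample input: lines copied from the FRST.txt posted in this thread, with the
# section headers FRST prints, so the parser sees the same shapes it would in the
# real file.
SAMPLE_FRST = r"""
========================== Registry (Whitelisted) =============

HKLM\...\Run: [Mouse Suite 98 Daemon] ICO.EXE [x]
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
HKLM\...\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h [34336 2011-06-28] (MyWebSearch.com)
HKU\User\...\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide [1589208 2009-08-19] ()
HKU\User\...\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 [1652736 2010-10-29] (AWS Convergence Technologies, Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

================================ Services (Whitelisted) ==================

2 MyWebSearchService; C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe [34320 2011-06-28] (MyWebSearch.com)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]

========================== Drivers (Whitelisted) =============

3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [1035776 2009-07-13] (LSI Corp)
1 SYMTDIv; C:\Windows\System32\Drivers\N360\0404000.00C\SYMTDIV.SYS [340088 2011-08-21] (Symantec Corporation)
"""

if __name__ == "__main__":
    for name, reason in findings(parse_frst(SAMPLE_FRST)):
        print(f"{name}: {reason}")
```

The Winlogon, Tcpip and file-listing sections are deliberately skipped; the point is the autorun surface, and a missing-file flag on a security service (MsMpSvc) or a Run entry (Mouse Suite 98 Daemon) is what the responder checks against the rest of the log before deciding what to remove.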


#7 Tswan4027

Tswan4027
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:19 PM

Posted 28 July 2012 - 04:54 PM

Hello,

Here are the results

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 28-07-2012 16:46:07
Running from F:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Mouse Suite 98 Daemon] ICO.EXE [x]
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [170520 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h [34336 2011-06-28] (MyWebSearch.com)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Destinee Bieber\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-04-24] (Google Inc.)
HKU\User\...\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide [1589208 2009-08-19] ()
HKU\User\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-04-24] (Google Inc.)
HKU\User\...\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 [1652736 2010-10-29] (AWS Convergence Technologies, Inc.)
HKU\User\...\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe [970752 2005-03-16] (Adobe Systems Incorporated)
HKU\User\...\Run: [Facebook Update] "C:\Users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-11] (Facebook Inc.)
HKU\User\...\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-10-18] (Google Inc.)
HKU\User\...\Run: [ChromeFrameHelper] "C:\Users\User\AppData\Local\Google\Chrome\Application\20.0.1132.57\chrome_frame_helper.exe" --startup [96792 2012-07-09] (Google Inc.)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [26624 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Startup: C:\Users\User\Start Menu\Programs\Startup\Adobe Gamma.lnk
ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

================================ Services (Whitelisted) ==================

2 AntiSpywareService; C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [616408 2009-06-17] ()
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 MyWebSearchService; C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe [34320 2011-06-28] (MyWebSearch.com)
2 N360; "C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton Security Suite\Engine\4.4.0.12\diMaster.dll" /prefetch:1 [135032 2010-04-29] (Symantec Corporation)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [1035776 2009-07-13] (LSI Corp)
1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20120711.002\BHDrvx86.sys [821920 2012-06-18] (Symantec Corporation)
1 ccHP; C:\Windows\system32\drivers\N360\0404000.00C\ccHPx86.sys [485512 2011-08-03] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-05-31] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-05-31] (Symantec Corporation)
3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [9344 2009-04-17] (GARMIN Corp.)
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20120727.001\IDSvix86.sys [382624 2012-06-14] (Symantec Corporation)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20120727.033\NAVENG.SYS [87928 2012-05-16] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20120727.033\NAVEX15.SYS [1589752 2012-05-16] (Symantec Corporation)
3 NMgamingmsFltr; C:\Windows\System32\drivers\NMgamingms.sys [9472 2009-07-24] (Primax Ltd)
3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [16384 2003-01-10] (Primax Electronics Ltd.)
3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [9216 2003-02-11] (Primax Electronics Ltd.)
3 SRTSP; C:\Windows\System32\Drivers\N360\0404000.00C\SRTSP.SYS [325680 2010-04-21] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360\0404000.00C\SRTSPX.SYS [43696 2010-04-21] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360\0404000.00C\SYMDS.SYS [328752 2009-10-14] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360\0404000.00C\SYMEFA.SYS [173176 2011-08-21] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [124976 2011-01-26] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360\0404000.00C\Ironx86.SYS [116784 2010-04-28] (Symantec Corporation)
1 SYMTDIv; C:\Windows\System32\Drivers\N360\0404000.00C\SYMTDIV.SYS [340088 2011-08-21] (Symantec Corporation)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-28 16:45 - 2012-07-28 16:46 - 00000000 ____D C:\FRST
2012-07-25 11:34 - 2012-07-25 11:34 - 00000000 ____D C:\ComboFix
2012-07-25 11:10 - 2012-07-25 11:34 - 00000000 ___SD C:\32788R22FWJFW
2012-07-25 11:10 - 2012-07-25 11:19 - 00000000 ____D C:\Windows\erdnt
2012-07-25 11:10 - 2012-07-25 11:11 - 00000000 ____D C:\Qoobox
2012-07-25 11:07 - 2012-07-25 11:07 - 00881494 ____A C:\Users\User\Desktop\SecurityCheck.exe
2012-07-25 11:05 - 2012-07-25 11:05 - 04585817 ____R (Swearware) C:\Users\User\Desktop\ComboFix.exe
2012-07-19 11:09 - 2012-07-19 11:09 - 00024981 ____A C:\Users\User\Desktop\art.txt
2012-07-19 09:55 - 2012-07-19 09:55 - 00302592 ____A C:\Users\User\Desktop\j8yoo3es.exe
2012-07-19 09:46 - 2012-07-19 09:46 - 00016345 ____A C:\Users\User\Desktop\DDS.txt
2012-07-19 09:46 - 2012-07-19 09:46 - 00005335 ____A C:\Users\User\Desktop\Attach.txt
2012-07-19 09:44 - 2012-07-19 09:44 - 00607260 ____R (Swearware) C:\Users\User\Desktop\dds.scr
2012-07-19 09:43 - 2012-07-19 09:43 - 00000444 ____A C:\Users\User\Desktop\defogger_disable.log
2012-07-19 09:43 - 2012-07-19 09:43 - 00000000 ____A C:\Users\User\defogger_reenable
2012-07-19 09:40 - 2012-07-19 09:40 - 00050477 ____A C:\Users\User\Desktop\Defogger.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 03695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2012-07-14 11:26 - 2012-07-14 11:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-14 11:26 - 2012-07-14 11:26 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-14 11:26 - 2012-07-14 11:26 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00580608 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00434176 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00367104 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-07-14 11:26 - 2012-07-14 11:26 - 00353792 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00353584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00227840 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00223232 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00203776 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\ieakui.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00162304 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00152064 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00150528 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00130560 ____A (Microsoft Corporation) C:\Windows\System32\ieakeng.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00123392 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00118784 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00101888 ____A (Microsoft Corporation) C:\Windows\System32\admparse.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00086528 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00078848 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00074240 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00066048 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00063488 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2012-07-14 11:26 - 2012-07-14 11:26 - 00054272 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00035840 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00023552 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00011776 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-07-14 11:24 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-07-13 17:45 - 2012-07-13 17:51 - 00000000 ____D C:\Users\User\AppData\Local\NPE
2012-07-13 17:42 - 2012-07-13 17:42 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-07-13 17:33 - 2012-07-13 17:51 - 00000000 ____D C:\Users\User\Desktop\-Virus P
2012-07-12 22:21 - 2012-07-12 22:21 - 00002317 ____A C:\Users\User\Desktop\Nat Geo Adventure Lost City of Z.lnk
2012-07-12 22:21 - 2012-07-12 22:21 - 00000000 ____D C:\Users\User\AppData\Roaming\Oberon Media
2012-07-12 22:21 - 2012-07-12 22:21 - 00000000 ____D C:\Users\User\AppData\Roaming\Merscom
2012-07-12 22:21 - 2012-07-12 22:21 - 00000000 ____D C:\Users\All Users\Merscom
2012-07-12 22:20 - 2012-07-12 22:20 - 00001212 ____A C:\Users\User\Desktop\Games of the Month.lnk
2012-07-12 22:20 - 2012-07-12 22:20 - 00000000 ____D C:\Program Files\Oberon Media SIDR
2012-07-12 22:20 - 2012-07-12 22:20 - 00000000 ____D C:\Program Files\Common Files\Oberon Media
2012-07-12 22:14 - 2012-07-12 22:21 - 00000000 ____D C:\Users\All Users\Oberon Media
2012-07-12 22:13 - 2012-07-28 11:34 - 00000266 ____A C:\Windows\Tasks\CandyUpdater.job
2012-07-12 22:13 - 2012-07-12 22:13 - 00000000 ____D C:\Users\User\AppData\Local\ArcadeCandy
2012-07-12 00:01 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 02:08 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 02:08 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 02:08 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 02:08 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-11 02:08 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 02:08 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 02:08 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 02:08 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 02:08 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 02:08 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll

============ 3 Months Modified Files ========================

2012-07-28 13:39 - 2011-01-29 22:14 - 00000292 ____A C:\Windows\Tasks\iMeshNAG.job
2012-07-28 13:39 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-28 13:39 - 2009-07-13 20:39 - 00048113 ____A C:\Windows\setupact.log
2012-07-28 13:38 - 2011-01-29 19:58 - 00104956 ____A C:\Windows\PFRO.log
2012-07-28 13:38 - 2008-12-25 10:04 - 01525677 ____A C:\Windows\WindowsUpdate.log
2012-07-28 13:36 - 2008-12-25 10:11 - 00729816 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-28 13:29 - 2011-04-24 16:58 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-28 13:28 - 2011-04-24 16:58 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-28 13:19 - 2011-11-14 14:08 - 00000924 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4254701997-3986342860-1539197049-1000UA.job
2012-07-28 13:19 - 2011-11-14 14:08 - 00000902 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4254701997-3986342860-1539197049-1000Core.job
2012-07-28 12:59 - 2011-12-14 17:33 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4254701997-3986342860-1539197049-1000UA.job
2012-07-28 11:34 - 2012-07-12 22:13 - 00000266 ____A C:\Windows\Tasks\CandyUpdater.job
2012-07-28 05:44 - 2011-12-14 17:33 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4254701997-3986342860-1539197049-1000Core.job
2012-07-27 13:57 - 2009-07-13 20:34 - 00015008 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-27 13:57 - 2009-07-13 20:34 - 00015008 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-25 11:07 - 2012-07-25 11:07 - 00881494 ____A C:\Users\User\Desktop\SecurityCheck.exe
2012-07-25 11:05 - 2012-07-25 11:05 - 04585817 ____R (Swearware) C:\Users\User\Desktop\ComboFix.exe
2012-07-19 11:09 - 2012-07-19 11:09 - 00024981 ____A C:\Users\User\Desktop\art.txt
2012-07-19 09:55 - 2012-07-19 09:55 - 00302592 ____A C:\Users\User\Desktop\j8yoo3es.exe
2012-07-19 09:46 - 2012-07-19 09:46 - 00016345 ____A C:\Users\User\Desktop\DDS.txt
2012-07-19 09:46 - 2012-07-19 09:46 - 00005335 ____A C:\Users\User\Desktop\Attach.txt
2012-07-19 09:44 - 2012-07-19 09:44 - 00607260 ____R (Swearware) C:\Users\User\Desktop\dds.scr
2012-07-19 09:43 - 2012-07-19 09:43 - 00000444 ____A C:\Users\User\Desktop\defogger_disable.log
2012-07-19 09:43 - 2012-07-19 09:43 - 00000000 ____A C:\Users\User\defogger_reenable
2012-07-19 09:40 - 2012-07-19 09:40 - 00050477 ____A C:\Users\User\Desktop\Defogger.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 03695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2012-07-14 11:26 - 2012-07-14 11:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-14 11:26 - 2012-07-14 11:26 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-14 11:26 - 2012-07-14 11:26 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00580608 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00434176 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00367104 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-07-14 11:26 - 2012-07-14 11:26 - 00353792 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00353584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00227840 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00223232 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00203776 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\ieakui.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00162304 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00152064 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00150528 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00130560 ____A (Microsoft Corporation) C:\Windows\System32\ieakeng.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00123392 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00118784 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00101888 ____A (Microsoft Corporation) C:\Windows\System32\admparse.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00086528 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00078848 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00074240 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00066048 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00063488 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2012-07-14 11:26 - 2012-07-14 11:26 - 00054272 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00035840 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00023552 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00011776 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-07-14 11:26 - 2011-08-10 06:13 - 00005666 ____A C:\Windows\IE9_main.log
2012-07-12 22:21 - 2012-07-12 22:21 - 00002317 ____A C:\Users\User\Desktop\Nat Geo Adventure Lost City of Z.lnk
2012-07-12 22:20 - 2012-07-12 22:20 - 00001212 ____A C:\Users\User\Desktop\Games of the Month.lnk
2012-07-12 05:39 - 2011-06-10 18:04 - 00352968 ____A (Softonic) C:\Users\Public\Desktop\Play More Great Games!.url
2012-07-12 00:21 - 2009-07-13 20:53 - 00032654 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-12 00:21 - 2009-07-13 20:33 - 00267496 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 00:01 - 2011-01-18 07:49 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-11 15:59 - 2011-12-14 17:37 - 00002395 ____A C:\Users\User\Desktop\Google Chrome.lnk
2012-06-19 00:10 - 2012-06-19 00:10 - 00000201 ____A C:\Users\User\Desktop\merrill lynch benefits.url
2012-06-16 07:58 - 2012-06-16 07:58 - 00000157 ____A C:\Users\User\Desktop\Chrysler Dashboard Anywhere.url
2012-06-11 18:40 - 2012-07-12 00:01 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:41 - 2012-07-11 02:08 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 21:05 - 2012-07-11 02:08 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-11 02:08 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-11 02:08 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-02 14:19 - 2012-06-25 13:23 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-25 13:23 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-25 13:23 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-25 13:23 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-25 13:23 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-25 13:23 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-25 13:23 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-25 13:22 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:12 - 2012-06-25 13:22 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 20:45 - 2012-07-11 02:08 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-11 02:08 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-11 02:08 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-11 02:08 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-11 02:08 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-04 01:59 - 2012-07-14 11:24 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-05-02 16:39 - 2012-05-02 16:39 - 00001251 ____A C:\Users\Destinee Bieber\Desktop\Windows Live Movie Maker.lnk
2012-05-02 16:38 - 2012-05-02 16:38 - 00000020 ____A C:\Windows\
2012-04-30 20:44 - 2012-06-13 03:45 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 3932.88 MB
Available physical RAM: 3448.48 MB
Total Pagefile: 3931.15 MB
Available Pagefile: 3454.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:232.79 GB) (Free:151.98 GB) NTFS
3 Drive f: (KINGSTON) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 1906 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 232 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 232 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1905 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F KINGSTON FAT32 Removable 1905 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-28 07:12

======================= End Of Log ==========================

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 28-07-2012 16:46:07
Running from F:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Mouse Suite 98 Daemon] ICO.EXE [x]
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [170520 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h [34336 2011-06-28] (MyWebSearch.com)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Destinee Bieber\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-04-24] (Google Inc.)
HKU\User\...\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide [1589208 2009-08-19] ()
HKU\User\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-04-24] (Google Inc.)
HKU\User\...\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 [1652736 2010-10-29] (AWS Convergence Technologies, Inc.)
HKU\User\...\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe [970752 2005-03-16] (Adobe Systems Incorporated)
HKU\User\...\Run: [Facebook Update] "C:\Users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-11] (Facebook Inc.)
HKU\User\...\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-10-18] (Google Inc.)
HKU\User\...\Run: [ChromeFrameHelper] "C:\Users\User\AppData\Local\Google\Chrome\Application\20.0.1132.57\chrome_frame_helper.exe" --startup [96792 2012-07-09] (Google Inc.)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [26624 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Startup: C:\Users\User\Start Menu\Programs\Startup\Adobe Gamma.lnk
ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

================================ Services (Whitelisted) ==================

2 AntiSpywareService; C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [616408 2009-06-17] ()
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 MyWebSearchService; C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe [34320 2011-06-28] (MyWebSearch.com)
2 N360; "C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton Security Suite\Engine\4.4.0.12\diMaster.dll" /prefetch:1 [135032 2010-04-29] (Symantec Corporation)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [1035776 2009-07-13] (LSI Corp)
1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20120711.002\BHDrvx86.sys [821920 2012-06-18] (Symantec Corporation)
1 ccHP; C:\Windows\system32\drivers\N360\0404000.00C\ccHPx86.sys [485512 2011-08-03] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-05-31] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-05-31] (Symantec Corporation)
3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [9344 2009-04-17] (GARMIN Corp.)
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20120727.001\IDSvix86.sys [382624 2012-06-14] (Symantec Corporation)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20120727.033\NAVENG.SYS [87928 2012-05-16] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20120727.033\NAVEX15.SYS [1589752 2012-05-16] (Symantec Corporation)
3 NMgamingmsFltr; C:\Windows\System32\drivers\NMgamingms.sys [9472 2009-07-24] (Primax Ltd)
3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [16384 2003-01-10] (Primax Electronics Ltd.)
3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [9216 2003-02-11] (Primax Electronics Ltd.)
3 SRTSP; C:\Windows\System32\Drivers\N360\0404000.00C\SRTSP.SYS [325680 2010-04-21] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360\0404000.00C\SRTSPX.SYS [43696 2010-04-21] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360\0404000.00C\SYMDS.SYS [328752 2009-10-14] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360\0404000.00C\SYMEFA.SYS [173176 2011-08-21] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [124976 2011-01-26] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360\0404000.00C\Ironx86.SYS [116784 2010-04-28] (Symantec Corporation)
1 SYMTDIv; C:\Windows\System32\Drivers\N360\0404000.00C\SYMTDIV.SYS [340088 2011-08-21] (Symantec Corporation)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-28 16:45 - 2012-07-28 16:46 - 00000000 ____D C:\FRST
2012-07-25 11:34 - 2012-07-25 11:34 - 00000000 ____D C:\ComboFix
2012-07-25 11:10 - 2012-07-25 11:34 - 00000000 ___SD C:\32788R22FWJFW
2012-07-25 11:10 - 2012-07-25 11:19 - 00000000 ____D C:\Windows\erdnt
2012-07-25 11:10 - 2012-07-25 11:11 - 00000000 ____D C:\Qoobox
2012-07-25 11:07 - 2012-07-25 11:07 - 00881494 ____A C:\Users\User\Desktop\SecurityCheck.exe
2012-07-25 11:05 - 2012-07-25 11:05 - 04585817 ____R (Swearware) C:\Users\User\Desktop\ComboFix.exe
2012-07-19 11:09 - 2012-07-19 11:09 - 00024981 ____A C:\Users\User\Desktop\art.txt
2012-07-19 09:55 - 2012-07-19 09:55 - 00302592 ____A C:\Users\User\Desktop\j8yoo3es.exe
2012-07-19 09:46 - 2012-07-19 09:46 - 00016345 ____A C:\Users\User\Desktop\DDS.txt
2012-07-19 09:46 - 2012-07-19 09:46 - 00005335 ____A C:\Users\User\Desktop\Attach.txt
2012-07-19 09:44 - 2012-07-19 09:44 - 00607260 ____R (Swearware) C:\Users\User\Desktop\dds.scr
2012-07-19 09:43 - 2012-07-19 09:43 - 00000444 ____A C:\Users\User\Desktop\defogger_disable.log
2012-07-19 09:43 - 2012-07-19 09:43 - 00000000 ____A C:\Users\User\defogger_reenable
2012-07-19 09:40 - 2012-07-19 09:40 - 00050477 ____A C:\Users\User\Desktop\Defogger.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 03695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2012-07-14 11:26 - 2012-07-14 11:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-14 11:26 - 2012-07-14 11:26 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-14 11:26 - 2012-07-14 11:26 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00580608 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00434176 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00367104 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-07-14 11:26 - 2012-07-14 11:26 - 00353792 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00353584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00227840 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00223232 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00203776 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\ieakui.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00162304 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00152064 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00150528 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00130560 ____A (Microsoft Corporation) C:\Windows\System32\ieakeng.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00123392 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00118784 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00101888 ____A (Microsoft Corporation) C:\Windows\System32\admparse.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00086528 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00078848 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00074240 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00066048 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00063488 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2012-07-14 11:26 - 2012-07-14 11:26 - 00054272 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00035840 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00023552 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00011776 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-07-14 11:24 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-07-13 17:45 - 2012-07-13 17:51 - 00000000 ____D C:\Users\User\AppData\Local\NPE
2012-07-13 17:42 - 2012-07-13 17:42 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-07-13 17:33 - 2012-07-13 17:51 - 00000000 ____D C:\Users\User\Desktop\-Virus P
2012-07-12 22:21 - 2012-07-12 22:21 - 00002317 ____A C:\Users\User\Desktop\Nat Geo Adventure Lost City of Z.lnk
2012-07-12 22:21 - 2012-07-12 22:21 - 00000000 ____D C:\Users\User\AppData\Roaming\Oberon Media
2012-07-12 22:21 - 2012-07-12 22:21 - 00000000 ____D C:\Users\User\AppData\Roaming\Merscom
2012-07-12 22:21 - 2012-07-12 22:21 - 00000000 ____D C:\Users\All Users\Merscom
2012-07-12 22:20 - 2012-07-12 22:20 - 00001212 ____A C:\Users\User\Desktop\Games of the Month.lnk
2012-07-12 22:20 - 2012-07-12 22:20 - 00000000 ____D C:\Program Files\Oberon Media SIDR
2012-07-12 22:20 - 2012-07-12 22:20 - 00000000 ____D C:\Program Files\Common Files\Oberon Media
2012-07-12 22:14 - 2012-07-12 22:21 - 00000000 ____D C:\Users\All Users\Oberon Media
2012-07-12 22:13 - 2012-07-28 11:34 - 00000266 ____A C:\Windows\Tasks\CandyUpdater.job
2012-07-12 22:13 - 2012-07-12 22:13 - 00000000 ____D C:\Users\User\AppData\Local\ArcadeCandy
2012-07-12 00:01 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 02:08 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 02:08 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 02:08 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 02:08 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-11 02:08 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 02:08 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 02:08 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 02:08 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 02:08 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 02:08 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll

============ 3 Months Modified Files ========================

2012-07-28 13:39 - 2011-01-29 22:14 - 00000292 ____A C:\Windows\Tasks\iMeshNAG.job
2012-07-28 13:39 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-28 13:39 - 2009-07-13 20:39 - 00048113 ____A C:\Windows\setupact.log
2012-07-28 13:38 - 2011-01-29 19:58 - 00104956 ____A C:\Windows\PFRO.log
2012-07-28 13:38 - 2008-12-25 10:04 - 01525677 ____A C:\Windows\WindowsUpdate.log
2012-07-28 13:36 - 2008-12-25 10:11 - 00729816 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-28 13:29 - 2011-04-24 16:58 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-28 13:28 - 2011-04-24 16:58 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-28 13:19 - 2011-11-14 14:08 - 00000924 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4254701997-3986342860-1539197049-1000UA.job
2012-07-28 13:19 - 2011-11-14 14:08 - 00000902 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4254701997-3986342860-1539197049-1000Core.job
2012-07-28 12:59 - 2011-12-14 17:33 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4254701997-3986342860-1539197049-1000UA.job
2012-07-28 11:34 - 2012-07-12 22:13 - 00000266 ____A C:\Windows\Tasks\CandyUpdater.job
2012-07-28 05:44 - 2011-12-14 17:33 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4254701997-3986342860-1539197049-1000Core.job
2012-07-27 13:57 - 2009-07-13 20:34 - 00015008 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-27 13:57 - 2009-07-13 20:34 - 00015008 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-25 11:07 - 2012-07-25 11:07 - 00881494 ____A C:\Users\User\Desktop\SecurityCheck.exe
2012-07-25 11:05 - 2012-07-25 11:05 - 04585817 ____R (Swearware) C:\Users\User\Desktop\ComboFix.exe
2012-07-19 11:09 - 2012-07-19 11:09 - 00024981 ____A C:\Users\User\Desktop\art.txt
2012-07-19 09:55 - 2012-07-19 09:55 - 00302592 ____A C:\Users\User\Desktop\j8yoo3es.exe
2012-07-19 09:46 - 2012-07-19 09:46 - 00016345 ____A C:\Users\User\Desktop\DDS.txt
2012-07-19 09:46 - 2012-07-19 09:46 - 00005335 ____A C:\Users\User\Desktop\Attach.txt
2012-07-19 09:44 - 2012-07-19 09:44 - 00607260 ____R (Swearware) C:\Users\User\Desktop\dds.scr
2012-07-19 09:43 - 2012-07-19 09:43 - 00000444 ____A C:\Users\User\Desktop\defogger_disable.log
2012-07-19 09:43 - 2012-07-19 09:43 - 00000000 ____A C:\Users\User\defogger_reenable
2012-07-19 09:40 - 2012-07-19 09:40 - 00050477 ____A C:\Users\User\Desktop\Defogger.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 03695416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2012-07-14 11:26 - 2012-07-14 11:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-14 11:26 - 2012-07-14 11:26 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-14 11:26 - 2012-07-14 11:26 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00580608 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00434176 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00367104 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-07-14 11:26 - 2012-07-14 11:26 - 00353792 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00353584 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00227840 ____A (Microsoft Corporation) C:\Windows\System32\ieaksie.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00223232 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00203776 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00163840 ____A (Microsoft Corporation) C:\Windows\System32\ieakui.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00162304 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00152064 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00150528 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00130560 ____A (Microsoft Corporation) C:\Windows\System32\ieakeng.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00123392 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00118784 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00110592 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00101888 ____A (Microsoft Corporation) C:\Windows\System32\admparse.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00086528 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00078848 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00076800 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00074752 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00074240 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00066048 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00063488 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2012-07-14 11:26 - 2012-07-14 11:26 - 00054272 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00035840 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00031744 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00023552 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-07-14 11:26 - 2012-07-14 11:26 - 00011776 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2012-07-14 11:26 - 2012-07-14 11:26 - 00010752 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-07-14 11:26 - 2011-08-10 06:13 - 00005666 ____A C:\Windows\IE9_main.log
2012-07-12 22:21 - 2012-07-12 22:21 - 00002317 ____A C:\Users\User\Desktop\Nat Geo Adventure Lost City of Z.lnk
2012-07-12 22:20 - 2012-07-12 22:20 - 00001212 ____A C:\Users\User\Desktop\Games of the Month.lnk
2012-07-12 05:39 - 2011-06-10 18:04 - 00352968 ____A (Softonic) C:\Users\Public\Desktop\Play More Great Games!.url
2012-07-12 00:21 - 2009-07-13 20:53 - 00032654 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-12 00:21 - 2009-07-13 20:33 - 00267496 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 00:01 - 2011-01-18 07:49 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-11 15:59 - 2011-12-14 17:37 - 00002395 ____A C:\Users\User\Desktop\Google Chrome.lnk
2012-06-19 00:10 - 2012-06-19 00:10 - 00000201 ____A C:\Users\User\Desktop\merrill lynch benefits.url
2012-06-16 07:58 - 2012-06-16 07:58 - 00000157 ____A C:\Users\User\Desktop\Chrysler Dashboard Anywhere.url
2012-06-11 18:40 - 2012-07-12 00:01 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:41 - 2012-07-11 02:08 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 21:05 - 2012-07-11 02:08 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-11 02:08 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-11 02:08 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-02 14:19 - 2012-06-25 13:23 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-25 13:23 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-25 13:23 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-25 13:23 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-25 13:23 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-25 13:23 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-25 13:23 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-25 13:22 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:12 - 2012-06-25 13:22 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 20:45 - 2012-07-11 02:08 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-11 02:08 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-11 02:08 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-11 02:08 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-11 02:08 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-04 01:59 - 2012-07-14 11:24 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-05-02 16:39 - 2012-05-02 16:39 - 00001251 ____A C:\Users\Destinee Bieber\Desktop\Windows Live Movie Maker.lnk
2012-05-02 16:38 - 2012-05-02 16:38 - 00000020 ____A C:\Windows\
2012-04-30 20:44 - 2012-06-13 03:45 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 3932.88 MB
Available physical RAM: 3448.48 MB
Total Pagefile: 3931.15 MB
Available Pagefile: 3454.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:232.79 GB) (Free:151.98 GB) NTFS
3 Drive f: (KINGSTON) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 1906 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 232 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 232 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1905 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F KINGSTON FAT32 Removable 1905 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-28 07:12

======================= End Of Log ==========================
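
The two short sections near the end of the log above are the ones that decide whether a file infector or a shell hijack is in play: the "Bamital & volsnap Check" compares the MD5 of the binaries that Bamital and similar infectors patch against known-good values, and the "EXE ASSOCIATION" section confirms that launching any .exe still goes through the default `"%1" %*` command rather than a dropper that runs first. The Python below is an added example, not FRST's or BleepingComputer's code; it parses excerpts in the format shown above and flags any binary whose MD5 is not reported as legit and any exefile value that differs from the Windows 7 defaults. The first sample is copied from the log above; the second, with a redirected `exefile\open\command`, is constructed for illustration and the verdict wording in it is assumed.

```python
import re

# Default exefile registration on Windows 7 (what FRST reports as "OK").
EXPECTED_EXE_ASSOC = {
    r"HKLM\...\.exe": "exefile",
    r"HKLM\...\exefile\DefaultIcon": "%1",
    r"HKLM\...\exefile\open\command": '"%1" %*',
}

MD5_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is (?P<verdict>.+)$")
ASSOC_LINE = re.compile(r"^(?P<key>HKLM\\\.\.\.\\[^:]+): (?P<value>.*?) => (?P<status>\S+)$")

# Excerpt copied from the clean log in this thread.
CLEAN_SAMPLE = r"""
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
"""

# Constructed sample: a patched userinit.exe and an exefile command that runs a
# dropper before the real program. The verdict/status wording is assumed; the
# checker treats anything other than "legit" / the default value as a finding.
HIJACKED_SAMPLE = r"""
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is not legit
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "C:\Users\User\AppData\Roaming\example.exe" "%1" %* => ATTENTION!
"""


def check_frst_log(text):
    """Return (section, item, is_ok, detail) for every MD5 or association line found."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = MD5_LINE.match(line)
        if m:
            ok = m.group("verdict").strip() == "legit"
            findings.append(("md5", m.group("path"), ok, m.group("verdict").strip()))
            continue
        m = ASSOC_LINE.match(line)
        if m:
            key, value = m.group("key"), m.group("value").strip()
            # Judge the value ourselves instead of trusting the tool's OK/ATTENTION tag.
            ok = EXPECTED_EXE_ASSOC.get(key) == value
            findings.append(("exe_assoc", key, ok, value))
    return findings


def suspicious(findings):
    """Only the findings that need a human to look at them."""
    return [f for f in findings if not f[2]]


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("hijacked", HIJACKED_SAMPLE)):
        bad = suspicious(check_frst_log(sample))
        print(name, "->", "nothing flagged" if not bad else bad)
```

On the log posted above the checker flags nothing, which is consistent with the thread's conclusion that the about:blank behaviour is not coming from a patched system binary or a hijacked .exe association; on the constructed sample it reports the two altered items and nothing else.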

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:19 PM

Posted 29 July 2012 - 08:39 AM

If you have a CD Emulator Software (Daemon Tools, Alcohol etc) installed, the drivers this software uses can interfere with the Anti-Rootkit tools we use. These interferences can take a few forms, like GMER crashing or causing BSODs, or Rootkit scans producing large amounts of FPs and general dross. This 'dross' often makes it hard to differentiate between genuine malicious Rootkits, and the legitimate drivers used by CD Emulators.

Disable the CD emulators....

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed. Or when this computer is clean.

HOW TO: Enable the CD Emulators... < restore only when we are finished.

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled
===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#9 Tswan4027

Tswan4027
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:19 PM

Posted 31 July 2012 - 04:19 PM

Hello,

Nothing has seemed to change. Here are the logs

15:43:25.0160 0712 TDSS rootkit removing tool 2.7.45.0 Jul 9 2012 12:46:35
15:43:27.0174 0712 ============================================================
15:43:27.0174 0712 Current date / time: 2012/07/31 15:43:27.0174
15:43:27.0174 0712 SystemInfo:
15:43:27.0174 0712
15:43:27.0174 0712 OS Version: 6.1.7601 ServicePack: 1.0
15:43:27.0174 0712 Product type: Workstation
15:43:27.0174 0712 ComputerName: USER-PC
15:43:27.0174 0712 UserName: User
15:43:27.0174 0712 Windows directory: C:\Windows
15:43:27.0174 0712 System windows directory: C:\Windows
15:43:27.0174 0712 Processor architecture: Intel x86
15:43:27.0174 0712 Number of processors: 2
15:43:27.0174 0712 Page size: 0x1000
15:43:27.0174 0712 Boot type: Normal boot
15:43:27.0174 0712 ============================================================
15:43:29.0077 0712 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
15:43:29.0077 0712 ============================================================
15:43:29.0077 0712 \Device\Harddisk0\DR0:
15:43:29.0077 0712 MBR partitions:
15:43:29.0077 0712 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
15:43:29.0077 0712 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1D192800
15:43:29.0077 0712 ============================================================
15:43:29.0108 0712 C: <-> \Device\Harddisk0\DR0\Partition1
15:43:29.0108 0712 ============================================================
15:43:29.0108 0712 Initialize success
15:43:29.0108 0712 ============================================================
15:43:41.0635 4308 Deinitialize success


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-31 15:48:02
-----------------------------
15:48:02.203 OS Version: Windows 6.1.7601 Service Pack 1
15:48:02.203 Number of processors: 2 586 0x170A
15:48:02.203 ComputerName: USER-PC UserName: User
15:48:05.604 Initialize success
15:49:07.584 AVAST engine defs: 12073102
15:49:16.585 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
15:49:16.585 Disk 0 Vendor: Hitachi_HTS545025B9A300 PB2OC64G Size: 238475MB BusType: 11
15:49:16.601 Disk 0 MBR read successfully
15:49:16.617 Disk 0 MBR scan
15:49:16.617 Disk 0 Windows 7 default MBR code
15:49:16.632 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
15:49:16.648 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 238373 MB offset 206848
15:49:16.663 Disk 0 scanning sectors +488394752
15:49:16.726 Disk 0 scanning C:\Windows\system32\drivers
15:49:31.374 Service scanning
15:50:17.194 Modules scanning
15:50:33.559 Disk 0 trace - called modules:
15:50:33.574 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
15:50:34.089 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x860a7030]
15:50:34.089 3 CLASSPNP.SYS[8b02959e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85fa9338]
15:50:34.885 AVAST engine scan C:\Windows
15:50:38.067 AVAST engine scan C:\Windows\system32
15:55:07.097 AVAST engine scan C:\Windows\system32\drivers
15:55:30.553 AVAST engine scan C:\Users\User
16:06:11.900 AVAST engine scan C:\ProgramData
16:10:12.788 Scan finished successfully
16:17:27.967 Disk 0 MBR has been saved successfully to "C:\Users\User\Desktop\MBR.dat"
16:17:27.967 The log file has been saved successfully to "C:\Users\User\Desktop\aswMBR.txt"

Attached Files

  • Attached File: MBR.zip (559 bytes)

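TDSSKiller reports the partition table in hex sectors while aswMBR reports it in megabytes and decimal sector offsets, so the first thing a reviewer does with the two logs above is confirm that they describe the same layout, that only the System Reserved partition carries the 0x80 boot flag, and that aswMBR's "scanning sectors +N" pass starts exactly where the last partition ends, because the unpartitioned tail of the disk is where MBR bootkits keep their payload. The script below is an added example, not part of either tool or of this thread; it runs that cross-check on the relevant lines copied from the two logs above. The 1 MiB size rounding and the expectation that exactly the first partition is active are assumptions stated in the comments.

```python
import re

# Lines copied from the TDSSKiller and aswMBR logs posted in this thread.
TDSSKILLER_LOG = r"""
15:43:29.0077 0712 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
15:43:29.0077 0712 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
15:43:29.0077 0712 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1D192800
"""

ASWMBR_LOG = r"""
15:49:16.617 Disk 0 Windows 7 default MBR code
15:49:16.632 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
15:49:16.648 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 238373 MB offset 206848
15:49:16.663 Disk 0 scanning sectors +488394752
"""

TDSS_DISK = re.compile(r"Size: 0x([0-9A-Fa-f]+) .*?SectorSize: 0x([0-9A-Fa-f]+)")
TDSS_PART = re.compile(r"Partition(\d+): MBR, Type 0x([0-9A-Fa-f]+), StartLBA 0x([0-9A-Fa-f]+), BlocksNum 0x([0-9A-Fa-f]+)")
ASW_PART = re.compile(r"Disk 0 Partition (\d+) ([0-9A-Fa-f]{2})(?: \(A\))? ([0-9A-Fa-f]{2}) .*? (\d+) MB offset (\d+)")
ASW_SCAN = re.compile(r"Disk 0 scanning sectors \+(\d+)")


def parse_tdsskiller(text):
    """Return (disk_sectors, sector_size, [(type, start_lba, length_sectors), ...])."""
    disk_sectors = sector_size = None
    parts = []
    for line in text.splitlines():
        m = TDSS_DISK.search(line)
        if m:
            size_bytes, sector_size = int(m.group(1), 16), int(m.group(2), 16)
            disk_sectors = size_bytes // sector_size
        m = TDSS_PART.search(line)
        if m:
            parts.append((int(m.group(2), 16), int(m.group(3), 16), int(m.group(4), 16)))
    return disk_sectors, sector_size, parts


def parse_aswmbr(text):
    """Return ([(boot_flag, type, size_mb, offset_sectors), ...], scan_start, mbr_is_default)."""
    parts, scan_start = [], None
    for line in text.splitlines():
        m = ASW_PART.search(line)
        if m:
            parts.append((int(m.group(2), 16), int(m.group(3), 16), int(m.group(4)), int(m.group(5))))
        m = ASW_SCAN.search(line)
        if m:
            scan_start = int(m.group(1))
    return parts, scan_start, "default MBR code" in text


def cross_check(tdss_text, asw_text):
    """Compare the two tools' view of disk 0 and measure the unpartitioned tail."""
    disk_sectors, sector_size, tdss_parts = parse_tdsskiller(tdss_text)
    asw_parts, scan_start, default_mbr = parse_aswmbr(asw_text)
    report = {"default_mbr_code": default_mbr, "problems": []}
    if len(tdss_parts) != len(asw_parts):
        report["problems"].append("partition count differs between tools")
    for i, ((t_type, t_start, t_len), (_boot, a_type, a_mb, a_off)) in enumerate(zip(tdss_parts, asw_parts), 1):
        if t_type != a_type or t_start != a_off:
            report["problems"].append(f"partition {i}: type/offset mismatch")
        # Assumption: aswMBR rounds sizes down to whole MiB (1 MiB = 2048 sectors of 512 bytes).
        if t_len * sector_size // (1024 * 1024) != a_mb:
            report["problems"].append(f"partition {i}: size mismatch")
    # Assumption: on a default Windows 7 install only partition 1 (System Reserved) is active.
    report["active_partitions"] = [i for i, p in enumerate(asw_parts, 1) if p[0] == 0x80]
    if report["active_partitions"] != [1]:
        report["problems"].append("unexpected boot flag layout")
    last_end = max(start + length for _t, start, length in tdss_parts)
    report["unallocated_tail_sectors"] = disk_sectors - last_end
    report["scan_starts_at_last_partition_end"] = scan_start == last_end
    return report


if __name__ == "__main__":
    for key, value in cross_check(TDSSKILLER_LOG, ASWMBR_LOG).items():
        print(f"{key}: {value}")
```

For the logs above the two tools agree: the 100 MB active System Reserved partition starts at sector 2048, C: starts at sector 206848 and is 238373 MB long, aswMBR's sector scan begins at sector 488394752, which is exactly the end of C:, and the 2416 sectors left after it are the tail that neither tool flagged. A mismatch between the tools, a second active partition, or a scan that starts somewhere other than the end of the last partition would be the point to look harder at the MBR.dat that aswMBR saved.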

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,955 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:19 PM

Posted 01 August 2012 - 08:43 AM

Sorry for this long delay.
I had some technical difficulties. I'm back.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs for my review.



