
Another Win32 Sirefef victim


This topic is locked
12 replies to this topic

#1 NiteMoque

  • Members
  • 6 posts

Posted 21 July 2012 - 05:22 AM

Hi,

Last week, my computer got the Win32 Sirefef and it just keeps on restarting after a few minutes.

I am using Windows 7 and Windows Security Essentials. I also ran Malwarebytes and nothing worked.

Please help me in removing the virus. Below is the FRST.txt.

Many Thanks,
NiteMoque

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 13-07-2012
Ran by SYSTEM at 21-07-2012 18:13:51
Running from H:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [] [x]
HKU\Micheru Wu\...\Run: [Google Update] "C:\Users\Micheru Wu\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-11-12] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

================================ Services (Whitelisted) ==================

2 Application Updater; "C:\Program Files\Application Updater\ApplicationUpdater.exe" [791488 2012-06-27] (Spigot, Inc.)
2 BBSvc; C:\Program Files\Microsoft\BingBar\7.1.364.0\BBSvc.exe [193816 2012-02-19] (Microsoft Corporation.)
3 BBUpdate; C:\Program Files\Microsoft\BingBar\7.1.364.0\SeaPort.exe [240408 2012-02-19] (Microsoft Corporation.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
3 npggsvc; C:\Windows\system32\GameMon.des -service [3992160 2011-12-12] (INCA Internet Co., Ltd.)
3 fsssvc; "C:\Program Files\Windows Live\Family Safety\fsssvc.exe" [x]
2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [x]
4 wlcrasvc; "C:\Program Files\Windows Live\Mesh\wlcrasvc.exe" [x]

========================== Drivers (Whitelisted) =============

0 DasBoot; C:\Windows\system32\drivers\DasBoot.SYS [20744 2012-01-17] ()
0 DasBootF; C:\Windows\system32\drivers\DasBootF.SYS [59272 2012-01-17] ()
3 hitmanpro36; \??\C:\Windows\system32\drivers\hitmanpro36.sys [27424 2012-07-14] ()
3 HtcVCom32; C:\Windows\System32\DRIVERS\HtcVComV32.sys [103424 2009-01-23] (QUALCOMM Incorporated)
3 LVUSBSta; C:\Windows\System32\DRIVERS\LVUSBSta.sys [41888 2007-05-09] (Logitech Inc.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 PID_PEPI; C:\Windows\System32\DRIVERS\LV302V32.SYS [1276832 2007-05-09] (Logitech Inc.)
3 PRSBDrvr; C:\Windows\System32\DRIVERS\PRSBDrvr.sys [28424 2012-01-17] ()
1 cmulliit; \??\C:\Windows\system32\drivers\cmulliit.sys [x]
3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [x]
3 SirefefRemover; \??\C:\Users\MICHER~1\AppData\Local\Temp\62154ed0.tmp [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-21 01:48 - 2012-07-21 01:48 - 00000929 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-07-21 01:48 - 2012-07-21 01:48 - 00000000 ____D C:\Program Files\CCleaner
2012-07-21 01:45 - 2012-07-21 01:45 - 00000000 ____A C:\Users\Micheru Wu\defogger_reenable
2012-07-15 00:50 - 2012-07-15 00:50 - 00072969 ____A C:\Users\Micheru Wu\Desktop\yorkyt.exe.log
2012-07-15 00:50 - 2012-01-17 12:55 - 00028424 ____A C:\Windows\System32\Drivers\PRSBDrvr.sys
2012-07-15 00:47 - 2012-07-15 00:47 - 00218074 ____A C:\Windows\System32\PHOOKSmf2.TXT
2012-07-15 00:47 - 2012-07-15 00:35 - 01415784 ____A C:\Users\Micheru Wu\Desktop\yorkyt.exe
2012-07-15 00:44 - 2012-07-21 02:11 - 00188862 ____A C:\Windows\System32\PHOOKSmf.txt
2012-07-15 00:40 - 2012-07-21 02:10 - 00000000 ____D C:\Windows\System32\DBBK
2012-07-15 00:40 - 2012-03-22 08:17 - 00225664 ____A C:\Windows\System32\Drivers\DasBootS.SYS
2012-07-15 00:40 - 2012-01-17 12:55 - 00059272 ____A C:\Windows\System32\Drivers\DasBootF.SYS
2012-07-15 00:40 - 2012-01-17 12:55 - 00027528 ____A C:\Windows\System32\Drivers\DasBootK.SYS
2012-07-15 00:40 - 2012-01-17 12:55 - 00020744 ____A C:\Windows\System32\Drivers\DasBoot.SYS
2012-07-15 00:40 - 2012-01-17 12:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootI.SYS
2012-07-15 00:40 - 2012-01-17 12:55 - 00009096 ____A C:\Windows\System32\Drivers\DasBootE.SYS
2012-07-15 00:40 - 2010-05-03 17:37 - 00003072 ____A C:\Windows\System32\Drivers\DasBootD.SYS
2012-07-15 00:24 - 2012-07-15 00:24 - 00100864 ____A (GMER) C:\pxldypoc.sys
2012-07-15 00:24 - 2012-07-15 00:03 - 00087040 ____A C:\Users\Micheru Wu\Desktop\inherit.exe
2012-07-15 00:24 - 2011-07-16 06:21 - 00302592 ____A C:\Users\Micheru Wu\Desktop\gmer.exe
2012-07-15 00:24 - 2010-09-06 23:39 - 00150392 ____A (Sysinternals - www.sysinternals.com) C:\Users\Micheru Wu\Desktop\junction.exe
2012-07-14 23:31 - 2012-07-14 23:31 - 00000000 ____D C:\Program Files\HitmanPro
2012-07-14 23:17 - 2012-07-14 23:31 - 00027424 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
2012-07-14 23:17 - 2012-07-14 23:31 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-07-13 22:38 - 2012-07-13 22:38 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\hwtahaou.sys
2012-07-13 22:31 - 2012-07-13 22:31 - 00001105 ____A C:\Users\Micheru Wu\Desktop\SpyHunter4 - Shortcut.lnk
2012-07-13 22:30 - 2012-07-13 22:30 - 00001490 ____A C:\Users\Micheru Wu\Desktop\mbam - Shortcut.lnk
2012-07-13 22:23 - 2012-07-13 22:23 - 00000000 ____D C:\Users\Micheru Wu\Desktop\SpyHunter
2012-07-13 21:56 - 2012-07-13 21:56 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\misljwwg.sys
2012-07-13 20:50 - 2012-07-13 20:50 - 00509440 ____A (iS3, Inc.) C:\Users\Micheru Wu\Downloads\SZSetupAV_offer01.exe
2012-07-13 20:49 - 2012-07-13 20:49 - 00137096 ____A (ESET) C:\Users\Micheru Wu\Downloads\ESETSirefefRemover.exe
2012-07-13 20:42 - 2012-07-13 20:43 - 00000000 ____D C:\FRST
2012-07-13 20:21 - 2012-07-13 20:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-13 20:20 - 2012-07-13 20:20 - 10288512 ____A (Microsoft Corporation) C:\Users\Micheru Wu\Downloads\mseinstall.exe
2012-07-13 14:46 - 2012-07-13 14:46 - 00347424 ____A (Microsoft Corporation) C:\Users\Micheru Wu\Downloads\MicrosoftFixit.wu.Run.exe
2012-07-13 14:37 - 2012-07-13 14:39 - 00000000 ____D C:\Users\All Users\Windows Codecs
2012-07-13 14:37 - 2012-07-13 14:37 - 00000000 ____D C:\Program Files\Mega Codec Pack
2012-07-13 05:41 - 2012-07-13 05:41 - 00031209 ____A C:\Users\Micheru Wu\Downloads\torrentdownloads net The Amazing Spider-Man 2012 [English] [DVDScr] [AC3] HOPE.torrent
2012-07-13 02:26 - 2012-07-13 02:26 - 00004664 ____A C:\Users\Micheru Wu\Downloads\torrentdownloads net Battleship 2012 DVD Rip XVid-DiAMOND.torrent
2012-07-13 01:27 - 2012-07-13 01:27 - 00000698 ____A C:\Users\Micheru Wu\Desktop\CDisplayEx.lnk
2012-07-13 01:26 - 2012-07-13 01:27 - 05749280 ____A (Henri Gourvest. ) C:\Users\Micheru Wu\Downloads\CDisplayEx_V1.8.exe
2012-07-11 04:50 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-11 04:50 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-11 04:50 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-11 04:50 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-11 04:50 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-11 04:50 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-11 04:50 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-11 04:50 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-11 04:50 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-11 04:50 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-11 04:50 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-11 04:50 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-11 04:50 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-11 04:50 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-11 04:43 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 04:42 - 2012-07-11 04:43 - 00258776 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-11 03:36 - 2012-07-11 03:36 - 00000204 ____A C:\Windows\System32\secustat.dat
2012-07-11 03:24 - 2012-07-11 03:25 - 00000000 ____D C:\Program Files\Counter-Strike 1.6
2012-07-11 03:18 - 2012-07-11 03:18 - 00000025 ____A C:\Windows\libem.INI
2012-07-11 03:17 - 2012-07-11 03:17 - 00000886 ____A C:\Users\Micheru Wu\Desktop\FlashGet3.lnk
2012-07-11 03:16 - 2012-07-13 22:13 - 00000000 ____D C:\Users\Micheru Wu\AppData\Roaming\BITS
2012-07-11 03:15 - 2012-07-11 03:15 - 00000000 ____D C:\Users\Micheru Wu\AppData\Roaming\FlashGetBHO
2012-07-10 13:55 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-10 13:55 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-10 13:55 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-10 13:55 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-10 13:55 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-10 13:55 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-10 13:55 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-10 13:55 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-10 13:54 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-10 13:54 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-08 01:01 - 2012-07-08 01:01 - 02685152 ____A (McAfee, Inc.) C:\Users\Micheru Wu\Downloads\McAfeeScanAndRepair1_Release.exe
2012-07-07 20:59 - 2012-07-07 21:01 - 00000000 ____D C:\Program Files\intellidownload
2012-07-07 20:59 - 2012-07-07 21:00 - 00000000 ____D C:\Program Files\TorrentSearch
2012-07-06 04:58 - 2012-07-06 04:58 - 00064832 ____A C:\Users\Micheru Wu\Downloads\torrentdownloads net The Amazing Spider-Man (2012) DVD-Rip.torrent
2012-07-05 14:46 - 2012-07-05 14:46 - 00172098 ____A C:\torrent.exe
2012-07-02 22:50 - 2012-07-02 22:50 - 00036150 ____A C:\Users\Micheru Wu\kimberly-geswein_sunshine-in-my-soul.zip
2012-07-02 22:50 - 2012-07-02 22:50 - 00026702 ____A C:\Users\Micheru Wu\kimberly-geswein_stars-from-our-eyes.zip
2012-07-02 22:50 - 2012-07-02 22:50 - 00025689 ____A C:\Users\Micheru Wu\kimberly-geswein_shelter-me.zip
2012-07-02 22:49 - 2012-07-02 22:49 - 00071762 ____A C:\Users\Micheru Wu\kimberly-geswein_throw-my-hands-up-in-the-air.zip
2012-07-02 22:49 - 2012-07-02 22:48 - 00026696 ____A C:\Users\Micheru Wu\kimberly-geswein_the-only-exception.zip
2012-07-02 22:48 - 2012-07-02 22:48 - 00032793 ____A C:\Users\Micheru Wu\kimberly-geswein_beautiful-every-time.zip
2012-07-02 22:47 - 2012-07-02 22:47 - 00040563 ____A C:\Users\Micheru Wu\kimberly-geswein_dawning-of-a-new-day.zip
2012-07-02 22:44 - 2012-07-02 22:45 - 00551848 ____A C:\Users\Micheru Wu\billy-argel_the-dreamer.zip
2012-07-02 22:44 - 2012-07-02 22:45 - 00424896 ____A C:\Users\Micheru Wu\m錸s-greb鋍k_many-weatz.zip
2012-07-02 22:44 - 2012-07-02 22:45 - 00363008 ____A C:\Users\Micheru Wu\jenna-sue-design-co_jenna-sue.zip
2012-07-02 22:43 - 2012-07-02 22:44 - 00730584 ____A C:\Users\Micheru Wu\billy-argel_blessed-day.zip
2012-07-02 22:43 - 2012-07-02 22:44 - 00317391 ____A C:\Users\Micheru Wu\billy-argel_bleep-happens.zip
2012-07-02 22:39 - 2012-07-02 22:39 - 00038853 ____A C:\Users\Micheru Wu\sffoxboro.zip
2012-07-02 00:53 - 2012-07-02 00:53 - 00000000 ____D C:\Program Files\YouTube Downloader Toolbar
2012-07-02 00:53 - 2012-07-02 00:53 - 00000000 ____D C:\Program Files\Common Files\Spigot
2012-07-02 00:53 - 2012-07-02 00:53 - 00000000 ____D C:\Program Files\Application Updater
2012-06-29 04:12 - 2012-06-29 04:12 - 00000000 ____D C:\PPS.tv
2012-06-29 03:26 - 2012-07-02 14:30 - 00000767 ____A C:\Users\Public\Desktop\PPS??.lnk
2012-06-29 03:08 - 2012-06-29 03:09 - 00463080 ____A (CNET Download.com) C:\Users\Micheru Wu\Downloads\cnet2_x-movie-maker6-cnet_exe.exe
2012-06-25 00:04 - 2012-06-25 00:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\System32\msxml4.dll


============ 3 Months Modified Files ========================

2012-07-21 02:11 - 2012-07-15 00:44 - 00188862 ____A C:\Windows\System32\PHOOKSmf.txt
2012-07-21 02:10 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-21 02:09 - 2009-07-13 20:39 - 00053903 ____A C:\Windows\setupact.log
2012-07-21 01:48 - 2012-07-21 01:48 - 00000929 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-07-21 01:45 - 2012-07-21 01:45 - 00000000 ____A C:\Users\Micheru Wu\defogger_reenable
2012-07-15 00:50 - 2012-07-15 00:50 - 00072969 ____A C:\Users\Micheru Wu\Desktop\yorkyt.exe.log
2012-07-15 00:47 - 2012-07-15 00:47 - 00218074 ____A C:\Windows\System32\PHOOKSmf2.TXT
2012-07-15 00:39 - 2011-11-12 19:32 - 00738000 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-15 00:35 - 2012-07-15 00:47 - 01415784 ____A C:\Users\Micheru Wu\Desktop\yorkyt.exe
2012-07-15 00:24 - 2012-07-15 00:24 - 00100864 ____A (GMER) C:\pxldypoc.sys
2012-07-15 00:03 - 2012-07-15 00:24 - 00087040 ____A C:\Users\Micheru Wu\Desktop\inherit.exe
2012-07-14 23:31 - 2012-07-14 23:17 - 00027424 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
2012-07-14 23:27 - 2011-11-12 19:15 - 01769960 ____A C:\Windows\WindowsUpdate.log
2012-07-14 23:25 - 2011-11-12 19:54 - 00000928 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1041435734-4285072689-3168404971-1001UA.job
2012-07-14 23:16 - 2011-11-12 21:25 - 00157644 ____A C:\Windows\PFRO.log
2012-07-13 22:38 - 2012-07-13 22:38 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\hwtahaou.sys
2012-07-13 22:31 - 2012-07-13 22:31 - 00001105 ____A C:\Users\Micheru Wu\Desktop\SpyHunter4 - Shortcut.lnk
2012-07-13 22:30 - 2012-07-13 22:30 - 00001490 ____A C:\Users\Micheru Wu\Desktop\mbam - Shortcut.lnk
2012-07-13 22:25 - 2011-11-12 19:54 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1041435734-4285072689-3168404971-1001Core.job
2012-07-13 21:56 - 2012-07-13 21:56 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\misljwwg.sys
2012-07-13 20:50 - 2012-07-13 20:50 - 00509440 ____A (iS3, Inc.) C:\Users\Micheru Wu\Downloads\SZSetupAV_offer01.exe
2012-07-13 20:49 - 2012-07-13 20:49 - 00137096 ____A (ESET) C:\Users\Micheru Wu\Downloads\ESETSirefefRemover.exe
2012-07-13 20:36 - 2009-07-13 20:34 - 00015168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-13 20:36 - 2009-07-13 20:34 - 00015168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-13 20:22 - 2012-04-25 11:02 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-13 20:20 - 2012-07-13 20:20 - 10288512 ____A (Microsoft Corporation) C:\Users\Micheru Wu\Downloads\mseinstall.exe
2012-07-13 14:46 - 2012-07-13 14:46 - 00347424 ____A (Microsoft Corporation) C:\Users\Micheru Wu\Downloads\MicrosoftFixit.wu.Run.exe
2012-07-13 14:39 - 2011-12-08 22:21 - 00000361 ____A C:\rkill.log
2012-07-13 05:41 - 2012-07-13 05:41 - 00031209 ____A C:\Users\Micheru Wu\Downloads\torrentdownloads net The Amazing Spider-Man 2012 [English] [DVDScr] [AC3] HOPE.torrent
2012-07-13 02:26 - 2012-07-13 02:26 - 00004664 ____A C:\Users\Micheru Wu\Downloads\torrentdownloads net Battleship 2012 DVD Rip XVid-DiAMOND.torrent
2012-07-13 01:27 - 2012-07-13 01:27 - 00000698 ____A C:\Users\Micheru Wu\Desktop\CDisplayEx.lnk
2012-07-13 01:27 - 2012-07-13 01:26 - 05749280 ____A (Henri Gourvest. ) C:\Users\Micheru Wu\Downloads\CDisplayEx_V1.8.exe
2012-07-12 01:21 - 2011-11-12 20:44 - 00002423 ____A C:\Users\Micheru Wu\Desktop\Google Chrome.lnk
2012-07-11 13:41 - 2009-07-13 20:33 - 00418560 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 04:50 - 2009-07-13 18:04 - 00000478 ____A C:\Windows\win.ini
2012-07-11 04:43 - 2012-07-11 04:42 - 00258776 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-11 04:43 - 2011-11-19 20:48 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-11 03:36 - 2012-07-11 03:36 - 00000204 ____A C:\Windows\System32\secustat.dat
2012-07-11 03:30 - 2012-05-17 22:25 - 00001835 ____A C:\Users\Micheru Wu\Desktop\Counter Strike 1.6 No Steam.lnk
2012-07-11 03:18 - 2012-07-11 03:18 - 00000025 ____A C:\Windows\libem.INI
2012-07-11 03:17 - 2012-07-11 03:17 - 00000886 ____A C:\Users\Micheru Wu\Desktop\FlashGet3.lnk
2012-07-08 01:01 - 2012-07-08 01:01 - 02685152 ____A (McAfee, Inc.) C:\Users\Micheru Wu\Downloads\McAfeeScanAndRepair1_Release.exe
2012-07-06 14:33 - 2009-07-13 20:53 - 00032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-06 04:58 - 2012-07-06 04:58 - 00064832 ____A C:\Users\Micheru Wu\Downloads\torrentdownloads net The Amazing Spider-Man (2012) DVD-Rip.torrent
2012-07-05 14:46 - 2012-07-05 14:46 - 00172098 ____A C:\torrent.exe
2012-07-04 18:36 - 2011-11-15 01:31 - 00026112 ____A C:\Users\Micheru Wu\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-02 23:14 - 2011-11-12 19:36 - 00112560 ____A C:\Users\Micheru Wu\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-02 22:50 - 2012-07-02 22:50 - 00036150 ____A C:\Users\Micheru Wu\kimberly-geswein_sunshine-in-my-soul.zip
2012-07-02 22:50 - 2012-07-02 22:50 - 00026702 ____A C:\Users\Micheru Wu\kimberly-geswein_stars-from-our-eyes.zip
2012-07-02 22:50 - 2012-07-02 22:50 - 00025689 ____A C:\Users\Micheru Wu\kimberly-geswein_shelter-me.zip
2012-07-02 22:49 - 2012-07-02 22:49 - 00071762 ____A C:\Users\Micheru Wu\kimberly-geswein_throw-my-hands-up-in-the-air.zip
2012-07-02 22:48 - 2012-07-02 22:49 - 00026696 ____A C:\Users\Micheru Wu\kimberly-geswein_the-only-exception.zip
2012-07-02 22:48 - 2012-07-02 22:48 - 00032793 ____A C:\Users\Micheru Wu\kimberly-geswein_beautiful-every-time.zip
2012-07-02 22:47 - 2012-07-02 22:47 - 00040563 ____A C:\Users\Micheru Wu\kimberly-geswein_dawning-of-a-new-day.zip
2012-07-02 22:45 - 2012-07-02 22:44 - 00551848 ____A C:\Users\Micheru Wu\billy-argel_the-dreamer.zip
2012-07-02 22:45 - 2012-07-02 22:44 - 00424896 ____A C:\Users\Micheru Wu\m錸s-greb鋍k_many-weatz.zip
2012-07-02 22:45 - 2012-07-02 22:44 - 00363008 ____A C:\Users\Micheru Wu\jenna-sue-design-co_jenna-sue.zip
2012-07-02 22:44 - 2012-07-02 22:43 - 00730584 ____A C:\Users\Micheru Wu\billy-argel_blessed-day.zip
2012-07-02 22:44 - 2012-07-02 22:43 - 00317391 ____A C:\Users\Micheru Wu\billy-argel_bleep-happens.zip
2012-07-02 22:39 - 2012-07-02 22:39 - 00038853 ____A C:\Users\Micheru Wu\sffoxboro.zip
2012-07-02 14:30 - 2012-06-29 03:26 - 00000767 ____A C:\Users\Public\Desktop\PPS??.lnk
2012-06-29 03:09 - 2012-06-29 03:08 - 00463080 ____A (CNET Download.com) C:\Users\Micheru Wu\Downloads\cnet2_x-movie-maker6-cnet_exe.exe
2012-06-25 00:04 - 2012-06-25 00:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\System32\msxml4.dll
2012-06-16 03:51 - 2012-06-16 03:51 - 00003111 ____A C:\Users\Micheru Wu\Desktop\MP3 Album Artwork Tool.lnk
2012-06-12 03:10 - 2012-06-12 03:10 - 00001713 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-06-11 18:40 - 2012-07-11 04:43 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-09 19:53 - 2012-04-23 13:49 - 00000968 ____A C:\Users\Public\Desktop\YTD YouTube Downloader & Converter.lnk
2012-06-08 20:41 - 2012-07-10 13:54 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 21:05 - 2012-07-10 13:55 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-10 13:55 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-10 13:54 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 17:30 - 2012-06-05 17:29 - 01012656 ____A C:\Users\Micheru Wu\Desktop\iExplore.exe
2012-06-04 22:23 - 2012-06-04 22:23 - 00000811 ____A C:\Users\Micheru Wu\Desktop\iKu.lnk
2012-06-04 22:23 - 2012-06-04 22:23 - 00000605 ____A C:\Users\Micheru Wu\Desktop\Revo Uninstaller.lnk
2012-06-02 14:19 - 2012-06-18 13:45 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-18 13:45 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-18 13:45 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-18 13:44 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-18 13:44 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-18 13:45 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-18 13:44 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 01:07 - 2012-07-11 04:50 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-11 04:50 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-11 04:50 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-11 04:50 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-11 04:50 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 04:50 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-11 04:50 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-11 04:50 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 04:50 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 04:50 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-11 04:50 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-11 04:50 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 04:50 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 04:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 23:19 - 2012-06-18 13:44 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-01 23:12 - 2012-06-18 13:44 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 20:45 - 2012-07-10 13:55 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-10 13:55 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-10 13:55 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-10 13:55 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-10 13:55 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-18 02:22 - 2012-05-18 02:22 - 00001096 ____A C:\Users\Micheru Wu\Desktop\PotPlayer.lnk
2012-05-17 22:25 - 2012-05-17 22:25 - 00001973 ____A C:\Users\Micheru Wu\Desktop\Dedicated Server.lnk
2012-04-30 20:44 - 2012-06-14 01:08 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 21:58 - 2012-04-27 21:56 - 14120634 ____A C:\Users\Micheru Wu\Desktop\06-06-2011-PotPlayer1.5.28025.EXE
2012-04-27 20:26 - 2012-02-11 01:46 - 00064240 ____A C:\Windows\DPINST.LOG
2012-04-27 19:17 - 2012-06-14 01:08 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-27 03:36 - 2012-04-27 03:35 - 00964447 ____A (GeoVid ) C:\Users\Micheru Wu\Downloads\video-mp3-extractor.exe
2012-04-26 23:06 - 2012-04-26 23:06 - 00001048 ____A C:\Users\Micheru Wu\Desktop\audacity - Shortcut.lnk
2012-04-25 20:45 - 2012-06-14 01:08 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-25 20:45 - 2012-06-14 01:08 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-25 20:41 - 2012-06-14 01:08 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-04-24 04:49 - 2012-04-24 04:49 - 00001318 ____A C:\Users\Micheru Wu\Documents\dxxd.txt
2012-04-23 20:36 - 2012-06-14 01:08 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 20:36 - 2012-06-14 01:08 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 20:36 - 2012-06-14 01:08 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll


ZeroAccess:
C:\Users\Micheru Wu\AppData\Local\{dc62a37e-03b4-727a-ca34-b92ff05d2efd}
C:\Users\Micheru Wu\AppData\Local\{dc62a37e-03b4-727a-ca34-b92ff05d2efd}\@
C:\Users\Micheru Wu\AppData\Local\{dc62a37e-03b4-727a-ca34-b92ff05d2efd}\L
C:\Users\Micheru Wu\AppData\Local\{dc62a37e-03b4-727a-ca34-b92ff05d2efd}\n
C:\Users\Micheru Wu\AppData\Local\{dc62a37e-03b4-727a-ca34-b92ff05d2efd}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 30%
Total physical RAM: 1527.51 MB
Available physical RAM: 1056.41 MB
Total Pagefile: 1527.51 MB
Available Pagefile: 1058.31 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.2 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:34.18 GB) (Free:4.21 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Fixed) (Total:74.71 GB) (Free:68.65 GB) NTFS
3 Drive e: (MICHERU WU) (Fixed) (Total:40.35 GB) (Free:13.94 GB) NTFS
4 Drive f: () (Fixed) (Total:74.3 GB) (Free:72.78 GB) NTFS
6 Drive h: (MICHERU WU) (Removable) (Total:3.7 GB) (Free:0.92 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 74 GB 1024 KB
Disk 1 Online 149 GB 0 B
Disk 2 Online 3796 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 34 GB 31 KB
Partition 2 Primary 40 GB 34 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 34 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E MICHERU WU NTFS Partition 40 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 74 GB 31 KB
Partition 2 Primary 74 GB 74 GB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D NTFS Partition 74 GB Healthy

==================================================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F NTFS Partition 74 GB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3792 MB 4032 KB

==================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H MICHERU WU FAT32 Removable 3792 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-11 04:27

======================= End Of Log ==========================

Edited by NiteMoque, 21 July 2012 - 05:24 AM.




#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 July 2012 - 03:48 PM

Hi

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
2 Application Updater; "C:\Program Files\Application Updater\ApplicationUpdater.exe" [791488 2012-06-27] (Spigot, Inc.)
C:\Program Files\Application Updater\ApplicationUpdater.exe
HKLM\...\Run: [] [x]
1 cmulliit; \??\C:\Windows\system32\drivers\cmulliit.sys [x]
C:\Users\Micheru Wu\AppData\Local\{dc62a37e-03b4-727a-ca34-b92ff05d2efd}
C:\Windows\assembly\GAC\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 NiteMoque
  • Topic Starter
  • Members
  • 6 posts

Posted 21 July 2012 - 09:33 PM

My computer no longer restarts now. Many thanks.

Below is the FRST Fixlog

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 13-07-2012
Ran by SYSTEM at 2012-07-22 06:50:44 Run:2
Running from H:\

==============================================

Application Updater service deleted successfully.
C:\Program Files\Application Updater\ApplicationUpdater.exe moved successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
cmulliit service deleted successfully.
C:\Users\Micheru Wu\AppData\Local\{dc62a37e-03b4-727a-ca34-b92ff05d2efd} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.

==== End of Fixlog ====


And this is the combofix log


ComboFix 12-07-21.01 - Micheru Wu 7/2012 Sun 7:16.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.936.86.1033.18.1528.938 [GMT 8:00]
Running from: c:\users\Micheru Wu\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Deleted files )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
G:\install.exe
.
.
((((((((((((((((((((((((( Files created from 2012-06-21 to 2012-07-21 )))))))))))))))))))))))))))))))
.
.
2012-07-21 09:48 . 2012-07-21 09:48 -------- d-----w- c:\program files\CCleaner
2012-07-15 08:50 . 2012-01-17 20:55 28424 ----a-w- c:\windows\system32\drivers\PRSBDrvr.sys
2012-07-15 08:45 . 2012-07-21 23:29 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6B5F5632-F8B0-4E87-BA56-FA93C76D66C5}\offreg.dll
2012-07-15 08:40 . 2012-07-21 23:30 -------- d-----w- c:\windows\system32\DBBK
2012-07-15 08:40 . 2012-03-22 16:17 225664 ----a-w- c:\windows\system32\drivers\DasBootS.SYS
2012-07-15 08:40 . 2012-01-17 20:55 9096 ----a-w- c:\windows\system32\drivers\DasBootI.SYS
2012-07-15 08:40 . 2012-01-17 20:55 27528 ----a-w- c:\windows\system32\drivers\DasBootK.SYS
2012-07-15 08:40 . 2012-01-17 20:55 9096 ----a-w- c:\windows\system32\drivers\DasBootE.SYS
2012-07-15 08:40 . 2012-01-17 20:55 59272 ----a-w- c:\windows\system32\drivers\DasBootF.SYS
2012-07-15 08:40 . 2012-01-17 20:55 20744 ----a-w- c:\windows\system32\drivers\DasBoot.SYS
2012-07-15 08:40 . 2010-05-04 01:37 3072 ----a-w- c:\windows\system32\drivers\DasBootD.SYS
2012-07-15 08:24 . 2012-07-15 08:24 100864 ----a-w- C:\pxldypoc.sys
2012-07-15 07:31 . 2012-07-15 07:31 -------- d-----w- c:\program files\HitmanPro
2012-07-15 07:17 . 2012-07-15 07:31 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-07-15 07:17 . 2012-07-15 07:31 -------- d-----w- c:\programdata\HitmanPro
2012-07-14 06:38 . 2012-07-14 06:38 43480 ----a-w- c:\windows\system32\drivers\hwtahaou.sys
2012-07-14 05:56 . 2012-07-14 05:56 43480 ----a-w- c:\windows\system32\drivers\misljwwg.sys
2012-07-14 04:42 . 2012-07-14 04:43 -------- d-----w- C:\FRST
2012-07-14 04:35 . 2012-02-09 06:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5B23CEC9-663C-4B5F-8E81-A68059028AD3}\gapaengine.dll
2012-07-14 04:34 . 2012-06-17 19:14 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6B5F5632-F8B0-4E87-BA56-FA93C76D66C5}\mpengine.dll
2012-07-14 04:21 . 2012-07-14 04:21 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-13 22:37 . 2012-07-13 22:39 -------- d-----w- c:\programdata\Windows Codecs
2012-07-13 22:37 . 2012-07-13 22:37 -------- d-----w- c:\program files\Mega Codec Pack
2012-07-11 12:43 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 11:24 . 2012-07-11 11:25 -------- d-----w- c:\program files\Counter-Strike 1.6
2012-07-11 11:16 . 2012-07-14 06:13 -------- d-----w- c:\users\Micheru Wu\AppData\Roaming\BITS
2012-07-11 11:16 . 2012-07-11 11:16 -------- d-----w- c:\users\Micheru Wu\AppData\Roaming\FlashgetSetup
2012-07-11 11:15 . 2012-07-11 11:15 -------- d-----w- c:\users\Micheru Wu\AppData\Roaming\FlashGetBHO
2012-07-10 21:55 . 2012-06-02 04:45 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-10 21:55 . 2012-06-02 04:40 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-10 21:55 . 2012-06-02 04:39 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-10 21:55 . 2012-06-02 04:45 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-10 21:55 . 2012-06-02 04:40 225280 ----a-w- c:\windows\system32\schannel.dll
2012-07-10 21:55 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-07-10 21:55 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-07-10 21:55 . 2010-06-26 03:24 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-10 21:54 . 2012-06-06 05:05 1019904 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-10 21:54 . 2012-06-06 05:03 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-07-10 21:54 . 2012-06-06 05:05 57344 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2012-07-10 21:54 . 2012-06-06 05:05 352256 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-07-10 21:54 . 2012-06-06 05:05 143360 ----a-w- c:\program files\Common Files\System\ado\msjro.dll
2012-07-10 21:54 . 2012-06-06 05:05 372736 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-07-10 21:54 . 2012-06-06 05:05 212992 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-07-08 04:59 . 2012-07-08 05:01 -------- d-----w- c:\program files\OApps
2012-07-08 04:59 . 2012-07-08 05:00 -------- d-----w- c:\program files\TorrentSearch
2012-07-08 04:59 . 2012-07-08 05:01 -------- d-----w- c:\program files\intellidownload
2012-07-05 22:46 . 2012-07-05 22:46 172098 ----a-w- C:\torrent.exe
2012-07-02 08:53 . 2012-07-22 14:50 -------- d-----w- c:\program files\Application Updater
2012-07-02 08:53 . 2012-07-02 08:53 -------- d-----w- c:\program files\YouTube Downloader Toolbar
2012-07-02 08:53 . 2012-07-02 08:53 -------- d-----w- c:\program files\Common Files\Spigot
2012-06-29 12:12 . 2012-06-29 12:12 -------- d-----w- C:\PPS.tv
2012-06-25 08:04 . 2012-06-25 08:04 1394248 ----a-w- c:\windows\system32\msxml4.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Files modified within the last three months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 22:19 . 2012-06-18 21:45 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-18 21:45 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-18 21:44 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-18 21:44 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-18 21:45 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-18 21:45 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-18 21:44 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 07:19 . 2012-06-18 21:44 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 07:12 . 2012-06-18 21:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-01 04:44 . 2012-06-14 09:08 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:17 . 2012-06-14 09:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:45 . 2012-06-14 09:08 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:45 . 2012-06-14 09:08 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41 . 2012-06-14 09:08 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-24 04:36 . 2012-06-14 09:08 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-04-24 04:36 . 2012-06-14 09:08 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-04-24 04:36 . 2012-06-14 09:08 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
.
((((((((((((((((((((((((((((((((((((( Important registry load points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68DD98BF-9DE8-418C-89F0-E37AC61CC2D9}]
2012-07-03 16:06 92160 ----a-w- c:\program files\OApps\bho_project.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Windows Codecs]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2012-07-13 22:37 172032 ----a-w- c:\programdata\Windows Codecs\MediaShellOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SirefefRemover]
@=""
.
[HKLM\~\startupfolder\C:^Users^Micheru Wu^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PPS.lnk]
path=c:\users\Micheru Wu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk
backup=c:\windows\pss\PPS.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 02:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-05-30 12:06 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2011-03-15 02:09 2565520 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2011-08-04 09:06 1612920 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashGet 3]
2012-03-15 02:05 3090056 ----a-w- e:\program files\FlashGet Network\FlashGet 3\Flashget3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-06-07 11:33 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-03-26 09:08 931200 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPS Accelerator]
2010-02-24 03:25 214408 ----a-w- c:\pps.tv\PPStream\PPSAP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-18 12:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
2012-06-27 09:11 1090440 ----a-w- c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 01:21 648072 ----a-w- c:\windows\WindowsMobile\wmdcBase.exe
.
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [x]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.364.0\SeaPort.exe [x]
R3 hitmanpro36;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [x]
R3 HtcVCom32;HTC Diagnostic Port;c:\windows\system32\DRIVERS\HtcVComV32.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 PRSBDrvr;PRSBDrvr;c:\windows\system32\DRIVERS\PRSBDrvr.sys [x]
R3 SirefefRemover;SirefefRemover;c:\users\MICHER~1\AppData\Local\Temp\62154ed0.tmp [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 DasBoot;Panda AntiMalware Support;c:\windows\\SystemRoot\system32\drivers\DasBoot.SYS [x]
S0 DasBootF;Panda AntiMalware Support MF;c:\windows\\SystemRoot\system32\drivers\DasBootF.SYS [x]
S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.364.0\BBSvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1041435734-4285072689-3168404971-1001Core.job
- c:\users\Micheru Wu\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-13 03:54]
.
2012-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1041435734-4285072689-3168404971-1001UA.job
- c:\users\Micheru Wu\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-13 03:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Download all links by FlashGet3 - e:\program files\FlashGet Network\FlashGet 3\BHO\fdgetallurl.htm
IE: Download by FlashGet3 - e:\program files\FlashGet Network\FlashGet 3\BHO\fdgeturl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\ikutm.dll
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe
MSConfigStartUp-HTC Sync Loader - c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
MSConfigStartUp-Malwarebytes' Anti-Malware (reboot) - e:\malwarebytes' anti-malware\mbam.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
AddRemove-Avidemux 2.5 - e:\program files\Avidemux 2.5\uninstall.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - e:\program files\Malwarebytes' Anti-Malware\unins000.exe
AddRemove-PPSGame - e:\pps.tv\PPSGame\unppsgame.exe
AddRemove-Video mp3 Extractor_is1 - e:\program files\Video mp3 Extractor\unins000.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SirefefRemover]
"ImagePath"="\??\c:\users\MICHER~1\AppData\Local\Temp\62154ed0.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-07-22 07:39:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-21 23:38
.
Pre-Run: 3,988,963,328 bytes free
Post-Run: 4,368,072,704 bytes free
.
- - End Of File - - 0A335E18DD1C807E80D09F1FA5F80B57

Edited by NiteMoque, 21 July 2012 - 09:33 PM.
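
The FRST fix above works by listing directives in fixlist.txt (a service line, a bare file or folder path, a Run-key entry) and reading back what Fixlog.txt reports for each of them. The script below, added here as an example and not part of the thread or of FRST, takes the fixlist and Fixlog posted in this thread and checks that every directive has a matching success line, so that a directive FRST silently skipped does not go unnoticed. It only models the directive and result formats visible in the two posts above (service/driver deletion, file or folder move, restore of the Run key's Default value); any other directive is reported as needing a manual check rather than guessed at.

```python
"""Reconcile an FRST fixlist.txt against the Fixlog.txt it produced.

Added example; not FRST's own code and not from the original posts.
Only the directive and result formats seen in the thread are modelled.
"""
import re

# Fixlist and Fixlog text taken verbatim from the posts above.
FIXLIST = r"""start
2 Application Updater; "C:\Program Files\Application Updater\ApplicationUpdater.exe" [791488 2012-06-27] (Spigot, Inc.)
C:\Program Files\Application Updater\ApplicationUpdater.exe
HKLM\...\Run: [] [x]
1 cmulliit; \??\C:\Windows\system32\drivers\cmulliit.sys [x]
C:\Users\Micheru Wu\AppData\Local\{dc62a37e-03b4-727a-ca34-b92ff05d2efd}
C:\Windows\assembly\GAC\Desktop.ini
end"""

FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 13-07-2012
Ran by SYSTEM at 2012-07-22 06:50:44 Run:2
Running from H:\

==============================================

Application Updater service deleted successfully.
C:\Program Files\Application Updater\ApplicationUpdater.exe moved successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
cmulliit service deleted successfully.
C:\Users\Micheru Wu\AppData\Local\{dc62a37e-03b4-727a-ca34-b92ff05d2efd} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.

==== End of Fixlog ====
"""

# Service/driver line as FRST prints it: "<start type> <name>; <image path> ..."
SERVICE_RE = re.compile(r"^(\d)\s+([^;]+);\s*(.*)$")
# Run-key entry: HKLM\...\Run: [<value name>] <data>
RUN_RE = re.compile(r"^(HKLM|HKU\\[^\\]+)\\\.\.\.\\Run:\s*\[(.*?)\]\s*(.*)$")
# Bare file or folder path.
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def expected_results(fixlist: str) -> dict:
    """Map each directive to the Fixlog line that proves it was applied (None = check by hand)."""
    wanted = {}
    for line in fixlist.splitlines():
        line = line.strip()
        if not line or line in ("start", "end"):
            continue
        m = SERVICE_RE.match(line)
        if m:
            # Services (type 2) and drivers (type 1) are both reported as "service deleted".
            wanted[line] = f"{m.group(2).strip()} service deleted successfully."
            continue
        m = RUN_RE.match(line)
        if m:
            # Only the case seen in the thread is modelled: an empty value name under
            # HKLM is the key's (Default) value, which FRST reports as restored.
            if m.group(1) == "HKLM" and m.group(2) == "":
                wanted[line] = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
                                r"\Run\\ Default Value restored successfully.")
            else:
                wanted[line] = None
            continue
        if PATH_RE.match(line):
            wanted[line] = line + " moved successfully."
            continue
        wanted[line] = None  # unknown directive type
    return wanted


def reconcile(fixlist: str, fixlog: str):
    """Return (confirmed, unconfirmed) lists of directives."""
    log_lines = {l.strip() for l in fixlog.splitlines()}
    confirmed, unconfirmed = [], []
    for directive, expect in expected_results(fixlist).items():
        if expect is not None and expect in log_lines:
            confirmed.append(directive)
        else:
            unconfirmed.append(directive)
    return confirmed, unconfirmed


if __name__ == "__main__":
    ok, todo = reconcile(FIXLIST, FIXLOG)
    print(f"{len(ok)} directive(s) confirmed in Fixlog")
    for d in todo:
        print("UNCONFIRMED:", d)
```

Run against the two logs above, all six directives are confirmed. Removing a single result line from the Fixlog text makes the corresponding directive show up as unconfirmed, which is the case worth catching when a fix is run from the Recovery Environment and the log is the only feedback.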


#4 CatByte
    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 July 2012 - 09:47 PM

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 NiteMoque
  • Topic Starter
  • Members
  • 6 posts

Posted 22 July 2012 - 02:26 AM

My dad removed some of the viruses first without my permission with MSE. Will it interfere with the process?

Anyways, the Malwarebytes log.


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.22.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Micheru Wu :: MW-PC [administrator]

22/7/2012 12:24:14 PM
mbam-log-2012-07-22 (12-24-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 186056
Time elapsed: 11 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


And the ESETSCAN


C:\FRST\Quarantine\{dc62a37e-03b4-727a-ca34-b92ff05d2efd}\n a variant of Win32/Kryptik.AIEA trojan
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files\intellidownload\vfd.exe Win32/BHO.OES trojan
C:\Program Files\OApps\bho_project.dll Win32/Adware.Facetheme.C application
C:\Program Files\YouTube Downloader Toolbar\IE\6.0\youtubedownloaderToolbarIE.dll a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{B5AE19CA-0F41-435A-8682-03E6447AA4AB}\RP237\A0282643.rbf probably a variant of Win32/Toolbar.Widgi application
C:\System Volume Information\_restore{B5AE19CA-0F41-435A-8682-03E6447AA4AB}\RP259\A0297573.exe Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{B5AE19CA-0F41-435A-8682-03E6447AA4AB}\RP259\A0297583.dll a variant of Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{B5AE19CA-0F41-435A-8682-03E6447AA4AB}\RP259\A0297589.exe a variant of Win32/Adware.WinPump.T application
C:\System Volume Information\_restore{B5AE19CA-0F41-435A-8682-03E6447AA4AB}\RP262\A0297710.exe Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{B5AE19CA-0F41-435A-8682-03E6447AA4AB}\RP262\A0298577.exe probably a variant of Win32/Toolbar.Babylon application
C:\System Volume Information\_restore{B5AE19CA-0F41-435A-8682-03E6447AA4AB}\RP272\A0307102.exe probably a variant of Win32/Toolbar.Widgi application
C:\Users\Micheru Wu\Downloads\cnet2_x-movie-maker6-cnet_exe.exe a variant of Win32/InstallCore.D application
C:\Windows\Installer\5e913.msi a variant of Win32/Toolbar.Widgi application
C:\Windows\System32\DBBK\0BEEFAE1A46FF1DA1E2247279F6386CB Win32/Adware.Facetheme.C application
C:\Windows\System32\DBBK\7350C6432F977912A0C262E8A5D980B2 a variant of Win32/Toolbar.Widgi application
C:\Windows\System32\DBBK\980E90872EBCA3E14416747350E1F87B a variant of Win32/InstallCore.D application
C:\Windows\System32\DBBK\D18BEF36622511586E0347D3FFD94B35 a variant of Win32/Toolbar.Widgi application
C:\Windows.old\Program Files\Application Updater\ probably a variant of Win32/Toolbar.Widgi application
D:\Micheru Wu\The Last Olympian.txt.exe Win32/HiddenStart.A application

#6 CatByte
    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 22 July 2012 - 10:29 AM

we should be ok now, the worst of the infection was already removed, so MSE probably found the items already in quarantine

please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe 
C:\Program Files\intellidownload\vfd.exe 
C:\Program Files\OApps\bho_project.dll 
C:\Program Files\YouTube Downloader Toolbar\IE\6.0\youtubedownloaderToolbarIE.dll 
C:\Users\Micheru Wu\Downloads\cnet2_x-movie-maker6-cnet_exe.exe 
C:\Windows\Installer\5e913.msi 
C:\Windows\System32\DBBK\0BEEFAE1A46FF1DA1E2247279F6386CB 
C:\Windows\System32\DBBK\7350C6432F977912A0C262E8A5D980B2 
C:\Windows\System32\DBBK\980E90872EBCA3E14416747350E1F87B 
C:\Windows\System32\DBBK\D18BEF36622511586E0347D3FFD94B35 
C:\Windows.old\Program Files\Application Updater\

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Press the WinKey + R to open a run box, then copy/paste the bolded text below > press Enter. A text file will pop up, please post the contents of that file.


"C:\Qoobox\Add-Remove Programs.txt" > uninstall.txt& start uninstall.txt


NEXT

Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
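
The CFScript in the post above is built by hand from the ESET export: the detection name is cut off each line, entries already sitting in FRST's quarantine and inside System Volume Information restore points are left out, and the rest go under File::. Doing that by hand is where a stray word such as ESET's "probably a variant of" prefix can end up inside a path. The script below is an added example, not ComboFix's, ESET's or the thread's own code; it parses a subset of the ESET lines posted above (the tab ESET puts between path and detection was flattened to spaces on the page, so the parser accepts either), applies the same two exclusions, and writes folders (paths ending in a backslash) under ComboFix's Folder:: section rather than File::. The detection-name grammar it assumes is the one visible in the export: an optional "probably", an optional "a variant of", a platform/family name, and a final word such as trojan or application.

```python
"""Turn an ESET Online Scanner export into a ComboFix CFScript.

Added example; not the thread's, ComboFix's or ESET's own code.
Assumed line format: "<path> <detection>", detection ending in one word
(trojan, application, ...), as in the export posted above.
"""
import re

# Subset of the ESET export from post #5 above (path, then detection).
ESET_EXPORT = r"""C:\FRST\Quarantine\{dc62a37e-03b4-727a-ca34-b92ff05d2efd}\n  a variant of Win32/Kryptik.AIEA trojan
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe  a variant of Win32/Toolbar.Widgi application
C:\Program Files\intellidownload\vfd.exe  Win32/BHO.OES trojan
C:\System Volume Information\_restore{B5AE19CA-0F41-435A-8682-03E6447AA4AB}\RP237\A0282643.rbf  probably a variant of Win32/Toolbar.Widgi application
C:\Windows.old\Program Files\Application Updater\  probably a variant of Win32/Toolbar.Widgi application
D:\Micheru Wu\The Last Olympian.txt.exe  Win32/HiddenStart.A application
"""

# Lazy path, then the detection grammar anchored at end of line, so the split
# happens at the start of the detection name and never inside the path.
ESET_LINE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably\s+)?(?:a variant of\s+)?[A-Za-z0-9]+/\S+\s+\w+)\s*$"
)


def parse_eset(export: str):
    """Return a list of (path, detection) tuples; raise on a line that does not fit."""
    rows = []
    for line in export.splitlines():
        if not line.strip():
            continue
        m = ESET_LINE.match(line)
        if not m:
            raise ValueError("unparsed ESET line: " + line)
        rows.append((m.group("path"), m.group("detection")))
    return rows


def is_already_contained(path: str) -> bool:
    """Items FRST already quarantined, or inside restore points, are not CFScript targets."""
    low = path.lower()
    return (low.startswith("c:\\frst\\quarantine\\")
            or "\\system volume information\\" in low)


def build_cfscript(rows) -> str:
    """Emit File:: / Folder:: sections plus ClearJavaCache:: in CFScript syntax."""
    files, folders = [], []
    for path, _detection in rows:
        if is_already_contained(path):
            continue
        (folders if path.endswith("\\") else files).append(path)
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if folders:
        parts.append("Folder::\n" + "\n".join(folders))
    parts.append("ClearJavaCache::")
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_eset(ESET_EXPORT)))
```

The two exclusions are deliberate: the C:\FRST\Quarantine hit is the Kryptik sample FRST already moved in the earlier fix, and restore-point copies are cleared by flushing System Restore once the machine is clean, not by listing each A0xxxxxx file. A line the regex cannot split raises instead of being guessed, which is the safer failure for a script that feeds paths to a deletion tool.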


#7 NiteMoque
  • Topic Starter
  • Members
  • 6 posts

Posted 23 July 2012 - 04:40 AM

My computer is mostly fine though it takes quite a longer time rebooting now.

And:

Combofix log


ComboFix 12-07-21.01 - Micheru Wu 7/2012 Mon 16:57:35.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.936.86.1033.18.1528.834 [GMT 8:00]
Running from: c:\users\Micheru Wu\Desktop\ComboFix.exe
Command switches used :: c:\users\Micheru Wu\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe"
"c:\program files\intellidownload\vfd.exe"
"c:\program files\OApps\bho_project.dll"
"c:\program files\YouTube Downloader Toolbar\IE\6.0\youtubedownloaderToolbarIE.dll"
"c:\users\Micheru Wu\Downloads\cnet2_x-movie-maker6-cnet_exe.exe"
"c:\windows.old\Program Files\Application Updater\ probably"
"c:\windows\Installer\5e913.msi"
"c:\windows\System32\DBBK\0BEEFAE1A46FF1DA1E2247279F6386CB"
"c:\windows\System32\DBBK\7350C6432F977912A0C262E8A5D980B2"
"c:\windows\System32\DBBK\980E90872EBCA3E14416747350E1F87B"
"c:\windows\System32\DBBK\D18BEF36622511586E0347D3FFD94B35"
.
.
((((((((((((((((((((((((( Files created from 2012-06-23 to 2012-07-23 )))))))))))))))))))))))))))))))
.
.
2012-07-23 09:10 . 2012-07-23 09:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-23 00:50 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A3F797B1-9D47-4DD3-86C0-FCB183CF5F44}\mpengine.dll
2012-07-22 07:23 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-22 04:42 . 2012-07-22 04:42 -------- d-----w- c:\program files\ESET
2012-07-22 00:33 . 2012-07-15 18:41 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{443CC8CE-60F4-4C02-9517-4D2AA69A0FB1}\mpengine.dll
2012-07-21 23:28 . 2012-07-23 09:10 -------- d-----w- c:\users\Micheru Wu\AppData\Local\temp
2012-07-21 09:48 . 2012-07-21 09:48 -------- d-----w- c:\program files\CCleaner
2012-07-15 08:50 . 2012-01-17 20:55 28424 ----a-w- c:\windows\system32\drivers\PRSBDrvr.sys
2012-07-15 08:40 . 2012-07-23 09:11 -------- d-----w- c:\windows\system32\DBBK
2012-07-15 08:40 . 2012-03-22 16:17 225664 ----a-w- c:\windows\system32\drivers\DasBootS.SYS
2012-07-15 08:40 . 2012-01-17 20:55 9096 ----a-w- c:\windows\system32\drivers\DasBootI.SYS
2012-07-15 08:40 . 2012-01-17 20:55 27528 ----a-w- c:\windows\system32\drivers\DasBootK.SYS
2012-07-15 08:40 . 2012-01-17 20:55 9096 ----a-w- c:\windows\system32\drivers\DasBootE.SYS
2012-07-15 08:40 . 2012-01-17 20:55 59272 ----a-w- c:\windows\system32\drivers\DasBootF.SYS
2012-07-15 08:40 . 2012-01-17 20:55 20744 ----a-w- c:\windows\system32\drivers\DasBoot.SYS
2012-07-15 08:40 . 2010-05-04 01:37 3072 ----a-w- c:\windows\system32\drivers\DasBootD.SYS
2012-07-15 08:24 . 2012-07-15 08:24 100864 ----a-w- C:\pxldypoc.sys
2012-07-15 07:31 . 2012-07-15 07:31 -------- d-----w- c:\program files\HitmanPro
2012-07-15 07:17 . 2012-07-15 07:31 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-07-15 07:17 . 2012-07-15 07:31 -------- d-----w- c:\programdata\HitmanPro
2012-07-14 06:38 . 2012-07-14 06:38 43480 ----a-w- c:\windows\system32\drivers\hwtahaou.sys
2012-07-14 05:56 . 2012-07-14 05:56 43480 ----a-w- c:\windows\system32\drivers\misljwwg.sys
2012-07-14 04:42 . 2012-07-14 04:43 -------- d-----w- C:\FRST
2012-07-14 04:35 . 2012-02-09 06:17 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5B23CEC9-663C-4B5F-8E81-A68059028AD3}\gapaengine.dll
2012-07-14 04:21 . 2012-07-14 04:21 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-13 22:37 . 2012-07-13 22:39 -------- d-----w- c:\programdata\Windows Codecs
2012-07-13 22:37 . 2012-07-13 22:37 -------- d-----w- c:\program files\Mega Codec Pack
2012-07-11 12:43 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 11:24 . 2012-07-11 11:25 -------- d-----w- c:\program files\Counter-Strike 1.6
2012-07-11 11:16 . 2012-07-14 06:13 -------- d-----w- c:\users\Micheru Wu\AppData\Roaming\BITS
2012-07-11 11:16 . 2012-07-11 11:16 -------- d-----w- c:\users\Micheru Wu\AppData\Roaming\FlashgetSetup
2012-07-11 11:15 . 2012-07-11 11:15 -------- d-----w- c:\users\Micheru Wu\AppData\Roaming\FlashGetBHO
2012-07-10 21:55 . 2012-06-02 04:45 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-10 21:55 . 2012-06-02 04:40 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-10 21:55 . 2012-06-02 04:39 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-10 21:55 . 2012-06-02 04:45 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-10 21:55 . 2012-06-02 04:40 225280 ----a-w- c:\windows\system32\schannel.dll
2012-07-10 21:55 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-07-10 21:55 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-07-10 21:55 . 2010-06-26 03:24 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-10 21:54 . 2012-06-06 05:05 1019904 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-10 21:54 . 2012-06-06 05:03 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-07-10 21:54 . 2012-06-06 05:05 57344 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2012-07-10 21:54 . 2012-06-06 05:05 352256 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-07-10 21:54 . 2012-06-06 05:05 143360 ----a-w- c:\program files\Common Files\System\ado\msjro.dll
2012-07-10 21:54 . 2012-06-06 05:05 372736 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-07-10 21:54 . 2012-06-06 05:05 212992 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-07-08 04:59 . 2012-07-08 05:01 -------- d-----w- c:\program files\OApps
2012-07-08 04:59 . 2012-07-08 05:00 -------- d-----w- c:\program files\TorrentSearch
2012-07-08 04:59 . 2012-07-08 05:01 -------- d-----w- c:\program files\intellidownload
2012-07-05 22:46 . 2012-07-05 22:46 172098 ----a-w- C:\torrent.exe
2012-07-02 08:53 . 2012-07-22 14:50 -------- d-----w- c:\program files\Application Updater
2012-07-02 08:53 . 2012-07-02 08:53 -------- d-----w- c:\program files\YouTube Downloader Toolbar
2012-07-02 08:53 . 2012-07-02 08:53 -------- d-----w- c:\program files\Common Files\Spigot
2012-06-29 12:12 . 2012-06-29 12:12 -------- d-----w- C:\PPS.tv
2012-06-25 08:04 . 2012-06-25 08:04 1394248 ----a-w- c:\windows\system32\msxml4.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 05:46 . 2011-11-16 04:30 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 22:19 . 2012-06-18 21:45 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-18 21:45 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-18 21:44 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-18 21:44 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-18 21:45 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-18 21:45 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-18 21:44 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 07:19 . 2012-06-18 21:44 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 07:12 . 2012-06-18 21:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 04:25 . 2011-11-13 04:47 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-01 04:44 . 2012-06-14 09:08 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:17 . 2012-06-14 09:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:45 . 2012-06-14 09:08 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:45 . 2012-06-14 09:08 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41 . 2012-06-14 09:08 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68DD98BF-9DE8-418C-89F0-E37AC61CC2D9}]
2012-07-03 16:06 92160 ----a-w- c:\program files\OApps\bho_project.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Windows Codecs]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2012-07-13 22:37 172032 ----a-w- c:\programdata\Windows Codecs\MediaShellOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SirefefRemover]
@=""
.
[HKLM\~\startupfolder\C:^Users^Micheru Wu^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PPS.lnk]
path=c:\users\Micheru Wu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk
backup=c:\windows\pss\PPS.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 02:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-05-30 12:06 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2011-03-15 02:09 2565520 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2011-08-04 09:06 1612920 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashGet 3]
2012-03-15 02:05 3090056 ----a-w- e:\program files\FlashGet Network\FlashGet 3\Flashget3.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-06-07 11:33 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-03-26 09:08 931200 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPS Accelerator]
2010-02-24 03:25 214408 ----a-w- c:\pps.tv\PPStream\PPSAP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-18 12:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
2012-06-27 09:11 1090440 ----a-w- c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 01:21 648072 ----a-w- c:\windows\WindowsMobile\wmdcBase.exe
.
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.364.0\BBSvc.exe [x]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [x]
R3 hitmanpro36;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [x]
R3 HtcVCom32;HTC Diagnostic Port;c:\windows\system32\DRIVERS\HtcVComV32.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 PRSBDrvr;PRSBDrvr;c:\windows\system32\DRIVERS\PRSBDrvr.sys [x]
R3 SirefefRemover;SirefefRemover;c:\users\MICHER~1\AppData\Local\Temp\62154ed0.tmp [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 DasBoot;Panda AntiMalware Support;c:\windows\\SystemRoot\system32\drivers\DasBoot.SYS [x]
S0 DasBootF;Panda AntiMalware Support MF;c:\windows\\SystemRoot\system32\drivers\DasBootF.SYS [x]
S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.364.0\SeaPort.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
‘计划任务’ 文件夹 里的内容
.
2012-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1041435734-4285072689-3168404971-1001Core.job
- c:\users\Micheru Wu\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-13 03:54]
.
2012-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1041435734-4285072689-3168404971-1001UA.job
- c:\users\Micheru Wu\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-13 03:54]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Download all links by FlashGet3 - e:\program files\FlashGet Network\FlashGet 3\BHO\fdgetallurl.htm
IE: Download by FlashGet3 - e:\program files\FlashGet Network\FlashGet 3\BHO\fdgeturl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\ikutm.dll
TCP: DhcpNameServer = 192.168.1.1
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SirefefRemover]
"ImagePath"="\??\c:\users\MICHER~1\AppData\Local\Temp\62154ed0.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
完成时间: 2012-07-23 17:14:27
ComboFix-quarantined-files.txt 2012-07-23 09:14
ComboFix2.txt 2012-07-21 23:39
.
Pre-Run: 2,322,182,144 bytes free
Post-Run: 2,616,901,632 bytes free
.
- - End Of File - - 0A601F1B117BE443DBF3E46099801CB9



Also:

Add-Remove Programs log


Update for Microsoft Office 2007 (KB2508958)
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.5.1 - Chinese Simplified
Aegisub 2.1.9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bing Bar
Bonjour
Canon E500 series MP Drivers
Canon E500 series On-screen Manual
Canon Easy-PhotoPrint EX
Canon Easy-WebPrint EX
Canon MP Navigator EX 5.0
Canon My Printer
Canon Solution Menu EX
CCleaner
CDisplayEx 1.8
Counter-Strike 1.6
D3DX10
Daum PotPlayer 1.5.28025
Defraggler
DivX Browser Plug-In
ESET Online Scanner v3
FlashGet 1.8.2.1004
FlashGet3.7
Google Chrome
iKu 2
iTunes
Junk Mail filter update
Malwarebytes Anti-Malware version 1.62.0.1300
Meka MP3 Album Artwork Tool
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSVCRT
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2721691)
MSXML 4.0 SP3 Parser (KB973685)
My Tribe
PPS影音 V2.7.0.1488 正式版
QuickTime
Revo Uninstaller 1.93
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Office 2007 suites (KB2596666) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VideoFileDownload
VoiceOver Kit
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Mobile Device Center Driver Update
Windows Movie Maker 2.6
WinRAR 4.01 (32-bit)
YouTube Downloader Toolbar v6.0
YTD YouTube Downloader & Converter 3.7
酷我音乐盒 2011

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:49 AM

Posted 23 July 2012 - 10:08 AM

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


Now try a defrag and clean out your temp files; let me know if that makes a difference.

First open an elevated Command Prompt
  • Go to Start > All Programs > Accessories
  • right click on the Command Prompt and choose “Run as administrator”
  • Type the following to see how much your hard drive is fragmented (in this example, your C:\ drive):
  • defrag c: -a (be patient, this can take a while)
  • The resulting analysis will tell you a “Percent file fragmentation” and at the bottom, if you need to defragment the drive or not.
  • To fully defragment your C:\ drive type the following:
  • defrag c: -w
  • Give it time to run (it can take a while, best to leave the computer alone) and then you’re done!

Temp File Cleaner

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 NiteMoque

NiteMoque
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:49 PM

Posted 25 July 2012 - 03:59 AM

After defragging, removing the temp files and deleting some stuff, my computer is fine now.

Thank you very much for helping me.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:49 AM

Posted 25 July 2012 - 10:18 AM

That's good to hear :)

We just have some housekeeping to do now.

Please do the following:


You can delete the FRST logs and program from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
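The Internet Explorer hardening above is done by hand in Inetcpl.cpl. As an added example (not from CatByte's post, and not a Microsoft tool), here is a PowerShell script that reads the same three Internet Zone ActiveX settings from the registry, reports which ones are still at a weaker value than the post recommends, and with -Fix writes the recommended values. It assumes the standard per-user zone key and the documented action values 1001, 1004 and 1201 with data 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example, not from the post: audit (and optionally apply) the three Internet Zone
# ActiveX settings the post changes through Inetcpl.cpl > Security > Internet > Custom level.
# Assumptions: settings live under the per-user key below (zone 3 = Internet zone) and use
# the documented action value names:
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1201 = Initialize and script ActiveX controls not marked as safe for scripting
# Data values: 0 = Enable, 1 = Prompt, 3 = Disable.
# If the machine enforces zone settings for all users (Security_HKLM_only), the HKLM
# counterpart of this key applies instead; that case is not handled here.
param(
    [switch]$Fix   # without -Fix the script only reports; with -Fix it corrects weak settings
)

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Target state matching the post: signed/unsigned download -> Prompt, unsafe init/script -> Disable
$Desired = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                            Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                          Value = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe';   Value = 3 }
}

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneSettings {
    # Returns one object per setting: current value, recommended value, and whether they match.
    foreach ($id in $Desired.Keys) {
        $current = (Get-ItemProperty -Path $ZoneKey -Name $id -ErrorAction SilentlyContinue).$id
        $currentLabel = if ($null -eq $current) { 'not set (zone default)' }
                        elseif ($Labels.ContainsKey([int]$current)) { $Labels[[int]$current] }
                        else { "unknown ($current)" }
        [pscustomobject]@{
            Id        = $id
            Setting   = $Desired[$id].Name
            Current   = $currentLabel
            Desired   = $Labels[$Desired[$id].Value]
            Compliant = ($null -ne $current) -and ([int]$current -eq $Desired[$id].Value)
        }
    }
}

$state = Get-ActiveXZoneSettings
$state | Format-Table -AutoSize

$weak = @($state | Where-Object { -not $_.Compliant })
if ($weak.Count -eq 0) {
    Write-Host 'All three ActiveX settings already match the recommended values.'
}
elseif ($Fix) {
    foreach ($s in $weak) {
        # REG_DWORD, the same value type Inetcpl.cpl writes
        Set-ItemProperty -Path $ZoneKey -Name $s.Id -Value $Desired[$s.Id].Value -Type DWord
        Write-Host ('Set {0} ({1}) to {2}' -f $s.Id, $s.Setting, $s.Desired)
    }
}
else {
    Write-Host ('{0} setting(s) are weaker than recommended; re-run with -Fix to apply.' -f $weak.Count)
}
```

Run it once without -Fix to see the current state; the settings are per user, so run it as the account that browses.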


#11 NiteMoque

NiteMoque
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:49 PM

Posted 27 July 2012 - 05:28 AM

Thank you very much too for the help you've given to me.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:49 AM

Posted 27 July 2012 - 08:31 AM

You are welcome

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:49 AM

Posted 27 July 2012 - 08:31 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




