Infected with Rootkit.Zaccess/Rootkit.Boot.Pihar.c, Trojan.Dropper.BCMiner


21 replies to this topic

#1 bigt0242000


Posted 24 July 2012 - 02:56 PM

I'm working on a friend's laptop and they believe one of the kids went somewhere they didn't need to be going. They said they started noticing issues on 7-20. I was going to try and clean it myself and did a little research on the rootkit and decided I needed to ask for some help. I attached the logs from malwarebytes and TDSSkiller. When using TDSSkiller I had it skip trying to "cure" the infection.


defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:50 on 24/07/2012 (Elizabeth)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Elizabeth at 14:51:40 on 2012-07-24
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3031.2286 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: TBSB07898 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\coupons.com couponbar\tbcore3.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Coupons.com CouponBar: {8660e5b3-6c41-44de-8503-98d99bbecd41} - c:\program files\coupons.com couponbar\tbcore3.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: !{95B7759C-8C7F-4BF1-B163-73684A933233} - No File
TB: !{D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 208.67.220.220 208.67.222.222 75.75.75.75
TCP: Interfaces\{247E51A1-2723-4A79-94CC-06F75FAC6C83} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{247E51A1-2723-4A79-94CC-06F75FAC6C83} : DhcpNameServer = 208.67.220.220 208.67.222.222 75.75.75.75
TCP: Interfaces\{247E51A1-2723-4A79-94CC-06F75FAC6C83}\13535333343434 : DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{247E51A1-2723-4A79-94CC-06F75FAC6C83}\84F4D454D213132423 : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{247E51A1-2723-4A79-94CC-06F75FAC6C83}\84F4D454D213132423 : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{247E51A1-2723-4A79-94CC-06F75FAC6C83}\E4544574541425 : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.2.0\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-7-22 655944]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2010-7-13 65640]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-13 229888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-7-22 22344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-3-5 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-3-5 1343400]
S4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-22 250056]
S4 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S4 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-11 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-11 136176]
S4 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\11.2.0\ToolbarUpdater.exe [2012-7-18 935008]
.
=============== Created Last 30 ================
.
2012-07-22 23:57:19 -------- d-----w- c:\windows\pss
2012-07-22 23:43:41 -------- d-----w- c:\users\elizabeth\temp
2012-07-22 23:43:40 -------- d-----w- c:\users\elizabeth\appdata\roaming\TeamViewer
2012-07-22 21:26:27 -------- d-----w- c:\users\elizabeth\appdata\roaming\Malwarebytes
2012-07-22 21:26:17 -------- d-----w- c:\programdata\Malwarebytes
2012-07-22 21:26:16 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-22 21:26:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-22 19:16:53 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-22 17:17:57 -------- d-----w- c:\users\elizabeth\appdata\roaming\Mysteryville2
2012-07-22 17:05:22 -------- d-----w- c:\program files\AVG Secure Search
2012-07-22 16:48:29 -------- d-----w- c:\windows\system32\appmgmt
2012-07-21 09:44:53 114176 ----a-w- c:\programdata\microsoft\windows\drm\FC62.tmp
2012-07-21 09:19:46 -------- d-----w- c:\users\elizabeth\appdata\roaming\ooVoo Details
2012-07-19 23:08:29 -------- d-----w- c:\users\elizabeth\appdata\local\AVG Secure Search
2012-07-18 00:24:31 -------- d--h--w- C:\$AVG
2012-07-17 23:51:08 -------- d-----w- c:\users\elizabeth\appdata\roaming\AVG2012
2012-07-17 23:49:38 -------- d-----w- c:\programdata\AVG Secure Search
2012-07-17 23:49:35 -------- d-----w- c:\program files\common files\AVG Secure Search
2012-07-17 23:48:14 -------- d-----w- c:\windows\system32\drivers\AVG
2012-07-17 23:48:14 -------- d-----w- c:\programdata\AVG2012
2012-07-17 23:47:29 -------- d-----w- c:\program files\AVG
2012-07-17 23:45:01 -------- d--h--w- c:\programdata\Common Files
2012-07-17 23:44:50 -------- d-----w- c:\programdata\MFAData
2012-07-14 19:33:21 -------- d-----w- c:\users\elizabeth\appdata\roaming\Gogii Games
2012-07-14 19:33:21 -------- d-----w- c:\programdata\Gogii Games
2012-07-14 17:34:11 -------- d-----w- c:\users\elizabeth\appdata\roaming\LegacyInteractive
2012-07-13 23:09:06 -------- d-----w- c:\programdata\SpecialBit Games
2012-07-11 23:35:05 9226440 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-07-11 22:46:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-07-11 22:46:02 194560 ----a-w- c:\program files\internet explorer\ieproxy.dll
2012-07-11 22:46:02 194048 ----a-w- c:\program files\internet explorer\IEShims.dll
2012-07-11 22:46:02 140920 ----a-w- c:\program files\internet explorer\sqmapi.dll
2012-07-11 22:46:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-07-11 22:46:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-07-11 22:46:00 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-07-11 22:45:59 748664 ----a-w- c:\program files\internet explorer\iexplore.exe
2012-07-11 22:45:59 678912 ----a-w- c:\program files\internet explorer\iedvtool.dll
2012-07-11 22:45:59 387584 ----a-w- c:\program files\internet explorer\jsdbgui.dll
2012-07-11 22:45:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-07-11 22:42:18 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-26 20:58:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-26 20:57:55 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-26 20:57:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-26 20:57:44 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-25 01:42:48 -------- d-----w- c:\programdata\301BA
.
==================== Find3M ====================
.
2012-07-11 23:35:07 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-11 23:35:07 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-01 04:44:12 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:17:07 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:45:55 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:45:54 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41:16 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
============= FINISH: 14:52:51.05 ===============


#2 CatByte

  • Malware Response Team

Posted 25 July 2012 - 12:01 PM

Please go ahead and re-run TDSSKiller and allow it to "cure" what it finds.

NEXT

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 bigt0242000


Posted 25 July 2012 - 02:11 PM

I ran TDSSkiller and let it cure what it needed to. I ran ComboFix. After running ComboFix, I noticed a catchme.log file on the desktop.


ComboFix 12-07-26.03 - Elizabeth 07/25/2012 14:40:26.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3031.2145 [GMT -4:00]
Running from: c:\users\Elizabeth\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC\Desktop.ini
c:\windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\@
c:\windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\L\00000004.@
c:\windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\L\201d3dde
c:\windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\U\00000004.@
c:\windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\U\00000008.@
c:\windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\U\000000cb.@
c:\windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\U\80000000.@
c:\windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\U\80000032.@
.
c:\windows\system32\services.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
.
.
((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))
.
.
2012-07-25 18:45 . 2012-07-25 18:50 -------- d-----w- c:\users\Elizabeth\AppData\Local\temp
2012-07-25 18:45 . 2012-07-25 18:45 -------- d-----w- c:\users\DJ\AppData\Local\temp
2012-07-25 18:44 . 2012-07-25 18:44 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{46F8E9D5-E0DA-4A7E-B448-786BF8A4A556}\offreg.dll
2012-07-25 18:27 . 2012-07-25 18:27 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-22 23:43 . 2012-07-22 23:43 -------- d-----w- c:\users\Elizabeth\temp
2012-07-22 23:43 . 2012-07-22 23:43 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\TeamViewer
2012-07-22 21:26 . 2012-07-22 21:26 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\Malwarebytes
2012-07-22 21:26 . 2012-07-22 22:06 -------- d-----w- c:\programdata\Malwarebytes
2012-07-22 21:26 . 2012-07-22 21:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-22 21:26 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-22 19:16 . 2012-07-22 19:16 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-22 19:10 . 2012-07-22 19:10 -------- d-----w- c:\windows\Sun
2012-07-22 17:17 . 2012-07-22 17:19 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\Mysteryville2
2012-07-22 17:05 . 2012-07-22 17:05 -------- d-----w- c:\program files\AVG Secure Search
2012-07-21 09:44 . 2012-07-21 09:44 114176 ----a-w- c:\programdata\Microsoft\Windows\DRM\FC62.tmp
2012-07-21 09:19 . 2012-07-21 09:21 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\ooVoo Details
2012-07-19 23:08 . 2012-07-19 23:08 -------- d-----w- c:\users\Elizabeth\AppData\Local\AVG Secure Search
2012-07-18 00:24 . 2012-07-18 00:24 -------- d-----w- C:\$AVG
2012-07-17 23:51 . 2012-07-17 23:51 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\AVG2012
2012-07-17 23:49 . 2012-07-19 00:32 -------- d-----w- c:\programdata\AVG Secure Search
2012-07-17 23:49 . 2012-07-19 00:32 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2012-07-17 23:48 . 2012-07-22 17:04 -------- d-----w- c:\windows\system32\drivers\AVG
2012-07-17 23:48 . 2012-07-18 00:01 -------- d-----w- c:\programdata\AVG2012
2012-07-17 23:47 . 2012-07-17 23:47 -------- d-----w- c:\program files\AVG
2012-07-17 23:45 . 2012-07-17 23:45 -------- d--h--w- c:\programdata\Common Files
2012-07-17 23:44 . 2012-07-22 23:45 -------- d-----w- c:\programdata\MFAData
2012-07-14 19:33 . 2012-07-14 19:33 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\Gogii Games
2012-07-14 19:33 . 2012-07-14 19:33 -------- d-----w- c:\programdata\Gogii Games
2012-07-14 17:34 . 2012-07-14 17:34 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\LegacyInteractive
2012-07-14 00:56 . 2012-07-14 00:56 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\PlayFirst
2012-07-14 00:56 . 2012-07-14 00:56 -------- d-----w- c:\programdata\PlayFirst
2012-07-13 23:09 . 2012-07-13 23:09 -------- d-----w- c:\programdata\SpecialBit Games
2012-07-11 23:35 . 2012-07-11 23:35 9226440 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-07-11 22:46 . 2012-06-02 08:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-07-11 22:46 . 2012-06-02 09:08 140920 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2012-07-11 22:46 . 2012-06-02 08:22 194560 ----a-w- c:\program files\Internet Explorer\ieproxy.dll
2012-07-11 22:46 . 2012-06-02 08:21 194048 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2012-07-11 22:46 . 2012-06-02 08:25 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-07-11 22:46 . 2012-06-02 08:20 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-07-11 22:46 . 2012-06-02 08:33 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-07-11 22:45 . 2012-06-02 09:08 748664 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2012-07-11 22:45 . 2012-06-02 08:27 678912 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2012-07-11 22:45 . 2012-06-02 08:26 387584 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll
2012-07-11 22:45 . 2012-06-02 08:25 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-07-11 22:42 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-26 20:58 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-26 20:58 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-26 20:58 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-26 20:58 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-26 20:57 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-26 20:57 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-26 20:57 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-26 20:57 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-26 20:57 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 23:35 . 2012-06-22 10:30 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-11 23:35 . 2012-03-11 17:00 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-01 04:44 . 2012-06-17 12:21 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:17 . 2012-06-17 12:21 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-07-22 17:05 1811296 ----a-w- c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-07-22 1811296]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Elizabeth^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\users\Elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 14:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 02:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-10-27 23:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2012-01-24 21:24 2416480 ----a-w- c:\program files\AVG\AVG2012\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2010-03-25 02:50 2516296 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2010-04-02 14:18 1185112 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2011-02-12 00:26 171032 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2011-02-12 00:26 137752 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-07-03 17:46 462920 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2011-02-12 00:26 172568 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2012-03-11 15:54 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vProt]
2012-07-22 17:05 939872 ----a-w- c:\program files\AVG Secure Search\vprot.exe
.
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R4 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [x]
R4 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R4 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [x]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-22 23:35]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-11 15:54]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-11 15:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.67.220.220 208.67.222.222 75.75.75.75
TCP: Interfaces\{247E51A1-2723-4A79-94CC-06F75FAC6C83}: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{247E51A1-2723-4A79-94CC-06F75FAC6C83}\84F4D454D213132423: NameServer = 208.67.222.222,208.67.220.220
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{8660E5B3-6C41-44DE-8503-98D99BBECD41} - c:\program files\Coupons.com CouponBar\tbcore3.dll
Toolbar-10 - (no file)
Toolbar-!{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
Toolbar-!{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{8660E5B3-6C41-44DE-8503-98D99BBECD41} - c:\program files\Coupons.com CouponBar\tbcore3.dll
MSConfigStartUp-HF_G_Jul - c:\program files\AVG Secure Search\HF_G_Jul.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-07-25 14:54:09 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-25 18:54
.
Pre-Run: 283,126,554,624 bytes free
Post-Run: 285,224,751,104 bytes free
.
- - End Of File - - 1000DEE2105DD4A0A2677C0A7330D63D
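The ComboFix log above carries three telltale entries for this family of infection: the hidden payload store under c:\windows\Installer\{guid}\ (the @, U\ and L\ files), a real directory literally named %APPDATA% inside system32, and the "services.exe . . . is infected" line. The script below is an added example, not part of the thread and not DDS or ComboFix code; it pulls those indicators out of DDS/ComboFix-style log text so a helper can triage a pasted log quickly. The sample lines are copied from the posted logs plus one constructed benign MSI cache entry with a placeholder GUID.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicator shapes taken from the DDS and ComboFix output posted in this thread.
# 1. Payload store hidden under the MSI cache:
#    ...\Installer\{guid}\@   ...\Installer\{guid}\U\xxxxxxxx.@   ...\Installer\{guid}\L\xxxxxxxx
PAYLOAD_STORE = re.compile(
    r"\\installer\\\{[0-9a-f-]{36}\}\\(?:@|[ul]\\[0-9a-f]{8}(?:\.@)?)$", re.I)
# 2. A directory literally named %APPDATA% inside system32: the variable was
#    never expanded, so no legitimate installer created it
FAKE_APPDATA = re.compile(r"\\system32\\%appdata%$", re.I)
# 3. ComboFix reporting that services.exe itself is patched (group 1 = the path)
INFECTED_SERVICES = re.compile(r"([a-z]:\\.*?\\services\.exe) .*is infected", re.I)
# Any Windows path: drive letter, colon, backslash, then the rest of the line
WIN_PATH = re.compile(r"[a-z]:\\.*$", re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    indicator: str
    path: str


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (indicator, path) for one log line, or None if it looks benign."""
    m = INFECTED_SERVICES.search(line)
    if m:
        return "infected_services_exe", m.group(1)
    m = WIN_PATH.search(line)
    if not m:
        return None
    path = m.group(0).rstrip()
    if PAYLOAD_STORE.search(path):
        return "installer_payload_store", path
    if FAKE_APPDATA.search(path):
        return "system32_fake_appdata", path
    return None


def scan_log(text: str) -> List[Finding]:
    """Walk a DDS/ComboFix-style log and collect every matching line."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        hit = classify(line)
        if hit:
            findings.append(Finding(n, hit[0], hit[1]))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per indicator; an empty dict means nothing matched."""
    counts: dict = {}
    for f in findings:
        counts[f.indicator] = counts.get(f.indicator, 0) + 1
    return counts


# Sample input: lines copied from the posted DDS/ComboFix logs, plus one
# constructed benign MSI cache entry (placeholder GUID) that must not match.
SAMPLE_LINES = [
    r"c:\windows\assembly\GAC\Desktop.ini",
    r"c:\windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\@",
    r"c:\windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\L\201d3dde",
    r"c:\windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\U\80000032.@",
    r"c:\windows\Installer\{a1b2c3d4-0000-0000-0000-000000000000}\MSI1234.tmp",
    r"c:\windows\system32\services.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot",
    r"2012-07-22 19:16 . 2012-07-22 19:16 -------- d-sh--w- c:\windows\system32\%APPDATA%",
    r"2012-07-22 21:26 . 2012-07-22 21:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.indicator}: {f.path}")
    print(summarize(hits))
```

Feed it a whole pasted log (open the file and pass its contents to scan_log) and treat any non-empty summary as a reason to run the full cleanup the helper outlines rather than a single scanner pass.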

#4 CatByte

  • Malware Response Team

Posted 25 July 2012 - 02:28 PM

I just want to make certain that ComboFix was able to replace the infected services.exe on reboot, so please do the following:

(your machine was heavily infected, it may take several rounds with different tools to eradicate)

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply (FRST.txt and Search.txt)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 bigt0242000
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Location:Georgia, USA

Posted 25 July 2012 - 02:45 PM

Here you go.


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 25-07-2012 15:38:00
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2416480 2012-01-24] (AVG Technologies CZ, s.r.o.)
HKU\DJ\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-03-11] (Google Inc.)
HKU\DJ\...\Policies\system: [LogonHoursAction] 2
HKU\DJ\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Elizabeth\...\Policies\system: [LogonHoursAction] 2
HKU\Elizabeth\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 208.67.220.220 208.67.222.222 75.75.75.75
Tcpip\..\Interfaces\{247E51A1-2723-4A79-94CC-06F75FAC6C83}: [NameServer]208.67.222.222,208.67.220.220

================================ Services (Whitelisted) ==================

4 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
2 AVGIDSAgent; "C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe" [4433248 2011-10-12] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files\AVG\AVG2012\avgwdsvc.exe" [192776 2011-08-02] (AVG Technologies CZ, s.r.o.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
4 IJPLMSVC; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [116104 2010-04-05] ()
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
4 vToolbarUpdater11.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [935008 2012-07-18] ()

========================== Drivers (Whitelisted) =============

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [134736 2011-07-10] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [23120 2011-07-10] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [24272 2011-07-10] (AVG Technologies CZ, s.r.o. )
3 AVGIDSShim; C:\Windows\System32\DRIVERS\AVGIDSShim.Sys [16720 2011-10-04] (AVG Technologies CZ, s.r.o. )
1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [230608 2011-10-07] (AVG Technologies CZ, s.r.o.)
1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [40016 2011-08-08] (AVG Technologies CZ, s.r.o.)
0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-09-13] (AVG Technologies CZ, s.r.o.)
1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [295248 2011-07-10] (AVG Technologies CZ, s.r.o.)
3 itecir; C:\Windows\System32\DRIVERS\itecir.sys [65640 2010-07-13] (ITE Tech. Inc. )
3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [229888 2009-07-13] (Broadcom Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)
3 catchme; \??\C:\Users\ELIZAB~1\AppData\Local\Temp\catchme.sys [x]
3 KMW_KBD; C:\Windows\System32\DRIVERS\KMW_KBD.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-25 10:54 - 2012-07-25 10:54 - 00015093 ____A C:\ComboFix.txt
2012-07-25 10:37 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-07-25 10:37 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-07-25 10:37 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-07-25 10:37 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-07-25 10:37 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-07-25 10:37 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-07-25 10:37 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-07-25 10:37 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-07-25 10:32 - 2012-07-25 10:54 - 00000000 ____D C:\Qoobox
2012-07-25 10:32 - 2012-07-25 10:52 - 00000000 ____D C:\Windows\erdnt
2012-07-25 10:32 - 2012-07-25 10:32 - 04585817 ____R (Swearware) C:\Users\Elizabeth\Desktop\ComboFix.exe
2012-07-25 10:32 - 2012-07-25 10:32 - 00000064 ____A C:\Users\Elizabeth\Desktop\catchme.log
2012-07-25 10:27 - 2012-07-25 10:27 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-07-25 10:26 - 2012-07-25 10:26 - 02117108 ____A C:\Users\Elizabeth\Desktop\tdsskiller.zip
2012-07-24 11:27 - 2012-07-24 11:27 - 03028656 ____A (TeamViewer) C:\Users\Elizabeth\Desktop\TeamViewerQS_en.exe
2012-07-24 11:24 - 2012-07-24 11:24 - 00072764 ____A C:\Users\Elizabeth\Desktop\ark.txt
2012-07-24 10:56 - 2012-07-24 10:56 - 00000000 ____D C:\Users\Elizabeth\Desktop\gmer
2012-07-24 10:54 - 2012-07-24 10:54 - 00020081 ____A C:\Users\Elizabeth\Desktop\Attach.txt
2012-07-24 10:53 - 2012-07-24 10:53 - 00012799 ____A C:\Users\Elizabeth\Desktop\DDS.txt
2012-07-24 10:50 - 2012-07-24 10:51 - 00000480 ____A C:\Users\Elizabeth\Desktop\defogger_disable.log
2012-07-24 10:50 - 2012-07-24 10:50 - 00000000 ____A C:\Users\Elizabeth\defogger_reenable
2012-07-24 10:47 - 2012-07-24 10:47 - 00294216 ____A C:\Users\Elizabeth\Desktop\gmer.zip
2012-07-24 10:46 - 2012-07-24 10:46 - 00607260 ____R (Swearware) C:\Users\Elizabeth\Desktop\dds.scr
2012-07-24 10:45 - 2012-07-24 10:45 - 00050477 ____A C:\Users\Elizabeth\Desktop\Defogger.exe
2012-07-24 10:40 - 2012-07-24 10:50 - 00000361 ____A C:\rkill.log
2012-07-24 10:38 - 2012-07-24 10:38 - 01012656 ____A C:\Users\Elizabeth\Desktop\iExplore.exe
2012-07-24 09:22 - 2012-07-25 10:26 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Elizabeth\Desktop\TDSSKiller.exe
2012-07-22 15:57 - 2012-07-22 15:57 - 00000000 ____D C:\Windows\pss
2012-07-22 15:43 - 2012-07-22 15:43 - 00000000 ____D C:\Users\Elizabeth\AppData\Roaming\TeamViewer
2012-07-22 13:26 - 2012-07-22 14:06 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-07-22 13:26 - 2012-07-22 13:26 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-22 13:26 - 2012-07-22 13:26 - 00000000 ____D C:\Users\Elizabeth\AppData\Roaming\Malwarebytes
2012-07-22 13:26 - 2012-07-22 13:26 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-07-22 13:26 - 2012-07-03 09:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-22 13:25 - 2012-07-22 13:25 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Elizabeth\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-22 11:40 - 2012-07-22 11:40 - 177181242 ____A C:\Windows\MEMORY.DMP
2012-07-22 11:40 - 2012-07-22 11:40 - 00147024 ____A C:\Windows\Minidump\072212-47939-01.dmp
2012-07-22 11:40 - 2012-07-22 11:40 - 00000000 ____D C:\Windows\Minidump
2012-07-22 11:16 - 2012-07-22 11:16 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-22 11:10 - 2012-07-22 11:10 - 00000000 ____D C:\Windows\Sun
2012-07-22 09:17 - 2012-07-22 09:19 - 00000000 ____D C:\Users\Elizabeth\AppData\Roaming\Mysteryville2
2012-07-22 09:05 - 2012-07-22 09:05 - 00000000 ____D C:\Program Files\AVG Secure Search
2012-07-22 08:48 - 2012-07-22 08:56 - 00000000 ____D C:\Windows\System32\appmgmt
2012-07-21 01:19 - 2012-07-21 01:21 - 00000000 ____D C:\Users\Elizabeth\AppData\Roaming\ooVoo Details
2012-07-19 15:08 - 2012-07-19 15:08 - 00000000 ____D C:\Users\Elizabeth\AppData\Local\AVG Secure Search
2012-07-17 16:24 - 2012-07-17 16:24 - 00000000 ____D C:\$AVG
2012-07-17 15:51 - 2012-07-17 15:51 - 00000000 ____D C:\Users\Elizabeth\AppData\Roaming\AVG2012
2012-07-17 15:50 - 2012-07-17 15:50 - 00000935 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-07-17 15:49 - 2012-07-18 16:32 - 00000000 ____D C:\Users\All Users\AVG Secure Search
2012-07-17 15:49 - 2012-07-18 16:32 - 00000000 ____D C:\Program Files\Common Files\AVG Secure Search
2012-07-17 15:48 - 2012-07-25 11:11 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2012-07-17 15:48 - 2012-07-17 16:01 - 00000000 ____D C:\Users\All Users\AVG2012
2012-07-17 15:47 - 2012-07-17 15:47 - 00000000 ____D C:\Program Files\AVG
2012-07-17 15:44 - 2012-07-25 11:13 - 00000000 ____D C:\Users\All Users\MFAData
2012-07-17 15:44 - 2012-07-17 15:44 - 03897504 ____A (AVG Technologies) C:\Users\Elizabeth\Downloads\avg_avct_stb_all_2012_1796_cm10.exe
2012-07-14 14:55 - 2012-07-14 14:55 - 00000496 ____A C:\Users\Elizabeth\Documents\state prison addresses.txt
2012-07-14 11:33 - 2012-07-14 11:33 - 00000000 ____D C:\Users\Elizabeth\AppData\Roaming\Gogii Games
2012-07-14 11:33 - 2012-07-14 11:33 - 00000000 ____D C:\Users\All Users\Gogii Games
2012-07-14 09:34 - 2012-07-14 09:34 - 00000000 ____D C:\Users\Elizabeth\AppData\Roaming\LegacyInteractive
2012-07-13 16:56 - 2012-07-13 16:56 - 00000000 ____D C:\Users\Elizabeth\AppData\Roaming\PlayFirst
2012-07-13 16:56 - 2012-07-13 16:56 - 00000000 ____D C:\Users\All Users\PlayFirst
2012-07-13 15:09 - 2012-07-13 15:09 - 00000000 ____D C:\Users\All Users\SpecialBit Games
2012-07-11 15:35 - 2012-07-11 15:35 - 09226440 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-07-11 14:46 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-11 14:46 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-11 14:46 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-11 14:46 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-11 14:46 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-11 14:46 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-11 14:46 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-11 14:46 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-11 14:46 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-11 14:45 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-11 14:45 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-11 14:45 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-11 14:45 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-11 14:45 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-11 14:42 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-10 15:48 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-10 15:48 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-10 15:48 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-10 15:48 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-10 15:48 - 2012-06-01 20:45 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-10 15:48 - 2012-06-01 20:45 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-10 15:48 - 2012-06-01 20:40 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-10 15:48 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-10 15:48 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-10 15:48 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-06-26 12:58 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-26 12:58 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-26 12:58 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-26 12:58 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-26 12:57 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-26 12:57 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-26 12:57 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-26 12:57 - 2012-06-02 11:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-26 12:57 - 2012-06-02 11:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe


============ 3 Months Modified Files ========================

2012-07-25 11:33 - 2012-03-07 15:11 - 01599965 ____A C:\Windows\WindowsUpdate.log
2012-07-25 11:15 - 2009-07-13 20:34 - 00016928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-25 11:15 - 2009-07-13 20:34 - 00016928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-25 11:13 - 2012-03-11 07:54 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-25 11:08 - 2012-03-11 07:54 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-25 11:08 - 2012-03-06 15:56 - 00008128 ____A C:\Windows\setupact.log
2012-07-25 11:08 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-25 10:54 - 2012-07-25 10:54 - 00015093 ____A C:\ComboFix.txt
2012-07-25 10:50 - 2009-07-13 18:04 - 00000242 ____A C:\Windows\system.ini
2012-07-25 10:47 - 2012-03-12 13:42 - 00030560 ____A C:\Windows\PFRO.log
2012-07-25 10:35 - 2012-06-22 02:30 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-25 10:32 - 2012-07-25 10:32 - 04585817 ____R (Swearware) C:\Users\Elizabeth\Desktop\ComboFix.exe
2012-07-25 10:32 - 2012-07-25 10:32 - 00000064 ____A C:\Users\Elizabeth\Desktop\catchme.log
2012-07-25 10:26 - 2012-07-25 10:26 - 02117108 ____A C:\Users\Elizabeth\Desktop\tdsskiller.zip
2012-07-25 10:26 - 2012-07-24 09:22 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Elizabeth\Desktop\TDSSKiller.exe
2012-07-24 11:27 - 2012-07-24 11:27 - 03028656 ____A (TeamViewer) C:\Users\Elizabeth\Desktop\TeamViewerQS_en.exe
2012-07-24 11:24 - 2012-07-24 11:24 - 00072764 ____A C:\Users\Elizabeth\Desktop\ark.txt
2012-07-24 10:54 - 2012-07-24 10:54 - 00020081 ____A C:\Users\Elizabeth\Desktop\Attach.txt
2012-07-24 10:53 - 2012-07-24 10:53 - 00012799 ____A C:\Users\Elizabeth\Desktop\DDS.txt
2012-07-24 10:51 - 2012-07-24 10:50 - 00000480 ____A C:\Users\Elizabeth\Desktop\defogger_disable.log
2012-07-24 10:50 - 2012-07-24 10:50 - 00000000 ____A C:\Users\Elizabeth\defogger_reenable
2012-07-24 10:50 - 2012-07-24 10:40 - 00000361 ____A C:\rkill.log
2012-07-24 10:47 - 2012-07-24 10:47 - 00294216 ____A C:\Users\Elizabeth\Desktop\gmer.zip
2012-07-24 10:46 - 2012-07-24 10:46 - 00607260 ____R (Swearware) C:\Users\Elizabeth\Desktop\dds.scr
2012-07-24 10:45 - 2012-07-24 10:45 - 00050477 ____A C:\Users\Elizabeth\Desktop\Defogger.exe
2012-07-24 10:38 - 2012-07-24 10:38 - 01012656 ____A C:\Users\Elizabeth\Desktop\iExplore.exe
2012-07-22 13:26 - 2012-07-22 13:26 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-22 13:25 - 2012-07-22 13:25 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Elizabeth\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-22 11:40 - 2012-07-22 11:40 - 177181242 ____A C:\Windows\MEMORY.DMP
2012-07-22 11:40 - 2012-07-22 11:40 - 00147024 ____A C:\Windows\Minidump\072212-47939-01.dmp
2012-07-22 08:08 - 2012-03-26 17:37 - 00000632 _RASH C:\Users\Elizabeth\ntuser.pol
2012-07-22 08:03 - 2009-07-13 20:53 - 00028816 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-17 15:50 - 2012-07-17 15:50 - 00000935 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-07-17 15:44 - 2012-07-17 15:44 - 03897504 ____A (AVG Technologies) C:\Users\Elizabeth\Downloads\avg_avct_stb_all_2012_1796_cm10.exe
2012-07-14 14:55 - 2012-07-14 14:55 - 00000496 ____A C:\Users\Elizabeth\Documents\state prison addresses.txt
2012-07-11 17:24 - 2009-07-13 20:33 - 00409752 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 15:35 - 2012-07-11 15:35 - 09226440 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerInstaller.exe
2012-07-11 15:35 - 2012-06-22 02:30 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-11 15:35 - 2012-03-11 09:00 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-11 14:45 - 2009-07-13 18:04 - 00000497 ____A C:\Windows\win.ini
2012-07-11 14:42 - 2012-03-05 17:19 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-03 09:46 - 2012-07-22 13:26 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-22 02:33 - 2012-03-05 16:33 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-11 18:40 - 2012-07-11 14:42 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:41 - 2012-07-10 15:48 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 21:05 - 2012-07-10 15:48 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-10 15:48 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-10 15:48 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-02 14:19 - 2012-06-26 12:58 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-26 12:58 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-26 12:58 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-26 12:57 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-26 12:57 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-26 12:58 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-26 12:57 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-26 12:57 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-26 12:57 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-11 14:45 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-11 14:45 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-11 14:46 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-11 14:45 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-11 14:46 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:25 - 2012-07-11 14:45 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:23 - 2012-07-11 14:45 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-11 14:46 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 14:46 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 14:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-11 14:46 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-11 14:46 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 14:46 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 14:46 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-10 15:48 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-10 15:48 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-10 15:48 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-10 15:48 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-10 15:48 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-30 11:44 - 2012-05-30 11:44 - 00001554 ____A C:\Users\Public\Documents\little moose.txt
2012-05-11 16:40 - 2012-05-11 16:40 - 00000332 ____A C:\Windows\Directx.log
2012-05-11 16:39 - 2012-05-11 16:39 - 00000000 _RASH C:\MSDOS.SYS
2012-05-11 16:39 - 2012-05-11 16:39 - 00000000 _RASH C:\IO.SYS
2012-05-01 05:05 - 2012-05-01 05:05 - 00665320 ____A C:\Users\Elizabeth\Downloads\emailNotifierSetup.exe
2012-04-30 20:44 - 2012-06-17 04:21 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:17 - 2012-06-17 04:21 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys


ZeroAccess:
C:\Windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}
C:\Windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\L
C:\Windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 4054.86 MB
Available physical RAM: 3567.92 MB
Total Pagefile: 4053.14 MB
Available Pagefile: 3571.29 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.3 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:297.99 GB) (Free:265.57 GB) NTFS
3 Drive f: (SECURE II) (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 1915 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 297 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 297 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1915 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F SECURE II FAT32 Removable 1915 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-21 09:07

======================= End Of Log ==========================



Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-25 15:40:09
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\erdnt\cache\services.exe
[2012-07-25 10:52] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===
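The search output above is what CatByte uses to confirm that the live services.exe was restored: every copy carries the same MD5 as the WinSxS component-store copy. As an added example (not from the thread and not part of FRST), the Python below parses that FRST search block format and flags any copy whose hash is not among the WinSxS hashes; the first sample is the thread's own output, while the second sample's mismatching hash, the Temp copy and its sizes are constructed to show what a patched or dropped copy would look like.

```python
"""Added example: check FRST 'Search:' output for services.exe copies
whose MD5 differs from the WinSxS component-store copy."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample 1: the three hits exactly as printed in the thread.
SAMPLE_CLEAN = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\erdnt\cache\services.exe
[2012-07-25 10:52] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===
"""

# Sample 2 (constructed, not from the thread): the System32 copy keeps its
# size and company string but carries a different hash, the way an in-place
# patched binary would, and an extra unsigned copy sits in a Temp folder.
SAMPLE_SUSPECT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-07-20 03:12] - 0259072 ____A (Microsoft Corporation) 0123456789ABCDEF0123456789ABCDEF

C:\Windows\erdnt\cache\services.exe
[2012-07-25 10:52] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Users\Elizabeth\AppData\Local\Temp\services.exe
[2012-07-20 03:12] - [2012-07-20 03:12] - 0001024 ____A 00000000000000000000000000000000

=== End Of Search ===
"""

# Metadata line FRST prints under each hit (format taken from the thread):
# [created] - [modified] - <size> <attrs> (<company>) <MD5>
# The "(company)" part is absent when the file has no version information.
_META = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)
_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Hit:
    path: str
    size: int
    company: str
    md5: str


def parse_search(text: str) -> list[Hit]:
    """Pair each path line with the metadata line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    hits: list[Hit] = []
    for path, meta in zip(lines, lines[1:]):
        if not _PATH.match(path):
            continue
        m = _META.match(meta)
        if m is None:
            continue  # a path with no metadata line (e.g. unreadable file)
        hits.append(Hit(path, int(m["size"]), m["company"] or "", m["md5"].upper()))
    return hits


def verify_copies(hits: list[Hit], reference_marker: str = "\\winsxs\\") -> tuple[bool, list[tuple[str, str]]]:
    """Return (clean, findings).

    The WinSxS copies are the reference: the servicing stack keeps the
    pristine binary there, so any copy whose MD5 is not among the WinSxS
    hashes has been replaced or patched. Findings are (path, reason) pairs.
    """
    refs = [h for h in hits if reference_marker in h.path.lower()]
    if not refs:
        raise ValueError("search output contains no WinSxS reference copy")
    known = {h.md5 for h in refs}
    sizes = {h.size for h in refs}
    findings: list[tuple[str, str]] = []
    for h in hits:
        if h.md5 in known:
            continue
        reason = "MD5 not in component store"
        if h.size not in sizes:
            reason += f", size {h.size} differs"
        if h.company != refs[0].company:
            reason += f", company '{h.company or '-'}' differs"
        findings.append((h.path, reason))
    return not findings, findings


if __name__ == "__main__":
    for label, sample in (("thread output", SAMPLE_CLEAN), ("constructed", SAMPLE_SUSPECT)):
        clean, findings = verify_copies(parse_search(sample))
        print(f"{label}: {'all copies match WinSxS' if clean else 'MISMATCH'}")
        for path, reason in findings:
            print(f"  {path}: {reason}")
```

Note that a hash match against WinSxS only proves the copy is the stock binary for that component version; it does not detect the hidden ZeroAccess directory itself, which is why the helper also reviews the created-files and ZeroAccess sections of FRST.txt.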

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 July 2012 - 02:49 PM

Looking much better :)

we just have a little more work to do

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 bigt0242000
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Location:Georgia, USA

Posted 25 July 2012 - 03:23 PM

Here is the fixlog and the mbam log. Running ESET now.



Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-25 15:54:29 Run:1
Running from F:\

==============================================

C:\Windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434} moved successfully.

==== End of Fixlog ====




Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.25.08

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Elizabeth :: ELIZABETH-PC [administrator]

Protection: Enabled

7/25/2012 3:57:07 PM
mbam-log-2012-07-25 (15-57-07).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 204515
Time elapsed: 7 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{09971cee-01b8-42bc-9d91-456b1faad6be} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{09971cee-01b8-42bc-9d91-456b1faad6be} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#8 bigt0242000
  • Topic Starter

Posted 25 July 2012 - 04:05 PM

And here is the ESET scan results.



C:\ProgramData\Microsoft\Windows\DRM\FC62.tmp a variant of Win32/Kryptik.AITT trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{c550c35a-259b-9fea-dc34-fa91010e9434}\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win32/Sirefef.FC trojan
C:\TDSSKiller_Quarantine\25.07.2012_14.26.42\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AYI trojan
C:\TDSSKiller_Quarantine\25.07.2012_14.26.42\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\25.07.2012_14.26.42\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AYH trojan
C:\TDSSKiller_Quarantine\25.07.2012_14.26.42\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AL trojan
C:\TDSSKiller_Quarantine\25.07.2012_14.26.42\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.NH trojan
C:\TDSSKiller_Quarantine\25.07.2012_14.26.42\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\25.07.2012_14.26.42\mbr0000\tdlfs0000\tsk0010.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\25.07.2012_14.26.42\mbr0000\tdlfs0000\tsk0011.dta Win64/Olmarik.AK trojan
C:\Users\All Users\Microsoft\Windows\DRM\FC62.tmp a variant of Win32/Kryptik.AITT trojan
C:\Users\Elizabeth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\5e0d9b8f-79237833 multiple threats

#9 CatByte
  • Malware Response Team

Posted 25 July 2012 - 04:10 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\ProgramData\Microsoft\Windows\DRM\FC62.tmp 
C:\Users\All Users\Microsoft\Windows\DRM\FC62.tmp 
C:\Users\Elizabeth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\5e0d9b8f-79237833 
 
ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save.

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT

Your Java is out of date, so go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it. Now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp


NEXT


Please advise how your computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 bigt0242000
  • Topic Starter

Posted 25 July 2012 - 04:29 PM

Here's the log.


ComboFix 12-07-26.04 - Elizabeth 07/25/2012 17:20:21.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3031.2066 [GMT -4:00]
Running from: c:\users\Elizabeth\Desktop\ComboFix.exe
Command switches used :: c:\users\Elizabeth\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\Microsoft\Windows\DRM\FC62.tmp"
"c:\users\All Users\Microsoft\Windows\DRM\FC62.tmp"
"c:\users\Elizabeth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\5e0d9b8f-79237833"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\DRM\FC62.tmp
c:\users\All Users\Microsoft\Windows\DRM\FC62.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))
.
.
2012-07-25 23:37 . 2012-07-25 23:38 -------- d-----w- C:\FRST
2012-07-25 21:25 . 2012-07-25 21:25 -------- d-----w- c:\users\Elizabeth\AppData\Local\temp
2012-07-25 21:25 . 2012-07-25 21:25 -------- d-----w- c:\users\DJ\AppData\Local\temp
2012-07-25 21:25 . 2012-07-25 21:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-25 20:17 . 2012-07-25 20:17 -------- d-----w- c:\program files\ESET
2012-07-25 18:44 . 2012-07-25 18:44 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{46F8E9D5-E0DA-4A7E-B448-786BF8A4A556}\offreg.dll
2012-07-25 18:27 . 2012-07-25 18:27 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-22 23:43 . 2012-07-22 23:43 -------- d-----w- c:\users\Elizabeth\temp
2012-07-22 23:43 . 2012-07-22 23:43 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\TeamViewer
2012-07-22 21:26 . 2012-07-22 21:26 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\Malwarebytes
2012-07-22 21:26 . 2012-07-22 22:06 -------- d-----w- c:\programdata\Malwarebytes
2012-07-22 21:26 . 2012-07-22 21:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-22 21:26 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-22 19:16 . 2012-07-22 19:16 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-22 19:10 . 2012-07-22 19:10 -------- d-----w- c:\windows\Sun
2012-07-22 17:17 . 2012-07-22 17:19 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\Mysteryville2
2012-07-22 17:05 . 2012-07-22 17:05 -------- d-----w- c:\program files\AVG Secure Search
2012-07-21 09:19 . 2012-07-21 09:21 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\ooVoo Details
2012-07-19 23:08 . 2012-07-19 23:08 -------- d-----w- c:\users\Elizabeth\AppData\Local\AVG Secure Search
2012-07-18 00:24 . 2012-07-18 00:24 -------- d-----w- C:\$AVG
2012-07-17 23:51 . 2012-07-17 23:51 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\AVG2012
2012-07-17 23:49 . 2012-07-19 00:32 -------- d-----w- c:\programdata\AVG Secure Search
2012-07-17 23:49 . 2012-07-19 00:32 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2012-07-17 23:48 . 2012-07-25 19:11 -------- d-----w- c:\windows\system32\drivers\AVG
2012-07-17 23:48 . 2012-07-18 00:01 -------- d-----w- c:\programdata\AVG2012
2012-07-17 23:47 . 2012-07-17 23:47 -------- d-----w- c:\program files\AVG
2012-07-17 23:45 . 2012-07-17 23:45 -------- d--h--w- c:\programdata\Common Files
2012-07-17 23:44 . 2012-07-25 19:13 -------- d-----w- c:\programdata\MFAData
2012-07-14 19:33 . 2012-07-14 19:33 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\Gogii Games
2012-07-14 19:33 . 2012-07-14 19:33 -------- d-----w- c:\programdata\Gogii Games
2012-07-14 17:34 . 2012-07-14 17:34 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\LegacyInteractive
2012-07-14 00:56 . 2012-07-14 00:56 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\PlayFirst
2012-07-14 00:56 . 2012-07-14 00:56 -------- d-----w- c:\programdata\PlayFirst
2012-07-13 23:09 . 2012-07-13 23:09 -------- d-----w- c:\programdata\SpecialBit Games
2012-07-11 23:35 . 2012-07-11 23:35 9226440 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-07-11 22:46 . 2012-06-02 08:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-07-11 22:46 . 2012-06-02 09:08 140920 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2012-07-11 22:46 . 2012-06-02 08:22 194560 ----a-w- c:\program files\Internet Explorer\ieproxy.dll
2012-07-11 22:46 . 2012-06-02 08:21 194048 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2012-07-11 22:46 . 2012-06-02 08:25 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-07-11 22:46 . 2012-06-02 08:20 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-07-11 22:46 . 2012-06-02 08:33 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-07-11 22:45 . 2012-06-02 09:08 748664 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2012-07-11 22:45 . 2012-06-02 08:27 678912 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2012-07-11 22:45 . 2012-06-02 08:26 387584 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll
2012-07-11 22:45 . 2012-06-02 08:25 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-07-11 22:42 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-26 20:58 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-26 20:58 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-26 20:58 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-26 20:58 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-26 20:57 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-26 20:57 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-26 20:57 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-26 20:57 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-26 20:57 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 23:35 . 2012-06-22 10:30 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-11 23:35 . 2012-03-11 17:00 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-01 04:44 . 2012-06-17 12:21 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:17 . 2012-06-17 12:21 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-07-22 17:05 1811296 ----a-w- c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-07-22 1811296]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Elizabeth^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\users\Elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 14:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 02:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-10-27 23:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2012-01-24 21:24 2416480 ----a-w- c:\program files\AVG\AVG2012\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2010-03-25 02:50 2516296 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2010-04-02 14:18 1185112 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2011-02-12 00:26 171032 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2011-02-12 00:26 137752 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-07-03 17:46 462920 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2011-02-12 00:26 172568 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2012-03-11 15:54 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vProt]
2012-07-22 17:05 939872 ----a-w- c:\program files\AVG Secure Search\vprot.exe
.
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R4 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [x]
R4 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R4 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [x]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-22 23:35]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-11 15:54]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-11 15:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 208.67.220.220 208.67.222.222 75.75.75.75
TCP: Interfaces\{247E51A1-2723-4A79-94CC-06F75FAC6C83}: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{247E51A1-2723-4A79-94CC-06F75FAC6C83}\84F4D454D213132423: NameServer = 208.67.222.222,208.67.220.220
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-25 17:26:54
ComboFix-quarantined-files.txt 2012-07-25 21:26
ComboFix2.txt 2012-07-25 18:54
.
Pre-Run: 284,489,023,488 bytes free
Post-Run: 284,222,914,560 bytes free
.
- - End Of File - - 826DD4C27A936588E4DD7BCA9E5A107A

#11 CatByte
  • Malware Response Team

Posted 25 July 2012 - 05:24 PM

looking good :)

how is the computer running now? Are there any outstanding issues?

check and make sure Windows Updates are working (this infection has sometimes been known to break that service)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 bigt0242000
  • Topic Starter

Posted 25 July 2012 - 08:50 PM

Looks like everything is back to normal. It will not install updates and the BITS service is missing from the services list.

#13 CatByte
  • Malware Response Team

Posted 25 July 2012 - 09:08 PM

please do the following:

Click WinKey + R to open a run box > type notepad into the open run box > OK > this will open Notepad

Click Format and make certain that Word Wrap is NOT checked.

Copy/Paste the text inside of the code box into the open Notepad


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"Last Counter"=dword:00000fc8
"Last Help"=dword:00000fc9
"First Counter"=dword:00000fb8
"First Help"=dword:00000fb9
"Object List"="4024"
"1008"=hex(b):50,94,22,ad,0d,ad,cc,01
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,94,00,00,00,a4,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,\
  00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00


Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

Posted Image

Locate the fixme.reg icon on your desktop and double-click it. An information box will pop up asking if you want to merge the information in the file into the registry; click YES.

Once the file has run, the information will have merged with your registry, so you can delete fixme.reg from your desktop as you won't be needing it any more.


Now reboot and retry the Windows updates

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
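
Most of the .reg fix above is hex-encoded, so it is hard to see by eye what merging it actually writes under the BITS service key. The Python below is an added example (not part of CatByte's fix or any BleepingComputer tool): it embeds an excerpt of the posted file (DisplayName, ImagePath, Start, Type, DependOnService and ServiceDll), rejoins regedit's backslash-wrapped lines, decodes the hex(2) REG_EXPAND_SZ, hex(7) REG_MULTI_SZ, hex(b) REG_QWORD and dword syntaxes, and then checks the decoded values against the stock Windows 7 BITS configuration that the posted file sets (svchost.exe -k netsvcs hosting qmgr.dll, dependent on RpcSs and EventSystem). The check values are read off the posted file itself; the function names are the example's own.

```python
import re
from typing import Dict, List, Union

# Excerpt of the BITS restore .reg posted in this thread (the full file also sets
# the Performance and Security subkeys, which are left out here).
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
'''

BITS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS"
RegValue = Union[str, int, List[str], bytes]


def _join_continuations(text: str) -> List[str]:
    """Rejoin lines that regedit wrapped with a trailing backslash."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        lines.append(line)
    if buf:
        lines.append(buf)
    return lines


def _decode(data: str) -> RegValue:
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        # REG_SZ: regedit escapes backslash and double quote with a backslash
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.fullmatch(r"hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>[0-9a-fA-F,]*)", data)
    if m is None:
        raise ValueError(f"unsupported value syntax: {data!r}")
    reg_type = int(m.group("type"), 16) if m.group("type") else 3  # bare "hex:" is REG_BINARY
    blob = bytes(int(b, 16) for b in m.group("bytes").split(",") if b)
    if reg_type in (1, 2):   # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return blob.decode("utf-16-le").rstrip("\x00")
    if reg_type == 7:        # REG_MULTI_SZ: NUL-separated UTF-16LE strings, double NUL at the end
        return [s for s in blob.decode("utf-16-le").split("\x00") if s]
    if reg_type == 0xB:      # REG_QWORD: little-endian 64-bit integer
        return int.from_bytes(blob, "little")
    return blob              # REG_BINARY and anything else: raw bytes


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value name: value}}."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            raise ValueError(f"value outside any key: {line!r}")
        if line.startswith("@="):               # the key's default value
            name, data = "@", line[2:]
        else:
            m = re.fullmatch(r'"(?P<name>[^"]+)"=(?P<data>.*)', line)
            if m is None:
                raise ValueError(f"unexpected line: {line!r}")
            name, data = m.group("name"), m.group("data")
        keys[current][name] = _decode(data)
    return keys


def check_bits_fix(text: str) -> List[str]:
    """Compare the decoded BITS values with the stock Windows 7 configuration the
    posted fix restores; an empty list means the file sets exactly what is expected."""
    keys = parse_reg(text)
    svc = keys.get(BITS_KEY, {})
    params = keys.get(BITS_KEY + r"\Parameters", {})
    problems: List[str] = []
    for where, name, want in (
        (svc, "ImagePath", r"%systemroot%\system32\svchost.exe -k netsvcs"),
        (params, "ServiceDll", r"%systemroot%\system32\qmgr.dll"),
    ):
        got = where.get(name)
        if not isinstance(got, str) or got.lower() != want:
            problems.append(f"{name} = {got!r}, expected {want!r}")
    if svc.get("Start") != 2:
        problems.append(f"Start = {svc.get('Start')!r}, expected 2 (automatic)")
    if svc.get("Type") != 0x20:
        problems.append(f"Type = {svc.get('Type')!r}, expected 0x20 (shared svchost process)")
    if svc.get("DependOnService") != ["RpcSs", "EventSystem"]:
        problems.append(f"DependOnService = {svc.get('DependOnService')!r}")
    return problems


if __name__ == "__main__":
    for key, values in parse_reg(REG_TEXT).items():
        print(key)
        for name, value in values.items():
            print(f"  {name} = {value!r}")
    print("problems:", check_bits_fix(REG_TEXT) or "none")
```

Run it as-is and it prints the decoded values (ImagePath resolves to `%SystemRoot%\system32\svchost.exe -k netsvcs`, ServiceDll to `%systemroot%\system32\qmgr.dll`) and reports no problems; point `check_bits_fix` at any other .reg you are asked to merge and it flags a service that has been re-pointed at a different host process or DLL, or left disabled (Start = 4).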


#14 bigt0242000
  • Topic Starter

Posted 25 July 2012 - 09:24 PM

That solved that issue. Thanks for the quick help. One last question, should I leave AVG on here or should I change to MSE, Avast, or Avira?

EDIT: I am noticing that I'm getting an occasional redirect when going to an address that I typed in the address bar.

Edited by bigt0242000, 25 July 2012 - 09:30 PM.


#15 CatByte
  • Malware Response Team

Posted 25 July 2012 - 09:36 PM

please run the following:


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /rp /s
    DRIVES
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

should I leave AVG on here or should I change to MSE, Avast, or Avira?


personally I use MSE, but Avast and Avira are both excellent

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




