Windows critical error, automatic shutdown.


  • This topic is locked
13 replies to this topic

#1 FruitsPonchiSG

  • Members
  • Location:Portugal

Posted 31 July 2012 - 09:24 AM

Yesterday I was infected with Live Security Platinum, which I've never heard about, but I was able to get rid of it with Malwarebytes' Anti-Malware. After that I noticed that Microsoft Security Essentials needed an update, so I updated it. Problem is, after 30 minutes or so I get the "Windows has encountered a critical error and will restart automatically in one minute. Please save your work." message. MSE detected 2 Trojans, C:\Windows\System32\services.exe and services731.
Now every time I start up my computer, after some seconds I get the same message and my computer restarts in 1 minute. I tried some solutions to fix this, including using the "shutdown -a" shortcut and choosing Disable Automatic Restart On System Failure in the Advanced Boot Options menu.
None of that worked.

My problem is identical to the topic "Virus + critical error shutdown" started by cbritton7, about a month ago (http://www.bleepingcomputer.com/forums/topic458922.html).

I'm running Windows 7 32-bit Home Premium.


Farbar Recovery Scan Tool scan log:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 31-07-2012 23:30:52
Running from E:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 192.168.1.254

================================ Services (Whitelisted) ==================

2 AdvancedSystemCareService5; C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe [913752 2012-03-14] (IObit)
2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService [291840 2012-06-11] (Advanced Micro Devices, Inc.)
2 AsSysCtrlService; C:\Program Files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [90112 2009-08-19] (ASUSTeK Computer Inc.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2012-05-10] ()
2 RalinkRegistryWriter; "C:\Program Files\Edimax\Common\RaRegistry.exe" [185632 2009-12-16] (Ralink Technology, Corp.)
2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [158856 2012-05-02] (Skype Technologies)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

2 AODDriver4.1; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [45184 2012-03-05] (Advanced Micro Devices)
1 AsIO; C:\Windows\System32\drivers\AsIO.sys [11296 2009-08-04] ()
1 AsUpIO; C:\Windows\System32\drivers\AsUpIO.sys [11448 2009-07-06] ()
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [13216 2009-07-16] ()
1 prodrv06; C:\Windows\System32\drivers\prodrv06.sys [80576 2004-10-07] (Protection Technology)
0 prohlp02; C:\Windows\System32\drivers\prohlp02.sys [115744 2004-10-07] (Protection Technology)
3 pwdrvio; \??\C:\Windows\system32\pwdrvio.sys [16472 2011-09-02] ()
3 pwdspio; \??\C:\Windows\system32\pwdspio.sys [11104 2011-09-02] ()
0 sfhlp01; C:\Windows\System32\drivers\sfhlp01.sys [4832 2003-12-01] (Protection Technology)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2011-12-30] (Duplex Secure Ltd.)
3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [x]
3 hwdatacard; C:\Windows\System32\DRIVERS\ewusbmdm.sys [x]
3 XDva398; \??\C:\Windows\system32\XDva398.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-30 09:27 - 2012-07-30 09:27 - 00000000 ____D C:\FRST
2012-07-30 09:17 - 2012-07-30 09:17 - 00000021 ____A C:\Users\Utilizador\AppData\Roaming\mbam.context.scan
2012-07-30 08:57 - 2012-07-30 08:57 - 00000000 ____D C:\Windows\pss
2012-07-30 08:48 - 2012-07-30 08:49 - 00000928 ____A C:\Users\Utilizador\Desktop\shutdown -a.lnk
2012-07-30 08:48 - 2012-07-30 08:48 - 00000000 ____D C:\Users\Utilizador\Desktop\Nova pasta
2012-07-30 08:38 - 2012-07-30 08:38 - 00000528 ____A C:\Users\Utilizador\Desktop\shutdown.lnk
2012-07-29 16:25 - 2012-07-29 16:25 - 10299264 ____A (Microsoft Corporation) C:\Users\Utilizador\Downloads\mseinstall.exe
2012-07-29 15:44 - 2012-07-29 15:45 - 25175732 ____A C:\Users\Utilizador\Desktop\Crimson_Tide_v2-2-12798-2-2.rar
2012-07-29 14:36 - 2012-07-29 14:36 - 00000878 ____A C:\Windows\PFRO.log
2012-07-29 14:32 - 2012-07-29 14:32 - 00000137 ____A C:\Users\Utilizador\Desktop\XuanLong.txt
2012-07-29 14:10 - 2012-07-29 14:10 - 00001027 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-29 14:09 - 2012-07-29 14:10 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Utilizador\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-29 13:42 - 2012-07-29 13:59 - 00000000 ____D C:\Users\All Users\C2116798A819B937A14FF0154F147CE7
2012-07-29 10:25 - 2012-07-31 14:18 - 00001232 ____A C:\Windows\setupact.log
2012-07-29 10:25 - 2012-07-29 10:25 - 00000000 ____A C:\Windows\setuperr.log
2012-07-26 16:51 - 2012-07-26 16:52 - 00000212 ____A C:\Users\Utilizador\Desktop\aseverdgv.txt
2012-07-24 12:52 - 2012-07-24 12:52 - 00039435 ____A C:\Users\Utilizador\Desktop\TK_Dodge-20923-0-3.7z
2012-07-22 19:11 - 2012-07-22 19:11 - 00000145 ____A C:\Users\Utilizador\Documents\TMFOREVERACCOUNT.txt
2012-07-22 19:08 - 2012-07-22 19:18 - 00000000 ____D C:\Users\All Users\TmForever
2012-07-22 15:03 - 2012-07-22 15:22 - 530600781 ____A C:\Users\Utilizador\Downloads\tmnationsforever_setup.exe
2012-07-20 20:00 - 2012-07-20 20:00 - 00000000 ____D C:\Users\Utilizador\Documents\WB Games
2012-07-20 07:39 - 2012-07-20 07:39 - 00007878 ____A C:\Users\Utilizador\Desktop\ReciboPedido.aspx.htm
2012-07-20 07:39 - 2012-07-20 07:39 - 00000000 ____D C:\Users\Utilizador\Desktop\ReciboPedido.aspx_ficheiros
2012-07-18 06:34 - 2012-07-18 06:35 - 00000000 ____D C:\Users\Utilizador\Documents\Ficheiros do Outlook
2012-07-18 04:36 - 2012-07-22 15:03 - 00000000 ____D C:\Program Files\JDownloader
2012-07-18 04:35 - 2012-07-18 04:35 - 00081488 ____A (AppWork UG (haftungsbeschränkt)) C:\Users\Utilizador\Downloads\JDwonloader.exe
2012-07-18 04:31 - 2012-07-18 04:35 - 00000000 ____D C:\Program Files\RapidShare Downloader
2012-07-16 19:21 - 2012-07-16 19:21 - 00000000 ____D C:\Users\Utilizador\Desktop\[Nipponsei] Yuru Yuri 2 ED Single - 100% Chuugakusei [Nanamorichu Goraku Bu]
2012-07-16 19:19 - 2012-07-16 19:19 - 00000000 ____D C:\Users\Utilizador\Desktop\[Nipponsei] Yuru Yuri 2 OP Single - Yes! Yuyuyu Yuru Yuri [Nanamorichu Goraku Bu]
2012-07-10 16:22 - 2012-07-29 14:10 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-07-10 16:22 - 2012-07-10 16:22 - 00000000 ____D C:\Users\Utilizador\AppData\Roaming\Malwarebytes
2012-07-10 16:22 - 2012-07-10 16:22 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-07-10 16:22 - 2012-07-03 04:46 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-08 15:08 - 2012-07-08 15:08 - 00000000 ____D C:\Users\Public\Documents\Explorer Suite Signatures
2012-07-08 15:08 - 2012-07-08 15:08 - 00000000 ____D C:\Program Files\NTCore
2012-07-08 12:02 - 2012-07-08 12:02 - 00000000 ____D C:\Users\Utilizador\AppData\Roaming\ts3overlay
2012-07-08 12:00 - 2012-07-08 12:14 - 00000000 ____D C:\Users\Utilizador\AppData\Roaming\TS3Client

============ 3 Months Modified Files ========================

2012-07-31 14:18 - 2012-07-29 10:25 - 00001232 ____A C:\Windows\setupact.log
2012-07-31 14:18 - 2011-12-28 10:18 - 00001004 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-31 14:18 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-30 13:16 - 2011-12-28 12:06 - 01547024 ____A C:\Windows\WindowsUpdate.log
2012-07-30 09:17 - 2012-07-30 09:17 - 00000021 ____A C:\Users\Utilizador\AppData\Roaming\mbam.context.scan
2012-07-30 08:49 - 2012-07-30 08:48 - 00000928 ____A C:\Users\Utilizador\Desktop\shutdown -a.lnk
2012-07-30 08:38 - 2012-07-30 08:38 - 00000528 ____A C:\Users\Utilizador\Desktop\shutdown.lnk
2012-07-30 08:29 - 2011-12-28 06:30 - 00002243 ____A C:\Windows\epplauncher.mif
2012-07-29 16:57 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-29 16:35 - 2011-12-28 10:18 - 00001008 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-29 16:26 - 2011-12-28 06:03 - 01666040 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-29 16:26 - 2009-07-14 00:31 - 00720682 ____A C:\Windows\System32\prfh0816.dat
2012-07-29 16:26 - 2009-07-14 00:31 - 00152564 ____A C:\Windows\System32\prfc0816.dat
2012-07-29 16:25 - 2012-07-29 16:25 - 10299264 ____A (Microsoft Corporation) C:\Users\Utilizador\Downloads\mseinstall.exe
2012-07-29 15:45 - 2012-07-29 15:44 - 25175732 ____A C:\Users\Utilizador\Desktop\Crimson_Tide_v2-2-12798-2-2.rar
2012-07-29 15:30 - 2012-02-28 21:44 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-29 14:43 - 2009-07-13 20:34 - 00018928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-29 14:43 - 2009-07-13 20:34 - 00018928 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-29 14:36 - 2012-07-29 14:36 - 00000878 ____A C:\Windows\PFRO.log
2012-07-29 14:32 - 2012-07-29 14:32 - 00000137 ____A C:\Users\Utilizador\Desktop\XuanLong.txt
2012-07-29 14:10 - 2012-07-29 14:10 - 00001027 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-29 14:10 - 2012-07-29 14:09 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Utilizador\Downloads\mbam-setup-1.62.0.1300.exe
2012-07-29 13:42 - 2012-02-28 21:44 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-29 13:42 - 2012-02-28 21:44 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-29 10:25 - 2012-07-29 10:25 - 00000000 ____A C:\Windows\setuperr.log
2012-07-28 20:03 - 2012-01-02 12:11 - 00108032 ____A C:\Users\Utilizador\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-26 16:52 - 2012-07-26 16:51 - 00000212 ____A C:\Users\Utilizador\Desktop\aseverdgv.txt
2012-07-24 12:52 - 2012-07-24 12:52 - 00039435 ____A C:\Users\Utilizador\Desktop\TK_Dodge-20923-0-3.7z
2012-07-22 19:11 - 2012-07-22 19:11 - 00000145 ____A C:\Users\Utilizador\Documents\TMFOREVERACCOUNT.txt
2012-07-22 15:22 - 2012-07-22 15:03 - 530600781 ____A C:\Users\Utilizador\Downloads\tmnationsforever_setup.exe
2012-07-20 07:39 - 2012-07-20 07:39 - 00007878 ____A C:\Users\Utilizador\Desktop\ReciboPedido.aspx.htm
2012-07-18 16:13 - 2012-02-28 21:29 - 02849488 ____A (DownloadBoosters LLC) C:\Users\Utilizador\Documents\update133.exe
2012-07-18 04:35 - 2012-07-18 04:35 - 00081488 ____A (AppWork UG (haftungsbeschränkt)) C:\Users\Utilizador\Downloads\JDwonloader.exe
2012-07-03 04:46 - 2012-07-10 16:22 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-02 14:58 - 2012-03-02 19:32 - 00281288 ____A C:\Windows\System32\PnkBstrB.xtr
2012-07-02 14:58 - 2012-03-02 19:13 - 00138992 ____A C:\Windows\System32\Drivers\PnkBstrK.sys
2012-07-02 14:58 - 2012-03-02 19:12 - 00281288 ____A C:\Windows\System32\PnkBstrB.exe
2012-07-02 10:15 - 2012-03-02 19:12 - 00281288 ____A C:\Windows\System32\PnkBstrB.ex0
2012-06-23 15:36 - 2012-06-23 15:32 - 44723745 ____A C:\Users\Utilizador\Desktop\[Nipponsei] Sankarea ED Single - Above your hand [Annabel].zip
2012-06-20 07:06 - 2009-07-13 20:53 - 00032568 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-11 10:58 - 2012-06-11 10:58 - 08733696 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmdag.sys
2012-06-11 10:35 - 2012-06-11 10:35 - 00058880 ____A (AMD) C:\Windows\System32\coinst_8.98.dll
2012-06-11 10:00 - 2012-06-11 10:00 - 20467712 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atioglxx.dll
2012-06-11 09:26 - 2012-06-11 09:26 - 00263840 ____A C:\Windows\System32\atiapfxx.blb
2012-06-11 09:25 - 2012-06-11 09:25 - 00163840 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atiapfxx.exe
2012-06-11 09:24 - 2011-12-28 06:25 - 00924160 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\aticfx32.dll
2012-06-11 09:20 - 2012-06-11 09:20 - 00442368 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\ATIDEMGX.dll
2012-06-11 09:19 - 2012-06-11 09:19 - 00468992 ____A (AMD) C:\Windows\System32\atieclxx.exe
2012-06-11 09:19 - 2012-06-11 09:19 - 00217600 ____A (AMD) C:\Windows\System32\atiesrxx.exe
2012-06-11 09:17 - 2012-06-11 09:17 - 00163840 ____A (AMD) C:\Windows\System32\atitmmxx.dll
2012-06-11 09:17 - 2012-06-11 09:17 - 00043520 ____A (ATI Technologies, Inc.) C:\Windows\System32\ati2edxx.dll
2012-06-11 09:17 - 2012-06-11 09:17 - 00020992 ____A (AMD) C:\Windows\System32\atimuixx.dll
2012-06-11 09:16 - 2011-12-28 06:25 - 06301696 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atidxx32.dll
2012-06-11 08:45 - 2012-06-11 08:45 - 00046080 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticalrt.dll
2012-06-11 08:45 - 2012-06-11 08:45 - 00044032 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticalcl.dll
2012-06-11 08:45 - 2012-03-08 20:23 - 05480448 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumdag.dll
2012-06-11 08:43 - 2012-03-08 20:23 - 04729344 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumdva.dll
2012-06-11 08:41 - 2012-06-11 08:41 - 02971136 ____A C:\Windows\System32\atiumdva.cap
2012-06-11 08:40 - 2012-06-11 08:40 - 13277696 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticaldd.dll
2012-06-11 08:26 - 2012-06-11 08:26 - 00368640 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atiadlxx.dll
2012-06-11 08:26 - 2012-06-11 08:26 - 00033280 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atigktxx.dll
2012-06-11 08:26 - 2012-06-11 08:26 - 00014848 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiglpxx.dll
2012-06-11 08:25 - 2012-06-11 08:25 - 00295936 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmpag.sys
2012-06-11 08:25 - 2011-12-28 06:25 - 00042496 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiuxpag.dll
2012-06-11 08:24 - 2012-06-11 08:24 - 00053248 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\ati2erec.dll
2012-06-11 08:24 - 2012-03-08 19:56 - 00032768 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiu9pag.dll
2012-06-11 08:23 - 2012-06-11 08:23 - 00056832 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atimpc32.dll
2012-06-11 08:23 - 2012-06-11 08:23 - 00056832 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\amdpcom32.dll
2012-06-11 04:50 - 2012-06-11 04:50 - 00159232 ____A C:\Windows\System32\clinfo.exe
2012-06-11 04:50 - 2012-06-11 04:50 - 00065024 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OpenVideo.dll
2012-06-11 04:50 - 2012-06-11 04:50 - 00056320 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OVDecode.dll
2012-06-11 04:49 - 2012-06-11 04:49 - 13008896 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\amdocl.dll
2012-06-08 06:34 - 2012-06-08 06:34 - 00000066 ____A C:\Windows\wininit.ini
2012-06-07 12:03 - 2009-07-13 20:33 - 03771072 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-07 05:51 - 2012-06-07 05:51 - 03970928 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-06-07 05:51 - 2012-06-07 05:51 - 03915632 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-07 05:51 - 2012-06-07 05:51 - 02351104 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-07 05:51 - 2012-06-07 05:51 - 00056688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-06-07 05:50 - 2012-06-07 05:50 - 01303408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-06-07 05:50 - 2012-06-07 05:50 - 00187248 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-06-07 05:45 - 2012-06-07 05:45 - 01170944 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2012-06-07 05:45 - 2012-06-07 05:45 - 01077248 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-06-07 05:45 - 2012-06-07 05:45 - 00739840 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2012-06-07 05:45 - 2012-06-07 05:45 - 00218624 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2012-06-07 05:45 - 2012-06-07 05:45 - 00161792 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2012-06-07 05:18 - 2012-06-07 05:18 - 52211712 ____A C:\Windows\System32\config\SOFTWARE.iobit
2012-06-07 05:18 - 2012-06-07 05:18 - 19406848 ____A C:\Windows\System32\config\SYSTEM.iobit
2012-06-07 05:18 - 2012-06-07 05:18 - 00204800 ____A C:\Windows\System32\config\DEFAULT.iobit
2012-06-07 05:18 - 2012-06-07 05:18 - 00061440 ____A C:\Windows\System32\config\SAM.iobit
2012-06-07 05:18 - 2012-06-07 05:18 - 00028672 ____A C:\Windows\System32\config\SECURITY.iobit
2012-05-27 15:44 - 2012-05-27 15:07 - 167483972 ____A C:\Users\Utilizador\Desktop\BadAppleScreensaver.rar
2012-05-21 17:06 - 2012-05-21 05:33 - 68234668 ____A C:\Users\Utilizador\Desktop\[Nipponsei] Fate Zero OP Single - oath sign [LiSA].zip
2012-05-21 05:57 - 2012-05-21 05:33 - 42869575 ____A C:\Users\Utilizador\Desktop\[Nipponsei] Fate Zero ED Single - MEMORIA [Aoi Eir].zip
2012-05-16 17:18 - 2012-05-16 17:15 - 56812674 ____A C:\Users\Utilizador\Desktop\[Nipponsei] Acchi Kocchi OP Single - Acchi de Kocchi de [Various].zip
2012-05-16 17:18 - 2012-05-16 17:15 - 55020341 ____A C:\Users\Utilizador\Desktop\[Nipponsei] Acchi Kocchi ED Single - Te wo Gyu bleepe ne [Ookubo Rumi].zip
2012-05-13 15:25 - 2012-05-13 15:38 - 00132880 ____A (Microsoft Corporation) C:\Windows\MSINET.OCX
2012-05-10 13:33 - 2012-03-02 19:13 - 00138904 ____A C:\Users\Utilizador\AppData\Roaming\PnkBstrK.sys
2012-05-10 13:33 - 2012-03-02 19:12 - 00076888 ____A C:\Windows\System32\PnkBstrA.exe
2012-05-08 15:53 - 2012-05-08 15:49 - 115678040 ____A (Advanced Micro Devices, Inc.) C:\Users\Utilizador\Downloads\12-4_vista_win7_32_dd_ccc.exe


ZeroAccess:
C:\Windows\Installer\{15260e81-448c-073d-39f1-09ffa7872a77}
C:\Windows\Installer\{15260e81-448c-073d-39f1-09ffa7872a77}\@
C:\Windows\Installer\{15260e81-448c-073d-39f1-09ffa7872a77}\L
C:\Windows\Installer\{15260e81-448c-073d-39f1-09ffa7872a77}\n
C:\Windows\Installer\{15260e81-448c-073d-39f1-09ffa7872a77}\U
C:\Windows\Installer\{15260e81-448c-073d-39f1-09ffa7872a77}\U\00000001.@

ZeroAccess:
C:\Users\Utilizador\AppData\Local\{15260e81-448c-073d-39f1-09ffa7872a77}
C:\Users\Utilizador\AppData\Local\{15260e81-448c-073d-39f1-09ffa7872a77}\@
C:\Users\Utilizador\AppData\Local\{15260e81-448c-073d-39f1-09ffa7872a77}\L
C:\Users\Utilizador\AppData\Local\{15260e81-448c-073d-39f1-09ffa7872a77}\n
C:\Users\Utilizador\AppData\Local\{15260e81-448c-073d-39f1-09ffa7872a77}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2012-02-22 09:09] - [2011-02-25 21:51] - 2614784 ____A (Microsoft Corporation) 255CF508D7CFB10E0794D6AC93280BD8

C:\Windows\System32\winlogon.exe
[2010-07-07 09:50] - [2010-07-07 09:50] - 0285696 ____A (Microsoft Corporation)

C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-07-29 16:57] - 0259072 ____A (Microsoft Corporation)

C:\Windows\System32\User32.dll
[2010-07-07 10:00] - [2010-07-07 10:00] - 0811520 ____A (Microsoft Corporation) A59E558BEA7D9607E86E8BDE68E2488F

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2010-07-07 10:18] - [2010-07-07 10:18] - 0245128 ____A (Microsoft Corporation) F09688701E36722B4C1560456F481285


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 4093.31 MB
Available physical RAM: 3597.04 MB
Total Pagefile: 3843.26 MB
Available Pagefile: 3671.64 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.35 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.76 GB) (Free:51.24 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
3 Drive e: (LEANDRO_PEN) (Removable) (Total:0.24 GB) (Free:0.24 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 1017 KB
Disk 1 Online 244 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 466 GB 1024 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C NTFS Partition 466 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 243 MB 2048 B

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 E LEANDRO_PEN FAT Removable 243 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-18 06:03

======================= End Of Log ==========================

Edited by FruitsPonchiSG, 31 July 2012 - 05:41 PM.




#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • Location:Canada

Posted 01 August 2012 - 02:37 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{15260e81-448c-073d-39f1-09ffa7872a77}
C:\Users\Utilizador\AppData\Local\{15260e81-448c-073d-39f1-09ffa7872a77}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.

  • While you are still booted into System Recovery Options run FRST.

    Type the following in the edit box after "Search:" so it looks like this:

    Search: services.exe

    Click Search button and post the log it makes to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 FruitsPonchiSG

  • Topic Starter
  • Members
  • Location:Portugal

Posted 01 August 2012 - 04:41 PM

Hello CatByte, thank you for your reply.

Here's the fix log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-01 22:25:37 Run:1
Running from E:\

==============================================

C:\Windows\Installer\{15260e81-448c-073d-39f1-09ffa7872a77} moved successfully.
C:\Users\Utilizador\AppData\Local\{15260e81-448c-073d-39f1-09ffa7872a77} moved successfully.

==== End of Fixlog ====



And the search log for services.exe:

Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-01 22:36:08
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-07-29 16:57] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • Location:Canada

Posted 01 August 2012 - 07:13 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
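A small parser for the FRST output in this thread, added here as an example (it is not FRST's own code and not anything the posters ran): it reads a "Search:" log like the one in reply #3, flags a System32 file whose MD5 differs from its WinSxS component-store copy (the situation the helper remediated with the replace: directive in reply #4), and recognises the {GUID}\@ / L / n / U folder layout the first scan listed under "ZeroAccess:". The sample inputs are constructed from values quoted in the posts; the meaning of the two bracketed timestamps is an assumption noted in the comments.

```python
"""Added example (not FRST's code, not from the thread): read FRST output and
flag a patched services.exe plus the ZeroAccess folder layout it listed."""
import re
from collections import namedtuple
from typing import Dict, List, Set

# Constructed sample: the "Search: services.exe" log posted in the thread.
SAMPLE_SEARCH_LOG = """\
================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\\Windows\\System32\\services.exe
[2009-07-13 15:11] - [2012-07-29 16:57] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""
# Constructed sample: paths FRST listed under "ZeroAccess:" in the first scan.
ZA_GUID = "{15260e81-448c-073d-39f1-09ffa7872a77}"
SAMPLE_ZA_PATHS = [
    f"C:\\Windows\\Installer\\{ZA_GUID}",
    f"C:\\Windows\\Installer\\{ZA_GUID}\\@",
    f"C:\\Windows\\Installer\\{ZA_GUID}\\n",
    f"C:\\Windows\\Installer\\{ZA_GUID}\\U\\00000001.@",
    f"C:\\Users\\Utilizador\\AppData\\Local\\{ZA_GUID}\\@",
    f"C:\\Users\\Utilizador\\AppData\\Local\\{ZA_GUID}\\L",
]
# FRST detail line: [created] - [modified] - size attrs (publisher) MD5.
# Bracket meaning is assumed from the listing columns in the thread's log;
# the MD5 is optional because FRST omits it for some files.
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<publisher>[^)]*)\)"
    r"(?: (?P<md5>[0-9A-Fa-f]{32}))?\s*$"
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# A {GUID} folder followed directly by one of the marker names FRST flagged.
ZA_CHILD_RE = re.compile(
    r"^(?P<folder>.*\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})"
    r"\\(?P<marker>@|L|n|U)(?:\\|$)",
    re.IGNORECASE,
)
FileEntry = namedtuple("FileEntry", "path created modified size publisher md5")


def parse_search_log(text: str) -> List[FileEntry]:
    """Pair each path line with the detail line that follows it."""
    lines = text.splitlines()
    entries: List[FileEntry] = []
    for path_line, detail_line in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail_line)
        if m and DRIVE_PATH_RE.match(path_line):
            entries.append(FileEntry(
                path_line.strip(), m["created"], m["modified"], int(m["size"]),
                m["publisher"].strip(), m["md5"].upper() if m["md5"] else None,
            ))
    return entries


def find_patched_copies(entries: List[FileEntry]) -> List[str]:
    """Flag a live System32 file whose MD5 differs from its WinSxS copy.

    Same name, size and publisher but a different hash is what the helper
    acted on: the component-store copy is the reference, the live copy the
    suspect. Caveat: WinSxS can hold several update versions of a file, so a
    modified time long after the creation time (as here) should back the
    mismatch up. Returns FRST 'replace:' directives in the helper's form.
    """
    by_name: Dict[str, List[FileEntry]] = {}
    for e in entries:
        by_name.setdefault(e.path.rsplit("\\", 1)[-1].lower(), []).append(e)
    directives: List[str] = []
    for copies in by_name.values():
        live = [e for e in copies if "\\system32\\" in e.path.lower()]
        store = [e for e in copies if "\\winsxs\\" in e.path.lower()]
        for lv in live:
            for st in store:
                if (lv.md5 and st.md5 and lv.md5 != st.md5
                        and lv.size == st.size and lv.publisher == st.publisher):
                    directives.append(f"replace: {st.path} {lv.path}")
    return directives


def zeroaccess_folders(paths: List[str]) -> List[str]:
    """Return {GUID} folders holding at least two of the @ / L / n / U markers.
    A bare {GUID} folder under Windows\\Installer is normal (MSI cache)."""
    markers: Dict[str, Set[str]] = {}
    for p in paths:
        m = ZA_CHILD_RE.match(p)
        if m:
            markers.setdefault(m["folder"], set()).add(m["marker"])
    return sorted(f for f, found in markers.items() if len(found) >= 2)


if __name__ == "__main__":
    print(*find_patched_copies(parse_search_log(SAMPLE_SEARCH_LOG)), sep="\n")
    print(*zeroaccess_folders(SAMPLE_ZA_PATHS), sep="\n")
```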


#5 FruitsPonchiSG

  • Topic Starter
  • Members
  • Location:Portugal

Posted 01 August 2012 - 09:00 PM

Fix log for services.exe:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-02 02:15:25 Run:2
Running from E:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====



And, the ComboFix log:
(I apologize, some parts of it are in Portuguese because my computer is in that language. If you don't understand, I can easily translate it to English)


ComboFix 12-07-31.03 - Utilizador 02-08-2012 2:26.1.6 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.351.2070.18.3326.2258 [GMT 1:00]
Executando de: c:\users\Utilizador\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Criado um novo ponto de restauração
.
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files\Complitly
c:\program files\Complitly\chrome\ComplitlyChrome.crx
c:\program files\Complitly\FireFoxExtension.exe
c:\program files\Complitly\InstTracker.exe
c:\program files\Complitly\support@Complitly.com\chrome.manifest
c:\program files\Complitly\support@Complitly.com\chrome\content\appIcon.png
c:\program files\Complitly\support@Complitly.com\chrome\content\browserOverlay.xul
c:\program files\Complitly\support@Complitly.com\chrome\content\options.js
c:\program files\Complitly\support@Complitly.com\chrome\content\options.xul
c:\program files\Complitly\support@Complitly.com\chrome\content\utils.js
c:\program files\Complitly\support@Complitly.com\defaults\preferences\predictad.js
c:\program files\Complitly\support@Complitly.com\install.rdf
c:\program files\Complitly\unins000.dat
c:\program files\Complitly\unins000.exe
c:\programdata\C2116798A819B937A14FF0154F147CE7
c:\programdata\C2116798A819B937A14FF0154F147CE7\C2116798A819B937A14FF0154F147CE7.exe
c:\users\Utilizador\AppData\Roaming\Love
c:\users\Utilizador\AppData\Roaming\Love\mari0\options.txt
c:\users\Utilizador\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\users\Utilizador\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\pt
c:\windows\system32\pt\AuthFWSnapIn.Resources.dll
c:\windows\system32\pt\AuthFWWizFwk.Resources.dll
c:\windows\system32\pt\Narrator.resources.dll
c:\windows\system32\tmp6548.tmp
c:\windows\system32\tmp6549.tmp
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2012-07-02 to 2012-08-02 ))))))))))))))))))))))))))))
.
.
2012-08-02 01:34 . 2012-08-02 01:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-30 17:27 . 2012-07-30 17:27 -------- d-----w- C:\FRST
2012-07-30 00:27 . 2012-08-02 01:36 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{85ECD261-35C0-41A9-AE31-C63E7716CF82}\offreg.dll
2012-07-30 00:26 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{85ECD261-35C0-41A9-AE31-C63E7716CF82}\mpengine.dll
2012-07-23 03:08 . 2012-07-23 03:18 -------- d-----w- c:\programdata\TmForever
2012-07-18 12:36 . 2012-07-22 23:03 -------- d-----w- c:\program files\JDownloader
2012-07-18 12:31 . 2012-07-18 12:35 -------- d-----w- c:\program files\RapidShare Downloader
2012-07-11 00:22 . 2012-07-11 00:22 -------- d-----w- c:\users\Utilizador\AppData\Roaming\Malwarebytes
2012-07-11 00:22 . 2012-07-11 00:22 -------- d-----w- c:\programdata\Malwarebytes
2012-07-11 00:22 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-11 00:22 . 2012-07-29 22:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-08 23:08 . 2012-07-08 23:08 -------- d-----w- c:\program files\NTCore
2012-07-08 20:02 . 2012-07-08 20:02 -------- d-----w- c:\users\Utilizador\AppData\Roaming\ts3overlay
2012-07-08 20:00 . 2012-07-08 20:14 -------- d-----w- c:\users\Utilizador\AppData\Roaming\TS3Client
2012-07-03 21:29 . 2012-02-24 15:35 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D4B5090F-43B4-45AD-999C-2E1D178F8E95}\gapaengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-29 21:42 . 2012-02-29 05:44 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-29 21:42 . 2012-02-29 05:44 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-02 22:58 . 2012-03-03 03:13 138992 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-07-02 22:58 . 2012-03-03 03:32 281288 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-07-02 22:58 . 2012-03-03 03:12 281288 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-07-02 18:15 . 2012-03-03 03:12 281288 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-06-29 08:44 . 2012-02-24 15:36 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-11 18:58 . 2012-06-11 18:58 8733696 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-06-11 18:35 . 2012-06-11 18:35 58880 ----a-w- c:\windows\system32\coinst_8.98.dll
2012-06-11 18:00 . 2012-06-11 18:00 20467712 ----a-w- c:\windows\system32\atioglxx.dll
2012-06-11 17:25 . 2012-06-11 17:25 163840 ----a-w- c:\windows\system32\atiapfxx.exe
2012-06-11 17:24 . 2011-12-28 14:25 924160 ----a-w- c:\windows\system32\aticfx32.dll
2012-06-11 17:20 . 2012-06-11 17:20 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-06-11 17:19 . 2012-06-11 17:19 468992 ----a-w- c:\windows\system32\atieclxx.exe
2012-06-11 17:19 . 2012-06-11 17:19 217600 ----a-w- c:\windows\system32\atiesrxx.exe
2012-06-11 17:17 . 2012-06-11 17:17 163840 ----a-w- c:\windows\system32\atitmmxx.dll
2012-06-11 17:17 . 2012-06-11 17:17 20992 ----a-w- c:\windows\system32\atimuixx.dll
2012-06-11 17:17 . 2012-06-11 17:17 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-06-11 17:16 . 2011-12-28 14:25 6301696 ----a-w- c:\windows\system32\atidxx32.dll
2012-06-11 16:45 . 2012-06-11 16:45 46080 ----a-w- c:\windows\system32\aticalrt.dll
2012-06-11 16:45 . 2012-03-09 04:23 5480448 ----a-w- c:\windows\system32\atiumdag.dll
2012-06-11 16:45 . 2012-06-11 16:45 44032 ----a-w- c:\windows\system32\aticalcl.dll
2012-06-11 16:43 . 2012-03-09 04:23 4729344 ----a-w- c:\windows\system32\atiumdva.dll
2012-06-11 16:40 . 2012-06-11 16:40 13277696 ----a-w- c:\windows\system32\aticaldd.dll
2012-06-11 16:26 . 2012-06-11 16:26 368640 ----a-w- c:\windows\system32\atiadlxx.dll
2012-06-11 16:26 . 2012-06-11 16:26 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-06-11 16:26 . 2012-06-11 16:26 33280 ----a-w- c:\windows\system32\atigktxx.dll
2012-06-11 16:25 . 2012-06-11 16:25 295936 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-06-11 16:25 . 2011-12-28 14:25 42496 ----a-w- c:\windows\system32\atiuxpag.dll
2012-06-11 16:24 . 2012-03-09 03:56 32768 ----a-w- c:\windows\system32\atiu9pag.dll
2012-06-11 16:24 . 2012-06-11 16:24 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-06-11 16:23 . 2012-06-11 16:23 56832 ----a-w- c:\windows\system32\atimpc32.dll
2012-06-11 16:23 . 2012-06-11 16:23 56832 ----a-w- c:\windows\system32\amdpcom32.dll
2012-06-11 12:50 . 2012-06-11 12:50 159232 ----a-w- c:\windows\system32\clinfo.exe
2012-06-11 12:50 . 2012-06-11 12:50 65024 ----a-w- c:\windows\system32\OpenVideo.dll
2012-06-11 12:50 . 2012-06-11 12:50 56320 ----a-w- c:\windows\system32\OVDecode.dll
2012-06-11 12:49 . 2012-06-11 12:49 13008896 ----a-w- c:\windows\system32\amdocl.dll
2012-06-07 13:51 . 2012-06-07 13:51 3970928 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-06-07 13:51 . 2012-06-07 13:51 3915632 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-07 13:51 . 2012-06-07 13:51 2351104 ----a-w- c:\windows\system32\win32k.sys
2012-06-07 13:51 . 2012-06-07 13:51 56688 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-06-07 13:50 . 2012-06-07 13:50 187248 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-06-07 13:50 . 2012-06-07 13:50 1303408 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-06-07 13:45 . 2012-06-07 13:45 739840 ----a-w- c:\windows\system32\d2d1.dll
2012-06-07 13:45 . 2012-06-07 13:45 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-06-07 13:45 . 2012-06-07 13:45 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2012-06-07 13:45 . 2012-06-07 13:45 1170944 ----a-w- c:\windows\system32\d3d10warp.dll
2012-06-07 13:45 . 2012-06-07 13:45 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-13 23:25 . 2012-05-13 23:38 132880 ----a-w- c:\windows\MSINET.OCX
2012-05-10 21:33 . 2012-03-03 03:13 138904 ----a-w- c:\users\Utilizador\AppData\Roaming\PnkBstrK.sys
2012-05-10 21:33 . 2012-03-03 03:12 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2012-07-23 21:29 . 2012-02-16 00:42 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GamersFirst LIVE!.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
backup=c:\windows\pss\GamersFirst LIVE!.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Wireless Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Wireless Utility.lnk
backup=c:\windows\pss\Wireless Utility.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD AVT]
start AMD Accelerated Video Transcoding device initialization [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 17:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 07:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-01 23:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 13:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EvtMgr6]
2010-10-28 23:32 1352272 ----a-w- c:\program files\Logitech\SetPointP\SetPoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
2011-05-24 22:48 393216 ----a-w- c:\program files\ATI Technologies\HydraVision\HydraDM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-03-26 16:08 931200 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDVCPL]
2011-06-28 08:37 10127976 ------w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2012-06-11 14:00 641704 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-02-22 15:41 1242448 ----a-w- c:\users\Utilizador\JOGOS\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 13:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2011-12-09 17:22 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
R2 gupdate;Serviço Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 gupdatem;Serviço Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Inspeção de Rede da Microsoft;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [x]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 WatAdminSvc;Serviço de Tecnologias de Activação do Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 XDva398;XDva398;c:\windows\system32\XDva398.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [x]
S1 MpKsl914715b2;MpKsl914715b2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{85ECD261-35C0-41A9-AE31-C63E7716CF82}\MpKsl914715b2.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [x]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [x]
S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]
S3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28.sys [x]
.
.
--- =Outros Serviços/Drivers Na Memória ---
.
*NewlyCreated* - WS2IFSL
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2012-08-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-02-29 21:42]
.
2012-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 18:18]
.
2012-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 18:18]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&nviar para o OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\users\Utilizador\AppData\Roaming\Mozilla\Firefox\Profiles\8aqzjvwj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: extentions.y2layers.defaultEnableAppsList - TwitTube,Buzzdock,toprelatedtopics,dropdowndeals,ezlooker,bestvideodownloader
FF - user.js: extentions.y2layers.installId - 249f786b-a805-4498-b8f8-da5dd9765228
FF - user.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: security.csp.enable - false
FF - user.js: ui.submenuDelay - 0
.
- - - - ORFÃOS REMOVIDOS - - - -
.
AddRemove-{4FFBB818-B13C-11E0-931D-B2664824019B}_is1 - c:\program files\Complitly\unins000.exe
.
.
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Outros Processos em Execução ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\atieclxx.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Edimax\Common\RaRegistry.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Tempo para conclusão: 2012-08-02 02:42:45 - Máquina reiniciou
ComboFix-quarantined-files.txt 2012-08-02 01:42
.
Pré-execução: 55.325.589.504 bytes livres
Pós execução: 55.240.740.864 bytes livres
.
- - End Of File - - 184E843EA29EB3488910F38B363CD138

#6 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:22 PM

Posted 01 August 2012 - 09:09 PM

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



NEXT


  • Please download MiniToolBox and save it to your desktop and run it.
  • Checkmark the following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List content of Hosts
    • List installed programs.
  • Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.



NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 FruitsPonchiSG

  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Portugal
  • Local time:01:22 AM

Posted 02 August 2012 - 10:29 AM

MalwareBytes' AntiMalware log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.02.01

Windows 7 x86 NTFS
Internet Explorer 9.0.8112.16421
Utilizador :: LEANDRO-PC [administrator]

02-08-2012 03:12:02
mbam-log-2012-08-02 (03-12-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 187565
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



ESET Scan log:
(This one took a while...)


C:\FRST\Quarantine\{15260e81-448c-073d-39f1-09ffa7872a77}\n Win32/Sirefef.EV trojan
C:\FRST\Quarantine\{15260e81-448c-073d-39f1-09ffa7872a77}\{15260e81-448c-073d-39f1-09ffa7872a77}\n Win32/Sirefef.EV trojan
C:\Program Files\Yontoo\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\ProgramData\C2116798A819B937A14FF0154F147CE7\C2116798A819B937A14FF0154F147CE7.exe.vir a variant of Win32/Kryptik.AJCV trojan
C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application



MiniToolBox Result log:

MiniToolBox by Farbar Version: 23-07-2012
Ran by Utilizador (administrator) on 02-08-2012 at 16:24:21
Microsoft Windows 7 Home Premium (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Configuração IP do Windows

Cache de resolução DNS limpa com êxito.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

1ClickDownload (Version: 2.1 Build 26473)
7-Zip 4.64
Adobe AIR (Version: 2.5.1.17730)
Adobe Community Help (Version: 3.4.980)
Adobe Flash Player 11 ActiveX (Version: 11.3.300.268)
Adobe Flash Player 11 Plugin (Version: 11.3.300.268)
Adobe Photoshop CS5.1 (Version: 12.1)
Adobe Reader X (10.1.3) - Português (Version: 10.1.3)
Advanced SystemCare 5 (Version: 5.2.0)
Alice: Madness Returns
AMD Accelerated Video Transcoding (Version: 2.00.0002)
AMD APP SDK Runtime (Version: 10.0.938.1)
AMD Catalyst Install Manager (Version: 8.0.881.0)
AMD Drag and Drop Transcoding (Version: 2.00.0000)
AMD Fuel (Version: 2012.0611.1251.21046)
AMD Media Foundation Decoders (Version: 1.0.70611.1329)
AMD Steady Video Plug-In (Version: 2.04.0000)
AMD VISION Engine Control Center (Version: 2012.0611.1251.21046)
Amnesia - The Dark Descent (Version: 1.2)
Any Video Converter 3.3.5
APB Reloaded
Apple Application Support (Version: 2.1.6)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
Assassin's Creed Revelations (Version: 1.00)
ASUS VGA Driver (Version: 3.0.0.1)
ASUSUpdate (Version: 7.18.03)
ATI AVIVO Codecs (Version: 11.6.0.50930)
µTorrent (Version: 3.1.3)
Bandisoft MPEG-1 Decoder
Batman Arkham City version 1.0 (Version: 1.0)
Bonjour (Version: 3.0.0.10)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Graphics Previews Common (Version: 2012.0611.1251.21046)
Catalyst Control Center InstallProxy (Version: 2012.0611.1251.21046)
Catalyst Control Center Localization All (Version: 2012.0611.1251.21046)
ccc-utility (Version: 2012.0611.1251.21046)
CCC Help Chinese Standard (Version: 2012.0611.1250.21046)
CCC Help Chinese Traditional (Version: 2012.0611.1250.21046)
CCC Help Czech (Version: 2012.0611.1250.21046)
CCC Help Danish (Version: 2012.0611.1250.21046)
CCC Help Dutch (Version: 2012.0611.1250.21046)
CCC Help English (Version: 2012.0611.1250.21046)
CCC Help Finnish (Version: 2012.0611.1250.21046)
CCC Help French (Version: 2012.0611.1250.21046)
CCC Help German (Version: 2012.0611.1250.21046)
CCC Help Greek (Version: 2012.0611.1250.21046)
CCC Help Hungarian (Version: 2012.0611.1250.21046)
CCC Help Italian (Version: 2012.0611.1250.21046)
CCC Help Japanese (Version: 2012.0611.1250.21046)
CCC Help Korean (Version: 2012.0611.1250.21046)
CCC Help Norwegian (Version: 2012.0611.1250.21046)
CCC Help Polish (Version: 2012.0611.1250.21046)
CCC Help Portuguese (Version: 2012.0611.1250.21046)
CCC Help Russian (Version: 2012.0611.1250.21046)
CCC Help Spanish (Version: 2012.0611.1250.21046)
CCC Help Swedish (Version: 2012.0611.1250.21046)
CCC Help Thai (Version: 2012.0611.1250.21046)
CCC Help Turkish (Version: 2012.0611.1250.21046)
CDisplay 1.8
Cisco EAP-FAST Module (Version: 2.2.14)
Cisco LEAP Module (Version: 1.0.19)
Cisco PEAP Module (Version: 1.1.6)
Compressor WinRAR
CubeExperimentalUninstaller (Version: 1.0.4)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Driver San Francisco (Version: 1.1.0.0)
Edimax RT2860 Wireless LAN Card (Version: 1.5.5.0)
EPU-4 Engine (Version: 1.02.01)
eReg (Version: 1.20.138.34)
ESET Online Scanner v3
EVEREST Home Edition v2.20 (Version: 2.20)
Explorer Suite III
Fallen Earth
Fallout 3 (Version: 1.00.0000)
Fallout Mod Manager 0.13.21
Fraps (remove only)
Game Booster 3 (Version: 3.3)
GamersFirst LIVE!
Google Chrome (Version: 21.0.1180.60)
Google Update Helper (Version: 1.3.21.115)
High-Definition Video Playback 10 (Version: 7.0.11000.25.1)
HydraVision (Version: 4.2.206.0)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 31 (Version: 6.0.310)
JDownloader 0.9 (Version: 0.9)
K-Lite Mega Codec Pack 8.1.0 (Version: 8.1.0)
Logitech SetPoint 6.20 (Version: 6.20.64)
Look this way baby plus song
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Mass Effect™ 3 (Version: 1.01.0.0)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Client Profile PTG Language Pack (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Antimalware Service PT-PT Language Pack (Version: 3.0.8402.2)
Microsoft Games for Windows - LIVE Redistributable (Version: 3.5.92.0)
Microsoft Games for Windows Marketplace (Version: 3.5.50.0)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (Portuguese (Portugal)) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (Portuguese (Portugal)) 2010 (Version: 14.0.6029.1000)
Microsoft Office Groove MUI (Portuguese (Portugal)) 2010 (Version: 14.0.6029.1000)
Microsoft Office InfoPath MUI (Portuguese (Portugal)) 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (Portuguese (Portugal)) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (Portuguese (Portugal)) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Portuguese (Portugal)) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (Portuguese (Portugal)) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (Portuguese (Portugal)) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (Portuguese (Portugal)) 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (Portuguese (Portugal)) 2010 (Version: 14.0.6029.1000)
Microsoft Primary Interoperability Assemblies 2005 (Version: 8.0.50727.42)
Microsoft Security Client PT-PT Language Pack (Version: 2.1.1116.0)
Microsoft Security Essentials (Version: 4.0.1526.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.50727.42)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft_VC80_ATL_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
Microsoft_VC90_MFCLOC_x86 (Version: 1.00.0000)
MicroVolts
MiniTool Partition Wizard Home Edition 7.0
Mirror's Edge™ (Version: 1.0.1.0)
Mozilla Firefox 14.0.1 (x86 pt-PT) (Version: 14.0.1)
Mozilla Maintenance Service (Version: 14.0.1)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Nero 10 Menu TemplatePack Basic (Version: 10.0.10300.0.0)
Nero 10 Movie ThemePack Basic (Version: 10.0.10300.1.0)
Nero Burning ROM 10 (Version: 10.0.10700.7.100)
Nero Control Center 10 (Version: 10.0.11500.1.0)
Nero Core Components 10 (Version: 2.0.13100.0.1)
Nero Dolby Files 10 (Version: 2.0.11000.0.10)
Nero Express 10 (Version: 10.0.10500.7.100)
Nero Multimedia Suite 10 (Version: 10.0.11200)
Nero StartSmart 10 (Version: 10.0.10500.4.100)
Nexon Game Manager
Nexus Mod Manager (Version: 0.19.0)
NVIDIA PhysX (Version: 9.11.1107)
OpenAL
Pando Media Booster (Version: 2.6.0.2)
PDF Settings CS5 (Version: 10.0)
Picasa 3 (Version: 3.8)
PunkBuster Services (Version: 0.993)
Quantum Conundrum
Rainmeter (Version: 2.2 r1116)
Rapture3D 2.4.8 Game
Realtek Ethernet Controller Driver (Version: 7.46.610.2011)
Realtek High Definition Audio Driver (Version: 6.0.1.6402)
Red Faction: Guerrilla (Version: 1.0.0003.130)
Revo Uninstaller Pro 2.5.8 (Version: 2.5.8)
Saints Row The Third
Skype™ 5.9 (Version: 5.9.115)
Steam (Version: 1.0.0.0)
Synthesia (remove only)
TeamSpeak 3 Client (Version: 3.0.6)
Ubisoft Game Launcher (Version: 1.0.0.0)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
Update for Microsoft Outlook Social Connector (KB2583935)
uTorrent Turbo Booster (Version: 4.0.0.0)
Victor ScreenSaver
Vindictus EU
Winamp (Version: 5.623 )
Winamp Detector Plug-in (Version: 1.0.0.1)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
Worms Reloaded
Yes Man SS HD
Yontoo 1.10.02 (Version: 1.10.02)

**** End of log ****




Farbar Service Scanner log:

Farbar Service Scanner Version: 26-07-2012
Ran by Utilizador (administrator) on 02-08-2012 at 16:26:45
Running from "C:\Users\Utilizador\Desktop"
Microsoft Windows 7 Home Premium (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys
[2010-07-07 18:39] - [2010-07-07 18:39] - 0074240 ____A (Microsoft Corporation) 916320599EDCDCC15BF6B3B00227594D

C:\Windows\system32\Drivers\tcpip.sys
[2012-06-07 14:50] - [2012-06-07 14:50] - 1303408 ____A (Microsoft Corporation) E47C2844A1605A44178F4281E4D58B3D

C:\Windows\system32\dnsrslvr.dll
[2012-02-22 18:43] - [2011-03-03 06:50] - 0132608 ____A (Microsoft Corporation) B3A0A4414D8EC1DD28018004CE8DCBEE

C:\Windows\system32\mpssvc.dll
[2009-07-14 00:53] - [2009-07-14 02:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-14 00:54] - [2009-07-14 02:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-14 00:23] - [2009-07-14 02:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2010-07-07 19:16] - [2010-07-07 19:16] - 1026048 ____A (Microsoft Corporation) 90061E9E9CBB70E64D94643B848D949C

C:\Windows\system32\wscsvc.dll
[2012-02-22 17:35] - [2010-12-21 06:38] - 0073728 ____A (Microsoft Corporation) A661A76333057B383A06E65F0073222F

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-14 01:15] - [2009-07-14 02:16] - 1912832 ____A (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-14 00:30] - [2009-07-14 02:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
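
The Farbar Service Scanner output above shows the pattern a responder looks for after an infection of this kind: the BITS service has no start type value at all, WinDefend has been switched from Auto to Demand, and a DisableAntiSpyware policy is present. As an added example (not part of this thread and not Farbar's own tooling), the Python script below parses that log format and separates the high-confidence tampering indicators from the files FSS merely could not match against its known-good MD5 list. The sample log it reads is constructed from the format of the log posted above; the rule set (what counts as "high") is my own choice, not something FSS defines.

```python
"""Triage a Farbar Service Scanner (FSS) log for tampered security services.

Added example, not part of the forum thread or the FSS tool. It parses the
text format FSS prints and flags what a responder checks first: stopped
services whose start type was changed or deleted, policy keys that disable
Windows Defender, and system files FSS could not match to a known-good MD5.
Those files are listed for manual verification only; FSS prints their
metadata whenever the hash is not in its list (an update is enough), so an
unverified file is a check item, not a detection.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the FSS output posted above (abridged).
SAMPLE_LOG = r"""
Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys
[2010-07-07 18:39] - [2010-07-07 18:39] - 0074240 ____A (Microsoft Corporation) 916320599EDCDCC15BF6B3B00227594D

C:\Windows\system32\svchost.exe => MD5 is legit
"""

SECTION_UNDERLINE = re.compile(r"^=+$")
NOT_RUNNING = re.compile(r"^(\S+) Service is not running")
START_TYPE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
POLICY_VALUE = re.compile(r'^"(\w+)"=DWORD:(\d+)')
FILE_META = re.compile(r"^\[.*?\] - \[.*?\] - (\d+) \S+ \((.*?)\) ([0-9A-Fa-f]{32})$")


@dataclass
class Finding:
    section: str
    severity: str  # "high": likely tampering; "info": worth a look
    detail: str


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    unverified_files: list = field(default_factory=list)  # (path, size, md5)

    def high(self):
        return [f for f in self.findings if f.severity == "high"]


def triage_fss_log(text):
    lines = text.splitlines()
    result = Triage()
    section = ""
    pending_path = None  # file path whose metadata line is expected next
    for i, raw in enumerate(lines):
        line = raw.rstrip()
        # A section header is a line ending in ':' underlined by '=' characters.
        if line.endswith(":") and i + 1 < len(lines) and SECTION_UNDERLINE.match(lines[i + 1].strip()):
            section = line[:-1]
            continue
        if not line or SECTION_UNDERLINE.match(line):
            continue
        m = NOT_RUNNING.match(line)
        if m:
            result.findings.append(Finding(section, "info", f"{m.group(1)} service is stopped"))
            continue
        if "ATTENTION!" in line:
            # FSS prints ATTENTION! when a service's registry configuration is missing or wrong.
            result.findings.append(Finding(section, "high", line.split("=====> ", 1)[-1]))
            continue
        m = START_TYPE.match(line)
        if m and m.group(2) != m.group(3):
            result.findings.append(Finding(
                section, "high", f"{m.group(1)} start type is {m.group(2)}, default is {m.group(3)}"))
            continue
        m = POLICY_VALUE.match(line)
        if m and section.endswith("Disabled Policy"):
            # FSS only prints a policy value when it exists; a non-zero value disables the component.
            sev = "high" if int(m.group(2)) != 0 else "info"
            result.findings.append(Finding(section, sev, f"policy {m.group(1)}={m.group(2)}"))
            continue
        if section == "File Check":
            if re.match(r"^[A-Za-z]:\\", line):
                # "=> MD5 is legit" means FSS matched the hash; otherwise metadata follows.
                pending_path = None if line.endswith(" => MD5 is legit") else line
                continue
            m = FILE_META.match(line)
            if m and pending_path:
                result.unverified_files.append((pending_path, int(m.group(1)), m.group(3).upper()))
                pending_path = None
    return result


if __name__ == "__main__":
    t = triage_fss_log(SAMPLE_LOG)
    for f in t.findings:
        print(f"[{f.severity:4}] {f.section}: {f.detail}")
    for path, size, md5 in t.unverified_files:
        print(f"[check] {path} ({size} bytes, MD5 {md5}) - compare with a known-good copy")
```

Run against the sample, the three "high" items are exactly the ones CatByte's next post addresses (the BITS registry fix) or that indicate the infection changed Defender's configuration; tdx.sys comes out as a single item to compare against a clean Windows 7 copy, not as a detection.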

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:22 PM

Posted 02 August 2012 - 11:17 AM

Please download the attached registry fix and save it to your desktop, double click it to run it and allow it to merge into your registry (then delete the file as you won't need it any longer).

[attachment=127797:bits7.reg]



NEXT

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files\Yontoo\YontooIEClient.dll 
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll 
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll 
C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll 
C:\Users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Your Java is out of date, so go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it. Now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp


NEXT

Please advise how your computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 FruitsPonchiSG

FruitsPonchiSG
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Portugal
  • Local time:01:22 AM

Posted 02 August 2012 - 12:22 PM

ComboFix log:

ComboFix 12-07-31.03 - Utilizador 02-08-2012 17:49:53.2.6 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.351.2070.18.3326.2129 [GMT 1:00]
Executando de: c:\users\Utilizador\Desktop\ComboFix.exe
Comandos utilizados :: c:\users\Utilizador\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\Yontoo\YontooIEClient.dll"
"c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
"c:\programdata\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll"
"c:\users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
"c:\users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll"
.
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Yontoo\YontooIEClient.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\programdata\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll
c:\users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2012-07-02 to 2012-08-02 ))))))))))))))))))))))))))))
.
.
2012-08-02 16:57 . 2012-08-02 16:57 -------- d-----w- c:\users\Utilizador\AppData\Local\temp
2012-08-02 16:57 . 2012-08-02 16:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-02 16:45 . 2012-08-02 16:45 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{85ECD261-35C0-41A9-AE31-C63E7716CF82}\MpKsl3de4f23f.sys
2012-08-02 11:58 . 2012-08-02 11:58 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{85ECD261-35C0-41A9-AE31-C63E7716CF82}\offreg.dll
2012-08-02 02:23 . 2012-08-02 02:23 -------- d-----w- c:\program files\ESET
2012-07-30 17:27 . 2012-07-30 17:27 -------- d-----w- C:\FRST
2012-07-30 00:26 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{85ECD261-35C0-41A9-AE31-C63E7716CF82}\mpengine.dll
2012-07-23 03:08 . 2012-07-23 03:18 -------- d-----w- c:\programdata\TmForever
2012-07-18 12:36 . 2012-07-22 23:03 -------- d-----w- c:\program files\JDownloader
2012-07-18 12:31 . 2012-07-18 12:35 -------- d-----w- c:\program files\RapidShare Downloader
2012-07-11 00:22 . 2012-07-11 00:22 -------- d-----w- c:\users\Utilizador\AppData\Roaming\Malwarebytes
2012-07-11 00:22 . 2012-07-11 00:22 -------- d-----w- c:\programdata\Malwarebytes
2012-07-11 00:22 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-11 00:22 . 2012-07-29 22:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-08 23:08 . 2012-07-08 23:08 -------- d-----w- c:\program files\NTCore
2012-07-08 20:02 . 2012-07-08 20:02 -------- d-----w- c:\users\Utilizador\AppData\Roaming\ts3overlay
2012-07-08 20:00 . 2012-07-08 20:14 -------- d-----w- c:\users\Utilizador\AppData\Roaming\TS3Client
2012-07-03 21:29 . 2012-02-24 15:35 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D4B5090F-43B4-45AD-999C-2E1D178F8E95}\gapaengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-29 21:42 . 2012-02-29 05:44 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-29 21:42 . 2012-02-29 05:44 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-02 22:58 . 2012-03-03 03:13 138992 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-07-02 22:58 . 2012-03-03 03:32 281288 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-07-02 22:58 . 2012-03-03 03:12 281288 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-07-02 18:15 . 2012-03-03 03:12 281288 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-06-29 08:44 . 2012-02-24 15:36 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-11 18:58 . 2012-06-11 18:58 8733696 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-06-11 18:35 . 2012-06-11 18:35 58880 ----a-w- c:\windows\system32\coinst_8.98.dll
2012-06-11 18:00 . 2012-06-11 18:00 20467712 ----a-w- c:\windows\system32\atioglxx.dll
2012-06-11 17:25 . 2012-06-11 17:25 163840 ----a-w- c:\windows\system32\atiapfxx.exe
2012-06-11 17:24 . 2011-12-28 14:25 924160 ----a-w- c:\windows\system32\aticfx32.dll
2012-06-11 17:20 . 2012-06-11 17:20 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-06-11 17:19 . 2012-06-11 17:19 468992 ----a-w- c:\windows\system32\atieclxx.exe
2012-06-11 17:19 . 2012-06-11 17:19 217600 ----a-w- c:\windows\system32\atiesrxx.exe
2012-06-11 17:17 . 2012-06-11 17:17 163840 ----a-w- c:\windows\system32\atitmmxx.dll
2012-06-11 17:17 . 2012-06-11 17:17 20992 ----a-w- c:\windows\system32\atimuixx.dll
2012-06-11 17:17 . 2012-06-11 17:17 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-06-11 17:16 . 2011-12-28 14:25 6301696 ----a-w- c:\windows\system32\atidxx32.dll
2012-06-11 16:45 . 2012-06-11 16:45 46080 ----a-w- c:\windows\system32\aticalrt.dll
2012-06-11 16:45 . 2012-03-09 04:23 5480448 ----a-w- c:\windows\system32\atiumdag.dll
2012-06-11 16:45 . 2012-06-11 16:45 44032 ----a-w- c:\windows\system32\aticalcl.dll
2012-06-11 16:43 . 2012-03-09 04:23 4729344 ----a-w- c:\windows\system32\atiumdva.dll
2012-06-11 16:40 . 2012-06-11 16:40 13277696 ----a-w- c:\windows\system32\aticaldd.dll
2012-06-11 16:26 . 2012-06-11 16:26 368640 ----a-w- c:\windows\system32\atiadlxx.dll
2012-06-11 16:26 . 2012-06-11 16:26 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-06-11 16:26 . 2012-06-11 16:26 33280 ----a-w- c:\windows\system32\atigktxx.dll
2012-06-11 16:25 . 2012-06-11 16:25 295936 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-06-11 16:25 . 2011-12-28 14:25 42496 ----a-w- c:\windows\system32\atiuxpag.dll
2012-06-11 16:24 . 2012-03-09 03:56 32768 ----a-w- c:\windows\system32\atiu9pag.dll
2012-06-11 16:24 . 2012-06-11 16:24 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-06-11 16:23 . 2012-06-11 16:23 56832 ----a-w- c:\windows\system32\atimpc32.dll
2012-06-11 16:23 . 2012-06-11 16:23 56832 ----a-w- c:\windows\system32\amdpcom32.dll
2012-06-11 12:50 . 2012-06-11 12:50 159232 ----a-w- c:\windows\system32\clinfo.exe
2012-06-11 12:50 . 2012-06-11 12:50 65024 ----a-w- c:\windows\system32\OpenVideo.dll
2012-06-11 12:50 . 2012-06-11 12:50 56320 ----a-w- c:\windows\system32\OVDecode.dll
2012-06-11 12:49 . 2012-06-11 12:49 13008896 ----a-w- c:\windows\system32\amdocl.dll
2012-06-07 13:51 . 2012-06-07 13:51 3970928 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-06-07 13:51 . 2012-06-07 13:51 3915632 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-07 13:51 . 2012-06-07 13:51 2351104 ----a-w- c:\windows\system32\win32k.sys
2012-06-07 13:51 . 2012-06-07 13:51 56688 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-06-07 13:50 . 2012-06-07 13:50 187248 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-06-07 13:50 . 2012-06-07 13:50 1303408 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-06-07 13:45 . 2012-06-07 13:45 739840 ----a-w- c:\windows\system32\d2d1.dll
2012-06-07 13:45 . 2012-06-07 13:45 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-06-07 13:45 . 2012-06-07 13:45 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2012-06-07 13:45 . 2012-06-07 13:45 1170944 ----a-w- c:\windows\system32\d3d10warp.dll
2012-06-07 13:45 . 2012-06-07 13:45 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-13 23:25 . 2012-05-13 23:38 132880 ----a-w- c:\windows\MSINET.OCX
2012-05-10 21:33 . 2012-03-03 03:13 138904 ----a-w- c:\users\Utilizador\AppData\Roaming\PnkBstrK.sys
2012-05-10 21:33 . 2012-03-03 03:12 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2012-07-23 21:29 . 2012-02-16 00:42 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GamersFirst LIVE!.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
backup=c:\windows\pss\GamersFirst LIVE!.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Wireless Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Wireless Utility.lnk
backup=c:\windows\pss\Wireless Utility.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD AVT]
start AMD Accelerated Video Transcoding device initialization [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 17:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 07:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-01 23:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 13:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EvtMgr6]
2010-10-28 23:32 1352272 ----a-w- c:\program files\Logitech\SetPointP\SetPoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
2011-05-24 22:48 393216 ----a-w- c:\program files\ATI Technologies\HydraVision\HydraDM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-03-26 16:08 931200 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDVCPL]
2011-06-28 08:37 10127976 ------w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2012-06-11 14:00 641704 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-02-22 15:41 1242448 ----a-w- c:\users\Utilizador\JOGOS\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 13:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2011-12-09 17:22 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
R2 gupdate;Serviço Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 gupdatem;Serviço Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Inspeção de Rede da Microsoft;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [x]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 WatAdminSvc;Serviço de Tecnologias de Activação do Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 XDva398;XDva398;c:\windows\system32\XDva398.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [x]
S1 MpKsl3de4f23f;MpKsl3de4f23f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{85ECD261-35C0-41A9-AE31-C63E7716CF82}\MpKsl3de4f23f.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [x]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [x]
S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]
S3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28.sys [x]
.
.
--- =Outros Serviços/Drivers Na Memória ---
.
*NewlyCreated* - MPKSL3DE4F23F
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2012-08-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-02-29 21:42]
.
2012-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 18:18]
.
2012-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 18:18]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&nviar para o OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\users\Utilizador\AppData\Roaming\Mozilla\Firefox\Profiles\8aqzjvwj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: extentions.y2layers.defaultEnableAppsList - TwitTube,Buzzdock,toprelatedtopics,dropdowndeals,ezlooker,bestvideodownloader
FF - user.js: extentions.y2layers.installId - 249f786b-a805-4498-b8f8-da5dd9765228
FF - user.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: security.csp.enable - false
FF - user.js: ui.submenuDelay - 0
.
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Tempo para conclusão: 2012-08-02 17:59:33
ComboFix-quarantined-files.txt 2012-08-02 16:59
ComboFix2.txt 2012-08-02 01:42
.
Pré-execução: 52.142.149.632 bytes livres
Pós execução: 52.600.799.232 bytes livres
.
- - End Of File - - 4C5D76E11DCABC6F24F271377E02FB49



The latest Java update was installed successfully, and I'm very glad to say that my computer is running like it used to and I haven't experienced any problems so far.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:22 PM

Posted 02 August 2012 - 12:32 PM

You can delete all the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.

Posted Image


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.


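The Internet Explorer hardening step in the recommendations above (ActiveX downloads to "Prompt", scripting of controls not marked as safe to "Disable") lives in the Internet zone's registry settings, which is the form an administrator audits on more than one machine. The following Python script is an added example, not from the thread and not a BleepingComputer tool: it parses a `reg export` of the Internet zone key, reports which of those three settings deviate from the recommended levels, and emits a corrected .reg fragment. The numeric value names (1001, 1004, 1201) and the 0/1/3 Enable/Prompt/Disable encoding are IE's documented zone setting identifiers; the weak export it reads is constructed.

```python
"""Audit Internet Explorer Internet-zone ActiveX settings from a .reg export.

Added example; not part of the thread. It parses the text produced by
`reg export` of the Internet zone key, compares the three ActiveX settings the
post tells the user to change against the recommended levels, and emits a
corrected .reg fragment. Value names and level codes are IE's documented zone
setting identifiers; the sample export below is constructed.
"""
import re

# Internet zone is zone 3 under the per-user Internet Settings key.
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
LEVEL_CODE = {name: code for code, name in LEVEL_NAME.items()}

# Recommended settings from the post: signed/unsigned downloads -> Prompt,
# initialize and script controls not marked as safe -> Disable.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}

# Constructed weak export: both downloads enabled, unsafe scripting only prompts.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000001
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_internet_zone(text):
    """List (value_name, description, current_level, recommended_level) deviations.

    A value absent from the export inherits the zone template default, so it is
    reported with current_level None rather than assumed safe.
    """
    zone = parse_reg_export(text).get(ZONE_KEY, {})
    deviations = []
    for name, (desc, want) in RECOMMENDED.items():
        have = zone.get(name)
        if have != want:
            deviations.append((name, desc, LEVEL_NAME.get(have), LEVEL_NAME[want]))
    return deviations


def corrected_reg(deviations):
    """Build a .reg fragment that sets every deviating value to its recommended level."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for name, _desc, _have, want in deviations:
        lines.append(f'"{name}"=dword:{LEVEL_CODE[want]:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_internet_zone(WEAK_EXPORT)
    for name, desc, have, want in found:
        print(f"{name} {desc}: is {have}, should be {want}")
    print(corrected_reg(found))
```

The audit deliberately treats a missing value as a deviation: an export without the value means the zone is on its template default, which is not necessarily the level the post recommends, so it is reported rather than silently accepted.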

#11 FruitsPonchiSG

FruitsPonchiSG
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Portugal
  • Local time:01:22 AM

Posted 02 August 2012 - 01:10 PM

Thank you so much for your help. I had no idea how to deal with this and I'm glad I signed up here to ask for help.
All your instructions were really simple and easy to perform.

From now on I'll keep in mind to check if there are new updates to my software and I will most definitively pay more attention to security.

Also, do you advise on another Anti-Virus software (preferably free), or is Microsoft Security Essentials just as capable as any other AV?

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:22 PM

Posted 02 August 2012 - 01:17 PM

I prefer Microsoft Security Essentials, but Avast and Avira both make excellent free products as well, try them, one at a time, till you find the one that is right for you.

you are welcome

stay safe :hello:

~CB



#13 FruitsPonchiSG

FruitsPonchiSG
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Portugal
  • Local time:01:22 AM

Posted 02 August 2012 - 01:32 PM

I will try them out. Again, thank you so much for your help.

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:22 PM

Posted 02 August 2012 - 03:00 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





