white listed trojan horse Patched_c.LZI


This topic is locked
57 replies to this topic

#1 TheSkyBelow

Posted 07 August 2012 - 04:24 PM

Referred from: http://www.bleepingcomputer.com/forums/topic463024.html ~ OB

I keep getting pop-ups from my AV telling me that one of my sys32 services is infected and that removing the threat could cause problems. I ran the DDS and GMER programs and here are the logs. Thank you for taking time to help me.

From the DDS:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Phyzaar at 18:16:20 on 2012-08-05
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4084.3529 [GMT -7:00]
.
AV: AVG Internet Security *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Internet Security *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
FW: AVG Firewall *Enabled* {34A811A1-D438-CA83-C13E-A23981B1E8F9}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - C:\Program Files (x86)\Dell\BAE\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_262_Plugin.exe -update plugin
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
mRun: [AVGIDS] "C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
StartupFolder: C:\Users\Phyzaar\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DIGITA~1.LNK - C:\Program Files (x86)\Digital Line Detect\DLG.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9543F960-0837-460F-B781-571955600A69} : DhcpNameServer = 192.168.1.254
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files (x86)\Dell\BAE\BAE.dll
BHO-X64: Browser Address Error Redirector - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun-x64: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
mRun-x64: [AVGIDS] "C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Phyzaar\AppData\Roaming\Mozilla\Firefox\Profiles\04uo2jhq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bf56a0e9a-c72e-48fe-b399-f179a43d9574%7D&mid=9ccb3e056756ff1bb8638b7577f990ce-16321237ade491462439ff78036494df02949e9e&ds=AVG&v=9.0.0.18.1&lang=us&pr=fr&d=2011-11-21%2008%3A37%3A26&sap=ku&q=
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npImgCtl.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx64;avgrkx64.sys;C:\Windows\system32\Drivers\avgrkx64.sys --> C:\Windows\system32\Drivers\avgrkx64.sys [?]
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R3 Point64;Microsoft IntelliPoint Filter Driver;C:\Windows\system32\DRIVERS\point64k.sys --> C:\Windows\system32\DRIVERS\point64k.sys [?]
S1 anodlwf;ANOD Network Security Filter driver;C:\Windows\system32\DRIVERS\anodlwfx.sys --> C:\Windows\system32\DRIVERS\anodlwfx.sys [?]
S1 Avgfwfd;AVG network filter service;C:\Windows\system32\DRIVERS\avgfwd6a.sys --> C:\Windows\system32\DRIVERS\avgfwd6a.sys [?]
S1 AvgLdx64;AVG AVI Loader Driver x64;C:\Windows\system32\Drivers\avgldx64.sys --> C:\Windows\system32\Drivers\avgldx64.sys [?]
S1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;C:\Windows\system32\Drivers\avgmfx64.sys --> C:\Windows\system32\Drivers\avgmfx64.sys [?]
S1 AvgTdiA;AVG8 Network Redirector x64;C:\Windows\system32\Drivers\avgtdia.sys --> C:\Windows\system32\Drivers\avgtdia.sys [?]
S2 AERTFilters;Andrea RT Filters Service;C:\Windows\system32\AERTSr64.exe --> C:\Windows\system32\AERTSr64.exe [?]
S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~2\AVG\AVG8\avgemc.exe [2012-7-10 908056]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe [2012-7-10 297752]
S2 avgfws8;AVG8 Firewall;C:\PROGRA~2\AVG\AVG8\avgfws8.exe [2012-7-10 1370488]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2009-7-22 5641736]
S2 AVGIDSWatcher;AVGIDSWatcher;C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-7-22 571912]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-9-23 155648]
S2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 gupdate1c9efc03ada2d10;Google Update Service (gupdate1c9efc03ada2d10);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-6-17 133104]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-3-18 1153368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe" --> C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-7-3 250056]
S3 AVGIDSDriver;AVGIDSDriver;C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\driver\platform_VISTA\AVGIDSDriver.sys [2009-7-22 132104]
S3 AVGIDSFilter;AVGIDSFilter;C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\driver\platform_VISTA\AVGIDSFilter.sys [2009-7-22 35848]
S3 CAXHWBS2;CAXHWBS2;C:\Windows\system32\DRIVERS\CAXHWBS2.sys --> C:\Windows\system32\DRIVERS\CAXHWBS2.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-6-17 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-2-4 1355968]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-6 113120]
S3 netr28ux;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;C:\Windows\system32\DRIVERS\Dnetr28ux.sys --> C:\Windows\system32\DRIVERS\Dnetr28ux.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 SynasUSB;SynasUSB;C:\Windows\system32\drivers\SynUSB64.sys --> C:\Windows\system32\drivers\SynUSB64.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-10 89920]
S4 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"C:\Program Files (x86)\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> C:\Program Files (x86)\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]
.
=============== File Associations ===============
.
inffile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
VBEFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
VBSFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-07-31 23:24:28 -------- d-----w- C:\Program Files (x86)\ESET
2012-07-31 21:53:12 9133488 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2012-07-29 20:29:33 -------- d-sh--w- C:\$RECYCLE.BIN
2012-07-29 00:37:43 -------- d-----w- C:\Users\Phyzaar\AppData\Local\temp
2012-07-28 22:20:07 98816 ----a-w- C:\Windows\sed.exe
2012-07-28 22:20:07 518144 ----a-w- C:\Windows\SWREG.exe
2012-07-28 22:20:07 256000 ----a-w- C:\Windows\PEV.exe
2012-07-28 22:20:07 208896 ----a-w- C:\Windows\MBR.exe
2012-07-28 22:19:57 -------- d-----w- C:\ComboFix
2012-07-28 19:43:25 15872 ----a-w- C:\Windows\System32\drivers\anodlwfx.sys
2012-07-28 19:43:24 900608 ----a-w- C:\Windows\System32\drivers\Dnetr28ux.sys
2012-07-28 19:43:24 305152 ----a-w- C:\Windows\System32\RaCoInstx.dll
2012-07-27 03:59:06 -------- d-----w- C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
2012-07-11 15:50:09 2769408 ----a-w- C:\Windows\System32\win32k.sys
2012-07-11 01:37:11 -------- d-----w- C:\$AVG8.VAULT$
2012-07-11 00:46:47 -------- d-----w- C:\Windows\SysWow64\drivers\avg
2012-07-11 00:28:46 1869824 ----a-w- C:\Windows\System32\msxml3.dll
2012-07-11 00:28:46 1797120 ----a-w- C:\Windows\System32\msxml6.dll
2012-07-11 00:28:46 1401856 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-07-11 00:28:46 1248768 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-07-11 00:28:45 974848 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2012-07-11 00:28:45 708608 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2012-07-11 00:28:41 77312 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-07-11 00:28:41 516480 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-07-11 00:28:41 347136 ----a-w- C:\Windows\System32\schannel.dll
2012-07-11 00:28:41 278528 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-07-11 00:28:41 254464 ----a-w- C:\Windows\System32\ncrypt.dll
2012-07-11 00:28:41 204288 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-07-10 23:36:00 -------- d-----w- C:\ProgramData\Downloaded Installations
2012-07-10 23:35:20 12464 ----a-w- C:\Windows\System32\avgrssta.dll
2012-07-10 23:35:19 14856 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
2012-07-10 23:35:17 133640 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2012-07-10 23:35:13 427016 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
2012-07-10 23:35:12 33416 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2012-07-10 23:35:11 -------- d-----w- C:\Windows\System32\drivers\Avg
2012-07-10 23:32:47 29464 ----a-w- C:\Windows\System32\drivers\avgfwd6a.sys
2012-07-08 20:49:59 -------- d-----w- C:\Users\Phyzaar\AppData\Local\Macromedia
.
==================== Find3M ====================
.
2012-07-29 20:31:43 80904 ----a-w- C:\Windows\System32\drivers\WS2IFSL.SYS
2012-07-04 02:04:45 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-04 02:04:45 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-04 02:04:40 9815752 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 22:19:42 171904 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 22:12:20 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
2012-06-02 22:12:13 88576 ----a-w- C:\Windows\SysWow64\wudriver.dll
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-05-31 19:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 18:18:46.54 ===============


From the GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-05 23:34:31
Windows 6.0.6002 Service Pack 2
Running: f35f74ts.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFD 0x4A 0x1C 0x04 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCE 0x65 0x89 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC1 0xC9 0xF8 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xB2 0x90 0x2B 0x98 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFD 0x4A 0x1C 0x04 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCE 0x65 0x89 0x05 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC1 0xC9 0xF8 0x85 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xB2 0x90 0x2B 0x98 ...

---- EOF - GMER 1.0.15 ----

Attached File: ddsattach.txt (15.52KB)

Edited by Orange Blossom, 09 August 2012 - 02:45 PM.
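The DDS log in the post above is read by hand in this forum. As an added example (not part of this thread, and not code from DDS or AVG), the Python script below parses the section layout DDS uses in that log and pulls out the lines a helper would look at first: security products reported as Disabled, orphaned "No File" entries, EnableLUA = 0 (UAC switched off), and services or drivers whose binary DDS could not verify (the "--> path [?]" form; on a 64-bit system many legitimate drivers in system32 show this, most likely because the 32-bit tool is subject to WOW64 file-system redirection, so treat it as a pointer, not a verdict). The sample input is constructed from excerpts of the posted log, the severity labels are this example's own heuristic, and the file name `dds_triage.py` is hypothetical.

```python
"""Triage helper for a DDS log.

Added example, not code from this thread, from DDS or from AVG. It splits a DDS log on the
"==== Section ====" headers DDS prints and flags the entries a helper reads first. The
severity labels are this example's own heuristic, not anything DDS reports.
"""
import re
import sys

# Constructed sample: excerpts of the DDS log posted above, in DDS's own layout.
SAMPLE_LOG = r"""
AV: AVG Internet Security *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
FW: AVG Firewall *Enabled* {34A811A1-D438-CA83-C13E-A23981B1E8F9}
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mPolicies-system: EnableLUA = 0 (0x0)
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe [2012-7-10 297752]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
.
============= FINISH: 18:18:46.54 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "<start type> <service name>;<display name>;<image path> [...]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# "mPolicies-system: EnableLUA = 0 (0x0)"
POLICY_RE = re.compile(r"^[mu]Policies-(\w+):\s*(\w+)\s*=\s*(\d+)")
# "AV: AVG Internet Security *Disabled/Updated* {GUID}"
PRODUCT_RE = re.compile(r"^(AV|SP|FW):\s*(.*?)\s*\*([^*]+)\*")


def parse_sections(text):
    """Map each DDS section title to its non-empty lines; text before the first header is 'header'."""
    sections = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":          # DDS uses a lone "." as a spacer
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def triage(text):
    """Return (severity, category, line) tuples for the entries worth a first look."""
    sections = parse_sections(text)
    findings = []

    for line in sections["header"]:
        match = PRODUCT_RE.match(line)
        if match and match.group(3).startswith("Disabled"):
            findings.append(("medium", f"{match.group(1)} product disabled: {match.group(2)}", line))

    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("- No File"):
            # Registry points at a file that is gone: leftover of an uninstall or a removed component.
            findings.append(("low", "orphaned entry (No File)", line))
        match = POLICY_RE.match(line)
        if match and match.group(2) == "EnableLUA" and match.group(3) == "0":
            findings.append(("high", "UAC disabled (EnableLUA = 0)", line))

    for line in sections.get("SERVICES / DRIVERS", []):
        match = SERVICE_RE.match(line)
        if match and match.group(4).endswith("[?]"):
            # "--> path [?]": DDS could not open/verify the binary. On x64 this is common for
            # legitimate drivers (32-bit tool, WOW64 redirection), so it is a pointer, not a verdict.
            findings.append(("info", f"binary not verified ({match.group(1)} {match.group(2)})", line))

    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 1, 'medium': 1, ...}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python dds_triage.py [path\to\dds.txt]; without an argument it runs on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    results = triage(text)
    for severity, category, line in results:
        print(f"[{severity:<6}] {category}: {line}")
    print("summary:", summarize(results))
```

Run it against a saved DDS log to get the flagged lines grouped by severity; on the sample it reports the disabled AV, the two orphaned entries, the EnableLUA = 0 policy and the two unverified service binaries. The parser only keys on the section titles DDS prints, so it works on both the "MINIMAL" (Safe Mode) log and the normal-boot log in this thread.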

#2 HelpBot

Posted 12 August 2012 - 04:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/464289 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 TheSkyBelow

Posted 12 August 2012 - 06:46 PM

Hello, to state my problem again: my AV (AVG) keeps giving me a multiple threat detection of a Trojan horse Patched_c.LZI and says that it is "white listed". I'm running a 64-bit system.

Is there anything else you need to know about my computer?

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Phyzaar at 16:32:48 on 2012-08-12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4084.1981 [GMT -7:00]
.
AV: AVG Internet Security *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Internet Security *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
FW: AVG Firewall *Enabled* {34A811A1-D438-CA83-C13E-A23981B1E8F9}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~2\AVG\AVG8\avgfws8.exe
C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~2\AVG\AVG8\avgam.exe
C:\PROGRA~2\AVG\AVG8\avgrsa.exe
C:\PROGRA~2\AVG\AVG8\avgnsa.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\AVG\AVG8\avgcsrva.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\PROGRA~2\AVG\AVG8\avgemc.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Digital Line Detect\DLG.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSUI.exe
C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSMonitor.exe
C:\Program Files (x86)\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_262.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - C:\Program Files (x86)\Dell\BAE\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_262_Plugin.exe -update plugin
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
mRun: [AVGIDS] "C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
StartupFolder: C:\Users\Phyzaar\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DIGITA~1.LNK - C:\Program Files (x86)\Digital Line Detect\DLG.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9543F960-0837-460F-B781-571955600A69} : DhcpNameServer = 192.168.1.254
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files (x86)\Dell\BAE\BAE.dll
BHO-X64: Browser Address Error Redirector - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun-x64: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
mRun-x64: [AVGIDS] "C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Phyzaar\AppData\Roaming\Mozilla\Firefox\Profiles\04uo2jhq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bf56a0e9a-c72e-48fe-b399-f179a43d9574%7D&mid=9ccb3e056756ff1bb8638b7577f990ce-16321237ade491462439ff78036494df02949e9e&ds=AVG&v=9.0.0.18.1&lang=us&pr=fr&d=2011-11-21%2008%3A37%3A26&sap=ku&q=
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npImgCtl.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx64;avgrkx64.sys;C:\Windows\system32\Drivers\avgrkx64.sys --> C:\Windows\system32\Drivers\avgrkx64.sys [?]
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 anodlwf;ANOD Network Security Filter driver;C:\Windows\system32\DRIVERS\anodlwfx.sys --> C:\Windows\system32\DRIVERS\anodlwfx.sys [?]
R1 Avgfwfd;AVG network filter service;C:\Windows\system32\DRIVERS\avgfwd6a.sys --> C:\Windows\system32\DRIVERS\avgfwd6a.sys [?]
R1 AvgLdx64;AVG AVI Loader Driver x64;C:\Windows\system32\Drivers\avgldx64.sys --> C:\Windows\system32\Drivers\avgldx64.sys [?]
R1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;C:\Windows\system32\Drivers\avgmfx64.sys --> C:\Windows\system32\Drivers\avgmfx64.sys [?]
R1 AvgTdiA;AVG8 Network Redirector x64;C:\Windows\system32\Drivers\avgtdia.sys --> C:\Windows\system32\Drivers\avgtdia.sys [?]
R2 AERTFilters;Andrea RT Filters Service;C:\Windows\system32\AERTSr64.exe --> C:\Windows\system32\AERTSr64.exe [?]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~2\AVG\AVG8\avgemc.exe [2012-7-10 908056]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe [2012-7-10 297752]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~2\AVG\AVG8\avgfws8.exe [2012-7-10 1370488]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2009-7-22 5641736]
R2 AVGIDSWatcher;AVGIDSWatcher;C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-7-22 571912]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-9-23 155648]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-3-18 1153368]
R3 AVGIDSDriver;AVGIDSDriver;C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\driver\platform_VISTA\AVGIDSDriver.sys [2009-7-22 132104]
R3 AVGIDSFilter;AVGIDSFilter;C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\driver\platform_VISTA\AVGIDSFilter.sys [2009-7-22 35848]
R3 CAXHWBS2;CAXHWBS2;C:\Windows\system32\DRIVERS\CAXHWBS2.sys --> C:\Windows\system32\DRIVERS\CAXHWBS2.sys [?]
R3 netr28ux;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;C:\Windows\system32\DRIVERS\Dnetr28ux.sys --> C:\Windows\system32\DRIVERS\Dnetr28ux.sys [?]
R3 Point64;Microsoft IntelliPoint Filter Driver;C:\Windows\system32\DRIVERS\point64k.sys --> C:\Windows\system32\DRIVERS\point64k.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate1c9efc03ada2d10;Google Update Service (gupdate1c9efc03ada2d10);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-6-17 133104]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe" --> C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-7-3 250056]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-6-17 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-2-4 1355968]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-6 113120]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 SynasUSB;SynasUSB;C:\Windows\system32\drivers\SynUSB64.sys --> C:\Windows\system32\drivers\SynUSB64.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-10 89920]
S4 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"C:\Program Files (x86)\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> C:\Program Files (x86)\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]
.
=============== File Associations ===============
.
inffile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
VBEFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
VBSFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-07-31 23:24:28 -------- d-----w- C:\Program Files (x86)\ESET
2012-07-31 21:53:12 9133488 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2012-07-29 20:29:33 -------- d-sh--w- C:\$RECYCLE.BIN
2012-07-29 00:37:43 -------- d-----w- C:\Users\Phyzaar\AppData\Local\temp
2012-07-28 22:20:07 98816 ----a-w- C:\Windows\sed.exe
2012-07-28 22:20:07 518144 ----a-w- C:\Windows\SWREG.exe
2012-07-28 22:20:07 256000 ----a-w- C:\Windows\PEV.exe
2012-07-28 22:20:07 208896 ----a-w- C:\Windows\MBR.exe
2012-07-28 22:19:57 -------- d-----w- C:\ComboFix
2012-07-28 19:43:25 15872 ----a-w- C:\Windows\System32\drivers\anodlwfx.sys
2012-07-28 19:43:24 900608 ----a-w- C:\Windows\System32\drivers\Dnetr28ux.sys
2012-07-28 19:43:24 305152 ----a-w- C:\Windows\System32\RaCoInstx.dll
2012-07-27 03:59:06 -------- d-----w- C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
.
==================== Find3M ====================
.
2012-07-29 20:31:43 80904 ----a-w- C:\Windows\System32\drivers\WS2IFSL.SYS
2012-07-11 00:46:46 427016 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
2012-07-10 23:35:20 12464 ----a-w- C:\Windows\System32\avgrssta.dll
2012-07-10 23:35:19 14856 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
2012-07-10 23:35:17 133640 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2012-07-10 23:35:12 33416 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2012-07-10 23:32:47 29464 ----a-w- C:\Windows\System32\drivers\avgfwd6a.sys
2012-07-04 02:04:45 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-04 02:04:45 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-04 02:04:40 9815752 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-06-13 13:58:27 2769408 ----a-w- C:\Windows\System32\win32k.sys
2012-06-05 16:47:28 1401856 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-05 16:47:27 1248768 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-05 16:22:47 1797120 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-05 16:22:46 1869824 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-04 15:29:59 516480 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 22:19:42 171904 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 22:12:20 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
2012-06-02 22:12:13 88576 ----a-w- C:\Windows\SysWow64\wudriver.dll
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-02 00:22:56 347136 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 00:22:10 254464 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 00:05:11 77312 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 00:04:25 278528 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 00:03:42 204288 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-05-31 19:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 16:33:38.47 ===============

Again thank you for taking the time to help.
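A small triage script for logs of this shape, added here as an example; it is not part of the original thread and not a component of DDS, FRST or BleepingComputer's process. It parses the DDS entry formats shown above (mPolicies lines, "- No File" entries, R#/S# service and driver lines), the AppInit_DLLs line, and the FRST Run/service/driver format the poster supplies later in the thread, and flags what a responder checks first: UAC switched off (EnableLUA = 0), entries whose target file no longer exists, a populated AppInit_DLLs injection point, and drivers or services that carry no publisher string. The sample lines are copied from the logs in this thread. The severity labels and the reading of DDS's "[?]" marker (a 32-bit scanner being redirected away from the 64-bit System32 directory on an x64 system) are this script's own interpretation, not anything the tools report.

```python
"""Triage helper for DDS / FRST style startup, service and policy listings.

Added example for this thread; not part of DDS, FRST or BleepingComputer.
Severity labels are this script's own opinion, not anything the tools emit.
"""
import re

# Constructed sample: lines copied from the DDS log above and from the FRST
# log posted later in this thread.
SAMPLE_LOG = r"""
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
mRun: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
R0 AvgRkx64;avgrkx64.sys;C:\Windows\system32\Drivers\avgrkx64.sys --> C:\Windows\system32\Drivers\avgrkx64.sys [?]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~2\AVG\AVG8\avgemc.exe [2012-7-10 908056]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
AppInit_DLLs: avgrssta.dll
HKLM\...\Run: [RtHDVCpl] RAVCpl64.exe [x]
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [138264 2008-02-11] (Intel Corporation)
1 anodlwf; C:\Windows\System32\DRIVERS\anodlwfx.sys [15872 2009-03-06] ()
2 avg8emc; C:\PROGRA~2\AVG\AVG8\avgemc.exe [908056 2012-07-10] (AVG Technologies CZ, s.r.o.)
"""

# DDS line shapes
DDS_POLICY = re.compile(r"^[um]Policies-(?P<area>\w+):\s+(?P<key>\w+)\s+=\s+(?P<value>\S+)")
DDS_NOFILE = re.compile(r"^(?P<kind>[\w-]+):\s+(?P<ident>.+?)\s+-\s+No File$")
DDS_SERVICE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
APPINIT = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>\S.*)$")
# FRST line shape: "... <path> [size date] (Publisher)", or "... [x]" when the file is missing
FRST_TRAILER = re.compile(r"\[(?P<meta>[^\]]*)\](?:\s*\((?P<pub>[^)]*)\))?\s*$")
SYSTEM32 = re.compile(r"^[A-Za-z]:\\Windows\\system32\\", re.IGNORECASE)
DRIVE_ROOTED = re.compile(r"^[A-Za-z]:\\")


def triage(text):
    """Return (severity, reason, line) tuples for entries a responder should look at."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = DDS_POLICY.match(line)
        if m:
            if m["key"] == "EnableLUA" and m["value"] == "0":
                findings.append(("high", "UAC disabled (EnableLUA = 0): administrators run everything with a full token", line))
            continue

        if DDS_NOFILE.match(line):
            findings.append(("low", "registry entry whose target file is gone; cleanup candidate", line))
            continue

        m = APPINIT.match(line)
        if m:
            # AppInit_DLLs are loaded into every process that loads user32.dll, so a
            # populated value is always worth a signature check, even when it looks benign.
            findings.append(("medium", f"AppInit_DLLs is populated ({m['dlls']}); verify the DLL's signature", line))
            continue

        m = DDS_SERVICE.match(line)
        if m:
            rest = m["rest"]
            if rest.endswith("[?]"):
                path = rest.split(" --> ")[0]
                if SYSTEM32.match(path):
                    # A 32-bit scanner opening C:\Windows\system32 on x64 is redirected to SysWOW64,
                    # so 64-bit drivers there look unreadable. Confirm with a 64-bit tool (e.g. FRST64).
                    findings.append(("info", "file not read by 32-bit scanner; expected under WoW64 redirection, confirm with a 64-bit tool", line))
                elif not DRIVE_ROOTED.match(path):
                    findings.append(("low", "relative service image path and file not read; confirm what actually loads", line))
                else:
                    findings.append(("medium", "service file could not be read", line))
            continue

        m = FRST_TRAILER.search(line)
        if m:
            if m["meta"] == "x":
                findings.append(("low", "FRST: file for this entry is missing", line))
            elif m["pub"] is not None and not m["pub"].strip():
                findings.append(("medium", "FRST: file present but carries no publisher; check its signature and origin", line))
    return findings


def by_severity(findings):
    """Count findings per severity label."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:<6}] {reason}\n         {line}")
```

Feed it a whole DDS or FRST log saved as text and read the output top-down by severity; the "info" entries for System32 paths exist only so that a reader does not mistake the redirection artefact for tampering.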

#4 RPMcMurphy
  • Malware Response Team

Posted 12 August 2012 - 08:27 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
When you ran ComboFix, did it produce a log for you? If so, I'd like to see it. This will open it:

Click Start > Run or press Windows Key + R, copy/paste the following into the Run box that opens and press OK:
c:\ComboFix.txt

Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 TheSkyBelow
  • Topic Starter

Posted 13 August 2012 - 02:07 PM

There was a log produced, but I didn't save it. I was discussing this problem with a friend of mine and he said something about ComboFix being a tool that people used. He told me to download it and run it. I did, but my problems persisted, and when I came to this place I found out that I should've waited on using ComboFix.

To the point: I have no log from the first time I ran ComboFix. Am I bleeped? Or should I run it again?

#6 RPMcMurphy
  • Malware Response Team

Posted 13 August 2012 - 09:01 PM

Don't run ComboFix again just yet; please do this:

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu, select Open.
  • Select "Computer", find your flash drive letter and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

Please include the following in your next post:
  • FRST.txt log



#7 TheSkyBelow
  • Topic Starter

Posted 15 August 2012 - 12:40 PM

Okay, thank you. One more thing though: whenever I try to start Windows normally or in Safe Mode I get a blue screen.

The screen reads as follows:
A problem has been detected and Windows has been shut down to prevent damage to your computer.
A process or thread crucial to system operation has unexpectedly exited or been terminated.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing.
If you need to use safe mode to remove or disable components, restart your computer, yada yada get into safe mode.

Technical information:
*** STOP: 0x000000F4 (0x0000000000000003, 0xFFFFFA800533E800, 0xFFFFFA800533EA38, 0xFFFFF80002B39C90)

Then there is text telling me about collecting data for crash dump, initializing disk for crash dump, beginning dump of physical memory and dumping physical memory to disk.
Contact support for further assistance.

Should I still do what you said, or is this a completely new problem?

#8 RPMcMurphy
  • Malware Response Team

Posted 15 August 2012 - 08:36 PM

Hi,

Those Blue Screen events are all symptoms of the infection you have. Please proceed with my last instructions.



#9 TheSkyBelow
  • Topic Starter

Posted 15 August 2012 - 11:51 PM

Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 15-08-2012 19:13:11
Running from E:\
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] RAVCpl64.exe [x]
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [138264 2008-02-11] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [203800 2008-02-11] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [168472 2008-02-11] (Intel Corporation)
HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2206280 2008-06-10] (Microsoft Corporation)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKLM-x32\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [x]
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2010-11-17] (Apple Inc.)
HKLM-x32\...\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [x]
HKLM-x32\...\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe [2042208 2012-07-11] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AVGIDS] "C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [1600008 2009-07-22] (AVG)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\owner\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\owner\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [26192680 2010-04-20] (Skype Technologies S.A.)
HKU\owner\...\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe [x]
HKU\Phyzaar\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll ()
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
AppInit_DLLs: avgrssta.dll
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files (x86)\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\owner\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Phyzaar\Start Menu\Programs\Startup\Rainmeter.lnk
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe ()

==================== Services (Whitelisted) ======

2 AERTFilters; C:\Windows\System32\AERTSr64.exe [86016 2008-07-17] (Andrea Electronics Corporation)
2 avg8emc; C:\PROGRA~2\AVG\AVG8\avgemc.exe [908056 2012-07-10] (AVG Technologies CZ, s.r.o.)
2 avg8wd; C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe [297752 2012-07-10] (AVG Technologies CZ, s.r.o.)
2 avgfws8; C:\PROGRA~2\AVG\AVG8\avgfws8.exe [1370488 2012-07-10] (AVG Technologies CZ, s.r.o.)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe" AVGIDSAgent [5641736 2009-07-22] (AVG)
2 AVGIDSWatcher; C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [571912 2009-07-22] (AVG)
2 gupdate1c9efc03ada2d10; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [133104 2009-06-17] (Google Inc.)
3 Lavasoft Ad-Aware Service; "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" [1355968 2011-06-14] (Lavasoft)
2 libusbd; C:\Windows\SysWow64\libusbd-nt.exe [18944 2005-03-09] (http://libusb-win32.sourceforge.net)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 NMSAccessU; C:\Program Files (x86)\Super_DVD_Creator_9.8\NMSAccessU.exe [x]
4 Roxio UPnP Renderer 11; "C:\Program Files (x86)\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" [x]
2 Viewpoint Manager Service; "C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe" [x]
3 WinDefend; C:\Program Files (x86)\Windows Defender\mpsvc.dll [x]

========================== Drivers (Whitelisted) =============

1 anodlwf; C:\Windows\System32\DRIVERS\anodlwfx.sys [15872 2009-03-06] ()
1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [29464 2012-07-10] (AVG Technologies CZ, s.r.o.)
3 AVGIDSDriver; \??\C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\driver\platform_VISTA\AVGIDSDriver.sys [132104 2009-07-22] (AVG Technologies )
0 AVGIDSErHr; C:\Windows\SysWow64\Drivers\AVGIDSErHr.sys [27144 2009-07-22] (AVG Technologies )
3 AVGIDSFilter; \??\C:\Program Files (x86)\AVG\AVG8\IdentityProtection\agent\driver\platform_VISTA\AVGIDSFilter.sys [35848 2009-07-22] (AVG Technologies )
1 AvgLdx64; C:\Windows\System32\Drivers\AvgLdx64.sys [427016 2012-07-10] (AVG Technologies CZ, s.r.o.)
1 AvgMfx64; C:\Windows\System32\Drivers\AvgMfx64.sys [33416 2012-07-10] (AVG Technologies CZ, s.r.o.)
0 AvgRkx64; C:\Windows\System32\Drivers\AvgRkx64.sys [14856 2012-07-10] (AVG Technologies CZ, s.r.o.)
1 AvgTdiA; C:\Windows\System32\Drivers\AvgTdiA.sys [133640 2012-07-10] (AVG Technologies CZ, s.r.o.)
3 CAXHWBS2; C:\Windows\System32\Drivers\CAXHWBS2.sys [411136 2008-07-01] (Conexant Systems, Inc.)
0 Lbd; C:\Windows\System32\Drivers\Lbd.sys [69152 2010-06-08] (Lavasoft AB)
3 libusb0; C:\Windows\SysWow64\Drivers\libusb0.sys [33792 2005-03-09] ()
3 netr28ux; C:\Windows\System32\DRIVERS\Dnetr28ux.sys [900608 2009-08-03] (Ralink Technology Corp.)
4 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-07-02] (Duplex Secure Ltd.)
3 SynasUSB; C:\Windows\System32\drivers\SynUSB64.sys [31248 2006-11-16] (SIA Syncrosoft)
1 Beep; [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-15 19:12 - 2012-08-15 19:12 - 00000000 ____D C:\FRST
2012-08-12 15:40 - 2012-08-12 15:40 - 00015938 ____A C:\Users\Phyzaar\Desktop\Attach.txt
2012-08-05 17:16 - 2012-08-05 17:16 - 00000020 ____A C:\Users\Phyzaar\defogger_reenable
2012-08-04 13:42 - 2012-08-05 17:16 - 00000000 ____D C:\Users\Phyzaar\Desktop\the new bleep
2012-07-31 15:24 - 2012-07-31 15:24 - 00000000 ____D C:\Program Files (x86)\ESET
2012-07-31 14:14 - 2012-07-31 14:14 - 02322184 ____A (ESET) C:\Users\Phyzaar\Downloads\esetsmartinstaller_enu.exe
2012-07-31 14:14 - 2012-07-31 14:14 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Phyzaar\Downloads\tdsskiller.exe
2012-07-31 14:08 - 2012-07-31 18:29 - 00000680 ____A C:\Users\Phyzaar\AppData\Local\d3d9caps.dat
2012-07-28 14:20 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-07-28 14:20 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-07-28 14:20 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-07-28 14:20 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-07-28 14:20 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-07-28 14:20 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-07-28 14:20 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-07-28 14:20 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-07-28 14:19 - 2012-07-29 12:32 - 00000000 ____D C:\ComboFix
2012-07-28 11:43 - 2009-08-03 09:56 - 00900608 ____A (Ralink Technology Corp.) C:\Windows\System32\Drivers\Dnetr28ux.sys
2012-07-28 11:43 - 2009-08-03 09:55 - 00305152 ____A (Ralink Technology, Inc.) C:\Windows\System32\RaCoInstx.dll
2012-07-28 11:43 - 2009-08-03 09:55 - 00013931 ____A C:\Windows\System32\RaCoInst.dat
2012-07-28 11:43 - 2009-03-06 17:10 - 00015872 ____A () C:\Windows\System32\Drivers\anodlwfx.sys
2012-07-26 20:05 - 2012-07-29 12:29 - 00000000 ____D C:\Windows\erdnt
2012-07-26 20:05 - 2012-07-26 20:05 - 00000000 ____D C:\Qoobox
2012-07-26 19:59 - 2012-07-26 20:03 - 00000000 ____D C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
2012-07-26 14:34 - 2012-08-12 15:24 - 00000000 ____D C:\Users\Phyzaar\Desktop\fixer
2012-07-26 14:01 - 2012-07-26 14:01 - 00269840 ____A C:\Windows\Minidump\Mini072612-01.dmp

============ 3 Months Modified Files ========================

2012-08-15 09:24 - 2010-05-09 08:05 - 00267755 ____A C:\aaw7boot.log
2012-08-15 09:24 - 2009-03-02 13:30 - 351011925 ____A C:\Windows\MEMORY.DMP
2012-08-15 09:24 - 2008-01-20 19:26 - 00048338 ____A C:\Windows\PFRO.log
2012-08-13 11:08 - 2008-12-09 05:57 - 01192642 ____A C:\Windows\WindowsUpdate.log
2012-08-13 11:08 - 2006-11-02 07:42 - 00032652 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-13 11:08 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-13 11:08 - 2006-11-02 07:22 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-13 11:08 - 2006-11-02 07:22 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-13 11:03 - 2006-11-02 04:46 - 00005538 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-13 11:02 - 2012-07-03 17:40 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-13 10:56 - 2009-06-29 19:47 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-12 15:40 - 2012-08-12 15:40 - 00015938 ____A C:\Users\Phyzaar\Desktop\Attach.txt
2012-08-12 15:36 - 2009-06-29 19:47 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-05 17:16 - 2012-08-05 17:16 - 00000020 ____A C:\Users\Phyzaar\defogger_reenable
2012-07-31 18:29 - 2012-07-31 14:08 - 00000680 ____A C:\Users\Phyzaar\AppData\Local\d3d9caps.dat
2012-07-31 14:14 - 2012-07-31 14:14 - 02322184 ____A (ESET) C:\Users\Phyzaar\Downloads\esetsmartinstaller_enu.exe
2012-07-31 14:14 - 2012-07-31 14:14 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Phyzaar\Downloads\tdsskiller.exe
2012-07-29 12:34 - 2006-11-02 07:27 - 00172819 ____A C:\Windows\setupact.log
2012-07-29 12:31 - 2008-01-20 18:49 - 00080904 ____A (AVG Technologies ) C:\Windows\System32\Drivers\WS2IFSL.SYS
2012-07-29 12:29 - 2006-11-02 04:34 - 00000215 ____A C:\Windows\system.ini
2012-07-26 14:59 - 2006-11-02 04:33 - 79429632 ____A C:\Windows\System32\config\software_previous
2012-07-26 14:59 - 2006-11-02 04:33 - 28573696 ____A C:\Windows\System32\config\system_previous
2012-07-26 14:50 - 2006-11-02 04:33 - 58982400 ____A C:\Windows\System32\config\components_previous
2012-07-26 14:50 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-07-26 14:01 - 2012-07-26 14:01 - 00269840 ____A C:\Windows\Minidump\Mini072612-01.dmp
2012-07-24 21:29 - 2006-11-02 04:33 - 00524288 ____A C:\Windows\System32\config\default_previous
2012-07-24 21:29 - 2006-11-02 04:33 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-07-11 11:16 - 2006-11-02 07:21 - 00305584 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 08:04 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-10 16:46 - 2012-07-10 15:35 - 00427016 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx64.sys
2012-07-10 15:35 - 2012-07-10 15:35 - 00133640 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys
2012-07-10 15:35 - 2012-07-10 15:35 - 00033416 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgmfx64.sys
2012-07-10 15:35 - 2012-07-10 15:35 - 00014856 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgrkx64.sys
2012-07-10 15:35 - 2012-07-10 15:35 - 00012464 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\avgrssta.dll
2012-07-10 15:32 - 2012-07-10 15:32 - 00029464 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgfwd6a.sys
2012-07-10 15:29 - 2011-12-01 14:59 - 00008192 ____A C:\users\Mcx2
2012-07-10 15:29 - 2011-12-01 14:59 - 00008192 ____A C:\users\Mcx1
2012-07-06 15:46 - 2009-06-21 16:20 - 00000488 ____A C:\Windows\WININIT.INI
2012-07-04 14:40 - 2011-06-26 13:55 - 00005555 ____A C:\Windows\System32\avgrep.txt
2012-07-04 14:37 - 2011-06-26 10:05 - 00000732 ____A C:\Users\owner\AppData\Local\d3d9caps64.dat
2012-07-03 18:04 - 2012-07-03 18:04 - 09815752 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-07-03 18:04 - 2012-07-03 17:40 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-03 18:04 - 2011-11-12 07:33 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-21 19:59 - 2012-06-21 19:57 - 19503253 ____A C:\Users\Phyzaar\Downloads\ps3video9-600-setup.exe
2012-06-21 19:19 - 2011-08-28 16:31 - 00021504 ____A C:\Users\Phyzaar\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-13 05:58 - 2012-07-11 07:50 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 09:59 - 2012-07-10 13:54 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 09:47 - 2012-07-10 13:54 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 08:47 - 2012-07-10 16:28 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 08:47 - 2012-07-10 16:28 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 08:22 - 2012-07-10 16:28 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 08:22 - 2012-07-10 16:28 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-04 07:29 - 2012-07-10 16:28 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-24 00:40 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-24 00:40 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-24 00:40 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-24 00:39 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-24 00:39 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-24 00:39 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:19 - 2012-06-24 00:39 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 14:19 - 2012-06-24 00:39 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-24 00:39 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-24 00:40 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-24 00:39 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:15 - 2012-06-24 00:39 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 14:12 - 2012-06-24 00:39 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 14:12 - 2012-06-24 00:39 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-06-02 04:49 - 2012-07-11 07:51 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 07:51 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 07:51 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 07:51 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 07:51 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 07:51 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 07:51 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 07:51 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 07:51 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 07:51 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 07:51 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 07:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 07:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 07:51 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 07:51 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 07:51 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 07:51 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 07:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 07:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 07:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 07:51 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 07:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 07:51 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 07:51 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 07:51 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 07:51 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 07:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 07:51 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 16:22 - 2012-07-10 16:28 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:22 - 2012-07-10 16:28 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 16:05 - 2012-07-10 16:28 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 16:04 - 2012-07-10 16:28 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 16:03 - 2012-07-10 16:28 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-05-31 11:25 - 2009-10-04 07:13 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-05-30 21:57 - 2012-05-30 21:41 - 00000080 ____A C:\Windows\SysWOW64\karoshi2.sav
2012-05-30 21:40 - 2012-05-30 21:39 - 09145520 ____A C:\Users\Phyzaar\Downloads\karoshi2.zip
2012-05-29 22:16 - 2012-05-29 22:11 - 12810883 ____A C:\Users\Phyzaar\Downloads\Farm Lessons 16 (full).rar
2012-05-28 16:39 - 2012-05-28 16:39 - 00000531 ____A C:\Users\owner\Desktop\µPeerShield v1.1.lnk
2012-05-24 19:21 - 2012-05-24 19:20 - 01708871 ____A C:\Users\Phyzaar\Downloads\Hotmail (1).zip
2012-05-22 09:05 - 2012-05-22 09:05 - 01038724 ____A C:\Users\owner\Downloads\CBEST_CAT_5.jar


ZeroAccess:
C:\Windows\Installer\{6eafbdfb-1624-7891-b48c-d81310fa2096}
C:\Windows\Installer\{6eafbdfb-1624-7891-b48c-d81310fa2096}\L
C:\Windows\Installer\{6eafbdfb-1624-7891-b48c-d81310fa2096}\U

ZeroAccess:
C:\Users\owner\AppData\Local\{6eafbdfb-1624-7891-b48c-d81310fa2096}
C:\Users\owner\AppData\Local\{6eafbdfb-1624-7891-b48c-d81310fa2096}\@
C:\Users\owner\AppData\Local\{6eafbdfb-1624-7891-b48c-d81310fa2096}\L
C:\Users\owner\AppData\Local\{6eafbdfb-1624-7891-b48c-d81310fa2096}\U

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 4084.27 MB
Available physical RAM: 3650.57 MB
Total Pagefile: 3955.91 MB
Available Pagefile: 3627.64 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:451.07 GB) (Free:154.14 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (PHONE CARD) (Removable) (Total:0.93 GB) (Free:0.01 GB) FAT
4 Drive x: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.39 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 0 B
Disk 1 Online 951 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 32 KB
Partition 2 Primary 15 GB 40 MB
Partition 3 Primary 451 GB 15 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 X RECOVERY NTFS Partition 15 GB Healthy Boot

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 950 MB 185 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PHONE CARD FAT Removable 950 MB Healthy

==================================================================================

Last Boot: 2012-08-13 11:06

======================= End Of Log ==========================


Here is what I got. Thank you again.
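A check for the on-disk layout that FRST labelled "ZeroAccess:" in the log above, written as an added example for this thread (it is not FRST's own code and not from the original post). ZeroAccess of this period kept its files in a {GUID} directory under C:\Windows\Installer and under the user's AppData\Local, with children named @, L and U, and planted a DLL named Desktop.ini directly in C:\Windows\assembly\GAC_32 and GAC_64, which is why the fix later in the thread removes exactly those four items. The function takes any list of paths (for instance the output of dir /s /b from the recovery console) and returns the indicators it finds. The sample list is constructed from the paths in the log plus two benign look-alikes (a normal Installer-cache icon entry with a made-up GUID, and a real GAC assembly layout); the find_zeroaccess_indicators name is mine.

```python
"""Flag the on-disk ZeroAccess layout that FRST reported above.

Added example for this thread; not FRST code. Input is any list of
Windows paths; output is a sorted list of (indicator, path) tuples.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: the entries FRST labelled "ZeroAccess:" in the log,
# plus two benign look-alikes that a naive "{GUID} folder" rule would flag.
SAMPLE_PATHS = [
    r"C:\Windows\Installer\{6eafbdfb-1624-7891-b48c-d81310fa2096}",
    r"C:\Windows\Installer\{6eafbdfb-1624-7891-b48c-d81310fa2096}\L",
    r"C:\Windows\Installer\{6eafbdfb-1624-7891-b48c-d81310fa2096}\U",
    r"C:\Users\owner\AppData\Local\{6eafbdfb-1624-7891-b48c-d81310fa2096}",
    r"C:\Users\owner\AppData\Local\{6eafbdfb-1624-7891-b48c-d81310fa2096}\@",
    r"C:\Users\owner\AppData\Local\{6eafbdfb-1624-7891-b48c-d81310fa2096}\L",
    r"C:\Users\owner\AppData\Local\{6eafbdfb-1624-7891-b48c-d81310fa2096}\U",
    r"C:\Windows\assembly\GAC_32\Desktop.ini",
    r"C:\Windows\assembly\GAC_64\Desktop.ini",
    # benign (constructed): a normal Installer-cache icon and a real GAC layout
    r"C:\Windows\Installer\{0f2a1b3c-4d5e-6f70-8192-a3b4c5d6e7f8}\ARPPRODUCTICON.exe",
    r"C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll",
]

GUID_DIR = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
MARKER_CHILDREN = {"@", "l", "u"}   # ZeroAccess drops these inside its {GUID} dir


def _suspicious_parent(parts):
    """True for a Windows/Installer or AppData/Local parent (case-insensitive)."""
    tail = [p.lower() for p in parts[-2:]]
    return tail in (["windows", "installer"], ["appdata", "local"])


def find_zeroaccess_indicators(paths):
    findings = set()
    children = defaultdict(set)          # {GUID} dir -> direct child names seen

    for raw in paths:
        parts = PureWindowsPath(raw).parts
        low = [p.lower() for p in parts]

        # Indicator 1: a file named Desktop.ini directly inside GAC_32 or GAC_64.
        # The real GAC keeps assemblies in <name>\<version>__<token>\ subfolders,
        # never a loose Desktop.ini at this level.
        if (len(low) >= 4 and low[-1] == "desktop.ini"
                and low[-2] in ("gac_32", "gac_64")
                and low[-3] == "assembly" and low[-4] == "windows"):
            findings.add(("gac_desktop_ini", raw))
            continue

        # Indicator 2: a {GUID} directory under Installer or AppData\Local whose
        # direct children include "@", "L" or "U". Legitimate Installer-cache
        # GUID folders hold .msi/.ico/.exe resources, not single-letter entries.
        for i, name in enumerate(parts):
            if i >= 2 and GUID_DIR.match(name) and _suspicious_parent(parts[:i]):
                guid_dir = str(PureWindowsPath(*parts[:i + 1]))
                if len(parts) > i + 1:
                    children[guid_dir].add(low[i + 1])
                break

    for guid_dir, names in children.items():
        if names & MARKER_CHILDREN:
            findings.add(("zeroaccess_guid_dir", guid_dir))

    return sorted(findings)


if __name__ == "__main__":
    for kind, path in find_zeroaccess_indicators(SAMPLE_PATHS):
        print(f"{kind:22} {path}")
```

The point of the two benign entries is that a {GUID} folder under C:\Windows\Installer is normal on every Windows box; what is not normal is one whose direct children are named @, L or U. Both conditions have to hold before the folder is reported, so the check can be run over a full directory listing without drowning in the MSI cache.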

#10 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 16 August 2012 - 02:56 PM

Please do this next:

Boot back into System Recovery Options and run FRST.
  • Type the following in the edit box after "Search:".

    services.exe

    It then should look like:

    Search: services.exe
  • Click Search button and post the log (Search.txt) it makes to your reply.
Please include the following in your next post:
  • Search.txt log

Edited by RPMcMurphy, 16 August 2012 - 02:57 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#11 TheSkyBelow (Topic Starter, Members, 32 posts)

Posted 18 August 2012 - 11:15 PM

Here is my search.txt:

Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 2012-08-18 20:13:39
Running from D:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-12-10 17:51] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-12-10 17:49] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-12-10 17:51] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

====== End Of Search ======

Thank you for being quick with your replies :)

#12 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 19 August 2012 - 12:57 AM

Please do this next:

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe  C:\Windows\System32\services.exe
C:\Windows\Installer\{6eafbdfb-1624-7891-b48c-d81310fa2096}
C:\Users\owner\AppData\Local\{6eafbdfb-1624-7891-b48c-d81310fa2096}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options again.
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
Reboot and try running ComboFix again. When it asks to update, please allow it to do so.

Please include the following in your next post:
  • Fixlog.txt log
  • ComboFix log

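Why the Replace: line in the fix above points at the amd64 6.0.6002.18005 copy rather than any of the other three, worked through in code. This is an added example for this thread, not FRST's code and not from the original post. It parses the FRST Search.txt format shown in the previous post (a path line followed by a line of created date, modified date, size, attributes, company and MD5), picks the highest-version WinSxS copy for the requested architecture, and cross-checks that the x86 copy of that same version hashes identically to the surviving C:\Windows\SysWOW64\services.exe, which is the 32-bit image of the same update. The search text is embedded verbatim as sample input; the function names and the wow64_consistent field are mine, and the abbreviated "s..s" component directory names are kept exactly as FRST prints them, since that is the form its Replace: directive accepts.

```python
"""Choose which WinSxS copy of services.exe to restore into System32.

Added example for this thread; not FRST code. Parses FRST's Search.txt
format (path line, then "[created] - [modified] - size attrs (company) MD5"),
picks the highest-version copy for the wanted architecture and cross-checks
it against the 32-bit image that survived in SysWOW64.
"""
import re

# Sample input: the Search.txt posted above, embedded verbatim.
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-12-10 17:51] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-12-10 17:49] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-12-10 17:51] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

====== End Of Search ======
"""

PATH_LINE = re.compile(r"^[A-Za-z]:\\")
DETAIL = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")
# WinSxS component dir: <arch>_<name>_<token>_<version>_<culture>_<hash>
COMPONENT = re.compile(
    r"\\winsxs\\(?P<arch>[a-z0-9]+)_.+?_(?P<version>\d+\.\d+\.\d+\.\d+)_", re.I)


def parse_search(text):
    """One dict per hit: path, size, company, md5, and for WinSxS entries
    the component architecture and version tuple."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for i in range(len(lines) - 1):
        if not PATH_LINE.match(lines[i]):
            continue
        m = DETAIL.match(lines[i + 1])
        if not m:
            continue
        e = m.groupdict()
        e["path"] = lines[i]
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        c = COMPONENT.search(lines[i])
        e["arch"] = c.group("arch").lower() if c else None
        e["version"] = tuple(int(x) for x in c.group("version").split(".")) if c else None
        entries.append(e)
    return entries


def choose_replacement(text, arch="amd64",
                       wow64_path=r"C:\Windows\SysWOW64\services.exe"):
    entries = parse_search(text)
    store = [e for e in entries if e["arch"] and e["company"] == "Microsoft Corporation"]
    candidates = [e for e in store if e["arch"] == arch]
    if not candidates:
        raise LookupError(f"no {arch} services.exe in the WinSxS search results")
    best = max(candidates, key=lambda e: e["version"])

    # Cross-check: the x86 component of the chosen version must hash the same as
    # the 32-bit services.exe still sitting in SysWOW64. If it does not, the
    # store and the live install disagree and the choice needs a human look.
    wow = next((e for e in entries if e["path"].lower() == wow64_path.lower()), None)
    x86 = next((e for e in store if e["arch"] == "x86" and e["version"] == best["version"]), None)
    consistent = bool(wow and x86 and x86["md5"] == wow["md5"])
    return {"source": best["path"], "md5": best["md5"],
            "version": best["version"], "wow64_consistent": consistent}


def fixlist_line(choice, target=r"C:\Windows\System32\services.exe"):
    """The FRST fixlist directive in the form used above: 'Replace: <src>  <dst>'."""
    return f"Replace: {choice['source']}  {target}"


if __name__ == "__main__":
    pick = choose_replacement(SEARCH_TXT)
    print(pick)
    print(fixlist_line(pick))
```

On a 64-bit install, System32 holds the native 64-bit binary and SysWOW64 the 32-bit one, so the System32 replacement has to come from an amd64_ component, and the x86_ copy of the same version is what hashes to D4E6D91C... in SysWOW64. That hash agreement is the part worth keeping when doing this by hand: if the store and the live install disagree, the newest version in WinSxS is not necessarily the one the system was actually patched to, and the wrong services.exe will fail to boot just as surely as the infected one.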


#13 TheSkyBelow (Topic Starter, Members, 32 posts)

Posted 20 August 2012 - 05:17 PM

Hey, I'm posting from my PlayStation because I couldn't get my hands on a laptop.

The FRST64 Fixlog said it could not find "Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-",
but the GAC_32 and GAC_64, the Installer and the owner AppData bits were successfully moved.

Is it bad that it could not find that one WinSxS bit?

#14 TheSkyBelow (Topic Starter, Members, 32 posts)

Posted 20 August 2012 - 07:15 PM

Well, I was actually able to get hold of a laptop. Here is the Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
Ran by SYSTEM at 2012-08-20 17:11:56 Run:5
Running from D:\

==============================================

Could not find C:\Windows\System32\services.exe.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Windows\Installer\{6eafbdfb-1624-7891-b48c-d81310fa2096} not found.
C:\Users\owner\AppData\Local\{6eafbdfb-1624-7891-b48c-d81310fa2096} not found.
C:\Windows\assembly\GAC_32\Desktop.ini not found.
C:\Windows\assembly\GAC_64\Desktop.ini not found.

==== End of Fixlog ====

#15 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 20 August 2012 - 07:55 PM

That actually doesn't look too bad. Please try to run ComboFix again - when it asks to update, please allow it to.

Please include the following in your next post:
  • ComboFix log





