
Redirect Virus


  • This topic is locked
44 replies to this topic

#1 OverHere (Members, 27 posts)

Posted 19 August 2012 - 11:22 AM

I have a Dell Optiplex running Windows 7 32 bit.

Somehow I seem to have gotten the redirect rootkit/virus. It disabled Microsoft Security Essentials.

I have tried several things in safe mode to remove this (Malwarebytes, AVG, DrWeb, Kaspersky, Norton) but have not had any luck.

Will you assist me?


#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,507 posts, Greenup, Ill USA)

Posted 19 August 2012 - 11:34 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step. Then proceed to run aswMbr.exe as noted below.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Note:
If you are unable to run a GMER scan due to the fact that you are running a 64-bit machine, please run the following tool and post its log.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Do you have a USB Flash Drive you can use?

Thanks and again sorry for the delay.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 OverHere (Topic Starter)

Posted 19 August 2012 - 12:13 PM

DDS.scr was still running after about 30 minutes. I clicked on the browser window and now the system clock has stopped. I can still move the DDS window but that is all I can do. This is running in Safe Mode. The # symbols seem to have stopped progressing also.

Here is some more information on some of the malware that was detected in my earlier scans:
sirefef (6 or 7 varieties), Ursnif.gen!f, necurs.gen!a, obfuscator.zj, lameshield.

I rebooted the computer in standard mode. DDS.scr has now been running for 2 hours in standard mode but never finished.

I had to power cycle the computer to get out.

GMER gives an error when launched: LoadDriver("C:\Users\a\AppData\Local\Temp\kwddqpoc.sys") error 0xC000010e: an instance of this service is already running.

When I continue most of the options are not selected and are grayed out. I ran the scan with the options Services, Registry, Files, c:\, and ADS checked.

Edited by OverHere, 19 August 2012 - 03:04 PM.


#4 fireman4it (Malware Response Team)

Posted 19 August 2012 - 05:10 PM

Do you have a USB Flash Drive you can use?



#5 OverHere (Topic Starter)

Posted 19 August 2012 - 05:40 PM

Yes, I have a 32 GB flash drive.

Here are the results of the GMER run with the above options checked.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-19 16:39:14
Windows 6.1.7600
Running: 93064li3.exe; Driver: C:\Users\a\AppData\Local\Temp\kwddqpoc.sys


---- Files - GMER 1.0.15 ----

File C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DIRRGXL\cm[1] 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\0XDBWRV0.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\1792CL0S.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\2BRI4QOT.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\E0JF0L8T.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\EG649KMB.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\8U2QV3WK.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\3WNMURXQ.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\4C960Z3Z.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\4ELA5GHV.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\IGUML20B.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\JWU8I4GY.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\QSW6QL4T.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\SBUCUEU4.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\XHPJLIVI.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\XZ3KD61N.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\ZQ2WDYYP.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\A6B56LU6.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\2LT90YTX.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\33ASUG7B.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\FZ8A6ZC1.txt 146 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\GCJ9IMHX.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\GF4MHYJ6.txt 214 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\GX2H30YD.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\GXA1TZ2E.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\HCC4VK9O.txt 111 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\59I9C7RM.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\67MIB138.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\6NRZA4VE.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\6XB922M6.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\LVFVHGKA.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\OD9F17SA.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\PKZO6HZ5.txt 0 bytes
File C:\Users\a\AppData\Roaming\Microsoft\Windows\Cookies\PS1MQMOT.txt 1296 bytes

---- EOF - GMER 1.0.15 ----

Edited by OverHere, 19 August 2012 - 05:41 PM.


#6 fireman4it (Malware Response Team)

Posted 19 August 2012 - 07:57 PM

For 32-bit (x86) systems, download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

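Once FRST.txt comes back, the helper's first pass over its Registry section is a pattern check rather than a lookup: autostart values with generated-looking names, executables living under a user profile or ProgramData, entries FRST marks [x] because the file is no longer there, and above all a per-user Winlogon Shell value that is not explorer.exe, which hands the desktop to the malware at logon. The script below is an added example written for this page; it is not FRST's code and not part of fireman4it's reply. It parses the `HKLM\...\Run: [name] path [size date] (publisher)` line format as it appears in the FRST log OverHere posts later in this thread (the regex is inferred from those lines, not from an FRST specification) and flags each entry. The nine sample lines are embedded so the script runs offline; they are copied from that log. The directory list in `SUSPECT_DIRS` and the thresholds in `looks_random` are this example's own assumptions.

```python
"""Triage pass over the Run/RunOnce/Winlogon lines of an FRST log.

Added example for this thread; not FRST's own code. Line format inferred
from the log posted in the thread; heuristics and thresholds are assumptions.
"""
import re
from dataclasses import dataclass

# Sample input, embedded so the script runs offline: nine lines copied from
# the FRST.txt posted later in this thread (two clean entries, seven not).
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe [2691072 2009-08-26] (Realtek Semiconductor Corp.)
HKLM\...\Run: [MapDriver] c:\mapdrivers.bat [x]
HKLM\...\Run: [] [x]
HKU\gmosler\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-10-18] (Google Inc.)
HKU\gmosler\...\Run: [NxuXDmPMgbl.exe] C:\ProgramData\NxuXDmPMgbl.exe [x]
HKU\gmosler\...\Run: [x3OT8wNM2eVy4h] C:\ProgramData\x3OT8wNM2eVy4h.exe [x]
HKU\gmosler\...\Run: [syshost32] C:\Users\gmosler\AppData\Local\{C54733FF-3CD1-B749-A872-CD0D884F208B}\syshost.exe [x]
HKU\gmosler\...\Run: [hnNPUrMR21XBMJ2] C:\Users\gmosler\AppData\Roaming\Ii0Nm8sy.exe [x]
HKU\gmosler\...\Winlogon: [Shell] C:\Users\gmosler\AppData\Roaming\Ii0Nm8sy.exe [x]
"""

# <hive>\...\<key>: [<value name>] <path> [<size> <date>] (<publisher>)
# The posted log shows "[x]" in place of size/date/publisher when the file is missing.
ENTRY_RE = re.compile(
    r"^(?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): "
    r"\[(?P<name>[^\]]*)\] ?(?P<rest>.*)$"
)
PATH_RE = re.compile(r'(?i)^"?(?P<path>[^"]*?\.(?:exe|bat|cmd|com|scr|dll|vbs|js))"?')
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")
# Assumed list of places a legitimate autostart rarely lives: user profile
# data, ProgramData, temp directories, or a loose file in the drive root.
SUSPECT_DIRS = re.compile(
    r"(?i)(\\AppData\\|\\ProgramData\\|\\Users\\All Users\\|\\Temp\\|^[a-z]:\\[^\\]+$)"
)


@dataclass
class Entry:
    hive: str
    key: str
    name: str
    path: str
    publisher: str
    missing: bool
    flags: list


def looks_random(name: str) -> bool:
    """Heuristic (assumption): generated names such as x3OT8wNM2eVy4h flip between
    upper/lower/digit far more often per character than GoogleToolbarNotifier does."""
    stem = re.sub(r"\.[A-Za-z0-9]{1,4}$", "", name)  # drop a short extension
    if len(stem) < 8:
        return False

    def cls(ch: str) -> str:
        return "u" if ch.isupper() else "l" if ch.islower() else "d" if ch.isdigit() else "o"

    classes = [cls(c) for c in stem]
    flips = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    ratio = flips / (len(stem) - 1)
    return ratio >= 0.5 or (ratio >= 0.4 and any(c.isdigit() for c in stem))


def triage_line(line: str):
    """Parse one autostart line into an Entry with review flags; None if not Run/RunOnce/Winlogon."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, rest = m.group("hive", "key", "name", "rest")
    pm = PATH_RE.match(rest)
    path = pm.group("path") if pm else ""
    base = path.rsplit("\\", 1)[-1]
    pub = PUBLISHER_RE.search(rest)
    publisher = pub.group(1).strip() if pub else ""
    missing = rest.rstrip().endswith("[x]")

    flags = []
    if missing:
        flags.append("file not found ([x])")
    if not name:
        flags.append("empty value name")
    if key == "Winlogon" and name.lower() == "shell" and base.lower() != "explorer.exe":
        flags.append("Winlogon Shell is not explorer.exe")
    if path and SUSPECT_DIRS.search(path):
        flags.append("runs from user-writable or unusual location")
    if looks_random(name) or looks_random(base):
        flags.append("random-looking name")
    return Entry(hive, key, name, path, publisher, missing, flags)


def triage(log_text: str) -> list:
    """Return Entry objects for every autostart line in the log, in log order."""
    entries = [triage_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return [e for e in entries if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e.flags:
            print(f"{e.hive}\\...\\{e.key} [{e.name or '<empty>'}] -> {e.path or '<no path>'}")
            for f in e.flags:
                print(f"    - {f}")
```

Run it as-is for the report, or pass the whole FRST.txt to `triage()`. The name heuristic is a reading aid, not a verdict: Realtek's RtHDVCpl scores just under the threshold, and a flagged file still has to be confirmed (signature, hash, creation time against the infection window) before anyone deletes it.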


#7 OverHere (Topic Starter)

Posted 19 August 2012 - 10:39 PM

Don't have CDs here and the system never finishes booting in Recovery mode from the hard disk.
I will get the CDs tomorrow.

Edited by OverHere, 19 August 2012 - 10:40 PM.


#8 OverHere (Topic Starter)

Posted 20 August 2012 - 03:54 PM

Here are the results of the FRST scan:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 19-08-2012 01
Ran by SYSTEM at 20-08-2012 14:50:17
Running from F:\bleeping computer\Fabar
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe [2691072 2009-08-26] (Realtek Semiconductor Corp.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-07-27] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2010-07-27] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [170520 2010-07-27] (Intel Corporation)
HKLM\...\Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [206336 2010-05-20] (Microsoft)
HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [24576 2009-02-19] (Nuance Communications, Inc.)
HKLM\...\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [40960 2009-02-19] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini" [329 2012-08-19] ()
HKLM\...\Run: [PDFHook] C:\Program Files\ScanSoft\PDF Converter 5\pdfpro5hook.exe [628000 2008-12-23] (Nuance Communications, Inc.)
HKLM\...\Run: [PDF5 Registry Controller] C:\Program Files\ScanSoft\PDF Converter 5\RegistryController.exe [58656 2008-12-23] (Nuance Communications, Inc.)
HKLM\...\Run: [MapDriver] c:\mapdrivers.bat [x]
HKLM\...\Run: [] [x]
HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [1564872 2012-06-06] (Ask)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2010-10-25] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [821144 2010-10-25] (Adobe Systems Inc.)
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1173504 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1173504 2009-07-13] (Microsoft Corporation)
HKU\gmosler\...\Run: [OpAgent] "OpAgent.exe" /agent [x]
HKU\gmosler\...\Run: [AROReminder] C:\Program Files\ARO 2011\ARO.exe -rem [2312048 2011-01-25] (Support.com)
HKU\gmosler\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-10-18] (Google Inc.)
HKU\gmosler\...\Run: [feedreader.exe] "C:\Program Files\FeedReader30\feedreader.exe" [x]
HKU\gmosler\...\Run: [NxuXDmPMgbl.exe] C:\ProgramData\NxuXDmPMgbl.exe [x]
HKU\gmosler\...\Run: [x3OT8wNM2eVy4h] C:\ProgramData\x3OT8wNM2eVy4h.exe [x]
HKU\gmosler\...\Run: [syshost32] C:\Users\gmosler\AppData\Local\{C54733FF-3CD1-B749-A872-CD0D884F208B}\syshost.exe [x]
HKU\gmosler\...\Run: [hnNPUrMR21XBMJ2] C:\Users\gmosler\AppData\Roaming\Ii0Nm8sy.exe [x]
HKU\gmosler\...\Winlogon: [Shell] C:\Users\gmosler\AppData\Roaming\Ii0Nm8sy.exe [x]
HKLM\...\RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll [X]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [X]
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.8.1
Lsa: [Authentication Packages] msv1_0
wvauth

================================ Services (Whitelisted) ==================

2 Apache2.2; "C:\apache\bin\httpd.exe" -k runservice [20549 2012-01-28] (Apache Software Foundation)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 GoToAssist; "C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe" Start=service [16680 2011-06-14] (Citrix Online, a division of Citrix Systems, Inc.)
2 N360; "C:\Program Files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton Security Suite\Engine\6.2.1.5\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
2 PDFProFiltSrv; C:\Program Files\ScanSoft\PDF Converter 5\PDFProFiltSrv.exe [144672 2008-12-23] (Nuance Communications, Inc.)
3 SecureStorageService; "C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe" [1477632 2010-11-03] (Wave Systems Corp.)
2 tcsd_win32.exe; "C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1629696 2010-07-13] ()
2 TdmService; "C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe" [2336104 2010-10-16] (Wave Systems Corp.)

========================== Drivers (Whitelisted) =============

1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120803.001\BHDrvx86.sys [821920 2012-08-02] (Symantec Corporation)
3 Blfp; C:\Windows\System32\DRIVERS\basp.sys [84992 2009-05-11] (Broadcom Corporation)
1 ccSet_N360; C:\Windows\system32\drivers\N360\0602010.005\ccSetx86.sys [132744 2011-11-04] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-19] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-19] (Symantec Corporation)
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20120817.001\IDSvix86.sys [382624 2012-08-17] (Symantec Corporation)
3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHDA.sys [2748064 2009-11-16] (Realtek Semiconductor Corp.)
3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [273448 2009-06-20] (Broadcom Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20120819.007\NAVENG.SYS [87928 2012-08-19] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20120819.007\NAVEX15.SYS [1589752 2012-08-19] (Symantec Corporation)
0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
3 SRTSP; C:\Windows\System32\Drivers\N360\0602010.005\SRTSP.SYS [574072 2012-03-28] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360\0602010.005\SRTSPX.SYS [32888 2012-03-28] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360\0602010.005\SYMDS.SYS [340088 2011-08-15] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360\0602010.005\SYMEFA.SYS [905336 2011-11-23] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [141944 2012-08-19] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360\0602010.005\Ironx86.SYS [149624 2011-11-16] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\N360\0602010.005\SYMNETS.SYS [318584 2011-11-16] (Symantec Corporation)
3 catchme; \??\C:\Users\a\AppData\Local\Temp\catchme.sys [x]
1 piuwdoia; \??\C:\Windows\system32\drivers\piuwdoia.sys [x]
0 SMR300; C:\Windows\System32\drivers\SMR300.SYS [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-20 14:50 - 2012-08-20 14:50 - 00000000 ____D C:\FRST
2012-08-19 14:43 - 2012-08-19 14:43 - 00004021 ____A C:\Users\a\Documents\GMER .txt
2012-08-19 08:41 - 2012-08-19 08:41 - 00607260 ____R (Swearware) C:\Users\a\Desktop\dds.scr
2012-08-19 07:57 - 2012-08-19 11:40 - 00000000 ____D C:\Users\a\Desktop\Bleeping computer
2012-08-19 07:55 - 2012-08-19 07:55 - 00000000 ____D C:\Users\a\AppData\Local\CrashDumps
2012-08-19 07:51 - 2012-08-19 07:53 - 00000000 ____D C:\32788R22FWJFW
2012-08-19 00:25 - 2012-08-19 00:40 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-08-19 00:25 - 2012-08-19 00:35 - 00002344 ____A C:\Users\Public\Desktop\Norton Security Suite.lnk
2012-08-19 00:25 - 2012-08-19 00:35 - 00000000 ____D C:\Windows\System32\Drivers\N360
2012-08-19 00:25 - 2012-08-19 00:25 - 00141944 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2012-08-19 00:25 - 2012-08-19 00:25 - 00007468 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2012-08-19 00:25 - 2012-08-19 00:25 - 00000000 ____D C:\Program Files\Symantec
2012-08-19 00:25 - 2012-08-19 00:25 - 00000000 ____D C:\Program Files\Norton Security Suite
2012-08-19 00:24 - 2012-08-19 00:24 - 00000000 ____D C:\Users\a\Documents\Symantec
2012-08-19 00:21 - 2012-08-19 00:22 - 00001361 ____A C:\Users\a\Desktop\Norton Installation Files.lnk
2012-08-19 00:21 - 2012-08-19 00:21 - 00000000 ____D C:\Users\Public\Downloads\Norton
2012-08-18 13:12 - 2012-08-19 00:25 - 00000000 ____D C:\Users\All Users\Norton
2012-08-18 13:12 - 2012-08-19 00:13 - 00000000 ____D C:\Users\a\AppData\Local\NPE
2012-08-18 11:05 - 2012-08-18 11:05 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-08-17 06:37 - 2012-08-17 08:19 - 00000000 ____D C:\Users\a\DoctorWeb
2012-08-14 04:54 - 2012-08-14 04:54 - 00060304 ____A C:\Users\gmosler\g2mdlhlpx.exe
2012-08-13 21:03 - 2012-08-16 13:02 - 00000000 ____D C:\Users\gmosler\AppData\Local\{C54733FF-3CD1-B749-A872-CD0D884F208B}
2012-08-13 12:27 - 2012-08-13 13:34 - 00006403 ____A C:\Windows\System32\avgrep.txt
2012-08-13 12:01 - 2012-08-13 12:01 - 00000000 ____D C:\Windows\Sun
2012-08-13 10:49 - 2012-08-13 12:01 - 00009023 ____A C:\Users\a\Desktop\avgrep.txt
2012-08-13 09:19 - 2012-08-13 09:19 - 00000000 ____D C:\Users\a\AppData\Roaming\Mozilla
2012-08-13 09:19 - 2012-08-13 09:19 - 00000000 ____D C:\Users\a\AppData\Local\Mozilla
2012-08-13 08:34 - 2012-08-13 08:34 - 00000000 ____D C:\Program Files\AVG
2012-08-13 07:36 - 2012-08-13 14:41 - 00000000 ____D C:\Users\All Users\MFAData
2012-08-13 07:29 - 2012-08-13 07:30 - 03879800 ____A (AVG Technologies) C:\Users\a\Downloads\avg_free_stb_all_2012_2197_cnet.exe
2012-08-13 07:24 - 2012-08-13 07:24 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-08-13 02:48 - 2012-08-13 10:47 - 00000000 ____D C:\Users\gmosler\AppData\Local\{032DD8DE-828D-CC9C-D8B3-5C6BB86E015E}
2012-08-10 06:44 - 2012-08-10 06:44 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-10 06:44 - 2012-08-10 06:44 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-09 05:34 - 2012-08-09 05:34 - 00002985 ____A C:\Users\gmosler\Documents\export.csv
2012-08-08 12:09 - 2012-08-09 08:09 - 00000000 ____D C:\Users\gmosler\AppData\Local\{8B23EB46-C676-F6EF-DB0D-D91FBAEA7D64}
2012-08-07 02:32 - 2012-08-07 07:58 - 00000000 ____D C:\Users\gmosler\AppData\Local\{52CBCFF0-E33D-5F4C-5C75-08353C3073DB}
2012-08-06 10:25 - 2012-08-06 10:25 - 00000000 ____D C:\Users\gmosler\AppData\Roaming\Malwarebytes
2012-08-06 09:38 - 2012-08-06 09:38 - 00007605 ____A C:\Users\a\AppData\Local\Resmon.ResmonCfg
2012-08-06 09:29 - 2012-08-06 09:29 - 00000000 ____D C:\Users\a\AppData\Roaming\Malwarebytes
2012-08-06 09:28 - 2012-08-06 09:28 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-06 09:28 - 2012-08-06 09:28 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-08-06 08:06 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-06 08:06 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-06 08:06 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-06 08:06 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-06 08:06 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-06 08:06 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-06 08:06 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-06 08:06 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-06 07:51 - 2012-08-13 07:37 - 00000000 ____D C:\Windows\erdnt
2012-08-06 07:18 - 2012-08-06 07:20 - 00000000 ____D C:\Users\a\AppData\Roaming\Google
2012-08-06 07:18 - 2012-08-06 07:18 - 00000000 ____D C:\Users\a\AppData\Local\Google
2012-08-06 07:13 - 2012-08-06 07:13 - 00000000 ____D C:\Users\a\AppData\Roaming\Macromedia
2012-08-06 07:10 - 2012-08-06 07:10 - 00000000 ____D C:\Users\a\AppData\Roaming\Zeon
2012-08-06 07:09 - 2012-08-06 06:45 - 00000000 ____A C:\Users\a\Desktop\mbam-setup-1.62.0.1300.exe
2012-08-06 07:08 - 2012-08-13 09:00 - 00000000 ____D C:\Users\a\AppData\Roaming\Adobe
2012-08-06 07:08 - 2012-08-13 08:59 - 00000000 ____D C:\Users\a\AppData\Local\Adobe
2012-08-06 06:27 - 2012-08-06 06:27 - 00000000 ____D C:\Windows\System32\SPReview
2012-08-06 06:23 - 2012-08-06 06:23 - 00000000 ____D C:\Windows\System32\EventProviders
2012-08-06 06:17 - 2012-08-06 06:18 - 00000368 ___AH C:\Users\All Users\x3OT8wNM2eVy4h
2012-08-06 06:17 - 2012-08-06 06:18 - 00000072 ___AH C:\Users\All Users\-x3OT8wNM2eVy4hr
2012-08-06 06:17 - 2012-08-06 06:18 - 00000072 ___AH C:\Users\All Users\-x3OT8wNM2eVy4h
2012-08-06 06:17 - 2012-08-06 06:17 - 00000657 ____A C:\Users\gmosler\Desktop\File_Recovery.lnk

============ 3 Months Modified Files ========================

2012-08-19 19:32 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-19 19:32 - 2009-07-13 20:39 - 00035257 ____A C:\Windows\setupact.log
2012-08-19 19:26 - 2009-07-13 20:55 - 02052276 ____A C:\Windows\WindowsUpdate.log
2012-08-19 19:03 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-19 19:03 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-19 19:00 - 2011-01-27 14:54 - 00730274 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-19 18:57 - 2011-10-18 10:57 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-19 16:27 - 2011-10-18 10:57 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-19 14:43 - 2012-08-19 14:43 - 00004021 ____A C:\Users\a\Documents\GMER .txt
2012-08-19 08:41 - 2012-08-19 08:41 - 00607260 ____R (Swearware) C:\Users\a\Desktop\dds.scr
2012-08-19 08:35 - 2011-01-27 16:49 - 00174548 ____A C:\Windows\PFRO.log
2012-08-19 00:35 - 2012-08-19 00:25 - 00002344 ____A C:\Users\Public\Desktop\Norton Security Suite.lnk
2012-08-19 00:25 - 2012-08-19 00:25 - 00141944 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2012-08-19 00:25 - 2012-08-19 00:25 - 00007468 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2012-08-19 00:22 - 2012-08-19 00:21 - 00001361 ____A C:\Users\a\Desktop\Norton Installation Files.lnk
2012-08-15 22:15 - 2011-06-21 06:41 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-14 04:54 - 2012-08-14 04:54 - 00060304 ____A C:\Users\gmosler\g2mdlhlpx.exe
2012-08-13 13:34 - 2012-08-13 12:27 - 00006403 ____A C:\Windows\System32\avgrep.txt
2012-08-13 12:01 - 2012-08-13 10:49 - 00009023 ____A C:\Users\a\Desktop\avgrep.txt
2012-08-13 07:39 - 2011-02-02 13:40 - 00000358 _RASH C:\Users\All Users\ntuser.pol
2012-08-13 07:30 - 2012-08-13 07:29 - 03879800 ____A (AVG Technologies) C:\Users\a\Downloads\avg_free_stb_all_2012_2197_cnet.exe
2012-08-13 07:23 - 2011-10-11 08:20 - 00000376 ____A C:\Windows\ODBC.INI
2012-08-10 06:44 - 2012-08-10 06:44 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-10 06:44 - 2012-08-10 06:44 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-09 11:34 - 2011-02-07 13:41 - 00002028 ____A C:\Users\gmosler\Documents\Default.rdp
2012-08-09 05:34 - 2012-08-09 05:34 - 00002985 ____A C:\Users\gmosler\Documents\export.csv
2012-08-06 09:38 - 2012-08-06 09:38 - 00007605 ____A C:\Users\a\AppData\Local\Resmon.ResmonCfg
2012-08-06 07:08 - 2011-02-01 12:54 - 00110920 ____A C:\Users\a\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-06 06:56 - 2009-07-13 20:33 - 03768824 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-06 06:48 - 2009-07-13 18:05 - 00152064 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2012-08-06 06:45 - 2012-08-06 07:09 - 00000000 ____A C:\Users\a\Desktop\mbam-setup-1.62.0.1300.exe
2012-08-06 06:18 - 2012-08-06 06:17 - 00000368 ___AH C:\Users\All Users\x3OT8wNM2eVy4h
2012-08-06 06:18 - 2012-08-06 06:17 - 00000072 ___AH C:\Users\All Users\-x3OT8wNM2eVy4hr
2012-08-06 06:18 - 2012-08-06 06:17 - 00000072 ___AH C:\Users\All Users\-x3OT8wNM2eVy4h
2012-08-06 06:17 - 2012-08-06 06:17 - 00000657 ____A C:\Users\gmosler\Desktop\File_Recovery.lnk
2012-08-06 05:20 - 2012-01-03 06:27 - 00020480 ____A C:\Users\gmosler\Documents\Vac2012.xls
2012-07-12 06:01 - 2012-07-12 06:01 - 00002686 ____A C:\Users\gmosler\Desktop\Opps db.lnk
2012-07-12 01:58 - 2011-02-01 13:40 - 00110920 ____A C:\Users\gmosler\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-11 08:07 - 2009-07-13 18:04 - 00000496 ____A C:\Windows\win.ini
2012-07-03 01:13 - 2011-02-01 12:48 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-28 08:04 - 2012-06-28 08:02 - 13153826 ____A C:\Users\gmosler\Documents\EFI-77xx-English.zip
2012-06-19 07:10 - 2011-02-07 08:04 - 00028160 ____A C:\Users\gmosler\Documents\export.xls
2012-06-12 08:19 - 2012-06-12 08:19 - 00002951 ____A C:\Users\gmosler\Downloads\export (2).csv
2012-06-11 18:44 - 2012-07-11 08:04 - 02344448 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:46 - 2012-07-11 01:42 - 12868608 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-07 11:51 - 2012-06-07 11:46 - 14057472 ____A C:\Users\gmosler\Documents\WSLLCmay2002.accdb
2012-06-07 07:56 - 2012-06-07 07:56 - 00003924 ____A C:\Users\gmosler\Downloads\export (1).csv
2012-06-05 21:09 - 2012-07-11 01:42 - 01389568 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:09 - 2012-07-11 01:42 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 07:31 - 2012-06-04 07:31 - 00147312 ____A C:\Windows\Minidump\060412-13088-01.dmp
2012-06-04 07:30 - 2012-03-14 02:24 - 426754783 ____A C:\Windows\MEMORY.DMP
2012-06-02 14:19 - 2012-06-21 16:58 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 16:58 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 16:58 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 16:58 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 16:58 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-21 16:58 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-21 16:58 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 13:19 - 2012-06-21 16:57 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 13:12 - 2012-06-21 16:57 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-11 08:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-11 08:07 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-11 08:07 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-11 08:07 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-11 08:07 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 08:07 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-11 08:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-11 08:07 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 08:07 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 08:07 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-11 08:07 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-11 08:07 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 08:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 08:07 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:51 - 2012-07-11 01:42 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:51 - 2012-07-11 01:42 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:50 - 2012-07-11 01:42 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:48 - 2012-07-11 01:42 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:47 - 2012-07-11 01:42 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-30 06:05 - 2012-05-30 06:05 - 00004871 ____A C:\Users\gmosler\Downloads\export.csv


ZeroAccess:
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\L
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\U

ZeroAccess:
C:\Users\gmosler\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}
C:\Users\gmosler\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}\@
C:\Users\gmosler\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}\L
C:\Users\gmosler\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 3995.65 MB
Available physical RAM: 3473.45 MB
Total Pagefile: 3993.93 MB
Available Pagefile: 3488.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.3 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:223.48 GB) (Free:155 GB) NTFS
2 Drive e: (2012.08.20_1113) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF
3 Drive f: () (Removable) (Total:14.91 GB) (Free:14.35 GB) NTFS
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (RECOVERY) (Fixed) (Total:9.29 GB) (Free:5.68 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 9 GB 40 MB
Partition 3 Primary 223 GB 9 GB
Partition 4 Primary 10 MB 232 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 9 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 223 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F NTFS Removable 14 GB Healthy

==================================================================================

Last Boot: 2012-08-18 11:43

======================= End Of Log ==========================

Edited by OverHere, 20 August 2012 - 03:55 PM.


#9 fireman4it

Posted 20 August 2012 - 05:36 PM

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.

HKU\gmosler\...\Run: [NxuXDmPMgbl.exe] C:\ProgramData\NxuXDmPMgbl.exe [x]
HKU\gmosler\...\Run: [x3OT8wNM2eVy4h] C:\ProgramData\x3OT8wNM2eVy4h.exe [x]
HKU\gmosler\...\Run: [syshost32] C:\Users\gmosler\AppData\Local\{C54733FF-3CD1-B749-A872-CD0D884F208B}\syshost.exe [x]
HKU\gmosler\...\Run: [hnNPUrMR21XBMJ2] C:\Users\gmosler\AppData\Roaming\Ii0Nm8sy.exe [x]
HKU\gmosler\...\Winlogon: [Shell] C:\Users\gmosler\AppData\Roaming\Ii0Nm8sy.exe [x]
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [X]
C:\Users\All Users\x3OT8wNM2eVy4h
C:\Users\All Users\-x3OT8wNM2eVy4hr
C:\Users\All Users\-x3OT8wNM2eVy4h
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}
C:\Users\gmosler\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


How is the machine running now?

" Extinguishing Malware from the world"

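The entries fireman4it lifted out of the scan are not random picks; each one has a recognisable shape: an autorun whose target FRST could not find on disk (the trailing [x]), an executable parked directly under ProgramData or AppData, a Winlogon Shell value that is no longer explorer.exe, a hidden file with a random-looking name in the All Users profile, or part of the {GUID}\U, \L, \@ folder layout that FRST itself labels ZeroAccess. The following is an added example, not code from this thread and not part of FRST: a Python triage pass that applies those shapes as heuristics to FRST scan lines. The sample input is copied from the scans posted in this thread (with one benign Intel entry left in as a control); the heuristics, their names and their thresholds are this example's own assumptions and produce leads for a human to read, not verdicts.

```python
"""Triage pass over FRST (Farbar Recovery Scan Tool) scan lines.

Added example for this thread: not FRST code and not the helper's script. The
rules are this example's own heuristics (assumptions), chosen to match the
shapes of the entries fireman4it pulled into the fixlist."""
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# "HKU\user\...\Run: [Name] target [size date] (Company)"; FRST writes "[x]"
# in the last bracket when the target file does not exist on disk.
REG_LINE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): "
    r"\[(?P<name>[^\]]*)\]\s*(?P<target>.*?)\s*\[(?P<info>[^\]]*)\]"
    r"(?:\s*\((?P<company>[^)]*)\))?$")
NOTIFY_LINE = re.compile(
    r"^Winlogon\\Notify\\(?P<name>[^:]+): (?P<target>.*?)"
    r"(?:\s*\[(?P<info>[^\]]*)\])?(?:\s*\((?P<company>[^)]*)\))?$")
# "2012-08-06 06:18 - 2012-08-06 06:17 - 00000368 ___AH C:\path"
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d{8} "
    r"(?P<attrs>[A-Z_]{5}) (?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.*)$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")
EXE_IN_TARGET = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|dll|scr|bat|cpl))', re.I)

# Heuristics (this example's assumptions, not FRST's own detection logic).
ZA_LAYOUT = re.compile(r"\\" + GUID + r"\\[UL@]$")          # {GUID}\U, \L, \@
INSTALLER_EXE = re.compile(r"^C:\\Windows\\Installer\\" + GUID + r"\\[^\\]+\.exe$", re.I)
USERDATA_EXE = re.compile(
    r"^C:\\(?:ProgramData|Users\\[^\\]+\\AppData\\(?:Roaming|Local))\\"
    r"(?:" + GUID + r"\\)?[^\\]+\.exe$", re.I)
RANDOM_NAME = re.compile(r"^-?(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{10,}$")


def _exe_of(target):
    # Executable path out of a Run value, quotes and arguments stripped.
    m = EXE_IN_TARGET.match(target.strip())
    return m.group("exe") if m else target.strip().strip('"')


def triage(lines):
    """Return (reason, item) pairs for every scan line that trips a heuristic."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = REG_LINE.match(line)
        if m:
            exe = _exe_of(m.group("target"))
            if m.group("info").lower() == "x":
                findings.append(("autorun target missing on disk", line))
            if (m.group("key"), m.group("name")) == ("Winlogon", "Shell") \
                    and exe.rsplit("\\", 1)[-1].lower() != "explorer.exe":
                findings.append(("Winlogon Shell is not explorer.exe", exe))
            if INSTALLER_EXE.match(exe):
                findings.append(("executable launched from Windows\\Installer cache", exe))
            if USERDATA_EXE.match(exe):
                findings.append(("executable launched from ProgramData/AppData root", exe))
            continue
        m = NOTIFY_LINE.match(line)
        if m:
            if (m.group("info") or "").lower() == "x":
                findings.append(("Winlogon Notify DLL missing on disk", m.group("target")))
            continue
        m = FILE_LINE.match(line)
        if m:
            path, attrs = m.group("path"), m.group("attrs")
            name = path.rsplit("\\", 1)[-1]
            if "H" in attrs and RANDOM_NAME.match(name):
                findings.append(("hidden file with random-looking name", path))
            if "%" in name:
                findings.append(("literal %VAR% used as a path component", path))
            if ZA_LAYOUT.search(path):
                findings.append(("ZeroAccess-style {GUID}\\U|L|@ layout", path))
            continue
        if PATH_LINE.match(line) and ZA_LAYOUT.search(line):
            findings.append(("ZeroAccess-style {GUID}\\U|L|@ layout", line))
    return findings


# Sample input copied from the FRST scans posted in this thread, with one
# benign Intel entry kept in as a control.
SAMPLE = r"""
HKU\gmosler\...\Run: [NxuXDmPMgbl.exe] C:\ProgramData\NxuXDmPMgbl.exe [x]
HKU\gmosler\...\Run: [x3OT8wNM2eVy4h] C:\ProgramData\x3OT8wNM2eVy4h.exe [x]
HKU\gmosler\...\Run: [syshost32] C:\Users\gmosler\AppData\Local\{C54733FF-3CD1-B749-A872-CD0D884F208B}\syshost.exe [x]
HKU\gmosler\...\Run: [hnNPUrMR21XBMJ2] C:\Users\gmosler\AppData\Roaming\Ii0Nm8sy.exe [x]
HKU\gmosler\...\Winlogon: [Shell] C:\Users\gmosler\AppData\Roaming\Ii0Nm8sy.exe [x]
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [X]
HKLM\...\Run: [syshost32] C:\Windows\Installer\{46308FD1-3BFF-5277-246B-0FD20452AB14}\syshost.exe [355328 2012-08-21] (Seagate)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-07-27] (Intel Corporation)
2012-08-06 06:18 - 2012-08-06 06:17 - 00000368 ___AH C:\Users\All Users\x3OT8wNM2eVy4h
2012-08-06 06:18 - 2012-08-06 06:17 - 00000072 ___AH C:\Users\All Users\-x3OT8wNM2eVy4hr
2012-08-13 07:24 - 2012-08-13 07:24 - 00000000 __SHD C:\Windows\System32\%APPDATA%
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\U
C:\Users\gmosler\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}\@
""".splitlines()

if __name__ == "__main__":
    for reason, item in triage(SAMPLE):
        print("%-48s %s" % (reason, item))
```

Two of the rules deserve a word. An autorun target marked [x] is an orphan, which is why it can be deleted without quarantining a file; the Notify entry for homefus2.dll is the same kind of orphan and is flagged on that basis alone, not as malware. And an .exe launched from under C:\Windows\Installer\{GUID} is flagged regardless of the company string FRST prints, because a vendor name in that field is read from the file's own version resource and is trivially forged.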


#10 OverHere

Posted 20 August 2012 - 09:19 PM

The computer seems to be working well now. Thanks!

I ran full scans with Norton and MBAM. Except for tracking cookies, both came up clean.

Here is the log.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 19-08-2012 01
Ran by SYSTEM at 2012-08-20 18:17:41 Run:1
Running from F:\bleeping computer\Fabar

==============================================

HKEY_USERS\gmosler\Software\Microsoft\Windows\CurrentVersion\Run\\NxuXDmPMgbl.exe Value deleted successfully.
HKEY_USERS\gmosler\Software\Microsoft\Windows\CurrentVersion\Run\\x3OT8wNM2eVy4h Value deleted successfully.
HKEY_USERS\gmosler\Software\Microsoft\Windows\CurrentVersion\Run\\syshost32 Value deleted successfully.
HKEY_USERS\gmosler\Software\Microsoft\Windows\CurrentVersion\Run\\hnNPUrMR21XBMJ2 Value deleted successfully.
HKEY_USERS\gmosler\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\spba Key deleted successfully.
C:\Users\All Users\x3OT8wNM2eVy4h moved successfully.
C:\Users\All Users\-x3OT8wNM2eVy4hr moved successfully.
C:\Users\All Users\-x3OT8wNM2eVy4h moved successfully.
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7} moved successfully.
C:\Users\gmosler\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7} moved successfully.

==== End of Fixlog ====
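The Fixlog reads back one line per fixlist directive, and the wording says what actually happened. A Run or Winlogon line becomes "Value deleted successfully": the autorun pointer is gone, but the file it named is untouched (harmless here, since every target was already marked [x], missing). The Winlogon\Notify line becomes "Key deleted successfully", and a bare path becomes "moved successfully", which is a move into FRST's quarantine rather than a deletion. The following is an added example, not FRST code and not the helper's script: it derives the expected Fixlog line for each directive and reconciles it with the Fixlog that came back, so a directive that produced no success line stands out instead of being skimmed past. The mapping is inferred from the fixlist and Fixlog on this page; any directive shape outside it is reported as unknown rather than guessed at.

```python
r"""Reconcile an FRST fixlist against the Fixlog it produced.

Added example for this thread: not FRST code and not the helper's script.
The directive-to-action mapping is inferred from the fixlist and Fixlog posted
here (Run/Winlogon values, a Winlogon\Notify key, bare paths); anything else
is reported as an unknown directive rather than guessed at."""
import re

RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): \[(?P<name>[^\]]*)\]")
NOTIFY_RE = re.compile(r"^Winlogon\\Notify\\(?P<name>[^:]+):")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

SUBKEYS = {
    "Run": r"Software\Microsoft\Windows\CurrentVersion\Run",
    "RunOnce": r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "Winlogon": r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def expand_hive(hive):
    # HKLM -> HKEY_LOCAL_MACHINE; HKU\<user> -> HKEY_USERS\<user>, as the Fixlog spells them.
    return "HKEY_LOCAL_MACHINE" if hive == "HKLM" else "HKEY_USERS\\" + hive[4:]


def expected_action(directive):
    """The Fixlog line FRST should write for one fixlist line, or None if unknown."""
    d = directive.strip()
    m = RUN_RE.match(d)
    if m:  # an autorun value: only the value is deleted, the file it named is not touched
        return "%s\\%s\\\\%s Value deleted successfully." % (
            expand_hive(m.group("hive")), SUBKEYS[m.group("key")], m.group("name"))
    m = NOTIFY_RE.match(d)
    if m:  # a Winlogon Notify package: the whole subkey is removed
        return "%s\\%s Key deleted successfully." % (NOTIFY_KEY, m.group("name"))
    if PATH_RE.match(d):  # a bare path: moved to FRST's quarantine, not deleted
        return d + " moved successfully."
    return None


def reconcile(fixlist, fixlog):
    """Return (directives with no success line, unknown directives, unexpected success lines)."""
    done = {l.strip() for l in fixlog if l.strip().endswith("successfully.")}
    unexplained = set(done)
    missing, unknown = [], []
    for line in fixlist:
        if not line.strip():
            continue
        exp = expected_action(line)
        if exp is None:
            unknown.append(line.strip())
        elif exp in done:
            unexplained.discard(exp)
        else:
            missing.append((line.strip(), exp))
    return missing, unknown, sorted(unexplained)


# The fixlist fireman4it posted and the Fixlog OverHere got back, as on this page.
FIXLIST = r"""
HKU\gmosler\...\Run: [NxuXDmPMgbl.exe] C:\ProgramData\NxuXDmPMgbl.exe [x]
HKU\gmosler\...\Run: [x3OT8wNM2eVy4h] C:\ProgramData\x3OT8wNM2eVy4h.exe [x]
HKU\gmosler\...\Run: [syshost32] C:\Users\gmosler\AppData\Local\{C54733FF-3CD1-B749-A872-CD0D884F208B}\syshost.exe [x]
HKU\gmosler\...\Run: [hnNPUrMR21XBMJ2] C:\Users\gmosler\AppData\Roaming\Ii0Nm8sy.exe [x]
HKU\gmosler\...\Winlogon: [Shell] C:\Users\gmosler\AppData\Roaming\Ii0Nm8sy.exe [x]
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll [X]
C:\Users\All Users\x3OT8wNM2eVy4h
C:\Users\All Users\-x3OT8wNM2eVy4hr
C:\Users\All Users\-x3OT8wNM2eVy4h
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}
C:\Users\gmosler\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}
""".splitlines()

FIXLOG = r"""
Ran by SYSTEM at 2012-08-20 18:17:41 Run:1
HKEY_USERS\gmosler\Software\Microsoft\Windows\CurrentVersion\Run\\NxuXDmPMgbl.exe Value deleted successfully.
HKEY_USERS\gmosler\Software\Microsoft\Windows\CurrentVersion\Run\\x3OT8wNM2eVy4h Value deleted successfully.
HKEY_USERS\gmosler\Software\Microsoft\Windows\CurrentVersion\Run\\syshost32 Value deleted successfully.
HKEY_USERS\gmosler\Software\Microsoft\Windows\CurrentVersion\Run\\hnNPUrMR21XBMJ2 Value deleted successfully.
HKEY_USERS\gmosler\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\spba Key deleted successfully.
C:\Users\All Users\x3OT8wNM2eVy4h moved successfully.
C:\Users\All Users\-x3OT8wNM2eVy4hr moved successfully.
C:\Users\All Users\-x3OT8wNM2eVy4h moved successfully.
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7} moved successfully.
C:\Users\gmosler\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7} moved successfully.
==== End of Fixlog ====
""".splitlines()

if __name__ == "__main__":
    print(reconcile(FIXLIST, FIXLOG))  # three empty lists: every directive was carried out
```

Run against the Fixlog above, all three lists come back empty, which is the result that lets a helper say "the fix ran as written" rather than "it said successfully a lot". A non-empty first list is the case worth chasing: a directive FRST accepted but never reported on, which on a rootkit-class infection usually means the object was locked or re-created, and is the cue to rescan rather than declare the machine clean.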

#11 OverHere

Posted 21 August 2012 - 12:11 AM

It looks like there may still be some issues.

Windows Update fails with a code 80246008.

I also had a BSOD once when trying to run Windows Update.

I am also seeing some Norton firewall blocks on 176.31.16.231 (Malicious Toolkit Website); these continued after I refreshed the IP address on my router.

It is less frequent, but I still get redirected every once in a while. 8/20

Definitely still infected. Security Shield just popped up. 8/21

Edited by OverHere, 21 August 2012 - 03:22 PM.


#12 OverHere

Posted 21 August 2012 - 03:46 PM

Here are the results of a new scan with FRST.

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 19-08-2012 01
Ran by SYSTEM at 21-08-2012 14:36:10
Running from F:\bleeping computer\Fabar
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe [2691072 2009-08-26] (Realtek Semiconductor Corp.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [136216 2010-07-27] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [171032 2010-07-27] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [170520 2010-07-27] (Intel Corporation)
HKLM\...\Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [206336 2010-05-20] (Microsoft)
HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [24576 2009-02-19] (Nuance Communications, Inc.)
HKLM\...\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [40960 2009-02-19] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini" [343 2012-08-21] ()
HKLM\...\Run: [PDFHook] C:\Program Files\ScanSoft\PDF Converter 5\pdfpro5hook.exe [628000 2008-12-23] (Nuance Communications, Inc.)
HKLM\...\Run: [PDF5 Registry Controller] C:\Program Files\ScanSoft\PDF Converter 5\RegistryController.exe [58656 2008-12-23] (Nuance Communications, Inc.)
HKLM\...\Run: [MapDriver] c:\mapdrivers.bat [x]
HKLM\...\Run: [] [x]
HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [1564872 2012-06-06] (Ask)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36760 2010-10-25] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [821144 2010-10-25] (Adobe Systems Inc.)
HKLM\...\Run: [syshost32] C:\Windows\Installer\{46308FD1-3BFF-5277-246B-0FD20452AB14}\syshost.exe [355328 2012-08-21] (Seagate)
HKU\a\...\Run: [4Y3Y0C3AYIVBYJ5ZAU] C:\ReGBe.Bin\071BAAF8139.exe /q [213504 2011-11-16] ()
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1173504 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1173504 2009-07-13] (Microsoft Corporation)
HKU\gmosler\...\Run: [OpAgent] "OpAgent.exe" /agent [x]
HKU\gmosler\...\Run: [AROReminder] C:\Program Files\ARO 2011\ARO.exe -rem [2312048 2011-01-25] (Support.com)
HKU\gmosler\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-10-18] (Google Inc.)
HKU\gmosler\...\Run: [feedreader.exe] "C:\Program Files\FeedReader30\feedreader.exe" [x]
HKLM\...\RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll [X]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.8.1
Lsa: [Authentication Packages] msv1_0
wvauth

================================ Services (Whitelisted) ==================

2 Apache2.2; "C:\apache\bin\httpd.exe" -k runservice [20549 2012-01-28] (Apache Software Foundation)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 GoToAssist; "C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe" Start=service [16680 2011-06-14] (Citrix Online, a division of Citrix Systems, Inc.)
2 N360; "C:\Program Files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton Security Suite\Engine\6.2.1.5\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
2 PDFProFiltSrv; C:\Program Files\ScanSoft\PDF Converter 5\PDFProFiltSrv.exe [144672 2008-12-23] (Nuance Communications, Inc.)
3 SecureStorageService; "C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe" [1477632 2010-11-03] (Wave Systems Corp.)
2 tcsd_win32.exe; "C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1629696 2010-07-13] ()
2 TdmService; "C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe" [2336104 2010-10-16] (Wave Systems Corp.)

========================== Drivers (Whitelisted) =============

1 1125278; \??\C:\Windows\system32\drivers\1125278.sys [70144 2012-08-21] ()
1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120803.001\BHDrvx86.sys [821920 2012-08-02] (Symantec Corporation)
3 Blfp; C:\Windows\System32\DRIVERS\basp.sys [84992 2009-05-11] (Broadcom Corporation)
1 ccSet_N360; C:\Windows\system32\drivers\N360\0602010.005\ccSetx86.sys [132744 2011-11-04] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-19] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-19] (Symantec Corporation)
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20120818.001\IDSvix86.sys [382624 2012-08-17] (Symantec Corporation)
3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHDA.sys [2748064 2009-11-16] (Realtek Semiconductor Corp.)
3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [273448 2009-06-20] (Broadcom Corporation)
3 mbamchameleon; \??\C:\Windows\system32\drivers\mbamchameleon.sys [31560 2012-08-21] ()
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20120820.034\NAVENG.SYS [92704 2012-08-20] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20120820.034\NAVEX15.SYS [1601184 2012-08-20] (Symantec Corporation)
0 pavboot; C:\Windows\System32\drivers\pavboot.sys [28552 2009-06-30] (Panda Security, S.L.)
0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
3 SRTSP; C:\Windows\System32\Drivers\N360\0602010.005\SRTSP.SYS [574072 2012-03-28] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360\0602010.005\SRTSPX.SYS [32888 2012-03-28] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360\0602010.005\SYMDS.SYS [340088 2011-08-15] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360\0602010.005\SYMEFA.SYS [905336 2011-11-23] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [141944 2012-08-19] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360\0602010.005\Ironx86.SYS [149624 2011-11-16] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\N360\0602010.005\SYMNETS.SYS [318584 2011-11-16] (Symantec Corporation)
3 catchme; \??\C:\Users\a\AppData\Local\Temp\catchme.sys [x]
4 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [x]
1 piuwdoia; \??\C:\Windows\system32\drivers\piuwdoia.sys [x]
0 SMR300; C:\Windows\System32\drivers\SMR300.SYS [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-21 12:24 - 2012-08-21 12:24 - 00031560 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2012-08-21 12:10 - 2012-08-21 12:10 - 00495616 ____A C:\Users\a\AppData\Local\mjrvvi.exe
2012-08-21 12:10 - 2012-08-21 12:10 - 00070144 ____A C:\Windows\System32\Drivers\1125278.sys
2012-08-21 11:31 - 2009-06-30 08:37 - 00028552 ____A (Panda Security, S.L.) C:\Windows\System32\Drivers\pavboot.sys
2012-08-21 11:30 - 2012-08-21 11:30 - 00000000 ____D C:\Program Files\Panda Security
2012-08-21 11:10 - 2012-08-21 11:10 - 00001204 ____A C:\Users\a\Desktop\PC Utility Kit.lnk
2012-08-21 11:10 - 2012-08-21 11:10 - 00000414 ____A C:\Windows\Tasks\PC Utility Kit Update3.job
2012-08-21 11:10 - 2012-08-21 11:10 - 00000412 ____A C:\Windows\Tasks\PC Utility Kit.job
2012-08-21 11:10 - 2012-08-21 11:10 - 00000400 ____A C:\Windows\Tasks\PC Utility Kit Registration3.job
2012-08-21 11:10 - 2012-08-21 11:10 - 00000000 ____D C:\Users\All Users\PC Utility Kit
2012-08-21 11:10 - 2012-08-21 11:10 - 00000000 ____D C:\Users\a\AppData\Roaming\PC Utility Kit
2012-08-21 11:10 - 2012-08-21 11:10 - 00000000 ____D C:\Users\a\AppData\Roaming\DriverCure
2012-08-21 11:10 - 2012-08-21 11:10 - 00000000 ____D C:\Program Files\PC Utility Kit
2012-08-21 11:10 - 2012-08-21 11:10 - 00000000 ____D C:\Program Files\Common Files\PC Utility Kit
2012-08-21 06:01 - 2012-08-21 06:01 - 00003208 ____N C:\bootsqm.dat
2012-08-20 20:39 - 2012-08-20 20:39 - 00153488 ____A C:\Windows\Minidump\082012-22011-01.dmp
2012-08-20 20:36 - 2012-08-21 11:23 - 00000000 ____D C:\Users\a\AppData\Roaming\QuickScan
2012-08-20 20:36 - 2012-08-20 20:36 - 00000000 ___HD C:\Windows\AxInstSV
2012-08-20 14:50 - 2012-08-20 14:50 - 00000000 ____D C:\FRST
2012-08-19 14:43 - 2012-08-19 14:43 - 00004021 ____A C:\Users\a\Documents\GMER .txt
2012-08-19 08:41 - 2012-08-19 08:41 - 00607260 ____R (Swearware) C:\Users\a\Desktop\dds.scr
2012-08-19 07:57 - 2012-08-19 11:40 - 00000000 ____D C:\Users\a\Desktop\Bleeping computer
2012-08-19 07:55 - 2012-08-19 07:55 - 00000000 ____D C:\Users\a\AppData\Local\CrashDumps
2012-08-19 07:51 - 2012-08-19 07:53 - 00000000 ____D C:\32788R22FWJFW
2012-08-19 00:25 - 2012-08-19 00:40 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-08-19 00:25 - 2012-08-19 00:35 - 00002344 ____A C:\Users\Public\Desktop\Norton Security Suite.lnk
2012-08-19 00:25 - 2012-08-19 00:35 - 00000000 ____D C:\Windows\System32\Drivers\N360
2012-08-19 00:25 - 2012-08-19 00:25 - 00141944 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2012-08-19 00:25 - 2012-08-19 00:25 - 00007468 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2012-08-19 00:25 - 2012-08-19 00:25 - 00000000 ____D C:\Program Files\Symantec
2012-08-19 00:25 - 2012-08-19 00:25 - 00000000 ____D C:\Program Files\Norton Security Suite
2012-08-19 00:24 - 2012-08-19 00:24 - 00000000 ____D C:\Users\a\Documents\Symantec
2012-08-19 00:21 - 2012-08-19 00:22 - 00001361 ____A C:\Users\a\Desktop\Norton Installation Files.lnk
2012-08-19 00:21 - 2012-08-19 00:21 - 00000000 ____D C:\Users\Public\Downloads\Norton
2012-08-18 13:12 - 2012-08-19 00:25 - 00000000 ____D C:\Users\All Users\Norton
2012-08-18 13:12 - 2012-08-19 00:13 - 00000000 ____D C:\Users\a\AppData\Local\NPE
2012-08-18 11:05 - 2012-08-18 11:05 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-08-17 06:37 - 2012-08-17 08:19 - 00000000 ____D C:\Users\a\DoctorWeb
2012-08-14 04:54 - 2012-08-14 04:54 - 00060304 ____A C:\Users\gmosler\g2mdlhlpx.exe
2012-08-13 21:03 - 2012-08-16 13:02 - 00000000 ____D C:\Users\gmosler\AppData\Local\{C54733FF-3CD1-B749-A872-CD0D884F208B}
2012-08-13 12:27 - 2012-08-13 13:34 - 00006403 ____A C:\Windows\System32\avgrep.txt
2012-08-13 12:01 - 2012-08-13 12:01 - 00000000 ____D C:\Windows\Sun
2012-08-13 10:49 - 2012-08-13 12:01 - 00009023 ____A C:\Users\a\Desktop\avgrep.txt
2012-08-13 09:19 - 2012-08-13 09:19 - 00000000 ____D C:\Users\a\AppData\Roaming\Mozilla
2012-08-13 09:19 - 2012-08-13 09:19 - 00000000 ____D C:\Users\a\AppData\Local\Mozilla
2012-08-13 08:34 - 2012-08-13 08:34 - 00000000 ____D C:\Program Files\AVG
2012-08-13 07:36 - 2012-08-13 14:41 - 00000000 ____D C:\Users\All Users\MFAData
2012-08-13 07:29 - 2012-08-13 07:30 - 03879800 ____A (AVG Technologies) C:\Users\a\Downloads\avg_free_stb_all_2012_2197_cnet.exe
2012-08-13 07:24 - 2012-08-13 07:24 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-08-13 02:48 - 2012-08-13 10:47 - 00000000 ____D C:\Users\gmosler\AppData\Local\{032DD8DE-828D-CC9C-D8B3-5C6BB86E015E}
2012-08-10 06:44 - 2012-08-10 06:44 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-10 06:44 - 2012-08-10 06:44 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-09 05:34 - 2012-08-09 05:34 - 00002985 ____A C:\Users\gmosler\Documents\export.csv
2012-08-08 12:09 - 2012-08-09 08:09 - 00000000 ____D C:\Users\gmosler\AppData\Local\{8B23EB46-C676-F6EF-DB0D-D91FBAEA7D64}
2012-08-07 02:32 - 2012-08-07 07:58 - 00000000 ____D C:\Users\gmosler\AppData\Local\{52CBCFF0-E33D-5F4C-5C75-08353C3073DB}
2012-08-06 10:25 - 2012-08-06 10:25 - 00000000 ____D C:\Users\gmosler\AppData\Roaming\Malwarebytes
2012-08-06 09:38 - 2012-08-06 09:38 - 00007605 ____A C:\Users\a\AppData\Local\Resmon.ResmonCfg
2012-08-06 09:29 - 2012-08-06 09:29 - 00000000 ____D C:\Users\a\AppData\Roaming\Malwarebytes
2012-08-06 09:28 - 2012-08-21 12:28 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-08-06 09:28 - 2012-08-06 09:28 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-06 08:06 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-06 08:06 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-06 08:06 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-06 08:06 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-06 08:06 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-06 08:06 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-06 08:06 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-06 08:06 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-06 07:51 - 2012-08-13 07:37 - 00000000 ____D C:\Windows\erdnt
2012-08-06 07:18 - 2012-08-06 07:20 - 00000000 ____D C:\Users\a\AppData\Roaming\Google
2012-08-06 07:18 - 2012-08-06 07:18 - 00000000 ____D C:\Users\a\AppData\Local\Google
2012-08-06 07:13 - 2012-08-06 07:13 - 00000000 ____D C:\Users\a\AppData\Roaming\Macromedia
2012-08-06 07:10 - 2012-08-06 07:10 - 00000000 ____D C:\Users\a\AppData\Roaming\Zeon
2012-08-06 07:09 - 2012-08-06 06:45 - 00000000 ____A C:\Users\a\Desktop\mbam-setup-1.62.0.1300.exe
2012-08-06 07:08 - 2012-08-13 09:00 - 00000000 ____D C:\Users\a\AppData\Roaming\Adobe
2012-08-06 07:08 - 2012-08-13 08:59 - 00000000 ____D C:\Users\a\AppData\Local\Adobe
2012-08-06 06:27 - 2012-08-06 06:27 - 00000000 ____D C:\Windows\System32\SPReview
2012-08-06 06:23 - 2012-08-06 06:23 - 00000000 ____D C:\Windows\System32\EventProviders
2012-08-06 06:17 - 2012-08-06 06:17 - 00000657 ____A C:\Users\gmosler\Desktop\File_Recovery.lnk


============ 3 Months Modified Files ========================

2012-08-21 12:24 - 2012-08-21 12:24 - 00031560 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2012-08-21 12:10 - 2012-08-21 12:10 - 00495616 ____A C:\Users\a\AppData\Local\mjrvvi.exe
2012-08-21 12:10 - 2012-08-21 12:10 - 00070144 ____A C:\Windows\System32\Drivers\1125278.sys
2012-08-21 11:10 - 2012-08-21 11:10 - 00001204 ____A C:\Users\a\Desktop\PC Utility Kit.lnk
2012-08-21 11:10 - 2012-08-21 11:10 - 00000414 ____A C:\Windows\Tasks\PC Utility Kit Update3.job
2012-08-21 11:10 - 2012-08-21 11:10 - 00000412 ____A C:\Windows\Tasks\PC Utility Kit.job
2012-08-21 11:10 - 2012-08-21 11:10 - 00000400 ____A C:\Windows\Tasks\PC Utility Kit Registration3.job
2012-08-21 07:17 - 2011-01-27 14:54 - 00730274 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-21 07:10 - 2009-07-13 20:55 - 01556502 ____A C:\Windows\WindowsUpdate.log
2012-08-21 06:27 - 2011-10-18 10:57 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-21 06:24 - 2011-10-18 10:57 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-21 06:09 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-21 06:09 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-21 06:01 - 2012-08-21 06:01 - 00003208 ____N C:\bootsqm.dat
2012-08-21 06:01 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-21 06:01 - 2009-07-13 20:39 - 00035481 ____A C:\Windows\setupact.log
2012-08-20 20:39 - 2012-08-20 20:39 - 00153488 ____A C:\Windows\Minidump\082012-22011-01.dmp
2012-08-20 20:38 - 2012-03-14 02:24 - 493226751 ____A C:\Windows\MEMORY.DMP
2012-08-20 19:21 - 2011-01-27 16:49 - 00174880 ____A C:\Windows\PFRO.log
2012-08-19 14:43 - 2012-08-19 14:43 - 00004021 ____A C:\Users\a\Documents\GMER .txt
2012-08-19 08:41 - 2012-08-19 08:41 - 00607260 ____R (Swearware) C:\Users\a\Desktop\dds.scr
2012-08-19 00:35 - 2012-08-19 00:25 - 00002344 ____A C:\Users\Public\Desktop\Norton Security Suite.lnk
2012-08-19 00:25 - 2012-08-19 00:25 - 00141944 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2012-08-19 00:25 - 2012-08-19 00:25 - 00007468 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2012-08-19 00:22 - 2012-08-19 00:21 - 00001361 ____A C:\Users\a\Desktop\Norton Installation Files.lnk
2012-08-15 22:15 - 2011-06-21 06:41 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-14 04:54 - 2012-08-14 04:54 - 00060304 ____A C:\Users\gmosler\g2mdlhlpx.exe
2012-08-13 13:34 - 2012-08-13 12:27 - 00006403 ____A C:\Windows\System32\avgrep.txt
2012-08-13 12:01 - 2012-08-13 10:49 - 00009023 ____A C:\Users\a\Desktop\avgrep.txt
2012-08-13 07:39 - 2011-02-02 13:40 - 00000358 _RASH C:\Users\All Users\ntuser.pol
2012-08-13 07:30 - 2012-08-13 07:29 - 03879800 ____A (AVG Technologies) C:\Users\a\Downloads\avg_free_stb_all_2012_2197_cnet.exe
2012-08-13 07:23 - 2011-10-11 08:20 - 00000376 ____A C:\Windows\ODBC.INI
2012-08-10 06:44 - 2012-08-10 06:44 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-10 06:44 - 2012-08-10 06:44 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-09 11:34 - 2011-02-07 13:41 - 00002028 ____A C:\Users\gmosler\Documents\Default.rdp
2012-08-09 05:34 - 2012-08-09 05:34 - 00002985 ____A C:\Users\gmosler\Documents\export.csv
2012-08-06 09:38 - 2012-08-06 09:38 - 00007605 ____A C:\Users\a\AppData\Local\Resmon.ResmonCfg
2012-08-06 07:08 - 2011-02-01 12:54 - 00110920 ____A C:\Users\a\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-06 06:56 - 2009-07-13 20:33 - 03768824 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-06 06:48 - 2009-07-13 18:05 - 00152064 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2012-08-06 06:45 - 2012-08-06 07:09 - 00000000 ____A C:\Users\a\Desktop\mbam-setup-1.62.0.1300.exe
2012-08-06 06:17 - 2012-08-06 06:17 - 00000657 ____A C:\Users\gmosler\Desktop\File_Recovery.lnk
2012-08-06 05:20 - 2012-01-03 06:27 - 00020480 ____A C:\Users\gmosler\Documents\Vac2012.xls
2012-07-12 06:01 - 2012-07-12 06:01 - 00002686 ____A C:\Users\gmosler\Desktop\Opps db.lnk
2012-07-12 01:58 - 2011-02-01 13:40 - 00110920 ____A C:\Users\gmosler\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-11 08:07 - 2009-07-13 18:04 - 00000496 ____A C:\Windows\win.ini
2012-07-03 01:13 - 2011-02-01 12:48 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-28 08:04 - 2012-06-28 08:02 - 13153826 ____A C:\Users\gmosler\Documents\EFI-77xx-English.zip
2012-06-19 07:10 - 2011-02-07 08:04 - 00028160 ____A C:\Users\gmosler\Documents\export.xls
2012-06-12 08:19 - 2012-06-12 08:19 - 00002951 ____A C:\Users\gmosler\Downloads\export (2).csv
2012-06-11 18:44 - 2012-07-11 08:04 - 02344448 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:46 - 2012-07-11 01:42 - 12868608 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-07 11:51 - 2012-06-07 11:46 - 14057472 ____A C:\Users\gmosler\Documents\WSLLCmay2002.accdb
2012-06-07 07:56 - 2012-06-07 07:56 - 00003924 ____A C:\Users\gmosler\Downloads\export (1).csv
2012-06-05 21:09 - 2012-07-11 01:42 - 01389568 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:09 - 2012-07-11 01:42 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 07:31 - 2012-06-04 07:31 - 00147312 ____A C:\Windows\Minidump\060412-13088-01.dmp
2012-06-02 14:19 - 2012-06-21 16:58 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 16:58 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 16:58 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 16:58 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 16:58 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-21 16:58 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-21 16:58 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 13:19 - 2012-06-21 16:57 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 13:12 - 2012-06-21 16:57 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-11 08:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-11 08:07 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-11 08:07 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-11 08:07 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-11 08:07 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 08:07 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-11 08:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-11 08:07 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 08:07 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 08:07 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-11 08:07 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-11 08:07 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 08:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 08:07 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:51 - 2012-07-11 01:42 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:51 - 2012-07-11 01:42 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:50 - 2012-07-11 01:42 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:48 - 2012-07-11 01:42 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:47 - 2012-07-11 01:42 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-30 06:05 - 2012-05-30 06:05 - 00004871 ____A C:\Users\gmosler\Downloads\export.csv


ZeroAccess:
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\@
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\L
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\n
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\U
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\L\00000004.@
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\U\00000004.@
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\U\00000008.@
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\U\000000cb.@
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\U\80000000.@
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}\U\80000032.@

ZeroAccess:
C:\Users\a\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}
C:\Users\a\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}\@
C:\Users\a\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}\L
C:\Users\a\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}\n
C:\Users\a\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 3995.65 MB
Available physical RAM: 3472.57 MB
Total Pagefile: 3993.93 MB
Available Pagefile: 3480.62 MB
Total Virtual: 2047.88 MB
Available Virtual: 1979.22 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:223.48 GB) (Free:153.69 GB) NTFS
2 Drive e: (2012.08.20_1113) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF
3 Drive f: () (Removable) (Total:14.91 GB) (Free:14.35 GB) NTFS
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (RECOVERY) (Fixed) (Total:9.29 GB) (Free:5.68 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 9 GB 40 MB
Partition 3 Primary 223 GB 9 GB
Partition 4 Primary 10 MB 232 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 9 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 223 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F NTFS Removable 14 GB Healthy

==================================================================================

Last Boot: 2012-08-18 11:43

======================= End Of Log ==========================

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • ONLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:50 PM

Posted 21 August 2012 - 04:48 PM

Hello,

Please don't use your computer to do anything except what I request. Please remove it from the internet until I tell you it is OK to use, except for downloading the tools that I suggest. Please also disable your Norton until further notice.


1.
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

HKLM\...\Run: [MapDriver] c:\mapdrivers.bat [x]
HKLM\...\Run: [] [x]
HKLM\...\Run: [syshost32] C:\Windows\Installer\{46308FD1-3BFF-5277-246B-0FD20452AB14}\syshost.exe [355328 2012-08-21] (Seagate)
HKU\a\...\Run: [4Y3Y0C3AYIVBYJ5ZAU] C:\ReGBe.Bin\071BAAF8139.exe /q [213504 2011-11-16] ()
C:\ReGBe.Bin\071BAAF8139.exe
C:\Windows\Installer\{46308FD1-3BFF-5277-246B-0FD20452AB14}\syshost.exe
HKU\gmosler\...\Run: [feedreader.exe] "C:\Program Files\FeedReader30\feedreader.exe" [x]
HKU\gmosler\...\Run: [OpAgent] "OpAgent.exe" /agent [x]
1 1125278; \??\C:\Windows\system32\drivers\1125278.sys [70144 2012-08-21] ()
C:\Windows\system32\drivers\1125278.sys
1 piuwdoia; \??\C:\Windows\system32\drivers\piuwdoia.sys [x]
C:\Windows\system32\drivers\piuwdoia.sys
C:\Users\a\AppData\Local\mjrvvi.exe
C:\Program Files\PC Utility Kit
C:\Users\a\Desktop\PC Utility Kit.lnk
C:\Windows\PFRO.log
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7}
C:\Users\a\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7}
C:\Windows\assembly\GAC\Desktop.ini

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

2.
We need to find a replacement file on your system

Please do the following:

  • boot into System Recovery Options and run FRST64.
  • Type the following in the edit box after "Search:" so it looks like this:

    Search: services.exe

Click Search button and post the log it makes to your reply.


3. This can be done in Normal mode.
Please download Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.

Edited by fireman4it, 21 August 2012 - 04:49 PM.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 OverHere

OverHere
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:50 PM

Posted 21 August 2012 - 06:50 PM

This machine has Win 7 32 bit so I ran FRST instead of FRST64.

Here are the 3 logs you requested.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 19-08-2012 01
Ran by SYSTEM at 2012-08-21 17:33:27 Run:2
Running from F:\bleeping computer\Fabar

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MapDriver Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\syshost32 Value deleted successfully.
HKEY_USERS\a\Software\Microsoft\Windows\CurrentVersion\Run\\4Y3Y0C3AYIVBYJ5ZAU Value deleted successfully.
C:\ReGBe.Bin\071BAAF8139.exe moved successfully.
C:\Windows\Installer\{46308FD1-3BFF-5277-246B-0FD20452AB14}\syshost.exe moved successfully.
HKEY_USERS\gmosler\Software\Microsoft\Windows\CurrentVersion\Run\\feedreader.exe Value deleted successfully.
HKEY_USERS\gmosler\Software\Microsoft\Windows\CurrentVersion\Run\\OpAgent Value deleted successfully.
1125278 service deleted successfully.
C:\Windows\system32\drivers\1125278.sys moved successfully.
piuwdoia service deleted successfully.
C:\Windows\system32\drivers\piuwdoia.sys not found.
C:\Users\a\AppData\Local\mjrvvi.exe moved successfully.
C:\Program Files\PC Utility Kit moved successfully.
C:\Users\a\Desktop\PC Utility Kit.lnk moved successfully.
C:\Windows\PFRO.log moved successfully.
C:\Windows\Installer\{5ada2620-2ab3-86e1-2530-6f94362163e7} moved successfully.
C:\Users\a\AppData\Local\{5ada2620-2ab3-86e1-2530-6f94362163e7} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.

==== End of Fixlog ====

Farbar Recovery Scan Tool Version: 19-08-2012 01
Ran by SYSTEM at 2012-08-21 17:35:19
Running from F:\bleeping computer\Fabar

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===


ListParts by Farbar Version: 10-08-2012
Ran by SYSTEM (administrator) on 21-08-2012 at 17:43:39
Windows 7 (X86)
Running From: F:\bleeping computer\Fabar
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 3995.65 MB
Available physical RAM: 3432.66 MB
Total Pagefile: 3993.93 MB
Available Pagefile: 3518.07 MB
Total Virtual: 2047.88 MB
Available Virtual: 1973.54 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:223.48 GB) (Free:153.69 GB) NTFS
2 Drive e: (2012.08.20_1113) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF
3 Drive f: () (Removable) (Total:14.91 GB) (Free:14.35 GB) NTFS
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (RECOVERY) (Fixed) (Total:9.29 GB) (Free:5.68 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 9 GB 40 MB
Partition 3 Primary 223 GB 9 GB
Partition 4 Primary 10 MB 232 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 39 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 9 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 223 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 4032 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F NTFS Removable 14 GB Healthy

======================================================================================================

****** End Of Log ******
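The helper's next step rests on the two "Search: services.exe" hits above: the WinSxS component-store copy and the live System32 copy have identical size and timestamps but different MD5s, which is why the WinSxS copy is used as the replacement. The following is an added example (not code from the thread or from Farbar's tools) that parses FRST search output in that format and flags live copies that differ from their WinSxS counterpart; the regex, field names and the sample log (constructed from the lines in this post) are my assumptions.

```python
import re
from collections import namedtuple

Copy = namedtuple("Copy", "path created modified size attrs company md5")

# Constructed sample, copied from the FRST "Search:" output in this post.
SAMPLE_SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# Detail line FRST prints under each path (assumed layout, taken from the log):
# [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_search_log(text):
    """Pair every path line with the detail line that follows it."""
    copies, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            copies.append(Copy(pending, m["created"], m["modified"], int(m["size"]),
                               m["attrs"], m["company"] or "", m["md5"].upper()))
            pending = None
    return copies


def find_patched(copies):
    """Compare each live copy with same-named copies under WinSxS.

    A live file whose MD5 differs from the component-store copy while size and
    timestamps are identical is the classic sign of in-place patching that
    preserves metadata, which is what the Bamital/volsnap check flagged here.
    """
    by_name = {}
    for c in copies:
        by_name.setdefault(c.path.rsplit("\\", 1)[-1].lower(), []).append(c)
    findings = []
    for group in by_name.values():
        refs = [c for c in group if "\\winsxs\\" in c.path.lower()]
        for live in (c for c in group if c not in refs):
            for ref in refs:
                if live.md5 != ref.md5:
                    findings.append({
                        "file": live.path, "reference": ref.path,
                        "live_md5": live.md5, "reference_md5": ref.md5,
                        "metadata_identical": (live.size, live.created, live.modified)
                        == (ref.size, ref.created, ref.modified),
                    })
    return findings


if __name__ == "__main__":
    for f in find_patched(parse_search_log(SAMPLE_SEARCH_LOG)):
        print(f)
```

A hit with metadata_identical set is exactly the case this thread handled: the file has to be restored from the WinSxS copy offline (from the recovery environment), because the patched binary is still running while Windows is booted.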

#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • ONLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:50 PM

Posted 21 August 2012 - 08:06 PM

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe  C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.


2.
Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Edited by fireman4it, 21 August 2012 - 08:06 PM.





