
Unknown "Security" virus, partially removed, with HJT logs


This topic is locked
10 replies to this topic

#1 UltraFred

Posted 23 August 2012 - 12:28 AM

*Apparently it's Sirefef RTK. Most of the advice I've been getting elsewhere is of the "Reinstall Windows" variety, which is of course always an option, but not one I'd like to jump right to.*

I picked up a particularly nasty fake security suite virus the other day, and had some luck in getting rid of at least some parts of the program itself. (The bits that generated all of the popups.)

It's left in its wake a pile of misery. Hid half of my desktop icons, appears to be DNS hijacking my internet connection - not to go anywhere specific, it just won't work outside of safe mode. Several normal startup programs have been flipping out due to some function they require not being accessible anymore. Steam and the Catalyst Control Center specifically.

I ran a system restore, Avast, and Kaspersky, and plan to try out the Smitfraudfix DNS cleaner this evening.

HJT logs as follows.


Logfile of HijackThis v1.99.1
Scan saved at 11:59:48 PM, on 8/22/2012
Platform: Unknown Windows (WinNT 6.01.3505 SP1)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)

Running processes:
C:\Program Files (x86)\AIM\aim.exe
C:\Users\Nick\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Programs\Steam\Steam.exe
C:\Program Files (x86)\PowerMenu\PowerMenu.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe
C:\Users\Nick\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\ievkbd.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\klwtbbho.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe"
O4 - HKCU\..\Run: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [googletalk] C:\Users\Nick\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Steam] "C:\Programs\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: PowerMenu.lnk = C:\Program Files (x86)\PowerMenu\PowerMenu.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\ie_banner_deny.htm
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\ievkbd.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\klwtbbho.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll (file missing)
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Unknown owner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe" -r (file missing)
O23 - Service: CryptoStorage control service (CSObjectsSrv) - Infowatch - C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Programs\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe (file missing)

Edited by UltraFred, 23 August 2012 - 01:38 AM.
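As an added triage example for the log above (not code from the thread, from HijackThis or from BleepingComputer), the script below parses O2, O4 and O23 lines and sorts the "(file missing)" entries by how much they merit a look. The sample lines are constructed copies of lines from this log, and the priority heuristic is our own assumption, not a HijackThis feature.

```python
"""Triage pass over HijackThis O2/O4/O23 lines (added example; heuristic is ours)."""
import re
from dataclasses import dataclass

MISSING = " (file missing)"
# Locations that hold Windows' own binaries; HJT prints some of them unexpanded.
SYSTEM_DIRS = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")


@dataclass
class Entry:
    kind: str           # "O2" (BHO), "O4" (Run key) or "O23" (service)
    name: str           # BHO name, Run value name or service display name
    image: str          # path / command line exactly as HJT printed it
    missing: bool       # HJT appended "(file missing)"
    owner: str = ""     # O23 only: company HJT read from the binary


def exe_from_command(cmd: str) -> str:
    """Return the bare executable path from a command line, dropping quotes and
    arguments. The log above shows the AVP service as 'avp.exe" -r': HJT kept
    the closing quote and the -r switch inside the 'path', which is exactly
    why it then reported the file as missing."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    head = cmd.split('"', 1)[0]            # stray quote glued to the path
    m = re.match(r"(.*?\.(?:exe|dll|sys|cpl))(?:\s|$)", head, re.IGNORECASE)
    return m.group(1) if m else head


def parse_line(line: str):
    """Parse one HJT line into an Entry; lines of other types return None."""
    line = line.strip()
    missing = line.endswith(MISSING)
    if missing:
        line = line[: -len(MISSING)]
    if line.startswith("O4 - ") and "\\..\\Run: [" in line:
        _hive, _, rest = line[len("O4 - "):].partition("\\..\\Run: [")
        name, _, cmd = rest.partition("] ")
        return Entry("O4", name, cmd, missing)
    if line.startswith("O2 - BHO: "):
        name, _, rest = line[len("O2 - BHO: "):].partition(" - {")
        _clsid, _, path = rest.partition("} - ")
        return Entry("O2", name, path, missing)
    if line.startswith("O23 - Service: "):
        # Split from the right: display names may themselves contain " - ".
        body = line[len("O23 - Service: "):]
        display_owner, _, path = body.rpartition(" - ")
        display, _, owner = display_owner.rpartition(" - ")
        return Entry("O23", display, path, missing, owner)
    return None


def triage(lines):
    """Return (priority, reason, entry) for every entry HJT could not resolve.
    high   - hook or service pointing at a file that is really gone
    medium - 'missing' path still carries arguments; re-check the bare exe
    low    - Windows service listed by resource string under the Windows
             directory; confirm on disk before treating it as a finding"""
    findings = []
    for raw in lines:
        e = parse_line(raw)
        if e is None or not e.missing:
            continue
        exe = exe_from_command(e.image)
        in_windows = exe.lower().startswith(SYSTEM_DIRS)
        if e.kind == "O23" and exe != e.image.strip():
            findings.append(("medium", f"re-check bare path {exe}", e))
        elif (e.kind == "O23" and e.owner == "Unknown owner"
              and in_windows and e.name.startswith("@")):
            findings.append(("low", "system service; confirm file exists", e))
        elif e.kind == "O23":
            findings.append(("high", "service binary not found", e))
        else:
            findings.append(("high", "autostart references a file that is gone", e))
    return findings


# Constructed sample: copies of lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll (file missing)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\ievkbd.dll
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [Steam] "C:\Programs\Steam\Steam.exe" -silent
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Unknown owner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe" -r (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
""".strip()

if __name__ == "__main__":
    for prio, reason, e in triage(SAMPLE_LOG.splitlines()):
        print(f"{prio:6} {e.kind:3} {e.name}: {reason}")
```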



#2 CatByte

  • Malware Response Team

Posted 24 August 2012 - 04:15 PM

Please don't run any scans other than what I ask for while we are working together, as it makes my job a little harder.

Please do the following:


Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.

NEXT


download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 UltraFred
  • Topic Starter

Posted 25 August 2012 - 05:35 AM

Scan result of Farbar Recovery Scan Tool Version: 23-08-2012 02
Ran by SYSTEM at 25-08-2012 04:18:15
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [311296 2010-03-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-08-25] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4282728 2012-08-21] (AVAST Software)
HKLM-x32\...\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe [x]
HKLM-x32\...\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe" [202296 2011-12-24] (Kaspersky Lab ZAO)
HKLM-x32\...\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe" [74752 2010-12-09] (Nullsoft, Inc.)
HKU\Nick\...\Run: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US [4321112 2012-02-29] (AOL Inc.)
HKU\Nick\...\Run: [googletalk] C:\Users\Nick\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart [3739648 2007-01-01] (Google)
HKU\Nick\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [357696 2010-04-01] (DT Soft Ltd)
HKU\Nick\...\Run: [Steam] "C:\Programs\Steam\Steam.exe" -silent [1353080 2012-08-12] (Valve Corporation)
HKU\Nick\...\Run: [Google Update] "C:\Users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-08-21] (Google Inc.)
Winlogon\Notify\klogon: %SystemRoot%\System32\klogon.dll (Kaspersky Lab ZAO)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\PowerMenu.lnk
ShortcutTarget: PowerMenu.lnk -> C:\Program Files (x86)\PowerMenu\PowerMenu.exe (Thong Nguyen)

==================== Services (Whitelisted) ======

2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-08-21] (AVAST Software)
2 AVP; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe" -r [202296 2011-12-24] (Kaspersky Lab ZAO)
2 CSObjectsSrv; "C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe" [743992 2009-12-21] (Infowatch)
3 DAUpdaterSvc; C:\Programs\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [25832 2009-07-26] (BioWare)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
4 avgwd; "C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe" [x]

========================== Drivers (Whitelisted) =============

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-08-21] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [71600 2012-08-21] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [54072 2012-08-21] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [969200 2012-08-21] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [359464 2012-08-21] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-08-21] (AVAST Software)
0 CSCrySec; C:\Windows\System32\Drivers\CSCrySec.sys [85048 2009-12-14] (Infowatch)
1 CSVirtualDiskDrv; C:\Windows\System32\Drivers\CSVirtualDiskDrv.sys [66104 2009-12-14] (Infowatch)
0 KL1; C:\Windows\System32\Drivers\KL1.sys [458032 2011-10-20] (Kaspersky Lab ZAO)
1 kl2; C:\Windows\System32\Drivers\kl2.sys [13616 2011-10-20] (Kaspersky Lab ZAO)
1 KLIF; C:\Windows\System32\Drivers\KLIF.sys [639280 2012-08-21] (Kaspersky Lab)
1 KLIM6; C:\Windows\System32\Drivers\KLIM6.sys [29488 2011-03-10] (Kaspersky Lab ZAO)
3 klmouflt; C:\Windows\System32\Drivers\klmouflt.sys [22544 2009-11-02] (Kaspersky Lab)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-08-18] (Duplex Secure Ltd.)
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [x]
0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [x]
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-25 00:55 - 2012-08-25 00:55 - 01446223 ____A (Farbar) C:\Users\Nick\Downloads\FRST64.exe
2012-08-25 00:55 - 2012-08-25 00:55 - 01446223 ____A (Farbar) C:\Users\Nick\Desktop\FRST64.exe
2012-08-25 00:54 - 2012-08-25 01:07 - 00002928 ____A C:\Users\Nick\Desktop\unhide.txt
2012-08-25 00:54 - 2012-08-25 00:54 - 00399264 ____A (Bleeping Computer, LLC) C:\Users\Nick\Desktop\unhide.exe
2012-08-25 00:53 - 2012-08-25 00:54 - 00399264 ____A (Bleeping Computer, LLC) C:\Users\Nick\Downloads\unhide.exe
2012-08-23 10:10 - 2012-08-23 10:10 - 00743066 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-23 10:10 - 2012-08-23 10:10 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-23 10:10 - 2012-08-23 10:10 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-08-22 22:36 - 2012-08-23 10:10 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-22 22:36 - 2012-08-22 22:37 - 72255536 ____A (Microsoft Corporation) C:\Users\Nick\Downloads\msert.exe
2012-08-22 22:36 - 2012-08-22 22:36 - 12621696 ____A (Microsoft Corporation) C:\Users\Nick\Downloads\mseinstall.exe
2012-08-22 21:43 - 2012-08-22 22:29 - 00000007 ____A C:\Users\Nick\Desktop\virus.txt
2012-08-22 21:18 - 2012-08-22 21:18 - 04736524 ____A (Swearware) C:\Users\Nick\Downloads\ComboFix.exe
2012-08-22 21:18 - 2012-08-22 21:18 - 04736524 ____A (Swearware) C:\Users\Nick\Downloads\ComboFix (1).exe
2012-08-22 21:13 - 2012-08-22 21:13 - 00000691 ____A C:\Users\Nick\AppData\Roaming\GetValue.vbs
2012-08-22 21:13 - 2012-08-22 21:13 - 00000035 ____A C:\Users\Nick\AppData\Roaming\SetValue.bat
2012-08-22 21:12 - 2012-08-22 21:12 - 01872472 ____A C:\Users\Nick\Downloads\SmitfraudFix (1).exe
2012-08-22 21:11 - 2012-08-22 21:33 - 00001567 ____A C:\rapport.txt
2012-08-22 21:11 - 2012-08-22 21:13 - 00001370 ____A C:\Windows\SysWOW64\tmp.reg
2012-08-22 21:11 - 2012-08-22 21:13 - 00000000 ____A C:\Windows\SysWOW64\tmp.txt
2012-08-22 21:11 - 2012-08-22 21:11 - 01884866 ____A C:\Users\Nick\Downloads\SmitfraudFix.exe
2012-08-22 21:11 - 2012-08-22 21:11 - 00000000 ____D C:\Users\Nick\Downloads\SmitfraudFix
2012-08-22 21:11 - 2009-06-02 08:17 - 00075776 ____A C:\Windows\SysWOW64\WS2Fix.exe
2012-08-22 21:11 - 2008-12-11 22:57 - 00078336 ____A (S!Ri.URZ) C:\Windows\SysWOW64\Agent.OMZ.Fix.exe
2012-08-22 21:11 - 2008-11-29 15:58 - 00082944 ____A (S!Ri.URZ) C:\Windows\SysWOW64\IEDFix.C.exe
2012-08-22 21:11 - 2008-10-01 12:51 - 00087552 ____A (S!Ri.URZ) C:\Windows\SysWOW64\VACFix.exe
2012-08-22 21:11 - 2008-09-20 09:45 - 00080384 ____A (S!Ri.URZ) C:\Windows\SysWOW64\o4Patch.exe
2012-08-22 21:11 - 2008-08-18 09:19 - 00082432 ____A (S!Ri.URZ) C:\Windows\SysWOW64\404Fix.exe
2012-08-22 21:11 - 2008-05-18 18:40 - 00082944 ____A (S!Ri.URZ) C:\Windows\SysWOW64\IEDFix.exe
2012-08-22 21:11 - 2007-09-05 21:22 - 00289144 ____A (S!Ri) C:\Windows\SysWOW64\VCCLSID.exe
2012-08-22 21:11 - 2006-12-01 03:20 - 00079360 ____A (SteelWerX) C:\Windows\SysWOW64\swxcacls.exe
2012-08-22 21:11 - 2006-08-29 16:43 - 00135168 ____A (SteelWerX) C:\Windows\SysWOW64\swreg.exe
2012-08-22 21:11 - 2006-04-27 14:49 - 00288417 ____A (S!Ri) C:\Windows\SysWOW64\SrchSTS.exe
2012-08-22 21:11 - 2006-01-09 07:36 - 00040960 ____A C:\Windows\SysWOW64\swsc.exe
2012-08-22 21:11 - 2004-07-31 15:50 - 00051200 ____A C:\Windows\SysWOW64\dumphive.exe
2012-08-22 21:11 - 2003-06-05 18:13 - 00053248 ____A (http://www.beyondlogic.org) C:\Windows\SysWOW64\Process.exe
2012-08-22 20:51 - 2012-08-22 20:59 - 00000000 ____D C:\Users\Nick\Desktop\HJT
2012-08-22 20:51 - 2012-08-22 20:51 - 00251392 ____A C:\Users\Nick\Downloads\hijackthis_sfx.exe
2012-08-22 20:51 - 2012-08-22 20:51 - 00251392 ____A C:\Users\Nick\Downloads\hijackthis_sfx (1).exe
2012-08-22 20:50 - 2012-08-22 20:50 - 01402880 ____A C:\Users\Nick\Downloads\HiJackThis.msi
2012-08-22 14:36 - 2012-08-24 10:09 - 00124782 ____A C:\Windows\WindowsUpdate.log
2012-08-22 14:34 - 2012-08-24 05:53 - 00001130 ____A C:\Windows\setupact.log
2012-08-22 14:34 - 2012-08-22 14:34 - 00001620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-22 14:34 - 2012-08-22 14:34 - 00000000 ____A C:\Windows\setuperr.log
2012-08-22 10:14 - 2012-06-28 20:55 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-22 10:14 - 2012-06-28 20:09 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-22 10:14 - 2012-06-28 19:56 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-22 10:14 - 2012-06-28 19:49 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-22 10:14 - 2012-06-28 19:49 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-22 10:14 - 2012-06-28 19:48 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-22 10:14 - 2012-06-28 19:47 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-22 10:14 - 2012-06-28 19:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-22 10:14 - 2012-06-28 19:44 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-22 10:14 - 2012-06-28 19:43 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-22 10:14 - 2012-06-28 19:42 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-22 10:14 - 2012-06-28 19:40 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-22 10:14 - 2012-06-28 19:39 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-22 10:14 - 2012-06-28 19:35 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-22 10:14 - 2012-06-28 16:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-22 10:14 - 2012-06-28 16:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-22 10:14 - 2012-06-28 16:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-22 10:14 - 2012-06-28 16:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-22 10:14 - 2012-06-28 16:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-22 10:14 - 2012-06-28 16:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-22 10:14 - 2012-06-28 16:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-22 10:14 - 2012-06-28 16:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-22 10:14 - 2012-06-28 16:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-22 10:14 - 2012-06-28 16:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-22 10:14 - 2012-06-28 16:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-22 10:14 - 2012-06-28 16:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-22 10:14 - 2012-06-28 16:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-22 10:14 - 2012-06-28 15:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-21 23:10 - 2012-08-21 23:10 - 00017408 ____A C:\Users\Nick\AppData\Local\WebpageIcons.db
2012-08-21 23:04 - 2012-08-21 23:04 - 00000000 ___RD C:\Backup
2012-08-21 22:59 - 2012-08-21 23:33 - 00153053 ____A C:\Windows\System32\Drivers\klin.dat
2012-08-21 22:59 - 2012-08-21 23:33 - 00107384 ____A C:\Windows\System32\Drivers\klick.dat
2012-08-21 22:58 - 2009-12-14 09:44 - 00085048 ____A (Infowatch) C:\Windows\System32\Drivers\CSCrySec.sys
2012-08-21 22:58 - 2009-12-14 09:44 - 00066104 ____A (Infowatch) C:\Windows\System32\Drivers\CSVirtualDiskDrv.sys
2012-08-21 22:57 - 2012-08-24 10:03 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-08-21 22:57 - 2012-08-21 22:57 - 00639280 ____A (Kaspersky Lab) C:\Windows\System32\Drivers\klif.sys
2012-08-21 22:57 - 2012-08-21 22:57 - 00000000 ____D C:\Program Files (x86)\Kaspersky Lab
2012-08-21 22:57 - 2012-08-21 22:57 - 00000000 ____D C:\kleaner.tmp
2012-08-21 22:19 - 2012-08-24 09:29 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2958724896-2049278016-3311970155-1001UA.job
2012-08-21 22:19 - 2012-08-22 22:29 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2958724896-2049278016-3311970155-1001Core.job
2012-08-21 22:19 - 2012-08-21 22:19 - 00000000 ____D C:\Users\Nick\AppData\Local\Deployment
2012-08-21 22:19 - 2012-08-21 22:19 - 00000000 ____D C:\Users\Nick\AppData\Local\Apps\2.0
2012-08-21 10:37 - 2012-08-21 01:13 - 00359464 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-08-21 10:37 - 2012-08-21 01:13 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-08-21 10:37 - 2012-08-21 01:13 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-08-21 10:37 - 2012-05-05 00:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-21 10:37 - 2012-05-04 23:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2012-08-21 10:36 - 2012-08-21 10:36 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-08-21 10:36 - 2012-08-21 10:36 - 00000000 ____D C:\Program Files\AVAST Software
2012-08-21 10:36 - 2012-08-21 10:36 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-08-21 10:36 - 2012-08-21 01:13 - 00969200 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-08-21 10:36 - 2012-08-21 01:13 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-08-21 10:36 - 2012-08-21 01:13 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-08-21 10:36 - 2012-08-21 01:12 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-08-21 10:36 - 2012-08-21 01:12 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-08-21 10:36 - 2012-08-21 01:12 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-08-21 10:36 - 2012-02-10 22:43 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-21 10:36 - 2012-02-10 22:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-21 10:36 - 2012-02-10 22:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-08-21 10:36 - 2012-02-10 21:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2012-08-21 10:35 - 2012-08-22 21:05 - 00000000 ____D C:\Windows\pss
2012-08-21 10:35 - 2012-07-18 10:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-21 10:35 - 2012-07-04 14:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-21 10:35 - 2012-07-04 14:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-21 10:35 - 2012-07-04 14:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-21 10:35 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-21 10:35 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-21 10:35 - 2012-05-13 21:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-21 00:53 - 2012-08-21 00:53 - 00000368 ____A C:\Users\All Users\sj9ZUifP9RsYtp
2012-08-07 21:02 - 2012-08-07 21:02 - 00001121 ____A C:\Users\Nick\Documents\Documents - Shortcut (2).lnk


============ 3 Months Modified Files ========================

2012-08-25 01:07 - 2012-08-25 00:54 - 00002928 ____A C:\Users\Nick\Desktop\unhide.txt
2012-08-25 00:55 - 2012-08-25 00:55 - 01446223 ____A (Farbar) C:\Users\Nick\Downloads\FRST64.exe
2012-08-25 00:55 - 2012-08-25 00:55 - 01446223 ____A (Farbar) C:\Users\Nick\Desktop\FRST64.exe
2012-08-25 00:54 - 2012-08-25 00:54 - 00399264 ____A (Bleeping Computer, LLC) C:\Users\Nick\Desktop\unhide.exe
2012-08-25 00:54 - 2012-08-25 00:53 - 00399264 ____A (Bleeping Computer, LLC) C:\Users\Nick\Downloads\unhide.exe
2012-08-24 10:09 - 2012-08-22 14:36 - 00124782 ____A C:\Windows\WindowsUpdate.log
2012-08-24 09:29 - 2012-08-21 22:19 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2958724896-2049278016-3311970155-1001UA.job
2012-08-24 05:55 - 2009-07-13 21:13 - 00729688 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-24 05:53 - 2012-08-22 14:34 - 00001130 ____A C:\Windows\setupact.log
2012-08-24 05:50 - 2009-07-13 20:45 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-24 05:50 - 2009-07-13 20:45 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-24 05:42 - 2009-07-13 21:08 - 00000006 ____A C:\Windows\Tasks\SA.DAT
2012-08-23 10:10 - 2012-08-23 10:10 - 00743066 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-23 10:10 - 2012-08-22 22:36 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-22 22:37 - 2012-08-22 22:36 - 72255536 ____A (Microsoft Corporation) C:\Users\Nick\Downloads\msert.exe
2012-08-22 22:36 - 2012-08-22 22:36 - 12621696 ____A (Microsoft Corporation) C:\Users\Nick\Downloads\mseinstall.exe
2012-08-22 22:29 - 2012-08-22 21:43 - 00000007 ____A C:\Users\Nick\Desktop\virus.txt
2012-08-22 22:29 - 2012-08-21 22:19 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2958724896-2049278016-3311970155-1001Core.job
2012-08-22 21:33 - 2012-08-22 21:11 - 00001567 ____A C:\rapport.txt
2012-08-22 21:18 - 2012-08-22 21:18 - 04736524 ____A (Swearware) C:\Users\Nick\Downloads\ComboFix.exe
2012-08-22 21:18 - 2012-08-22 21:18 - 04736524 ____A (Swearware) C:\Users\Nick\Downloads\ComboFix (1).exe
2012-08-22 21:13 - 2012-08-22 21:13 - 00000691 ____A C:\Users\Nick\AppData\Roaming\GetValue.vbs
2012-08-22 21:13 - 2012-08-22 21:13 - 00000035 ____A C:\Users\Nick\AppData\Roaming\SetValue.bat
2012-08-22 21:13 - 2012-08-22 21:11 - 00001370 ____A C:\Windows\SysWOW64\tmp.reg
2012-08-22 21:13 - 2012-08-22 21:11 - 00000000 ____A C:\Windows\SysWOW64\tmp.txt
2012-08-22 21:12 - 2012-08-22 21:12 - 01872472 ____A C:\Users\Nick\Downloads\SmitfraudFix (1).exe
2012-08-22 21:11 - 2012-08-22 21:11 - 01884866 ____A C:\Users\Nick\Downloads\SmitfraudFix.exe
2012-08-22 20:51 - 2012-08-22 20:51 - 00251392 ____A C:\Users\Nick\Downloads\hijackthis_sfx.exe
2012-08-22 20:51 - 2012-08-22 20:51 - 00251392 ____A C:\Users\Nick\Downloads\hijackthis_sfx (1).exe
2012-08-22 20:50 - 2012-08-22 20:50 - 01402880 ____A C:\Users\Nick\Downloads\HiJackThis.msi
2012-08-22 14:34 - 2012-08-22 14:34 - 00001620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-22 14:34 - 2012-08-22 14:34 - 00000000 ____A C:\Windows\setuperr.log
2012-08-22 14:34 - 2009-07-13 20:45 - 00291272 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-22 14:33 - 2010-10-25 06:29 - 00014892 ____A C:\Windows\PFRO.log
2012-08-22 10:12 - 2012-04-10 16:47 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-21 23:33 - 2012-08-21 22:59 - 00153053 ____A C:\Windows\System32\Drivers\klin.dat
2012-08-21 23:33 - 2012-08-21 22:59 - 00107384 ____A C:\Windows\System32\Drivers\klick.dat
2012-08-21 23:10 - 2012-08-21 23:10 - 00017408 ____A C:\Users\Nick\AppData\Local\WebpageIcons.db
2012-08-21 22:57 - 2012-08-21 22:57 - 00639280 ____A (Kaspersky Lab) C:\Windows\System32\Drivers\klif.sys
2012-08-21 10:36 - 2012-08-21 10:36 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-08-21 01:13 - 2012-08-21 10:37 - 00359464 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-08-21 01:13 - 2012-08-21 10:37 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys
2012-08-21 01:13 - 2012-08-21 10:37 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-08-21 01:13 - 2012-08-21 10:36 - 00969200 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-08-21 01:13 - 2012-08-21 10:36 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-08-21 01:13 - 2012-08-21 10:36 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-08-21 01:12 - 2012-08-21 10:36 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-08-21 01:12 - 2012-08-21 10:36 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-08-21 01:12 - 2012-08-21 10:36 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-08-21 00:53 - 2012-08-21 00:53 - 00000368 ____A C:\Users\All Users\sj9ZUifP9RsYtp
2012-08-07 21:02 - 2012-08-07 21:02 - 00001121 ____A C:\Users\Nick\Documents\Documents - Shortcut (2).lnk
2012-07-19 00:15 - 2010-08-31 23:10 - 00376821 ____A C:\Windows\DirectX.log
2012-07-18 10:15 - 2012-08-21 10:35 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-15 16:04 - 2012-07-15 16:04 - 00001121 ____A C:\Users\Nick\Documents\Documents - Shortcut.lnk
2012-07-11 21:02 - 2012-04-04 11:16 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-11 21:02 - 2011-06-08 10:17 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-04 14:16 - 2012-08-21 10:35 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:13 - 2012-08-21 10:35 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:13 - 2012-08-21 10:35 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:16 - 2012-08-21 10:35 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:14 - 2012-08-21 10:35 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-06-28 20:55 - 2012-08-22 10:14 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 20:09 - 2012-08-22 10:14 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 19:56 - 2012-08-22 10:14 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 19:49 - 2012-08-22 10:14 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 19:49 - 2012-08-22 10:14 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 19:48 - 2012-08-22 10:14 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 19:47 - 2012-08-22 10:14 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 19:45 - 2012-08-22 10:14 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 19:44 - 2012-08-22 10:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 19:43 - 2012-08-22 10:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 19:42 - 2012-08-22 10:14 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 19:40 - 2012-08-22 10:14 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 19:39 - 2012-08-22 10:14 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 19:35 - 2012-08-22 10:14 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-28 16:52 - 2012-08-22 10:14 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-28 16:27 - 2012-08-22 10:14 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-28 16:16 - 2012-08-22 10:14 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-28 16:09 - 2012-08-22 10:14 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-28 16:09 - 2012-08-22 10:14 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-28 16:08 - 2012-08-22 10:14 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-28 16:07 - 2012-08-22 10:14 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-28 16:06 - 2012-08-22 10:14 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-28 16:04 - 2012-08-22 10:14 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-28 16:04 - 2012-08-22 10:14 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-28 16:01 - 2012-08-22 10:14 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-28 16:01 - 2012-08-22 10:14 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-28 16:00 - 2012-08-22 10:14 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-28 15:57 - 2012-08-22 10:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-19 12:52 - 2012-06-19 12:52 - 00003466 ____A C:\Windows\SysWOW64\Subtitle.cfg
2012-06-12 18:45 - 2012-06-12 18:45 - 00000298 ____A C:\Windows\EReg072.dat
2012-06-10 23:36 - 2010-07-24 09:26 - 00063360 ____A C:\Users\Nick\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-08 21:43 - 2012-07-11 21:10 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-11 21:10 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-11 21:10 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-11 21:10 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-11 21:10 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-11 21:10 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-11 21:10 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-11 21:10 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-08 17:18 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-08 17:18 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-08 17:18 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-08 17:18 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-08 17:18 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-08 17:18 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-08 17:18 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-08 17:18 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-08 17:18 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 21:50 - 2012-07-11 21:10 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-11 21:10 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-11 21:10 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-11 21:10 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-11 21:10 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-11 21:10 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-11 21:10 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-11 21:10 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-11 21:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll


ZeroAccess:
C:\Users\Nick\AppData\Local\{98b645d0-ba0b-146a-2d06-bdd49cbaf728}
C:\Users\Nick\AppData\Local\{98b645d0-ba0b-146a-2d06-bdd49cbaf728}\@
C:\Users\Nick\AppData\Local\{98b645d0-ba0b-146a-2d06-bdd49cbaf728}\L
C:\Users\Nick\AppData\Local\{98b645d0-ba0b-146a-2d06-bdd49cbaf728}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 4095.3 MB
Available physical RAM: 3475.75 MB
Total Pagefile: 4093.45 MB
Available Pagefile: 3463 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:931.41 GB) (Free:543.35 GB) NTFS
4 Drive f: (DIABLO II) (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 3816 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 931 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 931 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3823 MB 564 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F DIABLO II FAT32 Removable 3823 MB Healthy

==================================================================================

Last Boot: 2012-08-16 23:20

======================= End Of Log ==========================



Farbar Recovery Scan Tool Version: 23-08-2012 02
Ran by SYSTEM at 2012-08-25 05:25:30
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:48 PM

Posted 25 August 2012 - 07:33 AM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
2012-08-21 00:53 - 2012-08-21 00:53 - 00000368 ____A C:\Users\All Users\sj9ZUifP9RsYtp
2012-06-12 18:45 - 2012-06-12 18:45 - 00000298 ____A C:\Windows\EReg072.dat
C:\Users\Nick\AppData\Local\{98b645d0-ba0b-146a-2d06-bdd49cbaf728}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.



NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
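The fixlist in the post above is assembled by hand from lines of the FRST log. As an added example (not FRST's, ComboFix's or the forum's own code), the Python below parses FRST file-listing lines, flags the ZeroAccess user-mode folder pattern that FRST reported (a GUID-named folder under AppData\Local holding the @, L and U members) and assembles a fixlist in the same start/end form; the `looks_dropped` heuristic and the sample log lines are constructed for illustration.

```python
"""Parse FRST file-listing lines, detect the ZeroAccess folder pattern and
build a start/end fixlist.  Constructed example; not FRST's own code."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# FRST listing line: "<created> - <modified> - <size> <attrs> [(Company)] <path>"
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>\S.*)$"
)
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ZA_MEMBERS: Set[str] = {"@", "L", "U"}          # members of a ZeroAccess folder
# Constructed heuristic for this example: an unsigned file dropped directly in
# the ProgramData root (C:\Users\All Users is the Windows 7 junction to it).
PROGDATA_ROOT = re.compile(r"^C:\\(?:Users\\All Users|ProgramData)\\[^\\]+$", re.I)


@dataclass
class Entry:
    raw: str            # the log line verbatim, as FRST expects it in a fixlist
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]
    path: str


def parse_frst_line(line: str) -> Optional[Entry]:
    """Return an Entry for an FRST listing line, or None for anything else."""
    line = line.strip()
    m = FRST_LINE.match(line)
    if not m:
        return None
    return Entry(line, m["created"], m["modified"], int(m["size"]),
                 m["attrs"], m["company"], m["path"])


def find_zeroaccess_dirs(paths: Iterable[str]) -> List[str]:
    """GUID-named folders directly under AppData\\Local whose listed members
    include all of @, L and U (the pattern FRST prints under 'ZeroAccess:')."""
    members: Dict[str, Set[str]] = {}
    for p in paths:
        parent, _, leaf = p.rpartition("\\")
        grand, _, dirname = parent.rpartition("\\")
        if GUID_DIR.match(dirname) and grand.lower().endswith("\\appdata\\local"):
            members.setdefault(parent, set()).add(leaf)
    return sorted(d for d, ms in members.items() if ZA_MEMBERS <= ms)


def looks_dropped(e: Entry) -> bool:
    """Constructed example criterion: no publisher and sitting in ProgramData root."""
    return e.company is None and bool(PROGDATA_ROOT.match(e.path))


def build_fixlist(entries: Iterable[Entry], za_dirs: Iterable[str]) -> str:
    """File entries go in verbatim; folders go in as bare paths."""
    lines = ["start"]
    lines += [e.raw for e in entries if looks_dropped(e)]
    lines += list(za_dirs)
    lines.append("end")
    return "\n".join(lines) + "\n"


def analyse_log(text: str) -> dict:
    entries: List[Entry] = []
    paths: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        e = parse_frst_line(line)
        if e:
            entries.append(e)
            paths.append(e.path)
        elif re.match(r"^[A-Za-z]:\\", line):   # bare path (ZeroAccess section)
            paths.append(line)
    za = find_zeroaccess_dirs(paths)
    return {"entries": entries, "zeroaccess_dirs": za,
            "fixlist": build_fixlist(entries, za)}


# Constructed sample: a few lines in the shape of the FRST log above.
SAMPLE_LOG = r"""
2012-08-25 01:07 - 2012-08-25 00:54 - 00002928 ____A C:\Users\Nick\Desktop\unhide.txt
2012-08-25 00:54 - 2012-08-25 00:54 - 00399264 ____A (Bleeping Computer, LLC) C:\Users\Nick\Desktop\unhide.exe
2012-08-24 10:09 - 2012-08-22 14:36 - 00124782 ____A C:\Windows\WindowsUpdate.log
2012-08-21 00:53 - 2012-08-21 00:53 - 00000368 ____A C:\Users\All Users\sj9ZUifP9RsYtp
2012-06-12 18:45 - 2012-06-12 18:45 - 00000298 ____A C:\Windows\EReg072.dat

ZeroAccess:
C:\Users\Nick\AppData\Local\{98b645d0-ba0b-146a-2d06-bdd49cbaf728}
C:\Users\Nick\AppData\Local\{98b645d0-ba0b-146a-2d06-bdd49cbaf728}\@
C:\Users\Nick\AppData\Local\{98b645d0-ba0b-146a-2d06-bdd49cbaf728}\L
C:\Users\Nick\AppData\Local\{98b645d0-ba0b-146a-2d06-bdd49cbaf728}\U
"""

if __name__ == "__main__":
    print(analyse_log(SAMPLE_LOG)["fixlist"], end="")
```

The heuristic does not pick up C:\Windows\EReg072.dat, which the helper chose by judgement; the script only mechanises the pattern match and the fixlist layout.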


#5 UltraFred

UltraFred
  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:48 PM

Posted 25 August 2012 - 05:53 PM

The primary symptom - that internet access outside of safe mode is inaccessible - has not been alleviated yet.

I disabled the AVAST service prior to running combofix, but it was insistent that it was still active. I triple checked and it was definitely disabled - though the program was still running.


ComboFix 12-08-25.04 - Nick 08/25/2012 17:04:28.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2546 [GMT -5:00]
Running from: c:\users\Nick\Desktop\ComboFix5.exe
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\Nick\AppData\Local\.#
c:\users\Nick\AppData\Roaming\NWNToolPrefs.txt
c:\windows\SysWow64\404Fix.exe
c:\windows\SysWow64\Agent.OMZ.Fix.exe
c:\windows\SysWow64\dumphive.exe
c:\windows\SysWow64\IEDFix.C.exe
c:\windows\SysWow64\IEDFix.exe
c:\windows\SysWow64\o4Patch.exe
c:\windows\SysWow64\Process.exe
c:\windows\SysWow64\SrchSTS.exe
c:\windows\SysWow64\tmp.reg
c:\windows\SysWow64\VACFix.exe
c:\windows\SysWow64\VCCLSID.exe
c:\windows\SysWow64\vid_conv2.dll
c:\windows\SysWow64\vid_core2.dll
c:\windows\SysWow64\vid_format2.dll
c:\windows\SysWow64\vid_multi2.dll
c:\windows\SysWow64\WS2Fix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-25 to 2012-08-25 )))))))))))))))))))))))))))))))
.
.
2012-08-25 12:18 . 2012-08-25 12:18 -------- d-----w- C:\FRST
2012-08-25 10:43 . 2012-08-20 06:53 9309624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{808405A8-6187-408E-B6E3-ACF14E9EA668}\mpengine.dll
2012-08-23 18:36 . 2012-08-20 06:53 9309624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-23 18:10 . 2012-08-23 18:10 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-08-23 18:10 . 2012-08-23 18:10 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-23 05:13 . 2012-08-23 05:13 691 ----a-w- c:\users\Nick\AppData\Roaming\GetValue.vbs
2012-08-23 05:13 . 2012-08-23 05:13 35 ----a-w- c:\users\Nick\AppData\Roaming\SetValue.bat
2012-08-22 07:04 . 2012-08-22 07:04 -------- d-----r- C:\Backup
2012-08-22 06:58 . 2009-12-14 17:44 85048 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
2012-08-22 06:58 . 2009-12-14 17:44 66104 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2012-08-22 06:58 . 2012-08-25 21:52 -------- dc----w- c:\windows\system32\DRVSTORE
2012-08-22 06:57 . 2012-08-22 06:57 -------- d-----w- C:\kleaner.tmp
2012-08-22 06:19 . 2012-08-22 06:19 -------- d-----w- c:\users\Nick\AppData\Local\Apps
2012-08-22 06:19 . 2012-08-22 06:19 -------- d-----w- c:\users\Nick\AppData\Local\Deployment
2012-08-21 18:37 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-08-21 18:37 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-08-21 18:37 . 2012-08-21 09:13 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-21 18:37 . 2012-08-21 09:13 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-21 18:37 . 2012-08-21 09:13 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-08-21 18:36 . 2012-08-21 09:13 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-21 18:36 . 2012-08-21 09:13 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 18:36 . 2012-08-21 09:13 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-08-21 18:36 . 2012-08-21 09:12 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-08-21 18:36 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-08-21 18:36 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-21 18:36 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-08-21 18:36 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2012-08-21 18:36 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-08-21 18:36 . 2012-08-21 09:12 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-08-21 18:36 . 2012-08-21 18:36 -------- d-----w- c:\programdata\AVAST Software
2012-08-21 18:36 . 2012-08-21 18:36 -------- d-----w- c:\program files\AVAST Software
2012-08-21 18:35 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-21 18:35 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-08-21 18:35 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-08-21 18:35 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-08-21 18:35 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-21 18:35 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-22 18:12 . 2012-04-11 00:47 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-07-12 05:02 . 2012-04-04 19:16 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-12 05:02 . 2011-06-08 18:17 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-11 07:39 . 2011-03-28 23:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-06-09 05:43 . 2012-07-12 05:10 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-12 05:10 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-12 05:10 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-12 05:10 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-12 05:10 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-12 05:10 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-12 05:10 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-09 01:18 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-09 01:18 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-09 01:18 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-09 01:18 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-09 01:18 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-09 01:18 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-09 01:18 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-09 01:18 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:15 . 2012-06-09 01:18 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 05:50 . 2012-07-12 05:10 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:48 . 2012-07-12 05:10 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:48 . 2012-07-12 05:10 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:45 . 2012-07-12 05:10 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:44 . 2012-07-12 05:10 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:40 . 2012-07-12 05:10 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:40 . 2012-07-12 05:10 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:39 . 2012-07-12 05:10 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34 . 2012-07-12 05:10 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files (x86)\AIM\aim.exe" [2012-02-29 4321112]
"googletalk"="c:\users\Nick\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Steam"="c:\programs\Steam\Steam.exe" [2012-08-12 1353080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-26 98304]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PowerMenu.lnk - c:\program files (x86)\PowerMenu\PowerMenu.exe [2002-12-19 57344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\programs\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-19 113120]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-24 1255736]
R4 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG10\avgwdsvc.exe [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-19 834544]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-10-05 203264]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-10-05 7767040]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-10-05 279040]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-10-05 116240]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2958724896-2049278016-3311970155-1001Core.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-22 06:19]
.
2012-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2958724896-2049278016-3311970155-1001UA.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-22 06:19]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:11 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\cg7kyk8i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-AVG_TRAY - c:\program files (x86)\AVG\AVG10\avgtray.exe
Toolbar-Locked - (no file)
AddRemove-Dungeon Keeper II - c:\programs\Dungeon Keeper\Uninst.isu
AddRemove-RPGVXAce_RTP_is1 - c:\programs\RPG Maker\RPGVXAce\unins000.exe
AddRemove-xSIMS_Censor_Remover_TS3 - c:\programs\The Sims 3\xSIMS_TS3_Censor_Remover_Uninstall.exe
AddRemove-xSIMS_Nude_Clothes_Females - c:\programs\The Sims 3\xSIMS_TS3_Nude_Clothes_Females_Uninstall.exe
AddRemove-{980A182F-E0A2-4A40-94C1-AE0C1235902E} - c:\program files (x86)\Pando Networks\Media Booster\uninst.exe
AddRemove-{B883F0C7-64DB-4D11-A7F6-FEB08A072595}_is1 - c:\illusion\@Home Mate\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2958724896-2049278016-3311970155-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:9b,fa,26,a7,6e,24,99,bc,2f,0d,69,ce,03,77,8a,79,91,43,da,16,ab,72,6b,
9d,5e,91,a4,36,6d,b7,85,e4,bb,c4,13,e6,e9,7c,98,1d,21,8d,08,42,11,9f,53,24,\
"??"=hex:ea,a8,50,22,01,53,bb,d7,3c,d3,e6,98,78,e2,b2,8a
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
.
**************************************************************************
.
Completion time: 2012-08-25 17:20:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-25 22:20
.
Pre-Run: 627,598,123,008 bytes free
Post-Run: 627,099,942,912 bytes free
.
- - End Of File - - 43D500DB6EE8608A1C54462646847338

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 August 2012 - 06:02 PM

The log is showing that you have two antivirus products installed

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

Having more than one AV can cause system slowdowns, conflicts and crashes; I advise you to remove one of them.

Please do the following:

  • Please download MiniToolBox and save it to your desktop and run it.
  • Checkmark the following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List content of Hosts
    • List installed programs.
  • Click Go and post the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run from.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 UltraFred

  • Topic Starter
  • Members
  • 5 posts

Posted 26 August 2012 - 02:12 AM

I suppose I got a little overzealous with the antivirus software. >_>

I pulled Kaspersky and MS Security Essentials off.

Internet is functioning in normal mode now, but still seems a bit unresponsive.


MiniToolBox by Farbar Version: 23-07-2012
Ran by Nick (administrator) on 26-08-2012 at 02:08:07
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

Leawo MP4 Converter version 3.1.0.0
@Home Mate (Version: 1.0)
µTorrent (Version: 2.0.3)
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.0.1.152)
Adobe Flash Player 11 Plugin (Version: 11.3.300.265)
AIM 7
AMD Drag and Drop Transcoding (Version: 2.00.0000)
Amnesia - The Dark Descent (Version: 1.0.0)
Arcanum (Version: 1.0.6.4)
ATI Catalyst Install Manager (Version: 3.0.790.0)
ATI Catalyst Registration (Version: 3.00.0000)
ATMA V 5.05 (Version: 5.05)
AutoHotkey 1.0.48.05 (Version: 1.0.48.05)
avast! Free Antivirus (Version: 7.0.1466.0)
Avernum (Version: 1.0.0)
AVG 2011 (Version: 10.0.1204)
AVG 2011 (Version: 10.0.1435)
Baldur's Gate
Baldur's Gate Tutu
Baldur's Gate™ II - Throne of Bhaal ™
Bastion
Braid (Version 1.015)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Graphics Previews Common (Version: 2010.0825.2146.37182)
Catalyst Control Center Graphics Previews Vista (Version: 2010.0825.2146.37182)
Catalyst Control Center InstallProxy (Version: 2010.0825.2146.37182)
ccc-core-static (Version: 2010.0825.2146.37182)
ccc-utility64 (Version: 2010.0825.2146.37182)
CCC Help English (Version: 2010.0825.2145.37182)
CDBurnerXP (Version: 4.3.8.2568)
CDisplay 1.8
Character Builder (Version: 1.10.0000)
Cheetah DVD Burner
Combined Community Codec Pack 2010-10-10 (Version: 2010.10.10.0)
D3DX10 (Version: 15.4.2368.0902)
Deus Ex: Human Revolution - The Missing Link
Diablo II
Diablo III (Version: 1.0.3.10235)
doPDF 7.1 printer
Download Updater (AOL LLC)
Dragon Age: Origins (Version: 1.00)
DreamStripper Collection (Version: 1.00.0000)
Dungeon Defenders
Dungeon Keeper 2
Fallout: New Vegas
FINAL FANTASY XIV (Version: 1.0.0000)
FINAL FANTASY XIV Beta Version (Version: 0.9.1000)
Foxit Reader (Version: 4.1.1.805)
Frozen Synapse
Galactic Civilizations II: Ultimate Edition
Google Chrome (Version: 21.0.1180.83)
Google Talk (remove only)
Hero Editor V0.96
HijackThis 1.99.1 (Version: 1.99.1)
Icewind Dale II (Version: 1.00.000)
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 30 (Version: 6.0.300)
League of Legends (Version: 1.0020)
LIMBO
Magic Workstation 0.94f
Magic: The Gathering — Duels of the Planeswalkers 2012
Magicka
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Games for Windows - LIVE (Version: 3.4.54.0)
Microsoft Games for Windows - LIVE Redistributable (Version: 3.4.18.0)
Microsoft Games for Windows - LIVE Redistributable (Version: 3.5.88.0)
Microsoft Games for Windows Marketplace (Version: 3.5.50.0)
Microsoft Security Client (Version: 4.0.1526.0)
Microsoft Security Essentials (Version: 4.0.1526.0)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ Run Time Lib Setup (Version: 1.0.0)
Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)
Microsoft XNA Framework Redistributable 3.1 (Version: 3.1.10527.0)
Might & Magic Heroes VI (Version: 1.1)
Mozilla Firefox 14.0.1 (x86 en-US) (Version: 14.0.1)
Mozilla Maintenance Service (Version: 14.0.1)
MSVCRT (Version: 15.4.2862.0708)
MTG GamePack for Magic Workstation
Neverwinter Nights Platinum Edition
Nexus Mod Manager (Version: 0.18.9)
NVIDIA PhysX (Version: 9.10.0513)
OpenAL
OpenOffice.org 3.2 (Version: 3.2.9502)
Pando Media Booster (Version: 2.3.4.0)
PlugY, The Survival Kit (Version: 10.00)
PowerMenu 1.51 (Version: 1.51)
PRC Pack
Psychonauts
Revenge of the Titans HIB (remove only)
RPG MAKER VX Ace RTP (Version: 1.00)
Shadowgrounds 1.05b
Shadowgrounds Survivor 1.09
Sid Meier's Alpha Centauri 2000/XP Compatibility Update (Version: 1.03.0000)
Sid Meier's Civilization 4 - Beyond the Sword (Version: 3.19)
Sid Meier's Civilization 4 - Warlords (Version: 2.13)
Sid Meier's Civilization 4 (Version: 1.00.0000)
Sid Meier's Civilization 4 (Version: 1.74)
Sims 3 - Nude Censor Remover
Sims 3 - Nude Clothes Females
StarCraft II (Version: 1.4.3.21029)
Steam (Version: 1.0.0.0)
TGA Viewer
The Elder Scrolls V: Skyrim
The Lord of the Rings FREE Trial (Version: 1.00.0000)
The Sims™ 3 (Version: 1.0.631)
Ubisoft Game Launcher (Version: 1.0.0.0)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Ventrilo Client for Windows x64 (Version: 3.0.5.0)
Visual C++ 8.0 Runtime Setup Package (x64) (Version: 9.0.0.623)
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
Winamp (Version: 5.601 )
Winamp Detector Plug-in (Version: 1.0.0.1)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3555.0308)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3555.0308)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
WinRAR archiver
WordBiz version 1.8 (Version: 1.8)
World of Warcraft (Version: 4.3.4.15595)

**** End of log ****


Farbar Service Scanner Version: 06-08-2012
Ran by Nick (administrator) on 26-08-2012 at 02:10:22
Running from "C:\Users\Nick\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
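The thread reads the two logs above by hand. As an added example, not part of this thread and not code from Farbar's tools, the Python below parses constructed excerpts in the MiniToolBox and Farbar Service Scanner (FSS) formats, modelled on the logs just posted, and flags what a responder checks first: hosts-file entries beyond localhost, an IE proxy that is enabled, any "Disabled Policy" section that contains a registry value (the FSS log above shows exactly that for the firewall's StandardProfile), hosts reported unreachable under Connection Status, and File Check lines that do not report "MD5 is legit". The section and line formats come from the logs as posted; the one hosts entry and the one File Check line that trigger findings are invented and labelled as constructed in the code.

```python
"""Review MiniToolBox and Farbar Service Scanner (FSS) logs for the findings a
malware responder checks first. Added example; the sample logs below are
constructed in the two tools' formats, modelled on the logs in this thread."""
import re
from dataclasses import dataclass

# Constructed MiniToolBox excerpt. The second hosts line is invented so the
# hosts check has something to report; a redirect like it is what a hijacked
# hosts file looks like.
MTB_SAMPLE = r"""
MiniToolBox by Farbar Version: 23-07-2012
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= Hosts content: =================================

127.0.0.1 localhost
127.0.0.1 update.example-vendor.test

=========================== Installed Programs ============================

HijackThis 1.99.1 (Version: 1.99.1)

**** End of log ****
"""

# Constructed FSS excerpt. The firewall policy lines mirror the log posted
# above; the last File Check line is invented so the hash check fires.
FSS_SAMPLE = r"""
Farbar Service Scanner Version: 06-08-2012
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

File Check:
========
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\drivers\afd.sys => hash not verified (constructed line for this example)

**** End of log ****
"""


@dataclass(frozen=True)
class Finding:
    tool: str
    section: str
    detail: str


def parse_minitoolbox(text):
    """Split MiniToolBox output into {section: [lines]}.
    Headers look like '===== Hosts content: ====='."""
    sections, current = {}, None
    for raw in text.splitlines():
        m = re.fullmatch(r"=+\s*([^=]+?):?\s*=+", raw.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.rstrip())
    return sections


def parse_fss(text):
    """Split FSS output into {section: [lines]}. A header is a line ending in
    ':' whose next line is a run of '=' characters."""
    lines = text.splitlines()
    sections, current, i = {}, None, 0
    while i < len(lines):
        line = lines[i].rstrip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.endswith(":") and re.fullmatch(r"=+", nxt):
            current = line[:-1]
            sections[current] = []
            i += 2
            continue
        if current is not None:
            sections[current].append(line)
        i += 1
    return sections


LOOPBACK_ONLY = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def review(mtb_text, fss_text):
    """Return the findings a responder would look at, in log order."""
    findings = []
    mtb = parse_minitoolbox(mtb_text)
    # Hosts file: anything beyond the loopback entries deserves a look.
    for line in mtb.get("Hosts content", []):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split()
        if len(parts) < 2 or (parts[0], parts[1].lower()) not in LOOPBACK_ONLY:
            findings.append(Finding("MiniToolBox", "Hosts content", s))
    # IE proxy: malware-set proxies route browsing through the attacker's host.
    proxy = [l.strip() for l in mtb.get("IE Proxy Settings", []) if l.strip()]
    if proxy and "Proxy is not enabled." not in proxy:
        findings.append(Finding("MiniToolBox", "IE Proxy Settings", "; ".join(proxy)))
    fss = parse_fss(fss_text)
    # A '... Disabled Policy' section with content means a policy key exists
    # that turns a protection off (firewall, System Restore, updates).
    for name, body in fss.items():
        content = [l.strip() for l in body if l.strip()]
        if name.endswith("Disabled Policy") and content:
            findings.append(Finding("FSS", name, " ".join(content)))
    for line in fss.get("Connection Status", []):
        s = line.strip()
        if s and not (s.endswith("is accessible.") or s == "LAN connected."):
            findings.append(Finding("FSS", "Connection Status", s))
    # File Check: only lines reporting 'MD5 is legit' are clean.
    for line in fss.get("File Check", []):
        s = line.strip()
        if s and "=>" in s and not s.endswith("MD5 is legit"):
            findings.append(Finding("FSS", "File Check", s))
    return findings


if __name__ == "__main__":
    for f in review(MTB_SAMPLE, FSS_SAMPLE):
        print(f"[{f.tool}] {f.section}: {f.detail}")
```

On the constructed samples this reports three findings: the extra hosts entry, the firewall policy key with EnableFirewall=0, and the unverified File Check line. A finding is a prompt to look, not a verdict: the StandardProfile policy in the real log above may have been set by the infection or by an administrator, which is why the script prints the key path rather than deciding.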

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 August 2012 - 07:43 AM

Your Java is out of date. Go to Start > Control Panel > Programs and Features, scroll down to the Java installation and Remove it; then download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp

NEXT


P2P - I see you have P2P software utorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.

I would strongly recommend that you uninstall this now. You can do so via Control Panel >> Programs and Features.


NEXT


Try running this Temp File Cleaner, then run a defrag and see if that helps with the responsiveness.


Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.



First open an elevated Command Prompt
  • Go to Start > All Programs > Accessories
  • Right click on the Command Prompt and choose "Run as administrator"
  • Type the following to see how much your hard drive is fragmented (in this example, your C:\ drive):
  • defrag c: -a (be patient, this can take a while)
  • The resulting analysis will tell you a "Percent file fragmentation" and, at the bottom, whether you need to defragment the drive or not.
  • To fully defragment your C:\ drive type the following:
  • defrag c: -w
  • Give it time to run (it can take a while, best to leave the computer alone) and then you're done!



Let me know if there is any change



#9 UltraFred

  • Topic Starter
  • Members
  • 5 posts

Posted 26 August 2012 - 10:14 AM

Everything seems good. Thanks very much for all your help. ^_^

#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 August 2012 - 10:31 AM

We just have some housekeeping to do now,

Please do the following:


You can delete all the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

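The ActiveX hardening steps in the post above are made through the Inetcpl.cpl dialog. As an added example, not from the thread, the Python below checks the same three Internet-zone settings from a .reg export of the zone key (what Regedit's Export or `reg export` writes), so the result of those clicks can be verified afterwards or compared across several machines without opening the dialog on each. The value names 1001, 1004 and 1201 and the 0/1/3 encoding of Enable/Prompt/Disable are Internet Explorer's documented zone registry settings and are not stated on the page; the two exports in the code are constructed samples, one loosened and one matching the post's recommendation.

```python
"""Audit the Internet Explorer Internet-zone ActiveX settings from a .reg
export. Added example; the value IDs are IE's documented zone settings and
the exports below are constructed samples, not data from the thread."""
import re

INTERNET_ZONE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3          # DWORD values IE uses for a zone action
ACTION = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The three settings the post changes, with the action it recommends.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe for scripting", DISABLE),
}

# Constructed export of a loosened zone: signed downloads and unsafe
# scripting both set to Enable.
WEAK_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000001
"1201"=dword:00000000
"""

# Constructed export after following the post's steps.
HARDENED_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000001
"1201"=dword:00000003
"""


def parse_reg_export(text):
    """Return {key path: {value name: int}} for the dword values in a .reg export;
    string values and other types are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_internet_zone(export_text):
    """Return (value id, description, current action, recommended action) for
    every setting weaker than recommended. Enable (0) < Prompt (1) < Disable (3)
    in strictness, so a numeric comparison orders them correctly. A value that
    is absent from the export is reported as 'not in export' because IE then
    applies its built-in default, which this check does not assume."""
    zone = parse_reg_export(export_text).get(INTERNET_ZONE, {})
    weak = []
    for name, (desc, want) in RECOMMENDED.items():
        have = zone.get(name)
        if have is None or have < want:
            weak.append((name, desc, ACTION.get(have, "not in export"), ACTION[want]))
    return weak


if __name__ == "__main__":
    for name, desc, have, want in audit_internet_zone(WEAK_EXPORT):
        print(f"{name} {desc}: is {have}, recommended {want}")
    print("hardened export findings:", audit_internet_zone(HARDENED_EXPORT))
```

Only the Internet zone (key 3) is audited because that is the zone the post hardens; the same RECOMMENDED table can be checked against another zone by changing the trailing key number.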


#11 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 01 September 2012 - 01:35 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
