
Infected with Luhe.Sirefef.A and windows firewall fails to turn on


  • This topic is locked
14 replies to this topic

#1 Lostinthesauce13


Posted 24 August 2012 - 02:43 PM

(Edited for conciseness)
Somewhat fast Lenovo running 32-bit Windows
+
Up to date AVG left running with FIREWALL OFF
===> Chronic slowness + CANNOT ENABLE Firewall

AVG reported the following after a recent scan:

"";"C:\Windows\System32\services.exe";"Trojan horse Patched_c.LYU";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\Windows\System32\config\systemprofile\AppData\Local\{e994c2e2-ee91-ee92-3c1f-5df956e2a886}\n";"Trojan horse Generic28.CBZO";"Moved to Virus Vault"
"";"C:\Windows\Installer\{e994c2e2-ee91-ee92-3c1f-5df956e2a886}\n";"Trojan horse Generic28.CBZO";"Moved to Virus Vault"
"";"C:\Program Files\Mozilla Firefox\firefox.exe (12056):\memory_012e0000";"Found Luhe.Sirefef.A";"Object is inaccessible."
"";"C:\Program Files\Mozilla Firefox\firefox.exe (12056)";"Found Luhe.Sirefef.A";""

Attempted to access Windows FIREWALL with the following error message:

Windows Firewall can't change some of your settings.
Error code: 0x80070424


DDS log
-------
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.6.2
Run by amai at 9:07:56 on 2012-08-24
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2009.866 [GMT -10:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Program Files\AVG\AVG2012\avgscanx.exe
C:\Windows\system32\conhost.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
TCP: Interfaces\{DF8F430F-A055-4D00-9EB7-021BDCB51480} : DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
TCP: Interfaces\{DF8F430F-A055-4D00-9EB7-021BDCB51480}\E4544574541425 : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\amai\appdata\roaming\mozilla\firefox\profiles\w2xxkp9u.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.swagbucks.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=63395&p=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-7-15 242240]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-23 250056]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-14 113120]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-4-26 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-4-25 1343400]
.
=============== Created Last 30 ================
.
2012-08-24 17:58:02 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-24 17:06:03 -------- d-----w- c:\windows\pss
2012-08-24 16:32:06 -------- d-----w- c:\windows\system32\appmgmt
2012-08-24 15:18:09 -------- d-----w- C:\sh4ldr
2012-08-24 15:18:08 -------- d-----w- c:\program files\Enigma Software Group
2012-08-24 15:15:55 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-08-24 15:15:50 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-08-24 13:29:40 -------- d--h--w- C:\$AVG
2012-08-24 13:20:04 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-24 13:19:20 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-24 12:42:01 -------- d-----w- c:\users\amai\appdata\roaming\AVG
2012-08-24 12:31:30 -------- d-----w- c:\users\amai\appdata\roaming\AVG2012
2012-08-24 12:25:48 -------- d-----w- c:\windows\system32\drivers\AVG
2012-08-24 12:25:48 -------- d-----w- c:\programdata\AVG2012
2012-08-24 12:24:12 -------- d-----w- c:\program files\AVG
2012-08-24 12:18:03 -------- d-----w- c:\programdata\MFAData
2012-08-16 23:08:41 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-15 07:14:15 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{250ccf3b-fe02-4984-aced-72243d9783bd}\mpengine.dll
2012-08-14 08:21:53 -------- d-----w- c:\users\amai\appdata\local\Opera
2012-08-13 22:13:55 184320 ----a-w- c:\programdata\microsoft\windows\drm\F1CD.tmp
2012-08-09 08:41:24 -------- d-----w- c:\users\amai\G3
.
==================== Find3M ====================
.
2012-08-24 18:02:52 259072 ----a-w- c:\windows\system32\services.exe
2012-08-24 13:16:52 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-15 01:26:10 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-15 01:26:10 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-16 04:38:40 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-06-12 02:40:48 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-03 01:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-03 01:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-31 22:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 9:08:48.73 ===============

GMER log
--------

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-24 09:40:34
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545050B9A300 rev.PB4OC64G
Running: u79ktn6m.exe; Driver: C:\Users\amai\AppData\Local\Temp\kxldrpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x96963F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x96963FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x96964080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9696411C]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A853C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ABED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 82AC6054 4 Bytes [3C, 3F, 96, 96] {CMP AL, 0x3f; XCHG ESI, EAX; XCHG ESI, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 166F 82AC6324 8 Bytes [E4, 3F, 96, 96, 80, 40, 96, ...] {IN AL, 0x3f; XCHG ESI, EAX; XCHG ESI, EAX; ADD BYTE [EAX-0x6a], 0x96}
.text ntkrnlpa.exe!KeRemoveQueueEx + 16E3 82AC6398 4 Bytes [1C, 41, 96, 96] {SBB AL, 0x41; XCHG ESI, EAX; XCHG ESI, EAX}
? system32\drivers\93139046.sys The system cannot find the path specified. !
.text ataport.SYS!AtaPortInitialize + 3A3C 88409F1A 5 Bytes JMP A91D69E8 \??\C:\Users\amai\AppData\Local\Temp\aswMBR.sys
? C:\Users\amai\AppData\Local\Temp\aswMBR.sys The system cannot find the file specified. !
? C:\Users\amai\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3156] USER32.dll!RegisterMessagePumpHook + 2F1 764F8B9E 7 Bytes JMP 6914C453 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3156] USER32.dll!IsDialogMessageW + 340 76504444 7 Bytes JMP 6914C3E2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3156] USER32.dll!GetWindowInfo 76504B5E 5 Bytes JMP 68F0BACC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3156] USER32.dll!ToUnicodeEx + 71 76512223 7 Bytes JMP 68F0C0F9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtCreateFile + 6 76F155CE 4 Bytes [28, 00, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtCreateFile + B 76F155D3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtCreateKey + 6 76F1560E 4 Bytes [68, 01, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtCreateKey + B 76F15613 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtCreateMutant + 6 76F1564E 4 Bytes [68, 02, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtCreateMutant + B 76F15653 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtCreateSection + 6 76F156EE 4 Bytes [A8, 02, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtCreateSection + B 76F156F3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtMapViewOfSection + 6 76F15C2E 4 Bytes CALL 75F16337 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtMapViewOfSection + B 76F15C33 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenFile + 6 76F15CDE 4 Bytes [68, 00, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenFile + B 76F15CE3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenKey + 6 76F15D0E 4 Bytes [A8, 01, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenKey + B 76F15D13 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenKeyEx + 6 76F15D1E 4 Bytes CALL 75F16424 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenKeyEx + B 76F15D23 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenMutant + 6 76F15D5E 4 Bytes [28, 02, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenMutant + B 76F15D63 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenProcess + 6 76F15D8E 1 Byte [68]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenProcess + 6 76F15D8E 4 Bytes [68, 03, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenProcess + B 76F15D93 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenProcessToken + 6 76F15D9E 1 Byte [A8]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenProcessToken + 6 76F15D9E 4 Bytes [A8, 03, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenProcessToken + B 76F15DA3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenProcessTokenEx + 6 76F15DAE 4 Bytes [68, 04, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenProcessTokenEx + B 76F15DB3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenSection + 6 76F15DCE 4 Bytes CALL 75F164D5 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenSection + B 76F15DD3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenThread + 6 76F15E0E 1 Byte [28]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenThread + 6 76F15E0E 4 Bytes [28, 03, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenThread + B 76F15E13 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenThreadToken + 6 76F15E1E 4 Bytes [28, 04, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenThreadToken + B 76F15E23 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenThreadTokenEx + 6 76F15E2E 4 Bytes [A8, 04, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtOpenThreadTokenEx + B 76F15E33 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtQueryAttributesFile + 6 76F15F3E 4 Bytes [A8, 00, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtQueryAttributesFile + B 76F15F43 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtQueryFullAttributesFile + 6 76F15FEE 4 Bytes CALL 75F166F3 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtQueryFullAttributesFile + B 76F15FF3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtSetInformationFile + 6 76F1663E 4 Bytes [28, 01, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtSetInformationFile + B 76F16643 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtSetInformationThread + 6 76F1669E 1 Byte [E8]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtSetInformationThread + 6 76F1669E 4 Bytes CALL 75F16DA6 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtSetInformationThread + B 76F166A3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtUnmapViewOfSection + 6 76F169BE 4 Bytes [28, 05, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ntdll.dll!NtUnmapViewOfSection + B 76F169C3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] kernel32.dll!CreateProcessW 74B0204D 5 Bytes JMP 00010030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] kernel32.dll!CreateProcessA 74B02082 5 Bytes JMP 00010070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!DeleteObject 76455F14 5 Bytes JMP 000A01B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!SelectObject 76456640 5 Bytes JMP 000A05F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!SetTextColor 76456906 5 Bytes JMP 000A09F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!SetBkMode 764569B1 5 Bytes JMP 000A08B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!DeleteDC 76456EAA 5 Bytes JMP 000A0170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!GetDeviceCaps 76456F7F 5 Bytes JMP 000A03B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!ExtSelectClipRgn 76457114 5 Bytes JMP 000A02F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!SelectClipRgn 76457242 5 Bytes JMP 000A05B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!SetStretchBltMode 76457705 5 Bytes JMP 000A0670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!GetCurrentObject 76457917 5 Bytes JMP 000A0370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!GetTextMetricsW 76457B8F 5 Bytes JMP 000A0DF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!GetTextAlign 76457DAF 5 Bytes JMP 000A0D30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!IntersectClipRect 76457DFE 5 Bytes JMP 000A03F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!ExtTextOutW 76458192 5 Bytes JMP 000A0930
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!SetTextAlign 7645828E 5 Bytes JMP 000A09B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!GetClipBox 76458525 5 Bytes JMP 000A0330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!MoveToEx 76458C21 5 Bytes JMP 000A0470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!StretchDIBits 7645A53E 5 Bytes JMP 000A0730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!RestoreDC 7645A67B 5 Bytes JMP 000A0530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!SaveDC 7645A74B 5 Bytes JMP 000A0570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!GetTextExtentPoint32W 7645B4B5 5 Bytes JMP 000A0630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!GetTextFaceW 7645B73A 2 Bytes JMP 000A0CF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!GetTextFaceW + 3 7645B73D 2 Bytes [C4, 89]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!GetFontData 7645BCC4 5 Bytes JMP 000A0C30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!SetWorldTransform 7645C90A 5 Bytes JMP 000A06B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!CreateDCA 7645CCA9 5 Bytes JMP 000A00B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!CreateDCW 7645CF79 5 Bytes JMP 000A00F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!CreateICW 7645CFD0 5 Bytes JMP 000A0130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!GetTextMetricsA 7645D0F2 5 Bytes JMP 000A0DB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!Rectangle 7645F1FF 5 Bytes JMP 000A0970
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!LineTo 7645F59B 5 Bytes JMP 000A0430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!SetICMMode 7645FAA4 5 Bytes JMP 000A0D70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!ExtTextOutA 764603F9 5 Bytes JMP 000A08F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!ExtEscape 76462949 5 Bytes JMP 000A02B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!Escape 76463939 5 Bytes JMP 000A0270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!GetTextFaceA 76463E6A 5 Bytes JMP 000A0CB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!SetPolyFillMode 7646D851 5 Bytes JMP 000A0AF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!SetMiterLimit 7646DA0D 5 Bytes JMP 000A0B30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!EndPage 764700D7 5 Bytes JMP 000A0230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!ResetDCW 7647050D 5 Bytes JMP 000A0A70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!GetGlyphOutlineW 7647C1BA 5 Bytes JMP 000A0C70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!CreateScalableFontResourceW 7647E817 5 Bytes JMP 000A0B70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!AddFontResourceW 7647EC13 5 Bytes JMP 000A0BB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!RemoveFontResourceW 7647F109 5 Bytes JMP 000A0BF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!AbortDoc 76484C63 5 Bytes JMP 000A0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!EndDoc 764850AA 5 Bytes JMP 000A01F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!StartPage 76485195 5 Bytes JMP 000A06F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!StartDocW 76485BB0 5 Bytes JMP 000A07B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!BeginPath 7648635D 5 Bytes JMP 000A07F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!SelectClipPath 764863B4 5 Bytes JMP 000A0AB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!CloseFigure 7648640F 5 Bytes JMP 000A0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!EndPath 76486466 5 Bytes JMP 000A0A30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!StrokePath 76486699 5 Bytes JMP 000A0770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!FillPath 76486726 5 Bytes JMP 000A0830
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!PolylineTo 76486B94 5 Bytes JMP 000A04F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!PolyBezierTo 76486C25 5 Bytes JMP 000A04B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] GDI32.dll!PolyDraw 76486CD7 5 Bytes JMP 000A0870
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!ActivateKeyboardLayout 764F8203 5 Bytes JMP 000B04F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!ScreenToClient 764FA506 7 Bytes JMP 000B0670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!RegisterClipboardFormatA 764FC091 5 Bytes JMP 000B02F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!RegisterClipboardFormatW 764FDF8D 5 Bytes JMP 000B02B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!SetCursor 76503075 5 Bytes JMP 000B0530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!MonitorFromWindow 76503622 7 Bytes JMP 000B0630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!PostMessageW 7650447B 5 Bytes JMP 000B05F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!IsWindowVisible 76504D69 7 Bytes JMP 000B06B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!GetClientRect 765054DD 7 Bytes JMP 000B05B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!MapWindowPoints 76505CAA 5 Bytes JMP 000B0570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!GetParent 76506029 7 Bytes JMP 000B06F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!EmptyClipboard 7651290C 5 Bytes JMP 000B0130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!SetClipboardData 76512962 5 Bytes JMP 000B0170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!GetClipboardData 76512BA7 5 Bytes JMP 000B0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!GetClipboardFormatNameW 76515FD2 5 Bytes JMP 000B0230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!SetClipboardViewer 76516FF6 5 Bytes JMP 000B04B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!GetClipboardFormatNameA 7651700A 5 Bytes JMP 000B0270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!ChangeClipboardChain 7652147C 5 Bytes JMP 000B0430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!GetTopWindow 765224D9 7 Bytes JMP 000B0730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!CloseClipboard 7652446C 5 Bytes JMP 000B00B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!OpenClipboard 7652447E 5 Bytes JMP 000B0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!IsClipboardFormatAvailable 765244FF 5 Bytes JMP 000B00F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!GetClipboardSequenceNumber 76524513 5 Bytes JMP 000B0330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!GetClipboardOwner 76524525 5 Bytes JMP 000B0370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!CountClipboardFormats 7652470A 5 Bytes JMP 000B01F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!EnumClipboardFormats 765247EC 5 Bytes JMP 000B01B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!GetOpenClipboardWindow 7652480B 5 Bytes JMP 000B03F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!SetCursorPos 7653C1B0 5 Bytes JMP 000B0770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!GetClipboardViewer 76554AF7 5 Bytes JMP 000B0470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] USER32.dll!GetPriorityClipboardFormat 76554BF9 5 Bytes JMP 000B03B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ole32.dll!OleSetClipboard 76260045 5 Bytes JMP 000C0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ole32.dll!OleIsCurrentClipboard 762636B2 5 Bytes JMP 000C0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe[3300] ole32.dll!OleGetClipboard 7628FDCD 5 Bytes JMP 000C00B0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] ntdll.dll!LdrGetProcedureAddress + 26 76F32239 7 Bytes JMP 68D8B52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 74B493D6 7 Bytes JMP 6903B6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] kernel32.dll!QueryPerformanceCounter + 13 74B4C435 7 Bytes JMP 6903B6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] GDI32.dll!GetViewportOrgEx + 26C 7645884B 7 Bytes JMP 6903B653 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\43355759 \Device\KLMD13082012_208040_B 93139046.sys

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


Any help is greatly appreciated.



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:33 PM

Posted 24 August 2012 - 04:33 PM

Please do the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply (FRST.txt and Search.txt)

Edited by hamluis, 24 August 2012 - 06:10 PM.
Moved from Am I infected to Malware Removal Logs - Hamluis.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Lostinthesauce13

Lostinthesauce13
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:33 AM

Posted 24 August 2012 - 05:12 PM

Thanks for all your help.

FRST:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 23-08-2012 02
Ran by SYSTEM at 24-08-2012 12:03:53
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" [2416480 2012-01-24] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\amai\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [4777856 2012-07-09] (SUPERAntiSpyware.com)
Tcpip\Parameters: [DhcpNameServer] 24.25.227.55 209.18.47.61 24.25.227.53

================================ Services (Whitelisted) ==================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [116608 2011-08-11] (SUPERAntiSpyware.com)
2 AVGIDSAgent; "C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe" [4433248 2011-10-12] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files\AVG\AVG2012\avgwdsvc.exe" [192776 2011-08-02] (AVG Technologies CZ, s.r.o.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [134736 2011-07-11] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [23120 2011-07-11] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [24272 2011-07-11] (AVG Technologies CZ, s.r.o. )
3 AVGIDSShim; C:\Windows\System32\DRIVERS\AVGIDSShim.Sys [16720 2011-10-04] (AVG Technologies CZ, s.r.o. )
1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [230608 2011-10-07] (AVG Technologies CZ, s.r.o.)
1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [40016 2011-08-08] (AVG Technologies CZ, s.r.o.)
0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-09-13] (AVG Technologies CZ, s.r.o.)
1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [295248 2011-07-11] (AVG Technologies CZ, s.r.o.)
1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [242240 2012-07-15] (DT Soft Ltd)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-24 12:48 - 2012-08-24 12:48 - 00302592 ____A C:\Users\amai\Downloads\lydkp622.exe
2012-08-24 12:03 - 2012-08-24 12:03 - 00000000 ____D C:\FRST
2012-08-24 11:54 - 2012-08-24 11:54 - 00002205 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-08-24 11:52 - 2012-08-24 13:09 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-24 11:52 - 2012-08-24 12:09 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-24 11:52 - 2012-08-24 11:54 - 00000000 ____D C:\Program Files\Google
2012-08-24 11:52 - 2012-08-24 11:52 - 00000000 ____D C:\Users\amai\AppData\Roaming\SUPERAntiSpyware.com
2012-08-24 11:51 - 2012-08-24 11:52 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-08-24 11:51 - 2012-08-24 11:51 - 19377792 ____A (SUPERAntiSpyware.com) C:\Users\amai\Downloads\SUPERAntiSpyware.exe
2012-08-24 11:51 - 2012-08-24 11:51 - 00001965 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-08-24 11:51 - 2012-08-24 11:51 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-08-24 11:49 - 2012-08-24 11:52 - 00002588 ____A C:\Users\amai\Desktop\Rkill.txt
2012-08-24 11:49 - 2012-08-24 11:49 - 01614752 ____A (Bleeping Computer, LLC) C:\Users\amai\Downloads\rkill.exe
2012-08-24 11:41 - 2012-08-24 11:41 - 00050477 ____A C:\Users\amai\Downloads\Defogger.exe
2012-08-24 11:41 - 2012-08-24 11:41 - 00000156 ____A C:\Users\amai\defogger_reenable
2012-08-24 11:40 - 2012-08-24 11:40 - 00030473 ____A C:\Users\amai\Desktop\ark.txt
2012-08-24 11:11 - 2012-08-24 11:11 - 00302592 ____A C:\Users\amai\Downloads\u79ktn6m.exe
2012-08-24 11:09 - 2012-08-24 12:46 - 00011532 ____A C:\Users\amai\Desktop\DDS.txt
2012-08-24 11:09 - 2012-08-24 11:09 - 00012480 ____A C:\Users\amai\Desktop\Attach.txt
2012-08-24 10:44 - 2012-08-24 10:45 - 00607260 ____R (Swearware) C:\Users\amai\Downloads\dds.com
2012-08-24 10:41 - 2012-08-24 10:41 - 00063042 ____A C:\Users\amai\Desktop\tdsskiller.txt
2012-08-24 10:38 - 2012-08-24 11:07 - 00008641 ____A C:\Users\amai\Desktop\aswMBR.txt
2012-08-24 10:38 - 2012-08-24 11:07 - 00000512 ____A C:\Users\amai\Desktop\MBR.dat
2012-08-24 10:06 - 2012-08-24 10:06 - 02322184 ____A (ESET) C:\Users\amai\Downloads\esetsmartinstaller_enu.exe
2012-08-24 09:59 - 2012-08-24 09:59 - 04731392 ____A (AVAST Software) C:\Users\amai\Downloads\aswMBR.exe
2012-08-24 09:58 - 2012-08-24 10:40 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-08-24 09:56 - 2012-08-24 09:56 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\amai\Downloads\tdsskiller.exe
2012-08-24 09:06 - 2012-08-24 09:06 - 00000000 ____D C:\Windows\pss
2012-08-24 08:32 - 2012-08-24 08:32 - 00000000 ____D C:\Windows\System32\appmgmt
2012-08-24 07:18 - 2012-08-24 09:14 - 00000000 ____D C:\sh4ldr
2012-08-24 07:18 - 2012-08-24 07:18 - 00000000 ____D C:\Program Files\Enigma Software Group
2012-08-24 07:15 - 2012-08-24 09:13 - 00000000 ____D C:\Windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-08-24 07:15 - 2012-08-24 07:15 - 00000000 ____D C:\Program Files\Common Files\Wise Installation Wizard
2012-08-24 05:29 - 2012-08-24 05:29 - 00000000 ___HD C:\$AVG
2012-08-24 05:21 - 2012-08-24 05:21 - 00000000 ____D C:\Program Files\Common Files\Java
2012-08-24 05:20 - 2012-08-24 05:16 - 00821736 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-08-24 05:20 - 2012-08-24 05:16 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-08-24 05:19 - 2012-08-24 05:16 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-08-24 05:19 - 2012-08-24 05:16 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-08-24 05:19 - 2012-08-24 05:16 - 00093672 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2012-08-24 05:14 - 2012-08-24 05:14 - 00000000 ____D C:\Users\All Users\McAfee
2012-08-24 05:12 - 2012-08-24 05:14 - 00894952 ____A (Oracle Corporation) C:\Users\amai\Downloads\jxpiinstall.exe
2012-08-24 04:42 - 2012-08-24 04:44 - 00000000 ____D C:\Users\amai\AppData\Roaming\AVG
2012-08-24 04:40 - 2012-08-24 04:40 - 00001104 ____A C:\Users\amai\Desktop\AVG PC Tuneup 2011.lnk
2012-08-24 04:31 - 2012-08-24 04:31 - 00000000 ____D C:\Users\amai\AppData\Roaming\AVG2012
2012-08-24 04:28 - 2012-08-24 04:28 - 00000935 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-08-24 04:25 - 2012-08-24 06:55 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2012-08-24 04:25 - 2012-08-24 04:43 - 00000000 ____D C:\Users\All Users\AVG2012
2012-08-24 04:24 - 2012-08-24 04:40 - 00000000 ____D C:\Program Files\AVG
2012-08-24 04:18 - 2012-08-24 11:12 - 00000000 ____D C:\Users\All Users\MFAData
2012-08-16 15:08 - 2012-08-16 15:08 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-08-14 12:14 - 2012-08-14 12:14 - 00145184 ____A C:\Windows\Minidump\081412-20248-01.dmp
2012-08-14 03:18 - 2012-08-14 03:18 - 00145192 ____A C:\Windows\Minidump\081412-33275-01.dmp
2012-08-14 00:21 - 2012-08-14 03:23 - 00000000 ____D C:\Users\amai\AppData\Roaming\Opera
2012-08-14 00:21 - 2012-08-14 03:23 - 00000000 ____D C:\Program Files\Opera
2012-08-14 00:21 - 2012-08-14 00:21 - 00000000 ____D C:\Users\amai\AppData\Local\Opera
2012-08-13 00:12 - 2012-08-13 00:12 - 00145184 ____A C:\Windows\Minidump\081212-18704-01.dmp
2012-08-11 17:48 - 2012-08-11 17:48 - 00000000 ____D C:\Windows\Sun
2012-08-10 03:40 - 2012-08-10 03:40 - 00000000 ____D C:\Users\amai\AppData\Roaming\WinRAR
2012-08-10 03:39 - 2012-08-10 03:39 - 01234120 ____A C:\Users\amai\Downloads\wrar380.exe
2012-08-10 03:39 - 2012-08-10 03:39 - 00000000 ____D C:\Program Files\WinRAR
2012-08-09 00:41 - 2012-08-09 00:41 - 00000243 ____A C:\Users\amai\dsj.xml
2012-08-09 00:41 - 2012-08-09 00:41 - 00000000 ____N C:\Users\amai\G3sessionisrunning
2012-08-09 00:41 - 2012-08-09 00:41 - 00000000 ____D C:\Users\amai\G3
2012-08-06 00:15 - 2012-08-10 03:52 - 00000000 ____D C:\Users\amai\Desktop\New folder

============ 3 Months Modified Files ========================

2012-08-24 13:46 - 2012-04-24 00:51 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-24 13:09 - 2012-08-24 11:52 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-24 12:48 - 2012-08-24 12:48 - 00302592 ____A C:\Users\amai\Downloads\lydkp622.exe
2012-08-24 12:46 - 2012-08-24 11:09 - 00011532 ____A C:\Users\amai\Desktop\DDS.txt
2012-08-24 12:09 - 2012-08-24 11:52 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-24 11:54 - 2012-08-24 11:54 - 00002205 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-08-24 11:52 - 2012-08-24 11:49 - 00002588 ____A C:\Users\amai\Desktop\Rkill.txt
2012-08-24 11:51 - 2012-08-24 11:51 - 19377792 ____A (SUPERAntiSpyware.com) C:\Users\amai\Downloads\SUPERAntiSpyware.exe
2012-08-24 11:51 - 2012-08-24 11:51 - 00001965 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-08-24 11:49 - 2012-08-24 11:49 - 01614752 ____A (Bleeping Computer, LLC) C:\Users\amai\Downloads\rkill.exe
2012-08-24 11:41 - 2012-08-24 11:41 - 00050477 ____A C:\Users\amai\Downloads\Defogger.exe
2012-08-24 11:41 - 2012-08-24 11:41 - 00000156 ____A C:\Users\amai\defogger_reenable
2012-08-24 11:40 - 2012-08-24 11:40 - 00030473 ____A C:\Users\amai\Desktop\ark.txt
2012-08-24 11:11 - 2012-08-24 11:11 - 00302592 ____A C:\Users\amai\Downloads\u79ktn6m.exe
2012-08-24 11:09 - 2012-08-24 11:09 - 00012480 ____A C:\Users\amai\Desktop\Attach.txt
2012-08-24 11:07 - 2012-08-24 10:38 - 00008641 ____A C:\Users\amai\Desktop\aswMBR.txt
2012-08-24 11:07 - 2012-08-24 10:38 - 00000512 ____A C:\Users\amai\Desktop\MBR.dat
2012-08-24 10:45 - 2012-08-24 10:44 - 00607260 ____R (Swearware) C:\Users\amai\Downloads\dds.com
2012-08-24 10:41 - 2012-08-24 10:41 - 00063042 ____A C:\Users\amai\Desktop\tdsskiller.txt
2012-08-24 10:10 - 2009-07-13 20:34 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-24 10:10 - 2009-07-13 20:34 - 00013456 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-24 10:06 - 2012-08-24 10:06 - 02322184 ____A (ESET) C:\Users\amai\Downloads\esetsmartinstaller_enu.exe
2012-08-24 10:03 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-24 10:03 - 2009-07-13 20:39 - 00022700 ____A C:\Windows\setupact.log
2012-08-24 10:02 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-24 09:59 - 2012-08-24 09:59 - 04731392 ____A (AVAST Software) C:\Users\amai\Downloads\aswMBR.exe
2012-08-24 09:56 - 2012-08-24 09:56 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\amai\Downloads\tdsskiller.exe
2012-08-24 09:08 - 2012-04-30 21:08 - 00008606 ____A C:\Windows\PFRO.log
2012-08-24 08:22 - 2012-01-03 19:04 - 01128914 ____A C:\Windows\WindowsUpdate.log
2012-08-24 06:05 - 2009-07-13 20:53 - 00013392 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-24 05:16 - 2012-08-24 05:20 - 00821736 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-08-24 05:16 - 2012-08-24 05:20 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-08-24 05:16 - 2012-08-24 05:19 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-08-24 05:16 - 2012-08-24 05:19 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-08-24 05:16 - 2012-08-24 05:19 - 00093672 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2012-08-24 05:16 - 2012-04-28 05:01 - 00746984 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-08-24 05:14 - 2012-08-24 05:12 - 00894952 ____A (Oracle Corporation) C:\Users\amai\Downloads\jxpiinstall.exe
2012-08-24 04:40 - 2012-08-24 04:40 - 00001104 ____A C:\Users\amai\Desktop\AVG PC Tuneup 2011.lnk
2012-08-24 04:28 - 2012-08-24 04:28 - 00000935 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-08-14 17:26 - 2012-04-24 00:51 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-14 17:26 - 2012-01-03 21:21 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-14 12:14 - 2012-08-14 12:14 - 00145184 ____A C:\Windows\Minidump\081412-20248-01.dmp
2012-08-14 12:14 - 2012-05-05 00:18 - 150191102 ____A C:\Windows\MEMORY.DMP
2012-08-14 03:18 - 2012-08-14 03:18 - 00145192 ____A C:\Windows\Minidump\081412-33275-01.dmp
2012-08-13 14:31 - 2012-01-03 21:11 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-13 00:12 - 2012-08-13 00:12 - 00145184 ____A C:\Windows\Minidump\081212-18704-01.dmp
2012-08-10 03:39 - 2012-08-10 03:39 - 01234120 ____A C:\Users\amai\Downloads\wrar380.exe
2012-08-09 00:41 - 2012-08-09 00:41 - 00000243 ____A C:\Users\amai\dsj.xml
2012-08-09 00:41 - 2012-08-09 00:41 - 00000000 ____N C:\Users\amai\G3sessionisrunning
2012-07-15 20:39 - 2012-07-15 20:39 - 00001900 ____A C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
2012-07-15 20:38 - 2012-07-15 20:38 - 00242240 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys
2012-07-15 20:21 - 2012-07-15 20:21 - 00002281 ____A C:\Users\Public\Desktop\WinZip.lnk
2012-07-15 15:29 - 2012-07-15 04:01 - 1472607585 ____A C:\Users\amai\Downloads\Insanity Workout.rar
2012-07-15 03:40 - 2012-07-15 03:40 - 00000937 ____A C:\Users\Public\Desktop\BitTorrent.lnk
2012-07-15 03:38 - 2012-07-15 03:38 - 01091480 ____A (BitTorrent, Inc.) C:\Users\amai\Downloads\BitTorrent9.exe
2012-07-15 03:36 - 2009-07-13 20:33 - 00266808 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-13 22:06 - 2012-04-30 00:35 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-12 13:05 - 2012-07-12 13:05 - 01552064 ____A (W3i, LLC) C:\Users\amai\Downloads\movie_player_1280.exe
2012-07-05 08:35 - 2012-07-05 08:34 - 00000595 ____A C:\Windows\wmsetup.log
2012-07-05 08:34 - 2012-07-05 08:34 - 25740256 ____A (Microsoft Corporation) C:\Users\amai\Downloads\wmp11-windowsxp-x86-enu.exe
2012-07-05 08:34 - 2012-07-05 08:33 - 01528184 ____A (Microsoft Corporation) C:\Users\amai\Downloads\GenuineCheck.exe
2012-06-22 15:36 - 2012-06-22 15:36 - 01506304 ____A C:\Windows\Minidump\062212-21996-01.dmp
2012-06-11 18:40 - 2012-07-13 22:06 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 20:41 - 2012-07-12 12:15 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-06 16:59 - 2012-06-06 16:29 - 1975730792 ____A C:\Users\amai\Downloads\Swiss Account Movie DL.mp4
2012-06-06 16:45 - 2012-06-06 16:27 - 1209842981 ____A C:\Users\amai\Downloads\LLGFullVersion_02.mp4
2012-06-05 21:05 - 2012-07-12 12:15 - 01390080 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:05 - 2012-07-12 12:15 - 01236992 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:03 - 2012-07-12 12:15 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-02 17:19 - 2012-06-23 04:50 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 17:12 - 2012-06-23 04:50 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 14:19 - 2012-06-23 04:50 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-23 04:50 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-23 04:50 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-23 04:50 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-23 04:50 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-23 04:50 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-23 04:50 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 01:07 - 2012-07-13 22:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-13 22:07 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-13 22:07 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-13 22:07 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-13 22:07 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-13 22:07 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-13 22:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-13 22:07 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-13 22:07 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-13 22:07 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-13 22:07 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-13 22:07 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-13 22:07 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-13 22:07 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 20:45 - 2012-07-12 12:15 - 00134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 20:45 - 2012-07-12 12:15 - 00067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 20:40 - 2012-07-12 12:15 - 00369336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 20:40 - 2012-07-12 12:15 - 00225280 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 20:39 - 2012-07-12 12:15 - 00219136 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-31 14:25 - 2012-01-03 21:24 - 00237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe


ZeroAccess:
C:\Windows\Installer\{e994c2e2-ee91-ee92-3c1f-5df956e2a886}
C:\Windows\Installer\{e994c2e2-ee91-ee92-3c1f-5df956e2a886}\L
C:\Windows\Installer\{e994c2e2-ee91-ee92-3c1f-5df956e2a886}\U
C:\Windows\Installer\{e994c2e2-ee91-ee92-3c1f-5df956e2a886}\L\00000004.@
C:\Windows\Installer\{e994c2e2-ee91-ee92-3c1f-5df956e2a886}\L\201d3dde

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 20%
Total physical RAM: 2008.56 MB
Available physical RAM: 1605.36 MB
Total Pagefile: 2008.56 MB
Available Pagefile: 1614.89 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.3 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:352.86 GB) NTFS
3 Drive f: (Expansion Drive) (Fixed) (Total:698.64 GB) (Free:405.72 GB) NTFS
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 698 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 465 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 698 GB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F Expansion D NTFS Partition 698 GB Healthy

==================================================================================

Last Boot: 2012-08-15 18:57

======================= End Of Log ==========================


Search:

Farbar Recovery Scan Tool Version: 23-08-2012 02
Ran by SYSTEM at 2012-08-24 12:05:14
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-08-24 10:02] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===
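
Added example (not part of the thread and not FRST's own code): the Search.txt block above is short enough to read by eye, but the check it supports, comparing a live system file's MD5 against the copy kept in the WinSxS component store, is worth scripting when a search returns many copies or many files. The script below parses FRST's search output in the form shown above (a path line followed by a created/modified/size/attributes/company/MD5 line), treats every \winsxs\ copy as the reference and flags any other copy whose hash matches none of them. SAMPLE_CLEAN is the posted output; SAMPLE_PATCHED is a constructed variant with a made-up MD5 on the System32 copy. One caveat when reading the posted log: both hashes agree, while the System32 copy's modified time is 2012-08-24 10:02, inside the window in which the file list shows TDSSKiller being downloaded (09:56) and its log written (10:41). A matching hash says the file on disk now equals the store copy, not that it was never patched.

```python
import re
from dataclasses import dataclass

# FRST "Search:" output copied from the log above (the two real entries).
SAMPLE_CLEAN = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-08-24 10:02] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===
"""

# Constructed: the same search, but the live System32 copy carries a different
# (made-up) MD5, which is what a still-patched services.exe would look like.
SAMPLE_PATCHED = SAMPLE_CLEAN.replace(
    "[2012-08-24 10:02] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6",
    "[2012-08-24 10:02] - 0259072 ____A (Microsoft Corporation) 0D1C2B3A4F5E6D7C8B9A0F1E2D3C4B5A",
)

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# "[created] - [modified] - size attrs (company) MD5"; the company part is optional.
DETAIL_RE = re.compile(
    r"^\[(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d)\] - "
    r"\[(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FrstEntry:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str

    @property
    def in_winsxs(self) -> bool:
        # Component-store copies under \winsxs\ are the reference the live file is judged against.
        return "\\winsxs\\" in self.path.lower()


def parse_frst_search(text: str) -> list:
    """Turn an FRST Search.txt block into FrstEntry records (path line + detail line)."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending = line          # remember the path; the next line holds its details
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            entries.append(FrstEntry(pending, m["created"], m["modified"], int(m["size"]),
                                     m["attrs"], m["company"] or "", m["md5"].upper()))
            pending = None
    return entries


def compare_with_winsxs(entries) -> list:
    """Return (path, verdict) for every non-store copy: MATCH, MISMATCH or NO_REFERENCE."""
    reference = {e.md5 for e in entries if e.in_winsxs}
    verdicts = []
    for e in entries:
        if e.in_winsxs:
            continue
        if not reference:
            verdict = "NO_REFERENCE"
        elif e.md5 in reference:
            verdict = "MATCH"
        else:
            verdict = "MISMATCH"
        verdicts.append((e.path, verdict))
    return verdicts


if __name__ == "__main__":
    for label, sample in (("posted log", SAMPLE_CLEAN), ("constructed patched", SAMPLE_PATCHED)):
        entries = parse_frst_search(sample)
        for path, verdict in compare_with_winsxs(entries):
            e = next(x for x in entries if x.path == path)
            print(f"{label}: {verdict:12} {path}  modified={e.modified} md5={e.md5}")
```

A MATCH against any store copy is accepted because WinSxS can legitimately hold more than one version of the same binary; NO_REFERENCE means the search turned up no component-store copy at all, in which case the comparison needs a hash from a known-good machine of the same build instead.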

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:33 PM

Posted 24 August 2012 - 06:08 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{e994c2e2-ee91-ee92-3c1f-5df956e2a886}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
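The fixlist above moves a single GUID-named folder out of C:\Windows\Installer from the recovery environment, because the running system will not release it while the infection is active. The following PowerShell triage script is an added example; it is not part of the original post and is not FRST or ComboFix code. It lists GUID-named folders under C:\Windows\Installer and, as an assumption about where similar droppers hide, under the system profile's AppData\Local, and describes each folder's contents, attributes and timestamps so an analyst can decide which paths belong in a fixlist. Genuine Windows Installer GUID folders exist too (they cache shortcut icons), so the output is for review, not automatic deletion. It is written for Windows PowerShell 2.0, which ships with Windows 7, and must be run elevated.

```powershell
# Added triage example (not from the forum post, not FRST): enumerate GUID-named
# folders in the location the fixlist above targeted, describe their contents,
# and flag items that do not look like Installer icon caches.
# Windows PowerShell 2.0 compatible; run from an elevated prompt.

$guidPattern = '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$'

$roots = @(
    "$env:SystemRoot\Installer",
    # Assumption: the system profile is another common drop location.
    "$env:SystemRoot\System32\config\systemprofile\AppData\Local"
)

function Get-GuidFolderReport {
    param([string[]]$Roots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # -Force is required: hidden/system folders are skipped without it.
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match $guidPattern } |
            ForEach-Object {
                $folder   = $_
                $children = @(Get-ChildItem -LiteralPath $folder.FullName -Force -Recurse -ErrorAction SilentlyContinue)

                # Legitimate Installer GUID folders normally hold .ico/.exe icon
                # caches at the top level; subfolders, extensionless files and
                # drivers/DLLs deserve a closer look.
                $suspicious = $children | Where-Object {
                    $_.PSIsContainer -or
                    $_.Extension -eq '' -or
                    (('.dll', '.sys') -contains $_.Extension.ToLower())
                }

                New-Object PSObject -Property @{
                    Path       = $folder.FullName
                    Attributes = $folder.Attributes.ToString()
                    CreatedUtc = $folder.CreationTimeUtc
                    ModifiedUtc = $folder.LastWriteTimeUtc
                    ItemCount  = $children.Count
                    Suspicious = (@($suspicious | ForEach-Object { $_.FullName }) -join '; ')
                }
            }
    }
}

Get-GuidFolderReport -Roots $roots |
    Sort-Object ModifiedUtc -Descending |
    Format-List Path, Attributes, CreatedUtc, ModifiedUtc, ItemCount, Suspicious
```

A folder that is hidden+system, was created around the time the symptoms started, and holds an extensionless file or a subfolder is the kind of entry that ends up between the start and end lines of a fixlist like the one above; a folder holding only icon files for an installed product is normal and should be left alone.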


#5 Lostinthesauce13
  • Topic Starter
  • Members
  • 8 posts

Posted 24 August 2012 - 08:04 PM

Thanks again for your help.

Here's the logs:

Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 23-08-2012 02
Ran by SYSTEM at 2012-08-24 14:31:08 Run:1
Running from F:\

==============================================

C:\Windows\Installer\{e994c2e2-ee91-ee92-3c1f-5df956e2a886} moved successfully.

==== End of Fixlog ====



Combofix:

ComboFix 12-08-24.02 - amai 08/24/2012 14:42:46.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2009.1270 [GMT -10:00]
Running from: c:\users\amai\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
F:\Autorun.inf
F:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-25 to 2012-08-25 )))))))))))))))))))))))))))))))
.
.
2012-08-25 00:48 . 2012-08-25 00:53 -------- d-----w- c:\users\amai\AppData\Local\temp
2012-08-25 00:48 . 2012-08-25 00:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-24 20:03 . 2012-08-24 20:03 -------- d-----w- C:\FRST
2012-08-24 19:52 . 2012-08-24 19:52 -------- d-----w- c:\users\amai\AppData\Roaming\SUPERAntiSpyware.com
2012-08-24 19:52 . 2012-08-24 19:54 -------- d-----w- c:\program files\Google
2012-08-24 19:51 . 2012-08-24 19:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-08-24 19:51 . 2012-08-24 19:51 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-08-24 17:58 . 2012-08-24 18:40 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-24 15:18 . 2012-08-24 17:14 -------- d-----w- C:\sh4ldr
2012-08-24 15:18 . 2012-08-24 15:18 -------- d-----w- c:\program files\Enigma Software Group
2012-08-24 15:15 . 2012-08-24 17:13 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-08-24 15:15 . 2012-08-24 15:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-08-24 13:29 . 2012-08-24 13:29 -------- d-----w- C:\$AVG
2012-08-24 13:21 . 2012-08-24 13:21 -------- d-----w- c:\program files\Common Files\Java
2012-08-24 13:20 . 2012-08-24 13:16 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-24 13:19 . 2012-08-24 13:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-24 13:14 . 2012-08-24 13:14 -------- d-----w- c:\programdata\McAfee
2012-08-24 12:42 . 2012-08-24 12:44 -------- d-----w- c:\users\amai\AppData\Roaming\AVG
2012-08-24 12:25 . 2012-08-25 00:25 -------- d-----w- c:\windows\system32\drivers\AVG
2012-08-24 12:25 . 2012-08-24 12:43 -------- d-----w- c:\programdata\AVG2012
2012-08-24 12:24 . 2012-08-24 12:40 -------- d-----w- c:\program files\AVG
2012-08-24 12:18 . 2012-08-25 00:25 -------- d-----w- c:\programdata\MFAData
2012-08-16 23:08 . 2012-08-16 23:08 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-15 07:14 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{250CCF3B-FE02-4984-ACED-72243D9783BD}\mpengine.dll
2012-08-14 08:21 . 2012-08-14 08:21 -------- d-----w- c:\users\amai\AppData\Local\Opera
2012-08-14 08:21 . 2012-08-14 11:23 -------- d-----w- c:\program files\Opera
2012-08-13 22:13 . 2012-08-13 22:13 184320 ----a-w- c:\programdata\Microsoft\Windows\DRM\F1CD.tmp
2012-08-12 01:48 . 2012-08-12 01:48 -------- d-----w- c:\windows\Sun
2012-08-09 08:41 . 2012-08-09 08:41 -------- d-----w- c:\users\amai\G3
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-24 18:02 . 2009-07-13 23:11 259072 ----a-w- c:\windows\system32\services.exe
2012-08-24 13:16 . 2012-04-28 13:01 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-15 01:26 . 2012-04-24 08:51 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 01:26 . 2012-01-04 05:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-16 04:38 . 2012-07-16 04:38 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-06-12 02:40 . 2012-07-14 06:06 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:05 . 2012-07-12 20:15 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05 . 2012-07-12 20:15 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03 . 2012-07-12 20:15 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-03 01:19 . 2012-06-23 12:50 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-03 01:12 . 2012-06-23 12:50 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:19 . 2012-06-23 12:50 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 12:50 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 12:50 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 12:50 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 12:50 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-23 12:50 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-23 12:50 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 08:33 . 2012-07-14 06:07 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-14 06:07 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-14 06:07 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-14 06:07 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-14 06:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45 . 2012-07-12 20:15 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45 . 2012-07-12 20:15 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40 . 2012-07-12 20:15 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40 . 2012-07-12 20:15 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39 . 2012-07-12 20:15 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-31 22:25 . 2012-01-04 05:24 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-07-19 05:36 . 2012-01-04 05:23 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-09 4777856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-25 2416480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [x]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 01:26]
.
2012-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-24 19:52]
.
2012-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-24 19:52]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
FF - ProfilePath - c:\users\amai\AppData\Roaming\Mozilla\Firefox\Profiles\w2xxkp9u.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.swagbucks.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=63395&p=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-43355759.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\taskhost.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\vssvc.exe
.
**************************************************************************
.
Completion time: 2012-08-24 14:59:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-25 00:59
.
Pre-Run: 378,778,218,496 bytes free
Post-Run: 378,689,859,584 bytes free
.
- - End Of File - - AB61BB59FB7AC87191FAEC00FEC0C85E

#6 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 24 August 2012 - 08:38 PM

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Lostinthesauce13
  • Topic Starter
  • Members
  • 8 posts

Posted 25 August 2012 - 01:27 AM

Here's the MBAM logs:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.25.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
amai :: AMAI-PC [administrator]

8/24/2012 3:50:16 PM
mbam-log-2012-08-24 (15-50-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 182195
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\amai\Downloads\movie_player_1280.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.

(end)


ESET failed twice before actually completing the scan.


And the ESET logs:

C:\ProgramData\Microsoft\Windows\DRM\F1CD.tmp a variant of Win32/Kryptik.AKAP trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AYI trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AYH trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AL trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.NP trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\mbr0000\tdlfs0000\tsk0010.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\mbr0000\tdlfs0000\tsk0011.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\zasubsys0000\file0000\tsk0000.dta Win32/Sirefef.FC trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\zasubsys0000\zafs0000\tsk0003.dta Win32/Conedex.D trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\zasubsys0000\zafs0000\tsk0005.dta Win32/Conedex.E trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\zasubsys0000\zafs0000\tsk0006.dta a variant of Win32/Sirefef.FA trojan
C:\TDSSKiller_Quarantine\24.08.2012_07.57.11\zasubsys0000\zafs0000\tsk0007.dta a variant of Win32/Sirefef.FD trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.22.23\tdlfs0000\tsk0001.dta Win32/Olmarik.AYI trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.22.23\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.22.23\tdlfs0000\tsk0003.dta Win32/Olmarik.AYH trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.22.23\tdlfs0000\tsk0004.dta Win64/Olmarik.AL trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.22.23\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.NP trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.22.23\tdlfs0000\tsk0006.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.22.23\tdlfs0000\tsk0010.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.22.23\tdlfs0000\tsk0011.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.39.40\tdlfs0000\tsk0001.dta Win32/Olmarik.AYI trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.39.40\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.39.40\tdlfs0000\tsk0003.dta Win32/Olmarik.AYH trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.39.40\tdlfs0000\tsk0004.dta Win64/Olmarik.AL trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.39.40\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.NP trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.39.40\tdlfs0000\tsk0006.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.39.40\tdlfs0000\tsk0010.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\24.08.2012_08.39.40\tdlfs0000\tsk0011.dta Win64/Olmarik.AK trojan
C:\Users\All Users\Microsoft\Windows\DRM\F1CD.tmp a variant of Win32/Kryptik.AKAP trojan
C:\Users\amai\AppData\Local\Google\Chrome\User Data\Default\Default\aagfgbgdgddadigddcgcdhdddedagcdg\background.html Win32/BHO.OEI trojan
C:\Users\amai\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120824024408503.rsc multiple threats
C:\Users\amai\AppData\Roaming\Mozilla\Firefox\Profiles\w2xxkp9u.default\extensions\akykugggso@akykugggso.org.xpi JS/Redirector.NCA trojan

#8 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 August 2012 - 07:27 AM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\ProgramData\Microsoft\Windows\DRM\F1CD.tmp 
C:\Users\All Users\Microsoft\Windows\DRM\F1CD.tmp 
C:\Users\amai\AppData\Local\Google\Chrome\User Data\Default\Default\aagfgbgdgddadigddcgcdhdddedagcdg\background.html 
C:\Users\amai\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120824024408503.rsc 
C:\Users\amai\AppData\Roaming\Mozilla\Firefox\Profiles\w2xxkp9u.default\extensions\akykugggso@akykugggso.org.xpi 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

(screenshot: dragging CFScript.txt onto ComboFix.exe)
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
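Farbar Service Scanner and MiniToolBox, requested above, report on the services behind Windows Firewall, Security Center, Windows Update and Windows Defender and on the hosts file. The script below is an added example that reproduces the core of those checks in PowerShell; it is not the original post's content and not the code of either tool. The firewall error reported in this thread, 0x80070424, is ERROR_SERVICE_DOES_NOT_EXIST (Win32 error 1060): the service's registry key has been removed, so the script checks the registry directly rather than relying on Get-Service alone, and it verifies the Authenticode signature of each service's ServiceDll, since the services in question run inside svchost.exe. The list of service names is the author's choice, not something the tools document. Written for Windows PowerShell 2.0 (Windows 7); run elevated.

```powershell
# Added example (not from the forum post, not Farbar's code): check the services
# that Windows Firewall (MpsSvc, BFE), Security Center (wscsvc), Windows Update
# (wuauserv, BITS) and Windows Defender (WinDefend) depend on, then list any
# active hosts-file entries. Windows PowerShell 2.0 compatible; run elevated.

$serviceNames = 'MpsSvc', 'BFE', 'wscsvc', 'wuauserv', 'BITS', 'WinDefend'

function Test-SecurityServices {
    param([string[]]$Names)

    foreach ($name in $Names) {
        $key       = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $keyExists = Test-Path -LiteralPath $key

        $start = $null; $image = $null; $dll = $null
        $status = 'n/a'; $signer = 'n/a'

        if ($keyExists) {
            $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            $start = $props.Start            # 2 = Automatic, 3 = Manual, 4 = Disabled
            $image = $props.ImagePath

            $params = Get-ItemProperty -LiteralPath "$key\Parameters" -ErrorAction SilentlyContinue
            if ($params) { $dll = $params.ServiceDll }

            $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
            if ($svc) { $status = $svc.Status.ToString() }

            # svchost.exe is only the host; the ServiceDll is the code that runs,
            # so its signature is what matters.
            if ($dll) {
                $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
                if (Test-Path -LiteralPath $dllPath) {
                    $signer = (Get-AuthenticodeSignature -FilePath $dllPath).Status.ToString()
                } else {
                    $signer = 'file missing'
                }
            }
        }

        New-Object PSObject -Property @{
            Service    = $name
            KeyExists  = $keyExists      # $false here explains error 0x80070424
            Start      = $start
            Status     = $status
            ImagePath  = $image
            ServiceDll = $dll
            DllSig     = $signer         # expect 'Valid' on a clean system
        }
    }
}

function Get-ActiveHostsEntries {
    # On a stock Windows 7 hosts file every line is a comment, so any line
    # returned here was added by something and should be recognised by the user.
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

Test-SecurityServices -Names $serviceNames |
    Format-Table -AutoSize Service, KeyExists, Start, Status, DllSig, ServiceDll

"Active hosts entries:"
Get-ActiveHostsEntries
```

A row with KeyExists set to False matches the firewall symptom in this thread and cannot be fixed by starting the service; the key has to be restored from a clean machine of the same Windows version before the service can exist again. A DllSig other than Valid on a Microsoft service DLL means the binary has been replaced or patched and should be treated the same way as the services.exe detection discussed earlier in the thread.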


#9 Lostinthesauce13
  • Topic Starter
  • Members
  • 8 posts

Posted 25 August 2012 - 08:28 AM

Here's the next set of logs:

COMBOFIX:

ComboFix 12-08-25.04 - amai 08/25/2012 3:09.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2009.1196 [GMT -10:00]
Running from: c:\users\amai\Desktop\ComboFix.exe
Command switches used :: c:\users\amai\Desktop\CFScript.txt
AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\Microsoft\Windows\DRM\F1CD.tmp"
"c:\users\All Users\Microsoft\Windows\DRM\F1CD.tmp"
"c:\users\amai\AppData\Local\Google\Chrome\User Data\Default\Default\aagfgbgdgddadigddcgcdhdddedagcdg\background.html"
"c:\users\amai\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120824024408503.rsc"
"c:\users\amai\AppData\Roaming\Mozilla\Firefox\Profiles\w2xxkp9u.default\extensions\akykugggso@akykugggso.org.xpi"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\DRM\F1CD.tmp
c:\users\All Users\Microsoft\Windows\DRM\F1CD.tmp
c:\users\amai\AppData\Local\Google\Chrome\User Data\Default\Default\aagfgbgdgddadigddcgcdhdddedagcdg\background.html
c:\users\amai\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120824024408503.rsc
c:\users\amai\AppData\Roaming\Mozilla\Firefox\Profiles\w2xxkp9u.default\extensions\akykugggso@akykugggso.org.xpi
.
.
((((((((((((((((((((((((( Files Created from 2012-07-25 to 2012-08-25 )))))))))))))))))))))))))))))))
.
.
2012-08-25 13:15 . 2012-08-25 13:16 -------- d-----w- c:\users\amai\AppData\Local\temp
2012-08-25 13:15 . 2012-08-25 13:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-25 02:01 . 2012-08-25 02:01 -------- d-----w- c:\program files\ESET
2012-08-25 01:49 . 2012-08-25 01:49 -------- d-----w- c:\users\amai\AppData\Roaming\Malwarebytes
2012-08-25 01:49 . 2012-08-25 01:49 -------- d-----w- c:\programdata\Malwarebytes
2012-08-25 01:49 . 2012-08-25 01:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-25 01:49 . 2012-07-03 23:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-25 01:01 . 2012-05-05 07:46 400896 ----a-w- c:\windows\system32\srcore.dll
2012-08-25 01:01 . 2012-07-18 17:47 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-08-25 01:00 . 2012-02-11 05:43 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-08-25 01:00 . 2012-02-11 05:40 769024 ----a-w- c:\windows\system32\localspl.dll
2012-08-25 01:00 . 2012-02-11 05:37 317440 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-24 20:03 . 2012-08-24 20:03 -------- d-----w- C:\FRST
2012-08-24 19:52 . 2012-08-24 19:52 -------- d-----w- c:\users\amai\AppData\Roaming\SUPERAntiSpyware.com
2012-08-24 19:52 . 2012-08-24 19:54 -------- d-----w- c:\program files\Google
2012-08-24 19:51 . 2012-08-24 19:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-08-24 19:51 . 2012-08-24 19:51 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-08-24 17:58 . 2012-08-24 18:40 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-24 15:18 . 2012-08-24 17:14 -------- d-----w- C:\sh4ldr
2012-08-24 15:18 . 2012-08-24 15:18 -------- d-----w- c:\program files\Enigma Software Group
2012-08-24 15:15 . 2012-08-24 17:13 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-08-24 15:15 . 2012-08-24 15:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-08-24 13:29 . 2012-08-24 13:29 -------- d-----w- C:\$AVG
2012-08-24 13:21 . 2012-08-24 13:21 -------- d-----w- c:\program files\Common Files\Java
2012-08-24 13:20 . 2012-08-24 13:16 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-24 13:19 . 2012-08-24 13:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-24 13:14 . 2012-08-24 13:14 -------- d-----w- c:\programdata\McAfee
2012-08-24 12:42 . 2012-08-24 12:44 -------- d-----w- c:\users\amai\AppData\Roaming\AVG
2012-08-24 12:25 . 2012-08-25 00:25 -------- d-----w- c:\windows\system32\drivers\AVG
2012-08-24 12:25 . 2012-08-24 12:43 -------- d-----w- c:\programdata\AVG2012
2012-08-24 12:24 . 2012-08-24 12:40 -------- d-----w- c:\program files\AVG
2012-08-24 12:18 . 2012-08-25 07:13 -------- d-----w- c:\programdata\MFAData
2012-08-16 23:08 . 2012-08-16 23:08 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-15 07:14 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{250CCF3B-FE02-4984-ACED-72243D9783BD}\mpengine.dll
2012-08-14 08:21 . 2012-08-14 08:21 -------- d-----w- c:\users\amai\AppData\Local\Opera
2012-08-14 08:21 . 2012-08-14 11:23 -------- d-----w- c:\program files\Opera
2012-08-12 01:48 . 2012-08-12 01:48 -------- d-----w- c:\windows\Sun
2012-08-09 08:41 . 2012-08-09 08:41 -------- d-----w- c:\users\amai\G3
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-24 18:02 . 2009-07-13 23:11 259072 ----a-w- c:\windows\system32\services.exe
2012-08-24 13:16 . 2012-04-28 13:01 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-15 01:26 . 2012-04-24 08:51 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 01:26 . 2012-01-04 05:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-16 04:38 . 2012-07-16 04:38 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-06-06 05:05 . 2012-07-12 20:15 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05 . 2012-07-12 20:15 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03 . 2012-07-12 20:15 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-03 01:19 . 2012-06-23 12:50 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-03 01:12 . 2012-06-23 12:50 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:19 . 2012-06-23 12:50 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 12:50 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 12:50 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 12:50 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 12:50 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-23 12:50 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-23 12:50 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 04:45 . 2012-07-12 20:15 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45 . 2012-07-12 20:15 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40 . 2012-07-12 20:15 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40 . 2012-07-12 20:15 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39 . 2012-07-12 20:15 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-31 22:25 . 2012-01-04 05:24 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-07-19 05:36 . 2012-01-04 05:23 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-09 4777856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-25 2416480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 01:26]
.
2012-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-24 19:52]
.
2012-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-24 19:52]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
FF - ProfilePath - c:\users\amai\AppData\Roaming\Mozilla\Firefox\Profiles\w2xxkp9u.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.swagbucks.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=63395&p=
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-25 03:18:23
ComboFix-quarantined-files.txt 2012-08-25 13:18
ComboFix2.txt 2012-08-25 00:59
.
Pre-Run: 383,799,742,464 bytes free
Post-Run: 384,779,272,192 bytes free
.
- - End Of File - - 8E0E48DD985A4E8DDE0C4CA3E3C2D704



RESULTS:

MiniToolBox by Farbar Version: 23-07-2012
Ran by amai (administrator) on 25-08-2012 at 03:23:22
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

Adobe Flash Player 11 ActiveX (Version: 11.3.300.271)
Adobe Flash Player 11 Plugin (Version: 11.3.300.271)
Adobe Reader X (10.1.4) (Version: 10.1.4)
AVG 2012 (Version: 12.0.1913)
AVG 2012 (Version: 12.0.2437)
AVG 2012 (Version: 2012.0.1913)
AVG PC Tuneup (Version: 10.0.0.27)
BitTorrent (Version: 7.6.1)
Canon DIGITAL CAMERA Solution Disk Software Guide (Version: 1.4.0.1)
CANON iMAGE GATEWAY MyCamera Download Plugin (Version: 3.1.1.2)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (Version: 1.9.0.9)
Canon MOV Decoder (Version: 1.8.0.7)
Canon MOV Encoder (Version: 1.6.0.1)
Canon MovieEdit Task for ZoomBrowser EX (Version: 3.7.0.4)
Canon MP280 series MP Drivers
Canon PowerShot ELPH 300 HS_IXUS 220 HS Camera User Guide (Version: 1.0.0.1)
Canon Utilities CameraWindow DC 8 (Version: 8.4.0.3)
Canon Utilities CameraWindow Launcher (Version: 7.5.0.2)
Canon Utilities Movie Uploader for YouTube (Version: 1.2.0.7)
Canon Utilities MyCamera (Version: 7.4.0.2)
Canon Utilities PhotoStitch (Version: 3.1.22.46)
Canon Utilities ZoomBrowser EX (Version: 6.7.0.24)
Canon ZoomBrowser EX Memory Card Utility (Version: 1.5.0.9)
DAEMON Tools Lite (Version: 4.45.4.0315)
ESET Online Scanner v3
Google Chrome (Version: 21.0.1180.83)
Google Update Helper (Version: 1.3.21.115)
Java 7 Update 6 (Version: 7.0.60)
Java Auto Updater (Version: 2.1.9.0)
Java™ 6 Update 31 (Version: 6.0.310)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office Word Viewer 2003 (Version: 11.0.8173.0)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Mozilla Firefox 14.0.1 (x86 en-US) (Version: 14.0.1)
Mozilla Maintenance Service (Version: 14.0.1)
SUPERAntiSpyware (Version: 5.5.1012)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
WinRAR archiver
WinZip 16.5 (Version: 16.5.10095)

**** End of log ****


And last, FSS:

Farbar Service Scanner Version: 06-08-2012
Ran by amai (administrator) on 25-08-2012 at 03:27:19
Running from "C:\Users\amai\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:33 PM

Posted 25 August 2012 - 09:21 AM

Your BITS registry key is missing, so we need to replace it. Please download the attached registry fix and save it to your desktop.
Right-click it and choose to Merge it into your registry (then delete the file, as you won't need it again).

Now reboot the computer and check that Windows Update is working correctly.


[attachment=129172:bits7.reg]


NEXT


P2P - I see you have the P2P software BitTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file-sharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.

I would strongly recommend that you uninstall this now. You can do so via Control Panel >> Programs and Features.



NEXT


Please advise how the computer is running now and whether there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
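
The FSS log above reported that the Start value of the BITS service does not exist, which is what the registry fix restores. The following PowerShell check is an added example, not part of CatByte's post or of the Farbar tools; it reads the same service configuration that FSS reports (Start type, ImagePath, ServiceDll for BITS and WinDefend, plus the DisableAntiSpyware policy) so the result of the merge can be confirmed after the reboot. The expected ServiceDll file names are taken from the FSS File Check on this page; nothing else is assumed.

```powershell
# Added example (not from the thread or the Farbar tools): re-check the service
# configuration that FSS reported above, so the BITS registry fix can be verified
# after the reboot. Run from an elevated PowerShell prompt.

# Expected ServiceDll file names come from the FSS File Check on this page;
# everything else is only reported, not compared.
$expected = @{
    'BITS'      = 'qmgr.dll'
    'WinDefend' = 'MpSvc.dll'
}

function Test-ServiceConfig {
    param([string]$Name, [string]$ExpectedDll)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        Write-Output "$Name : ATTENTION! service key is missing entirely"
        return
    }
    $svc = Get-ItemProperty -Path $key

    # The failure seen in the FSS log: the key exists but 'Start' does not.
    if ($null -eq $svc.Start) {
        Write-Output "$Name : ATTENTION! 'Start' value does not exist"
    } elseif ($svc.Start -eq 4) {
        Write-Output "$Name : start type is 4 (Disabled)"
    } else {
        Write-Output "$Name : start type = $($svc.Start)"
    }

    Write-Output "$Name : ImagePath = $($svc.ImagePath)"

    # ServiceDll lives under the Parameters subkey for svchost-hosted services.
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll -and ([IO.Path]::GetFileName($dll) -ieq $ExpectedDll)) {
        Write-Output "$Name : ServiceDll = $dll"
    } else {
        Write-Output "$Name : ATTENTION! ServiceDll = '$dll' (expected $ExpectedDll)"
    }
}

foreach ($name in $expected.Keys) { Test-ServiceConfig -Name $name -ExpectedDll $expected[$name] }

# The policy value FSS flagged under 'Windows Defender Disabled Policy'.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableAntiSpyware -eq 1) {
    Write-Output 'Windows Defender : DisableAntiSpyware policy = 1 (disabled by policy)'
}
```

A Start value of 2 for BITS after the merge, with no ATTENTION lines, matches what FSS expects when it reports the service as OK.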


#11 Lostinthesauce13

Lostinthesauce13
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:33 AM

Posted 25 August 2012 - 11:32 PM

CatByte,
Everything seems to be in working order with P2P software uninstalled. Thanks again for all your help.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:33 PM

Posted 25 August 2012 - 11:37 PM

We just have some housekeeping to do now.

Please do the following:


You can delete the DDS, GMER and all the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press WinKey+R to open a Run box.
  • Now copy/paste Combofix /uninstall into the Run box and click OK. Note the space between the ..X and the /U; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next click OK, then the Apply button, and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running the TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 Lostinthesauce13

Lostinthesauce13
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:33 AM

Posted 27 August 2012 - 04:38 PM

Thanks again for all your help. :clapping:

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:33 PM

Posted 27 August 2012 - 04:53 PM

You are welcome.

Stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:33 PM

Posted 27 August 2012 - 04:53 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




