Google Redirect


  • This topic is locked
37 replies to this topic

#1 Tythen

Tythen

  • Members
  • 31 posts

Posted 25 August 2012 - 04:26 AM

I was told to repost in this forum. You can see my old post at http://www.bleepingcomputer.com/forums/topic465942.html.

Running Vista 32-bit on a Dell Inspiron 1400.

About two weeks ago now, I stupidly clicked a link in an email I thought was real. Afterwards I noticed that whenever I used Internet Explorer and clicked on a link from Google (the example I keep using is Guild Wars 2) I am redirected to ad sites, or "click here now" sites. Also I began noticing that when I am connected online, I would get random sound clips of advertisements for all sorts of things, even when I'm not using Internet Explorer. No windows would open, just the clips. I would open Task Manager to see 5-7 Internet Explorer processes running.

Shortly after that, whenever I would start my computer, normally and in safe modes, about 5 minutes in I would get a window stating that, "Windows has occurred a critical error and needs to shut down. Your computer will be automatically restart in one minute. Save your work now." However, boopme helped and resolved that issue.

Still having the redirect and hidden Explorer issues though.

Thank you for your help.
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421
Run by Optimus Prime at 23:25:28 on 2012-08-24
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Optimus Prime\Desktop\dds.com
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070830
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_3_300_271_ActiveX.exe -update activex
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
LSP: mswsock.dll
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: DhcpNameServer = 128.163.37.132 128.163.1.11
TCP: Interfaces\{4AB51A51-7188-4277-AE54-1DD42C1AAE84} : DhcpNameServer = 128.163.37.132 128.163.1.11
TCP: Interfaces\{5CDFBF58-CCCC-4F37-9FFB-C8B8E24A86DA} : DhcpNameServer = 192.168.1.1
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R? AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service
R? AESTFilters;Andrea ST Filters Service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? ElRawDisk;ElRawDisk
R? FontCache;Windows Font Cache Service
R? GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? hitmanpro36;HitmanPro 3.6 Support Driver
R? LinksysUpdater;Linksys Updater
R? MBAMProtector;MBAMProtector
R? MBAMService;MBAMService
R? MpFilter;Microsoft Malware Protection Driver
R? NisDrv;Microsoft Network Inspection System
R? NisSrv;Microsoft Network Inspection
R? nosGetPlusHelper;getPlus® Helper 3004
R? nvUpdatusService;NVIDIA Update Service Daemon
R? PDFsFilter;PDFsFilter
R? SASDIFSV;SASDIFSV
R? SASENUM;SASENUM
R? SASKUTIL;SASKUTIL
R? Stereo Service;NVIDIA Stereoscopic 3D Driver Service
R? uts_bus;UTStarcom USB Composite Device driver (WDM)
R? uts_mdfl;UTStarcom USB Modem Filter
R? uts_mdm;UTStarcom USB Modem Drivers
R? uts_serd;UTStarcom USB Diagnostic Serial Port (WDM)
R? WMZuneComm;Zune Windows Mobile Connectivity Service
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? !SASCORE;SAS Core Service
S? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
S? ioloSystemService;iolo System Service
.
=============== Created Last 30 ================
.
2012-08-24 03:41:26 89088 ----a-w- c:\users\optimus prime\mbr.exe
2012-08-24 03:25:45 89088 -c--a-w- C:\mbr.exe
2012-08-23 04:08:48 858 ----a-w- c:\programdata\onwnaaa.tmp
2012-08-23 03:51:42 885 ----a-w- c:\programdata\lrloaaa.tmp
2012-08-22 06:07:20 892 ----a-w- c:\programdata\opdqaaa.tmp
2012-08-22 03:56:12 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-21 23:06:38 919 ----a-w- c:\programdata\emdvbaa.tmp
2012-08-21 22:08:32 881 ----a-w- c:\programdata\fsooaaa.tmp
2012-08-21 07:11:55 894 ----a-w- c:\programdata\lpemaaa.tmp
2012-08-21 06:20:21 899 ----a-w- c:\programdata\jgtoaaa.tmp
2012-08-21 06:10:37 4731392 -c--a-w- C:\aswMBR.exe
2012-08-21 05:53:56 -------- dc----w- C:\TDSSKiller_Quarantine
2012-08-21 05:15:11 335 -c--a-w- C:\FixExe.reg
2012-08-21 05:14:01 1587616 -c--a-w- C:\rkill.exe
2012-08-20 20:50:03 43480 ----a-w- c:\windows\system32\drivers\ledrccqx.sys
2012-08-19 01:20:13 862 ----a-w- c:\programdata\aykraaa.tmp
2012-08-19 01:18:51 908 ----a-w- c:\programdata\whnsbaa.tmp
2012-08-19 01:16:28 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2012-08-19 01:16:28 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ebd19be8-064e-4b8e-a518-dc4222bd0c02}\gapaengine.dll
2012-08-19 01:15:12 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{61e59e09-e95d-4097-86e6-b7348301a8dc}\mpengine.dll
2012-08-19 01:12:47 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-17 02:09:27 891 ----a-w- c:\programdata\awdpaaa.tmp
2012-08-17 02:01:54 890 ----a-w- c:\programdata\xthwbaa.tmp
2012-08-17 02:01:49 894 ----a-w- c:\programdata\mqfuaaa.tmp
2012-08-16 23:49:00 885 ----a-w- c:\programdata\kdgsaaa.tmp
2012-08-16 01:22:40 888 ----a-w- c:\programdata\zgtuaaa.tmp
2012-08-16 01:22:35 873 ----a-w- c:\programdata\ygtuaaa.tmp
2012-08-14 05:14:18 888 ----a-w- c:\programdata\hlnnaaa.tmp
2012-08-13 10:02:21 660 ----a-w- c:\programdata\wnylaaa.tmp
2012-08-13 09:56:38 893 ----a-w- c:\programdata\bwdpaaa.tmp
2012-08-13 09:07:00 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-08-11 10:07:52 -------- d-----w- c:\program files\PC Tools
2012-08-11 10:04:55 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-08-11 10:04:51 -------- d-----w- c:\program files\common files\PC Tools
2012-08-11 10:04:13 -------- d-----w- c:\programdata\PC Tools
2012-08-11 10:04:11 -------- d-----w- c:\users\optimus prime\appdata\roaming\TestApp
2012-08-11 09:34:51 -------- d-----w- c:\programdata\HitmanPro
2012-08-11 00:07:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-08-10 09:33:21 68464 ----a-w- c:\windows\system32\drivers\PDFsFilter.sys
2012-08-10 09:29:03 74703 ----a-w- c:\windows\system32\mfc45.dat
2012-07-31 22:30:17 -------- d-----w- c:\program files\Eidos Interactive
2012-07-27 21:00:23 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2012-08-22 04:27:22 279552 ----a-w- c:\windows\system32\services.exe
2012-08-15 07:21:39 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 07:21:37 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-02 16:45:38 40504 ----a-w- c:\windows\system32\iolobtdfg.exe
2012-08-02 16:45:28 22456 ----a-w- c:\windows\system32\smrgdf.exe
2012-08-02 15:27:34 2096360 ----a-w- c:\windows\system32\Incinerator32.dll
2012-08-02 15:21:18 26248 ----a-w- c:\windows\system32\drivers\ElRawDsk.sys
2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:40:21 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 16:47:28 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47:27 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26:04 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 00:04:25 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03:42 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 23:28:53.82 ===============

Edited by Tythen, 25 August 2012 - 02:35 PM.
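As an added example (not code from the thread, from DDS or from FRST), the following Python helper parses DDS-style "Created Last 30" / "Find3M" lines like the ones in the log above and flags the entries a responder would look at first: hidden+system directories created under system32, literal environment-variable names used as on-disk names, newly created kernel drivers not on an analyst-supplied list of known tools, core Windows binaries modified inside the window, and small .tmp files dropped in the ProgramData root. The sample lines are copied from the DDS log in this post; the heuristics, the `CORE_BINARIES` set and the `known_driver_names` allowlist (hitmanpro36.sys, which the log shows as the HitmanPro support driver) are assumptions of this example, not verdicts from the thread.

```python
"""Triage helper for DDS-style file listings ("Created Last 30" / "Find3M").

Added example for this thread; it is not code from DDS, FRST or the forum.
It parses the timestamp / size / attribute / path columns that DDS prints and
applies a few defender-side heuristics an analyst would otherwise check by eye.
The heuristics and the known-driver allowlist are this example's assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional, Tuple

# Sample input: lines copied from the DDS log posted above (Created Last 30 and
# Find3M sections), not constructed.
SAMPLE_LOG = """\
2012-08-24 03:41:26 89088 ----a-w- c:\\users\\optimus prime\\mbr.exe
2012-08-23 04:08:48 858 ----a-w- c:\\programdata\\onwnaaa.tmp
2012-08-22 03:56:12 -------- d-sh--w- c:\\windows\\system32\\%APPDATA%
2012-08-20 20:50:03 43480 ----a-w- c:\\windows\\system32\\drivers\\ledrccqx.sys
2012-08-19 01:12:47 -------- d-----w- c:\\program files\\Microsoft Security Client
2012-08-13 09:07:00 27424 ----a-w- c:\\windows\\system32\\drivers\\hitmanpro36.sys
2012-08-22 04:27:22 279552 ----a-w- c:\\windows\\system32\\services.exe
"""

# Columns: timestamp, size (dashes for directories), attribute flags, path.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S+)\s+(.+?)\s*$"
)

# Assumption of this example: binaries whose modification time inside the
# window deserves a hash/signature check against a known-good copy.
CORE_BINARIES = {"services.exe", "winlogon.exe", "lsass.exe", "explorer.exe", "svchost.exe"}


@dataclass
class Entry:
    when: datetime
    size: Optional[int]   # None for directories (DDS prints dashes there)
    attrs: str            # DDS attribute flags, e.g. "d-sh--w-"
    path: str             # lower-cased so matching is case-insensitive

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0] if "\\" in self.path else ""


def parse_dds_listing(text: str) -> List[Entry]:
    """Parse every DDS file line; section headers and '.' separators are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        size = None if m.group(2).startswith("-") else int(m.group(2))
        entries.append(Entry(when, size, m.group(3), m.group(4).lower()))
    return entries


def triage(entries: List[Entry],
           known_driver_names: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries that merit a closer look."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.is_dir and e.hidden and e.system and "\\windows\\system32" in e.parent:
            findings.append((e.path, "hidden+system directory created under system32"))
        if "%" in e.name:
            findings.append((e.path, "literal environment-variable name used as an on-disk name"))
        if e.name.endswith(".sys") and e.parent.endswith("\\drivers") \
                and e.name not in known_driver_names:
            findings.append((e.path, "new kernel driver not on the known-tool list"))
        if e.name in CORE_BINARIES and e.parent.endswith("\\windows\\system32"):
            findings.append((e.path, "core Windows binary modified in the window; verify hash/signature"))
        if e.name.endswith(".tmp") and e.parent.endswith("\\programdata"):
            findings.append((e.path, "small .tmp file dropped in the ProgramData root"))
    return findings


def summarize(text: str, known_driver_names: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """Parse a DDS listing and triage it in one call."""
    return triage(parse_dds_listing(text), known_driver_names)


if __name__ == "__main__":
    # hitmanpro36.sys is listed in the log as the HitmanPro support driver.
    for path, reason in summarize(SAMPLE_LOG, frozenset({"hitmanpro36.sys"})):
        print(f"{path}: {reason}")
```

The allowlist is deliberately explicit rather than guessed from file names: a driver created by a cleanup tool the user ran looks, in the listing alone, exactly like one dropped by malware, so the analyst supplies what they know was installed and reviews everything else.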



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 August 2012 - 04:54 PM

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt file; close out this message, then type the following into the search box:
    services.exe
  • Now press the search button.
  • When the search is complete, search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Tythen

Tythen
  • Topic Starter

  • Members
  • 31 posts

Posted 25 August 2012 - 07:30 PM

Frst.txt

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-08-2012
Ran by SYSTEM at 25-08-2012 18:56:57
Running from F:\
Windows Vista ™ Home Basic (X86) OS Language: English(US)
The current controlset is ControlSet003

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [159744 2007-05-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2006-10-03] (Macrovision Corporation)
HKLM\...\Run: [] [x]
HKLM\...\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe" [184320 2007-04-16] (CyberLink Corp.)
HKLM\...\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe [17920 2007-03-16] ( )
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2010-07-19] (Google)
HKLM\...\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [221184 2006-10-03] (Macrovision Corporation)
HKLM\...\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2008-08-13] (SupportSoft, Inc.)
HKLM\...\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2007-09-07] (IDT, Inc.)
HKLM\...\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [642856 2008-12-12] (Cisco Systems, Inc.)
HKU\Default\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
HKU\Default User\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
HKU\Optimus Prime\...\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2008-08-13] (SupportSoft, Inc.)
HKU\Optimus Prime\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [4777856 2012-07-23] (SUPERAntiSpyware.com)
HKU\Optimus Prime\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Optimus Prime\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-01-01] (Google Inc.)
HKU\UpdatusUser\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [X]
Tcpip\Parameters: [DhcpNameServer] 128.163.37.132 128.163.1.11
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )

================================ Services (Whitelisted) ==================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [116608 2011-08-17] (SUPERAntiSpyware.com)
3 DSBrokerService; "C:\Program Files\DellSupport\brkrsvc.exe" [70656 2007-03-19] ()
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [46080 2009-04-10] (Microsoft Corporation)
3 getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [33176 2009-03-03] (NOS Microsystems Ltd.)
3 GoogleDesktopManager-051210-111108; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2010-07-19] (Google)
2 ioloSystemService; "C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe" [1027792 2012-08-02] (iolo technologies, LLC)
4 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 nmservice; "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe" [642856 2008-12-12] (Cisco Systems, Inc.)
2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter [201968 2008-08-13] (SupportSoft, Inc.)
2 LinksysUpdater; "C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
3 WMZuneComm; "c:\Program Files\Zune\WMZuneComm.exe" [x]
3 ZuneNetworkSvc; "c:\Program Files\Zune\ZuneNss.exe" [x]
3 ZuneWlanCfgSvc; "c:\Program Files\Zune\ZuneWlanCfgSvc.exe" [x]

========================== Drivers (Whitelisted) =============

1 ElRawDisk; \??\C:\Windows\system32\drivers\ElRawDsk.sys [26248 2012-08-02] (EldoS Corporation)
3 hitmanpro36; \??\C:\Windows\system32\drivers\hitmanpro36.sys [27424 2012-08-13] ()
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22344 2012-07-03] (Malwarebytes Corporation)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [68464 2012-08-02] (Raxco Software, Inc.)
2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [24880 2008-12-12] (Cisco Systems, Inc.)
2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [26416 2008-12-12] (Cisco Systems, Inc.)
0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [36528 2006-07-23] (Sonic Solutions)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-08-03] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [12872 2010-02-19] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [67664 2011-08-03] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 uts_bus; C:\Windows\System32\DRIVERS\uts_bus.sys [84352 2007-12-05] (MCCI)
3 uts_mdfl; C:\Windows\System32\DRIVERS\uts_mdfl.sys [14976 2007-12-05] (MCCI Corporation)
3 uts_mdm; C:\Windows\System32\DRIVERS\uts_mdm.sys [110848 2007-12-05] (MCCI)
3 uts_serd; C:\Windows\System32\DRIVERS\uts_serd.sys [90880 2007-12-05] (MCCI)
3 .cdrom; \* [x]
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 catchme; \??\C:\Users\OPTIMU~1\AppData\Local\Temp\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-25 14:38 - 2012-08-25 14:38 - 00901756 ____A (Farbar) C:\Users\Optimus Prime\Downloads\FRST.exe
2012-08-25 14:38 - 2012-08-25 14:38 - 00000000 ___DC C:\FRST
2012-08-25 13:47 - 2012-08-25 13:47 - 02193184 ____A C:\Users\Optimus Prime\Downloads\tdsskiller (1).zip
2012-08-25 13:31 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-25 13:31 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-25 13:31 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-25 13:31 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-25 13:31 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-25 13:31 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-25 13:31 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-25 13:31 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-25 13:30 - 2012-08-25 13:43 - 00000000 __SDC C:\32788R22FWJFW
2012-08-25 13:30 - 2012-08-25 13:30 - 00000000 ____D C:\Windows\erdnt
2012-08-25 13:29 - 2012-08-25 13:29 - 00001195 ____A C:\Users\Optimus Prime\Desktop\checkup.txt
2012-08-25 13:24 - 2012-08-25 13:25 - 00881581 ____A C:\Users\Optimus Prime\Downloads\SecurityCheck.exe
2012-08-25 01:27 - 2012-08-25 01:27 - 02193184 ____A C:\Users\Optimus Prime\Downloads\tdsskiller.zip
2012-08-25 01:27 - 2012-08-25 01:27 - 00000000 ____D C:\Users\Optimus Prime\Downloads\tdsskiller
2012-08-25 01:22 - 2012-08-25 01:22 - 00008043 ____A C:\Users\Optimus Prime\Desktop\ark.txt
2012-08-25 01:21 - 2012-08-25 01:21 - 00008043 ____A C:\Users\Optimus Prime\Desktop\gmer scan.log
2012-08-24 19:44 - 2012-08-24 19:44 - 00294216 ____A C:\Users\Optimus Prime\Downloads\gmer.zip
2012-08-24 19:42 - 2012-08-24 19:42 - 00302592 ____A C:\Users\Optimus Prime\Downloads\pwn2eu1r.exe
2012-08-24 19:35 - 2012-08-24 19:35 - 00004661 ____A C:\Users\Optimus Prime\Desktop\attach.txt
2012-08-24 19:34 - 2012-08-24 19:34 - 00010905 ____A C:\Users\Optimus Prime\Desktop\dds.txt
2012-08-24 19:24 - 2012-08-24 19:24 - 00607260 ____R (Swearware) C:\Users\Optimus Prime\Desktop\dds.com
2012-08-24 19:22 - 2012-08-24 19:22 - 00000488 ____A C:\Users\Optimus Prime\Desktop\defogger_disable.log
2012-08-24 19:22 - 2012-08-24 19:22 - 00000000 ____A C:\Users\Optimus Prime\defogger_reenable
2012-08-24 19:21 - 2012-08-24 19:22 - 00050477 ____A C:\Users\Optimus Prime\Downloads\Defogger.exe
2012-08-23 19:41 - 2012-08-23 19:25 - 00089088 ____A C:\Users\Optimus Prime\mbr.exe
2012-08-23 19:30 - 2012-08-23 19:40 - 00000294 ___AC C:\mbr.log
2012-08-23 19:26 - 2012-08-23 19:41 - 00000294 ____A C:\Users\Optimus Prime\mbr.log
2012-08-23 19:25 - 2012-08-23 19:25 - 00089088 ___AC C:\mbr.exe
2012-08-23 19:25 - 2012-08-23 19:25 - 00089088 ____A C:\Users\Optimus Prime\Downloads\mbr.exe
2012-08-22 21:02 - 2012-08-22 21:02 - 00000795 ____A C:\Windows\setupact.log
2012-08-22 21:02 - 2012-08-22 21:02 - 00000000 ____A C:\Windows\setuperr.log
2012-08-22 20:08 - 2012-08-22 20:08 - 00000858 ____A C:\Users\All Users\onwnaaa.tmp
2012-08-22 19:56 - 2012-08-22 19:56 - 00000774 ____A C:\Users\Optimus Prime\bootkit report.txt
2012-08-22 19:51 - 2012-08-22 19:51 - 00000885 ____A C:\Users\All Users\lrloaaa.tmp
2012-08-22 19:50 - 2012-08-22 19:50 - 00044607 ____A C:\Users\Optimus Prime\Downloads\bootkit_remover.zip
2012-08-22 19:50 - 2012-08-22 19:50 - 00000000 ____D C:\Users\Optimus Prime\Downloads\bootkit_remover
2012-08-21 22:07 - 2012-08-21 22:07 - 00000892 ____A C:\Users\All Users\opdqaaa.tmp
2012-08-21 20:22 - 2012-08-25 13:35 - 00003968 ____A C:\Windows\PFRO.log
2012-08-21 19:56 - 2012-08-21 19:56 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-08-21 19:26 - 2012-08-21 19:28 - 00025151 ____A C:\Users\Optimus Prime\Desktop\Result.txt
2012-08-21 19:25 - 2012-08-21 19:26 - 00751391 ____A (Farbar) C:\Users\Optimus Prime\Downloads\MiniToolBox (1).exe
2012-08-21 19:25 - 2012-08-21 19:25 - 00751391 ____A (Farbar) C:\Users\Optimus Prime\Downloads\MiniToolBox.exe
2012-08-21 19:24 - 2012-08-21 19:32 - 00001308 ____A C:\Users\Optimus Prime\Desktop\GooredFix.txt
2012-08-21 19:24 - 2012-08-21 19:32 - 00000000 ____D C:\Users\Optimus Prime\Desktop\GooredFix Backups
2012-08-21 19:24 - 2012-08-21 19:24 - 00071398 ____A (jpshortstuff) C:\Users\Optimus Prime\Downloads\GooredFix.exe
2012-08-21 15:06 - 2012-08-21 15:06 - 00000919 ____A C:\Users\All Users\emdvbaa.tmp
2012-08-21 14:49 - 2012-08-21 14:50 - 69384240 ____A (Microsoft Corporation) C:\Users\Optimus Prime\Downloads\msert.exe
2012-08-21 14:08 - 2012-08-21 14:08 - 00000881 ____A C:\Users\All Users\fsooaaa.tmp
2012-08-21 13:51 - 2012-08-21 13:51 - 00001923 ___AC C:\aswMBR.txt
2012-08-21 13:51 - 2012-08-21 13:51 - 00000512 ___AC C:\MBR.dat
2012-08-20 23:11 - 2012-08-20 23:11 - 00000894 ____A C:\Users\All Users\lpemaaa.tmp
2012-08-20 22:20 - 2012-08-20 22:20 - 00000899 ____A C:\Users\All Users\jgtoaaa.tmp
2012-08-20 22:10 - 2012-08-20 22:09 - 04731392 ___AC (AVAST Software) C:\aswMBR.exe
2012-08-20 21:53 - 2012-08-25 13:40 - 00000000 ___DC C:\TDSSKiller_Quarantine
2012-08-20 21:15 - 2012-08-20 20:57 - 00000335 ___AC C:\FixExe.reg
2012-08-20 21:15 - 2012-08-20 20:57 - 00000335 ____A C:\Users\Optimus Prime\Desktop\FixExe.reg
2012-08-20 21:14 - 2012-08-20 20:58 - 01587616 ___AC (Bleeping Computer, LLC) C:\rkill.exe
2012-08-20 21:13 - 2012-08-20 20:58 - 01587616 ____A (Bleeping Computer, LLC) C:\Users\Optimus Prime\Desktop\rkill.exe
2012-08-20 21:12 - 2012-08-25 14:01 - 00007632 ____A C:\Users\Optimus Prime\Desktop\Rkill.txt
2012-08-20 13:33 - 2012-08-20 13:33 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Optimus Prime\Desktop\TDSSKiller.exe
2012-08-20 12:50 - 2012-08-20 12:50 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ledrccqx.sys
2012-08-18 17:20 - 2012-08-18 17:20 - 00000862 ____A C:\Users\All Users\aykraaa.tmp
2012-08-18 17:18 - 2012-08-18 17:18 - 00000908 ____A C:\Users\All Users\whnsbaa.tmp
2012-08-18 17:12 - 2012-08-18 17:13 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-18 17:10 - 2012-08-18 17:10 - 10288512 ____A (Microsoft Corporation) C:\Users\Optimus Prime\Downloads\bleepyouvirus.exe
2012-08-16 18:09 - 2012-08-16 18:09 - 00000891 ____A C:\Users\All Users\awdpaaa.tmp
2012-08-16 18:01 - 2012-08-16 18:01 - 00000894 ____A C:\Users\All Users\mqfuaaa.tmp
2012-08-16 18:01 - 2012-08-16 18:01 - 00000890 ____A C:\Users\All Users\xthwbaa.tmp
2012-08-16 15:49 - 2012-08-16 15:49 - 00000885 ____A C:\Users\All Users\kdgsaaa.tmp
2012-08-15 17:22 - 2012-08-15 17:22 - 00000888 ____A C:\Users\All Users\zgtuaaa.tmp
2012-08-15 17:22 - 2012-08-15 17:22 - 00000873 ____A C:\Users\All Users\ygtuaaa.tmp
2012-08-13 21:14 - 2012-08-13 21:14 - 00000888 ____A C:\Users\All Users\hlnnaaa.tmp
2012-08-13 02:02 - 2012-08-13 02:02 - 00000660 ____A C:\Users\All Users\wnylaaa.tmp
2012-08-13 01:56 - 2012-08-13 01:56 - 00000893 ____A C:\Users\All Users\bwdpaaa.tmp
2012-08-13 01:10 - 2012-08-13 01:10 - 10288512 ____A (Microsoft Corporation) C:\Users\Optimus Prime\Downloads\mseinstall.exe
2012-08-13 01:07 - 2012-08-13 01:07 - 00027424 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
2012-08-13 01:05 - 2012-08-13 01:05 - 00000704 ____A C:\Windows\System32\.crusader
2012-08-11 02:07 - 2012-08-11 02:07 - 00000000 ____D C:\Program Files\PC Tools
2012-08-11 02:05 - 2012-08-11 02:08 - 02276214 ____A C:\Windows\System32\Drivers\Cat.DB
2012-08-11 02:04 - 2012-08-12 20:27 - 00000000 ____D C:\Program Files\Common Files\PC Tools
2012-08-11 02:04 - 2012-08-12 20:04 - 00000000 ____D C:\Users\All Users\PC Tools
2012-08-11 02:04 - 2012-08-11 02:04 - 00000000 ____D C:\Users\Optimus Prime\AppData\Roaming\TestApp
2012-08-11 02:04 - 2012-06-22 11:34 - 00203120 ____A (PC Tools) C:\Windows\System32\Drivers\PCTSD.sys
2012-08-11 02:03 - 2012-08-11 02:03 - 04122616 ____A (PC Tools) C:\Users\Optimus Prime\Downloads\sdsetup.exe
2012-08-11 01:34 - 2012-08-13 01:05 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-08-11 01:33 - 2012-08-11 01:33 - 07758424 ____A (SurfRight B.V.) C:\Users\Optimus Prime\Downloads\HitmanPro36.exe
2012-08-10 16:07 - 2012-08-10 19:23 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2012-08-10 01:33 - 2012-08-02 07:21 - 00068464 ____A (Raxco Software, Inc.) C:\Windows\System32\Drivers\PDFsFilter.sys
2012-08-10 01:29 - 2012-08-10 01:29 - 00074703 ____A C:\Windows\System32\mfc45.dat
2012-08-08 00:54 - 2012-08-08 00:54 - 00000000 ____D C:\Windows\Sun
2012-08-06 12:36 - 2012-08-06 12:37 - 00000000 ____D C:\Program Files\QuickTime
2012-08-01 19:20 - 2012-08-23 21:21 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-31 14:34 - 2012-07-31 14:34 - 00001022 ____A C:\Users\Optimus Prime\Desktop\Play Soul Reaver.lnk
2012-07-31 14:30 - 2012-07-31 14:30 - 00000000 ____D C:\Program Files\Eidos Interactive
2012-07-27 13:00 - 2012-08-10 20:09 - 00000000 ____D C:\Windows\pss


============ 3 Months Modified Files ========================

2012-08-25 14:38 - 2012-08-25 14:38 - 00901756 ____A (Farbar) C:\Users\Optimus Prime\Downloads\FRST-1.exe
2012-08-25 14:38 - 2012-08-25 14:38 - 00901756 ____A (Farbar) C:\Users\Optimus Prime\Downloads\FRST.exe
2012-08-25 14:37 - 2006-11-02 02:33 - 00712780 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-25 14:36 - 2010-06-20 01:10 - 00002281 ____A C:\Users\Public\Desktop\Safari.lnk
2012-08-25 14:36 - 2007-11-13 21:36 - 00008592 ____A C:\Users\Optimus Prime\AppData\Local\d3d9caps.dat
2012-08-25 14:01 - 2012-08-20 21:12 - 00007632 ____A C:\Users\Optimus Prime\Desktop\Rkill.txt
2012-08-25 13:47 - 2012-08-25 13:47 - 02193184 ____A C:\Users\Optimus Prime\Downloads\tdsskiller (1).zip
2012-08-25 13:35 - 2012-08-21 20:22 - 00003968 ____A C:\Windows\PFRO.log
2012-08-25 13:29 - 2012-08-25 13:29 - 00001195 ____A C:\Users\Optimus Prime\Desktop\checkup.txt
2012-08-25 13:25 - 2012-08-25 13:24 - 00881581 ____A C:\Users\Optimus Prime\Downloads\SecurityCheck.exe
2012-08-25 01:27 - 2012-08-25 01:27 - 02193184 ____A C:\Users\Optimus Prime\Downloads\tdsskiller.zip
2012-08-25 01:22 - 2012-08-25 01:22 - 00008043 ____A C:\Users\Optimus Prime\Desktop\ark.txt
2012-08-25 01:21 - 2012-08-25 01:21 - 00008043 ____A C:\Users\Optimus Prime\Desktop\gmer scan.log
2012-08-24 23:59 - 2007-08-29 09:28 - 00001076 ____A C:\Windows\bthservsdp.dat
2012-08-24 23:59 - 2006-11-02 04:58 - 00032620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-24 23:59 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-24 23:59 - 2006-11-02 04:45 - 00003552 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-24 23:59 - 2006-11-02 04:45 - 00003552 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-24 23:48 - 2007-08-29 09:27 - 01175566 ____A C:\Windows\WindowsUpdate.log
2012-08-24 23:42 - 2011-01-01 11:26 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-24 19:45 - 2011-07-16 18:21 - 00302592 ____A C:\Users\Optimus Prime\Desktop\gmer.exe
2012-08-24 19:44 - 2012-08-24 19:44 - 00294216 ____A C:\Users\Optimus Prime\Downloads\gmer.zip
2012-08-24 19:42 - 2012-08-24 19:42 - 00302592 ____A C:\Users\Optimus Prime\Downloads\pwn2eu1r.exe
2012-08-24 19:35 - 2012-08-24 19:35 - 00004661 ____A C:\Users\Optimus Prime\Desktop\attach.txt
2012-08-24 19:34 - 2012-08-24 19:34 - 00010905 ____A C:\Users\Optimus Prime\Desktop\dds.txt
2012-08-24 19:24 - 2012-08-24 19:24 - 00607260 ____R (Swearware) C:\Users\Optimus Prime\Desktop\dds.com
2012-08-24 19:22 - 2012-08-24 19:22 - 00000488 ____A C:\Users\Optimus Prime\Desktop\defogger_disable.log
2012-08-24 19:22 - 2012-08-24 19:22 - 00000000 ____A C:\Users\Optimus Prime\defogger_reenable
2012-08-24 19:22 - 2012-08-24 19:21 - 00050477 ____A C:\Users\Optimus Prime\Downloads\Defogger.exe
2012-08-23 21:21 - 2012-08-01 19:20 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-23 21:19 - 2011-01-01 11:26 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-23 19:41 - 2012-08-23 19:26 - 00000294 ____A C:\Users\Optimus Prime\mbr.log
2012-08-23 19:40 - 2012-08-23 19:30 - 00000294 ___AC C:\mbr.log
2012-08-23 19:25 - 2012-08-23 19:41 - 00089088 ____A C:\Users\Optimus Prime\mbr.exe
2012-08-23 19:25 - 2012-08-23 19:25 - 00089088 ___AC C:\mbr.exe
2012-08-23 19:25 - 2012-08-23 19:25 - 00089088 ____A C:\Users\Optimus Prime\Downloads\mbr.exe
2012-08-23 01:30 - 2007-09-15 16:42 - 00030208 ____A C:\Users\Optimus Prime\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-22 21:02 - 2012-08-22 21:02 - 00000795 ____A C:\Windows\setupact.log
2012-08-22 21:02 - 2012-08-22 21:02 - 00000000 ____A C:\Windows\setuperr.log
2012-08-22 20:29 - 2012-06-17 01:54 - 00001973 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-08-22 20:08 - 2012-08-22 20:08 - 00000858 ____A C:\Users\All Users\onwnaaa.tmp
2012-08-22 19:56 - 2012-08-22 19:56 - 00000774 ____A C:\Users\Optimus Prime\bootkit report.txt
2012-08-22 19:51 - 2012-08-22 19:51 - 00000885 ____A C:\Users\All Users\lrloaaa.tmp
2012-08-22 19:50 - 2012-08-22 19:50 - 00044607 ____A C:\Users\Optimus Prime\Downloads\bootkit_remover.zip
2012-08-21 22:07 - 2012-08-21 22:07 - 00000892 ____A C:\Users\All Users\opdqaaa.tmp
2012-08-21 20:27 - 2009-09-16 21:08 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-21 19:32 - 2012-08-21 19:24 - 00001308 ____A C:\Users\Optimus Prime\Desktop\GooredFix.txt
2012-08-21 19:28 - 2012-08-21 19:26 - 00025151 ____A C:\Users\Optimus Prime\Desktop\Result.txt
2012-08-21 19:26 - 2012-08-21 19:25 - 00751391 ____A (Farbar) C:\Users\Optimus Prime\Downloads\MiniToolBox (1).exe
2012-08-21 19:25 - 2012-08-21 19:25 - 00751391 ____A (Farbar) C:\Users\Optimus Prime\Downloads\MiniToolBox.exe
2012-08-21 19:24 - 2012-08-21 19:24 - 00071398 ____A (jpshortstuff) C:\Users\Optimus Prime\Downloads\GooredFix.exe
2012-08-21 15:06 - 2012-08-21 15:06 - 00000919 ____A C:\Users\All Users\emdvbaa.tmp
2012-08-21 14:50 - 2012-08-21 14:49 - 69384240 ____A (Microsoft Corporation) C:\Users\Optimus Prime\Downloads\msert.exe
2012-08-21 14:08 - 2012-08-21 14:08 - 00000881 ____A C:\Users\All Users\fsooaaa.tmp
2012-08-21 13:51 - 2012-08-21 13:51 - 00001923 ___AC C:\aswMBR.txt
2012-08-21 13:51 - 2012-08-21 13:51 - 00000512 ___AC C:\MBR.dat
2012-08-20 23:11 - 2012-08-20 23:11 - 00000894 ____A C:\Users\All Users\lpemaaa.tmp
2012-08-20 22:20 - 2012-08-20 22:20 - 00000899 ____A C:\Users\All Users\jgtoaaa.tmp
2012-08-20 22:09 - 2012-08-20 22:10 - 04731392 ___AC (AVAST Software) C:\aswMBR.exe
2012-08-20 20:58 - 2012-08-20 21:14 - 01587616 ___AC (Bleeping Computer, LLC) C:\rkill.exe
2012-08-20 20:58 - 2012-08-20 21:13 - 01587616 ____A (Bleeping Computer, LLC) C:\Users\Optimus Prime\Desktop\rkill.exe
2012-08-20 20:57 - 2012-08-20 21:15 - 00000335 ___AC C:\FixExe.reg
2012-08-20 20:57 - 2012-08-20 21:15 - 00000335 ____A C:\Users\Optimus Prime\Desktop\FixExe.reg
2012-08-20 19:44 - 2012-02-20 16:21 - 00002243 ____A C:\Windows\epplauncher.mif
2012-08-20 13:33 - 2012-08-20 13:33 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Optimus Prime\Desktop\TDSSKiller.exe
2012-08-20 12:50 - 2012-08-20 12:50 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ledrccqx.sys
2012-08-18 17:20 - 2012-08-18 17:20 - 00000862 ____A C:\Users\All Users\aykraaa.tmp
2012-08-18 17:18 - 2012-08-18 17:18 - 00000908 ____A C:\Users\All Users\whnsbaa.tmp
2012-08-18 17:10 - 2012-08-18 17:10 - 10288512 ____A (Microsoft Corporation) C:\Users\Optimus Prime\Downloads\bleepyouvirus.exe
2012-08-18 17:07 - 2007-09-15 16:48 - 00006206 ____A C:\Users\Optimus Prime\AppData\Roaming\wklnhst.dat
2012-08-16 18:09 - 2012-08-16 18:09 - 00000891 ____A C:\Users\All Users\awdpaaa.tmp
2012-08-16 18:01 - 2012-08-16 18:01 - 00000894 ____A C:\Users\All Users\mqfuaaa.tmp
2012-08-16 18:01 - 2012-08-16 18:01 - 00000890 ____A C:\Users\All Users\xthwbaa.tmp
2012-08-16 15:49 - 2012-08-16 15:49 - 00000885 ____A C:\Users\All Users\kdgsaaa.tmp
2012-08-15 17:22 - 2012-08-15 17:22 - 00000888 ____A C:\Users\All Users\zgtuaaa.tmp
2012-08-15 17:22 - 2012-08-15 17:22 - 00000873 ____A C:\Users\All Users\ygtuaaa.tmp
2012-08-14 23:21 - 2012-07-18 13:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-14 23:21 - 2011-11-30 05:52 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-13 21:14 - 2012-08-13 21:14 - 00000888 ____A C:\Users\All Users\hlnnaaa.tmp
2012-08-13 02:02 - 2012-08-13 02:02 - 00000660 ____A C:\Users\All Users\wnylaaa.tmp
2012-08-13 01:56 - 2012-08-13 01:56 - 00000893 ____A C:\Users\All Users\bwdpaaa.tmp
2012-08-13 01:10 - 2012-08-13 01:10 - 10288512 ____A (Microsoft Corporation) C:\Users\Optimus Prime\Downloads\mseinstall.exe
2012-08-13 01:07 - 2012-08-13 01:07 - 00027424 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
2012-08-13 01:07 - 2006-11-02 04:44 - 00320392 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-13 01:05 - 2012-08-13 01:05 - 00000704 ____A C:\Windows\System32\.crusader
2012-08-11 02:08 - 2012-08-11 02:05 - 02276214 ____A C:\Windows\System32\Drivers\Cat.DB
2012-08-11 02:03 - 2012-08-11 02:03 - 04122616 ____A (PC Tools) C:\Users\Optimus Prime\Downloads\sdsetup.exe
2012-08-11 01:33 - 2012-08-11 01:33 - 07758424 ____A (SurfRight B.V.) C:\Users\Optimus Prime\Downloads\HitmanPro36.exe
2012-08-10 01:33 - 2011-11-28 12:31 - 00001913 ____A C:\Users\Optimus Prime\Desktop\System Mechanic.lnk
2012-08-10 01:29 - 2012-08-10 01:29 - 00074703 ____A C:\Windows\System32\mfc45.dat
2012-08-10 00:33 - 2012-06-17 01:54 - 00000806 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-08-06 12:48 - 2011-11-17 01:53 - 00001666 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-08-02 08:45 - 2011-11-28 12:31 - 00040504 ____A (iolo technologies, LLC) C:\Windows\System32\iolobtdfg.exe
2012-08-02 08:45 - 2011-11-28 12:31 - 00022456 ____A (iolo technologies, LLC) C:\Windows\System32\smrgdf.exe
2012-08-02 07:27 - 2011-11-28 12:31 - 02096360 ____A (iolo technologies, LLC) C:\Windows\System32\Incinerator32.dll
2012-08-02 07:21 - 2012-08-10 01:33 - 00068464 ____A (Raxco Software, Inc.) C:\Windows\System32\Drivers\PDFsFilter.sys
2012-08-02 07:21 - 2011-11-28 12:30 - 00026248 ____A (EldoS Corporation) C:\Windows\System32\Drivers\ElRawDsk.sys
2012-07-31 14:34 - 2012-07-31 14:34 - 00001022 ____A C:\Users\Optimus Prime\Desktop\Play Soul Reaver.lnk
2012-07-26 01:13 - 2012-01-01 18:48 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-10 23:08 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-03 09:46 - 2009-12-18 09:21 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-22 11:34 - 2012-08-11 02:04 - 00203120 ____A (PC Tools) C:\Windows\System32\Drivers\PCTSD.sys
2012-06-17 01:50 - 2012-06-17 01:48 - 03862112 ____A (Piriform Ltd) C:\Users\Optimus Prime\Downloads\ccsetup319_exe
2012-06-13 05:40 - 2012-07-10 23:12 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 09:47 - 2012-07-10 19:43 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 08:47 - 2012-07-10 19:43 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 08:47 - 2012-07-10 19:43 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 07:26 - 2012-07-10 19:43 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-20 19:25 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-20 19:25 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-20 19:25 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-20 19:24 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-20 19:24 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-20 19:25 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-20 19:24 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-20 19:24 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-20 19:24 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-10 23:04 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-10 23:04 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-10 23:04 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-10 23:04 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-10 23:04 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-10 23:04 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-10 23:04 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-10 23:04 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-10 23:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-10 23:04 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-10 23:04 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-10 23:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-10 23:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-10 23:04 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 16:04 - 2012-07-10 19:43 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:03 - 2012-07-10 19:43 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll


ZeroAccess:
C:\Windows\Installer\{8aad7d06-a2b9-d9b6-2b4e-6dbaccc9e76c}
C:\Windows\Installer\{8aad7d06-a2b9-d9b6-2b4e-6dbaccc9e76c}\L
C:\Windows\Installer\{8aad7d06-a2b9-d9b6-2b4e-6dbaccc9e76c}\U
C:\Windows\Installer\{8aad7d06-a2b9-d9b6-2b4e-6dbaccc9e76c}\L\00000004.@
C:\Windows\Installer\{8aad7d06-a2b9-d9b6-2b4e-6dbaccc9e76c}\L\201d3dde

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2009-09-16 21:08] - [2009-04-10 22:28] - 2951168 ____A (Microsoft Corporation) 522BCAF161CF54C270C825A906CBF9E9

C:\Windows\System32\winlogon.exe
[2009-09-16 21:07] - [2009-04-10 22:28] - 0338944 ____A (Microsoft Corporation) 77E3217555453ECCD7A2665CC7F0E4E1

C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe
[2008-06-23 21:39] - [2009-04-10 22:28] - 0046080 ____A (Microsoft Corporation) EE6012E36C1235A4F51116366B6FA69F

C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


===================== Memory info ==========================

Percentage of memory in use: 11%
Total physical RAM: 4093.23 MB
Available physical RAM: 3612.29 MB
Total Pagefile: 3836.37 MB
Available Pagefile: 3680.26 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.35 MB

===================== Partitions ===========================

1 Drive c: (OS) (Fixed) (Total:136.48 GB) (Free:32.17 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:9.9 GB) NTFS
3 Drive e: (VISTA_32_BASIC) (CDROM) (Total:2.84 GB) (Free:0 GB) CDFS
4 Drive f: () (Removable) (Total:29.8 GB) (Free:12.21 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 1024 KB
Disk 1 Online 30 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 71 MB 32 KB
Partition 2 Primary 10 GB 71 MB
Partition 3 Primary 136 GB 10 GB
Partition 0 Extended 2560 MB 147 GB
Partition 4 Logical 2559 MB 147 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 71 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RECOVERY NTFS Partition 10 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C OS NTFS Partition 136 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : DD
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 30 GB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F FAT32 Removable 30 GB Healthy

==================================================================================

Last Boot: 2012-08-25 14:06

======================= End Of Log ==========================

Now Search.txt

Farbar Recovery Scan Tool Version: 25-08-2012
Ran by SYSTEM at 2012-08-25 20:18:02
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-16 21:08] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-06-23 21:41] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2009-09-16 21:08] - [2012-08-21 20:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===
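The Search.txt above settles one question by eye: the services.exe that Vista actually loads from System32 carries the same MD5 (D4E6D91C...) as the 6.0.6002.18005 copy in the WinSxS component store, even though its modified timestamp is 2012-08-21 rather than 2009. The following Python, added here as an example (not part of this thread and not a Farbar tool), automates that comparison over FRST's search-record format. The services.exe records are the ones from the log; the explorer.exe pair with an all-zero store hash is a constructed, hypothetical entry included only to exercise the failing branch.

```python
"""Cross-check a live System32 binary against its WinSxS component-store copies.

Added example: not part of the forum thread and not part of FRST. It parses the
record format FRST prints in Search.txt (a path line followed by a
"[created] - [modified] - size attrs (company) MD5" line) and asks the question
the helper answered by eye above: does the hash of the file actually loaded from
System32 match ANY copy of the same file that Windows keeps in the WinSxS store?
A hash match means the content is a genuine build even if the timestamp was
rewritten; no match means the live copy differs from every stored build and
should be treated as patched until proven otherwise.
"""
import hashlib
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input constructed from the Search.txt posted above. The explorer.exe
# pair is HYPOTHETICAL: the store path and its all-zero hash were invented to
# exercise the failing branch; the services.exe records are the real ones.
SAMPLE_SEARCH = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-16 21:08] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-06-23 21:41] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2009-09-16 21:08] - [2012-08-21 20:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_hypothetical-store-copy\explorer.exe
[2009-09-16 21:08] - [2009-04-10 22:28] - 2951168 ____A (Microsoft Corporation) 00000000000000000000000000000000

C:\Windows\explorer.exe
[2009-09-16 21:08] - [2009-04-10 22:28] - 2951168 ____A (Microsoft Corporation) 522BCAF161CF54C270C825A906CBF9E9

=== End Of Search ===
"""

# One FRST search record: the path line, then the bracketed detail line.
RECORD_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+)\r?\n"
    r"\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$",
    re.MULTILINE,
)


def parse_records(text):
    """Yield (path, md5, created, modified, size) for each FRST search record."""
    for m in RECORD_RE.finditer(text):
        yield (m.group("path"), m.group("md5").upper(),
               m.group("created"), m.group("modified"), int(m.group("size")))


def classify(text):
    """Map every live (non-WinSxS) file in the output to a verdict string.

    matches-store          hash equals a store copy with the same name and timestamp
    matches-store-retimed  hash equals a store copy, but the live file was written
                           at a different time (restored or re-copied, content intact)
    no-store-match         no store copy carries this hash: treat as patched
    no-store-copy          nothing in WinSxS to compare against
    """
    store = defaultdict(dict)          # file name -> {md5: modified timestamp}
    live = []
    for path, md5, _created, modified, _size in parse_records(text):
        name = PureWindowsPath(path).name.lower()
        if "\\winsxs\\" in path.lower():
            store[name][md5] = modified
        else:
            live.append((path, name, md5, modified))
    verdicts = {}
    for path, name, md5, modified in live:
        copies = store.get(name)
        if not copies:
            verdicts[path] = "no-store-copy"
        elif md5 not in copies:
            verdicts[path] = "no-store-match"
        elif copies[md5] != modified:
            verdicts[path] = "matches-store-retimed"
        else:
            verdicts[path] = "matches-store"
    return verdicts


def md5_of(path, chunk=1 << 20):
    """MD5 of a file on disk, to run the same comparison without FRST
    (e.g. hash System32 and the WinSxS copies from a recovery environment)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_SEARCH).items():
        print(f"{verdict:22} {path}")
```

The verdict for services.exe is "matches-store-retimed": the file was written on 2012-08-21 but its content is byte-identical to the 6.0.6002.18005 build, which is what the helper concluded before moving on to the rest of the machine. A file that hashes to nothing in the store, as in the constructed explorer.exe entry, is the case that warrants replacement from a known-good copy.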

#4 CatByte

  • Malware Response Team

Posted 25 August 2012 - 07:50 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start

HKLM\...\Run: [] [x]
2012-08-22 20:08 - 2012-08-22 20:08 - 00000858 ____A C:\Users\All Users\onwnaaa.tmp
2012-08-22 19:51 - 2012-08-22 19:51 - 00000885 ____A C:\Users\All Users\lrloaaa.tmp
2012-08-21 22:07 - 2012-08-21 22:07 - 00000892 ____A C:\Users\All Users\opdqaaa.tmp
2012-08-21 15:06 - 2012-08-21 15:06 - 00000919 ____A C:\Users\All Users\emdvbaa.tmp
2012-08-21 14:08 - 2012-08-21 14:08 - 00000881 ____A C:\Users\All Users\fsooaaa.tmp
2012-08-20 23:11 - 2012-08-20 23:11 - 00000894 ____A C:\Users\All Users\lpemaaa.tmp
2012-08-20 22:20 - 2012-08-20 22:20 - 00000899 ____A C:\Users\All Users\jgtoaaa.tmp
2012-08-20 12:50 - 2012-08-20 12:50 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ledrccqx.sys
2012-08-18 17:20 - 2012-08-18 17:20 - 00000862 ____A C:\Users\All Users\aykraaa.tmp
2012-08-18 17:18 - 2012-08-18 17:18 - 00000908 ____A C:\Users\All Users\whnsbaa.tmp
2012-08-16 18:09 - 2012-08-16 18:09 - 00000891 ____A C:\Users\All Users\awdpaaa.tmp
2012-08-16 18:01 - 2012-08-16 18:01 - 00000894 ____A C:\Users\All Users\mqfuaaa.tmp
2012-08-16 18:01 - 2012-08-16 18:01 - 00000890 ____A C:\Users\All Users\xthwbaa.tmp
2012-08-16 15:49 - 2012-08-16 15:49 - 00000885 ____A C:\Users\All Users\kdgsaaa.tmp
2012-08-15 17:22 - 2012-08-15 17:22 - 00000888 ____A C:\Users\All Users\zgtuaaa.tmp
2012-08-15 17:22 - 2012-08-15 17:22 - 00000873 ____A C:\Users\All Users\ygtuaaa.tmp
2012-08-13 21:14 - 2012-08-13 21:14 - 00000888 ____A C:\Users\All Users\hlnnaaa.tmp
2012-08-13 02:02 - 2012-08-13 02:02 - 00000660 ____A C:\Users\All Users\wnylaaa.tmp
2012-08-13 01:56 - 2012-08-13 01:56 - 00000893 ____A C:\Users\All Users\bwdpaaa.tmp
C:\Windows\Installer\{8aad7d06-a2b9-d9b6-2b4e-6dbaccc9e76c}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


Note: If you already have a copy of ComboFix on your desktop > right click and delete it

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
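The fixlist above was assembled by hand from the FRST log: the randomly named seven-letter .tmp files under C:\Users\All Users, the randomly named driver in System32\Drivers, and the folder FRST itself reported under the "ZeroAccess:" heading. The Python below, added here as an example and not part of this thread or of FRST, turns that selection into code so the same triage can be repeated on another FRST log. The sample lines are taken from the log posted earlier in this thread; the `since` cutoff (the approximate date of the first symptom) and the empty `known_drivers` allowlist are assumptions a reviewer would supply.

```python
"""Triage FRST "3 Months Modified Files" lines into an FRST fixlist.

Added example: not part of the forum thread and not a Farbar tool. It encodes
the selection CatByte made by hand in the fixlist above: randomly named
seven-letter .tmp files dropped into the All Users profile folder, a randomly
named driver in System32/Drivers written once and never updated, and the
top-level ZeroAccess folder FRST reports under the Windows Installer directory.
The rules are this thread's observations, not a general malware signature, so
treat the output as candidates for a human to review before the Fix button.
"""
import re
from datetime import datetime

# Sample input constructed from the FRST log posted above (a subset of lines).
SAMPLE_LOG = r"""
============ 3 Months Modified Files ========================

2012-08-25 14:01 - 2012-08-20 21:12 - 00007632 ____A C:\Users\Optimus Prime\Desktop\Rkill.txt
2012-08-22 20:08 - 2012-08-22 20:08 - 00000858 ____A C:\Users\All Users\onwnaaa.tmp
2012-08-21 20:27 - 2009-09-16 21:08 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-21 15:06 - 2012-08-21 15:06 - 00000919 ____A C:\Users\All Users\emdvbaa.tmp
2012-08-20 12:50 - 2012-08-20 12:50 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ledrccqx.sys
2012-08-14 23:21 - 2012-07-18 13:02 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-13 01:56 - 2012-08-13 01:56 - 00000893 ____A C:\Users\All Users\bwdpaaa.tmp
2012-08-13 01:07 - 2012-08-13 01:07 - 00027424 ____A C:\Windows\System32\Drivers\hitmanpro36.sys
2012-07-03 09:46 - 2009-12-18 09:21 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

ZeroAccess:
C:\Windows\Installer\{8aad7d06-a2b9-d9b6-2b4e-6dbaccc9e76c}
C:\Windows\Installer\{8aad7d06-a2b9-d9b6-2b4e-6dbaccc9e76c}\L
C:\Windows\Installer\{8aad7d06-a2b9-d9b6-2b4e-6dbaccc9e76c}\U
C:\Windows\Installer\{8aad7d06-a2b9-d9b6-2b4e-6dbaccc9e76c}\L\00000004.@
"""

# FRST "modified files" line: modified - created - size attrs [(company)] path.
# The company field is copied from the file's version resource; it is not a
# signature check, so a dropper can claim "Microsoft Corporation" freely.
LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>[A-Za-z]:\\.*)$"
)
RANDOM_TMP = re.compile(r"^C:\\Users\\All Users\\[a-z]{7}\.tmp$", re.IGNORECASE)
RANDOM_DRIVER = re.compile(r"^C:\\Windows\\System32\\Drivers\\[a-z]{8}\.sys$")
# Top-level ZeroAccess folder only; FRST deletes a folder recursively.
ZEROACCESS_DIR = re.compile(
    r"^C:\\Windows\\Installer\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$",
    re.IGNORECASE,
)


def triage(log_text, since, known_drivers=frozenset()):
    """Return fixlist lines (without start/end) for suspect entries in log_text.

    since: ISO date of the first symptom (assumed input); earlier files are ignored.
    known_drivers: lower-case driver names already verified on a clean reference
                   machine, exempt from the random-name rule (hypothetical input).
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    picks = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            if datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M") < cutoff:
                continue
            path = m.group("path")
            # Written once and never touched again: typical of a dropped file,
            # unlike system binaries whose created and modified times differ.
            fresh = m.group("modified") == m.group("created")
            driver_name = path.rsplit("\\", 1)[-1].lower()
            if fresh and RANDOM_TMP.match(path):
                picks.append(line)          # FRST accepts the log line verbatim
            elif fresh and RANDOM_DRIVER.match(path) and driver_name not in known_drivers:
                picks.append(line)
        elif ZEROACCESS_DIR.match(line):
            picks.append(line)              # bare path entry, as in the fixlist above
    return picks


def build_fixlist(lines):
    """Wrap the picked entries in the start/end markers FRST expects."""
    return "start\n" + "\n".join(lines) + "\nend\n"


if __name__ == "__main__":
    print(build_fixlist(triage(SAMPLE_LOG, since="2012-08-11")))
```

Run against the sample, the script picks the three .tmp lines, the ledrccqx.sys line and the Installer GUID folder, and leaves Rkill.txt, services.exe, FlashPlayerApp.exe, hitmanpro36.sys and mbam.sys alone. The time window does real work here: mbam.sys falls before the cutoff, and a legitimately updated system file fails the "written once" test because its created and modified times differ.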


#5 Tythen

  • Topic Starter

Posted 25 August 2012 - 09:06 PM

ComboFix 12-08-25.04 - Optimus Prime 08/25/2012 21:29:39.1.2 - x86
Running from: c:\users\Optimus Prime\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Optimus Prime\AppData\Local\._Revolution_
c:\users\Optimus Prime\AppData\Local\{2AD73750-2637-4EA3-A6A0-7C6991F63712}
c:\users\Optimus Prime\AppData\Local\{2AD73750-2637-4EA3-A6A0-7C6991F63712}\chrome.manifest
c:\users\Optimus Prime\AppData\Local\{2AD73750-2637-4EA3-A6A0-7C6991F63712}\chrome\content\overlay.xul
c:\users\Optimus Prime\AppData\Local\{2AD73750-2637-4EA3-A6A0-7C6991F63712}\install.rdf
c:\users\Optimus Prime\AppData\Roaming\Start
c:\users\Optimus Prime\AppData\Roaming\Start\temp_BB40E0B5\flash.10.0.32.18.ocx
c:\users\Optimus Prime\EULA.txt
c:\users\Optimus Prime\mbr.exe
c:\windows\$NtUninstallKB56777$
c:\windows\expert
c:\windows\expert\X6826.INI
c:\windows\expl.dat
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
c:\windows\system32\samsrv.dll . . . is infected!!
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.cdrom
.
.
((((((((((((((((((((((((( Files Created from 2012-07-26 to 2012-08-26 )))))))))))))))))))))))))))))))
.
.
2012-08-26 01:45 . 2012-08-26 01:45 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-08-26 01:45 . 2012-08-26 01:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-26 01:45 . 2012-08-26 01:48 -------- d-----w- c:\users\Optimus Prime\AppData\Local\temp
2012-08-25 22:38 . 2012-08-26 02:56 -------- dc----w- C:\FRST
2012-08-24 03:25 . 2012-08-24 03:25 89088 -c--a-w- C:\mbr.exe
2012-08-22 03:56 . 2012-08-22 03:56 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-21 06:10 . 2012-08-21 06:09 4731392 -c--a-w- C:\aswMBR.exe
2012-08-21 05:53 . 2012-08-25 21:40 -------- dc----w- C:\TDSSKiller_Quarantine
2012-08-21 05:15 . 2012-08-21 04:57 335 -c--a-w- C:\FixExe.reg
2012-08-21 05:14 . 2012-08-21 04:58 1587616 -c--a-w- C:\rkill.exe
2012-08-19 01:16 . 2012-02-09 18:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-08-19 01:16 . 2012-02-09 18:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EBD19BE8-064E-4B8E-A518-DC4222BD0C02}\gapaengine.dll
2012-08-19 01:15 . 2012-07-16 06:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{61E59E09-E95D-4097-86E6-B7348301A8DC}\mpengine.dll
2012-08-19 01:12 . 2012-08-19 01:13 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-13 09:07 . 2012-08-13 09:07 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-08-11 10:07 . 2012-08-11 10:07 -------- d-----w- c:\program files\PC Tools
2012-08-11 10:04 . 2012-06-22 19:34 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-08-11 10:04 . 2012-08-13 04:27 -------- d-----w- c:\program files\Common Files\PC Tools
2012-08-11 10:04 . 2012-08-13 04:04 -------- d-----w- c:\programdata\PC Tools
2012-08-11 10:04 . 2012-08-11 10:04 -------- d-----w- c:\users\Optimus Prime\AppData\Roaming\TestApp
2012-08-11 09:34 . 2012-08-13 09:05 -------- d-----w- c:\programdata\HitmanPro
2012-08-11 00:07 . 2012-08-11 03:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-08-10 09:33 . 2012-08-02 15:21 68464 ----a-w- c:\windows\system32\drivers\PDFsFilter.sys
2012-08-10 09:29 . 2012-08-10 09:29 74703 ----a-w- c:\windows\system32\mfc45.dat
2012-08-08 08:54 . 2012-08-08 08:54 -------- d-----w- c:\windows\Sun
2012-08-06 20:36 . 2012-08-06 20:37 -------- d-----w- c:\program files\QuickTime
2012-07-31 22:30 . 2012-07-31 22:30 -------- d-----w- c:\program files\Eidos Interactive
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-22 04:27 . 2009-09-17 05:08 279552 ----a-w- c:\windows\system32\services.exe
2012-08-15 07:21 . 2012-07-18 21:02 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 07:21 . 2011-11-30 13:52 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-02 16:45 . 2011-11-28 20:31 40504 ----a-w- c:\windows\system32\iolobtdfg.exe
2012-08-02 16:45 . 2011-11-28 20:31 22456 ----a-w- c:\windows\system32\smrgdf.exe
2012-08-02 15:27 . 2011-11-28 20:31 2096360 ----a-w- c:\windows\system32\Incinerator32.dll
2012-08-02 15:21 . 2011-11-28 20:30 26248 ----a-w- c:\windows\system32\drivers\ElRawDsk.sys
2012-07-03 17:46 . 2009-12-18 17:21 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:40 . 2012-07-11 07:12 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 16:47 . 2012-07-11 03:43 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47 . 2012-07-11 03:43 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26 . 2012-07-11 03:43 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19 . 2012-06-21 03:25 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 03:25 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 03:24 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 03:24 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 03:25 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 03:25 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 03:24 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 03:24 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-21 03:24 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33 . 2012-07-11 07:04 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-11 07:04 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-11 07:04 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-11 07:04 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-11 07:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 00:04 . 2012-07-11 03:43 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03 . 2012-07-11 03:43 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-23 4777856]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-01 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-05-21 159744]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-03-16 17920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-20 30192]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe" [2012-08-15 686792]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\04208014.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\29134233.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-05-31 00:06 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-06-07 23:33 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-03-26 21:08 931200 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 00:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 13:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-01-01 19:30 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2011-08-05 16:29 159456 ----a-w- c:\program files\Zune\ZuneLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-18 07:21]
.
2012-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-01 19:26]
.
2012-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-01 19:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4070830
uInternet Settings,ProxyOverride = *.local
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 128.163.37.132 128.163.1.11
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-MsMpSvc
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-25 21:51
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{DC0F2F93-27FA-4F84-ACAA-9416F90B9511}"=hex:51,66,7a,6c,4c,1d,38,12,fd,2c,1c,
d8,c8,69,ea,0a,d3,bc,d7,56,fc,55,d1,05
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{CA6319C0-31B7-401E-A518-A07C3DB8F777}"=hex:51,66,7a,6c,4c,1d,38,12,ae,1a,70,
ce,85,7f,70,05,da,0e,e3,3c,38,e6,b3,63
"{EAD3A971-6A23-4246-8691-C9244E858967}"=hex:51,66,7a,6c,4c,1d,38,12,1f,aa,c0,
ee,11,24,28,07,f9,87,8a,64,4b,db,cd,73
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:1b,88,77,00,49,75,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2f,9d,38,55,72,e4,91,44,a8,7d,ad,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2f,9d,38,55,72,e4,91,44,a8,7d,ad,\
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3408)
c:\windows\system32\btncopy.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\iolo\Common\Lib\ioloServiceManager.exe
c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\java.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\WUDFHost.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Digital Line Detect\DLG.exe
c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\sdclt.exe
.
**************************************************************************
.
Completion time: 2012-08-25 21:58:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-26 01:57
.
Pre-Run: 34,507,083,776 bytes free
Post-Run: 34,264,870,912 bytes free
.
- - End Of File - - F38D395D3E6800B9D49E0AD180811576

#6 CatByte
Malware Response Team
Posted 25 August 2012 - 09:14 PM

We need to use the FRST tool again to search for replacements for the infected files found by ComboFix.

  • Please enter System Recovery Options and select Command Prompt.
  • Run FRST.
  • Type the following in the edit box after "Search:" so it looks like this:

    Search: explorer.exe;winlogon.exe;samsrv.dll

  • Click the Search button and post the log it makes in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Tythen (Topic Starter)
Posted 25 August 2012 - 09:36 PM

Will post the results in a moment, just wanted to thank you for all your help!

#8 Tythen (Topic Starter)
Posted 25 August 2012 - 09:48 PM

Farbar Recovery Scan Tool Version: 25-08-2012
Ran by SYSTEM at 2012-08-25 22:36:01
Running from F:\

================== Search: "explorer.exe;winlogon.exe;samsrv.dll" ===================

C:\Windows\explorer.exe
[2009-09-16 21:08] - [2009-04-10 22:28] - 2951168 ____A (Microsoft Corporation) 522BCAF161CF54C270C825A906CBF9E9

C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2009-09-16 21:07] - [2009-04-10 22:28] - 0314368 ____A (Microsoft Corporation) 898E7C06A350D4A1A64A9EA264D55452

C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe
[2008-06-23 21:41] - [2008-01-18 23:33] - 0314880 ____A (Microsoft Corporation) C2610B6BDBEFC053BBDAB4F1B965CB24

C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
[2006-11-02 00:44] - [2006-11-02 01:45] - 0308224 ____A (Microsoft Corporation) 9F75392B9128A91ABAFB044EA350BAAD

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2009-09-16 21:08] - [2009-04-10 22:27] - 2926592 ____A (Microsoft Corporation) D07D4C3038F3578FFCE1C0237F2A1253

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2008-12-24 04:35] - [2008-10-29 19:59] - 2927616 ____A (Microsoft Corporation) 50BA5850147410CDE89C523AD3BC606E

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008-12-24 04:35] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[2008-06-23 21:42] - [2008-01-18 23:33] - 2927104 ____A (Microsoft Corporation) FFA764631CB70A30065C12EF8E174F9F

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008-12-24 04:35] - [2008-10-27 18:15] - 2923520 ____A (Microsoft Corporation) E7156B0B74762D9DE0E66BDCDE06E5FB

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008-12-24 04:35] - [2008-10-28 22:20] - 2923520 ____A (Microsoft Corporation) 37440D09DEAE0B672A04DCCF7ABF06BE

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
[2006-11-02 00:47] - [2006-11-02 01:45] - 2923520 ____A (Microsoft Corporation) FD8C53FB002217F6F888BCF6F5D7084D

C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6002.18005_none_b3d9d2699e1659b0\samsrv.dll
[2009-09-16 21:08] - [2009-04-10 22:28] - 0483328 ____A (Microsoft Corporation) 7808BF0E367ED7348808879CEF482AB3

C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6001.18000_none_b1ee595da0f48e64\samsrv.dll
[2008-06-23 21:42] - [2008-01-18 23:36] - 0478720 ____A (Microsoft Corporation) 1EACFF296A418F23B38BBC02E337F38B

C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6000.16386_none_afb79761a4097d90\samsrv.dll
[2006-11-02 00:45] - [2006-11-02 01:46] - 0474624 ____A (Microsoft Corporation) 22054E4E3CF6174CFCE6AB2776DA22A0

C:\Windows\System32\samsrv.dll
[2009-09-16 21:08] - [2009-04-10 22:28] - 0483328 ____A (Microsoft Corporation) 7808BF0E367ED7348808879CEF482AB3

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2012-01-01 18:48] - [2012-07-03 09:46] - 0217672 ____A () 8A7F34F0BBD076EC3815680A7309114F

=== End Of Search ===

#9 CatByte
Malware Response Team
Posted 25 August 2012 - 09:56 PM

Please run the following:


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe | C:\Windows\explorer.exe
C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6002.18005_none_b3d9d2699e1659b0\samsrv.dll | C:\Windows\System32\samsrv.dll
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe | c:\windows\system32\winlogon.exe

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
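As an added example (not CatByte's, FRST's or ComboFix's own code), the following Python parses FRST search output in the format shown in post #8, picks for each live system file the newest winsxs copy whose version matches the installed build (6.0.6002, taken from the ComboFix log's "Windows 6.0.6002 Service Pack 2" line), flags live copies whose MD5 and size differ from that donor, and renders the corresponding FCopy:: lines for a CFScript as in post #9. The sample input is constructed with made-up MD5 values; only the winsxs directory names follow the log.

```python
import re
from collections import defaultdict

# Constructed sample in the FRST "Search:" output format (MD5 values are made up
# for this example; the winsxs directory names follow the log above).
SAMPLE = r"""
C:\Windows\explorer.exe
[2009-09-16 21:08] - [2009-04-10 22:28] - 2951168 ____A (Microsoft Corporation) AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2009-09-16 21:08] - [2009-04-10 22:27] - 2926592 ____A (Microsoft Corporation) BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[2008-06-23 21:42] - [2008-01-18 23:33] - 2927104 ____A (Microsoft Corporation) CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
C:\Windows\System32\samsrv.dll
[2009-09-16 21:08] - [2009-04-10 22:28] - 0483328 ____A (Microsoft Corporation) DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6002.18005_none_b3d9d2699e1659b0\samsrv.dll
[2009-09-16 21:08] - [2009-04-10 22:28] - 0483328 ____A (Microsoft Corporation) DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
"""
# Detail line: [created] - [modified] - size attributes (company) MD5
DETAIL_RE = re.compile(r"^\[[^\]]+\] - \[[^\]]+\] - (?P<size>\d+) \S+ "
                       r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")
# Component version embedded in a winsxs directory name, e.g. _6.0.6002.18005_
VERSION_RE = re.compile(r"\\winsxs\\[^\\]*_(\d+\.\d+\.\d+\.\d+)_", re.IGNORECASE)

def parse_search(text):
    """Pair each path line with the detail line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i + 1 < len(lines):
        m = DETAIL_RE.match(lines[i + 1])
        if not m:  # not a path/detail pair (e.g. the "Search:" header line)
            i += 1
            continue
        v = VERSION_RE.search(lines[i])
        entries.append({"path": lines[i], "size": int(m.group("size")),
                        "md5": m.group("md5").upper(),
                        "version": tuple(int(x) for x in v.group(1).split(".")) if v else None})
        i += 2
    return entries

def plan_replacements(entries, os_build=(6, 0, 6002)):
    """For each live file under the Windows directory (outside winsxs), pick the newest
    winsxs copy of the installed build as donor and record whether MD5 and size agree."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    plan = {}
    for items in by_name.values():
        donors = [e for e in items if e["version"] and e["version"][:3] == os_build]
        live = [e for e in items if e["version"] is None
                and e["path"].lower().startswith("c:\\windows\\")]
        if donors and live:
            donor = max(donors, key=lambda e: e["version"])
            for e in live:
                plan[e["path"]] = {"donor": donor["path"], "matches":
                                   e["md5"] == donor["md5"] and e["size"] == donor["size"]}
    return plan

def fcopy_script(plan):
    """Render CFScript FCopy:: lines only for live copies that differ from their donor."""
    out = ["FCopy::"]
    for live_path, info in sorted(plan.items()):
        if not info["matches"]:
            out.append(f"{info['donor']} | {live_path}")
    return "\n".join(out)
```

A live copy that is larger than every winsxs copy of the same build, as explorer.exe is in post #8, is the pattern a file-infector leaves behind, which is why the hash and size comparison is the check worth automating.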


#10 Tythen (Topic Starter)
Posted 25 August 2012 - 10:09 PM

I am now getting the blue screen lock out.

0x000000F4 (0x000000003, 0x8829A7F0,08829A93C,0x8262EAB0)

#11 CatByte
Malware Response Team
Posted 25 August 2012 - 10:26 PM

That's strange, because that error is usually due to a hardware issue.

Please boot into the Recovery Environment as you did for FRST, but instead of choosing the Command Prompt, choose "System Restore" and restore the machine to the last restore point that is available prior to running the last ComboFix script.

Let me know if the computer will now boot normally.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 Tythen (Topic Starter)
Posted 25 August 2012 - 10:38 PM

It says no restore points have been created on my computer's system disk.

#13 CatByte
Malware Response Team
Posted 25 August 2012 - 10:39 PM

Please run a FRST scan and post the log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 Tythen (Topic Starter)
Posted 25 August 2012 - 10:42 PM

I rebooted into safe mode with networking; blue screen again.

0x000000F4 (0x000000003, 0x8839D628, 0x8839D774, 0x8262AAB0)

#15 CatByte
Malware Response Team
Posted 25 August 2012 - 10:45 PM

It's another FRST scan from the recovery environment that I am looking for.

These instructions (minus the search):

http://www.bleepingcomputer.com/forums/topic466400.html/page__view__findpost__p__2818757

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




