
mebroot/torpig infection


22 replies to this topic

#1 paul van dijk


Posted 01 September 2012 - 12:00 PM

hi, after having been helped with a virus here before on my own computer (which was extremely nice) i am now returning for a computer of a friend

the laptop was quarantined by the provider (on her own connection) because of a mebroot/torpig infection.

we tried several antivirus programs and resetting windows to an earlier date, but this didn't work. when running a fresh windows install from cd somehow i get a bluescreen (can't remember what), which might not have anything to do with the virus.

i'd rather try and remove the virus instead of trying a full wipe. i am aware of the risks.

below you'll find the logs. btw the gmer program looked a bit different from the screenshots in the guide, a lot of buttons were grey. when i attempted to run in normal windows mode it didn't put anything in the log and gave an error, when repeating the same in safe mode i got the log as attached.

thanks in advance.

btw the gmer/dds were put in /downloads by me/browser and copied to the desktop.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by ilona at 16:02:30 on 2012-09-01
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.31.1043.18.1913.731 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\AVG\AVG PC Tuneup\BoostSpeed.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe
C:\Users\ilona\AppData\Local\Facebook\Update\FacebookUpdate.exe
C:\Users\ilona\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.nl/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [TOPI.EXE] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe /STARTUP
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Facebook Update] "C:\Users\ilona\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Spotify Web Helper] "C:\Users\ilona\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
mRun: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
mRun: [KeNotify] "C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe" LPCM
mRun: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe /hide:60
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
dRun: [TOPI.EXE] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe /STARTUP
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Toevoegen aan TOSHIBA Bulletin Board - C:\Program Files\TOSHIBA\BulletinBoard\TosBBCom.dll/1000
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
IE: {97F922BD-8563-4184-87EE-8C4ACA438823} - {5D29E593-73A5-400A-B3BD-6B7A1AF05A31} - C:\Program Files\TOSHIBA\BulletinBoard\TosBBCom.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 62.179.104.196 213.46.228.196
TCP: Interfaces\{2F587BD2-20DE-4C2A-8276-D26A1461CDEA} : NameServer = 131.174.78.16,131.174.78.17
TCP: Interfaces\{9BA13107-39FA-4CB3-9F15-A7F946381A69} : DhcpNameServer = 62.179.104.196 213.46.228.196
TCP: Interfaces\{9BA13107-39FA-4CB3-9F15-A7F946381A69}\A5967676F61303335343 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9BA13107-39FA-4CB3-9F15-A7F946381A69}\E435D275946494D27455543545 : DhcpNameServer = 213.75.63.36
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}
{AA58ED58-01DD-4d91-8333-CF10577473F7}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{F3C88694-EFFA-4d78-B409-54B7B2535B14}
{2318C2B1-4965-11d4-9B18-009027A5CD4F}
mRun-x64: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
mRun-x64: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
mRun-x64: [KeNotify] "C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe" LPCM
mRun-x64: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe /hide:60
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\ilona\AppData\Roaming\Mozilla\Firefox\Profiles\pkfzkv1c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Users\ilona\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-1-28 249200]
R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-10 46448]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2011-5-25 1811456]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-9-9 2358656]
R3 CeKbFilter;CeKbFilter;C:\Windows\system32\DRIVERS\CeKbFilter.sys --> C:\Windows\system32\DRIVERS\CeKbFilter.sys [?]
R3 PGEffect;Pangu effect driver;C:\Windows\system32\DRIVERS\pgeffect.sys --> C:\Windows\system32\DRIVERS\pgeffect.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\system32\DRIVERS\rtl8192Ce.sys --> C:\Windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-5-25 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Updateservice (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-22 136176]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-15 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-8 250056]
S3 gupdatem;Google Update-service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-22 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-9-1 114144]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [2011-2-10 112080]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;%TsUsbGD.DeviceDesc.Generic%;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies-service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
inffile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
VBEFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
VBSFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-09-01 10:47:44 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-31 21:36:26 98816 ----a-w- C:\Windows\sed.exe
2012-08-31 21:36:26 518144 ----a-w- C:\Windows\SWREG.exe
2012-08-31 21:36:26 256000 ----a-w- C:\Windows\PEV.exe
2012-08-31 21:36:26 208896 ----a-w- C:\Windows\MBR.exe
2012-08-31 21:35:24 -------- d-----w- C:\ComboFix
2012-08-19 16:51:00 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-08-19 16:51:00 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-08-19 16:51:00 136704 ----a-w- C:\Windows\System32\browser.dll
2012-08-19 16:50:57 503808 ----a-w- C:\Windows\System32\srcore.dll
2012-08-19 16:50:57 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2012-08-19 16:50:56 751104 ----a-w- C:\Windows\System32\win32spl.dll
2012-08-19 16:50:56 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2012-08-19 16:50:56 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2012-08-19 16:50:55 67072 ----a-w- C:\Windows\splwow64.exe
2012-08-19 16:50:49 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-08-19 16:50:48 956928 ----a-w- C:\Windows\System32\localspl.dll
.
==================== Find3M ====================
.
2012-08-26 12:40:59 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-26 12:40:59 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
.
============= FINISH: 16:10:21,18 ===============
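As an added triage example (not a DDS or BleepingComputer tool; the line formats it parses are inferred from the DDS log above), this Python script reads the "Pseudo HJT Report" autorun lines and the "SERVICES / DRIVERS" lines and lists the entries a helper looks at first: autoruns launched from user-writable directories, and drivers or services for which DDS recorded "[?]" instead of a date and size. The flags are review points, not verdicts; the AVG driver and the Facebook updater in the sample are legitimate and still get listed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the DDS log above (a few lines only).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.nl/
uRun: [Facebook Update] "C:\Users\ilona\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
.
============= SERVICES / DRIVERS ===============
.
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
S3 WatAdminSvc;Windows Activation Technologies-service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
"""

# Section banner: "====== Name ======"
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# uRun (per-user hive), mRun (machine hive), dRun (default user); "-x64" = 64-bit hive view
AUTORUN_RE = re.compile(r"^([umd]Run(?:-x64)?): \[(.*?)\] (.*)$")
# First Windows path ending in an executable-type extension, quoted or not
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|scr|bat|cmd|vbs|pif))\b", re.I)
# "R0 name;display;path [--> path] [date size | ?]"  (R = running, S = stopped)
DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[([^\]]*)\]$")
# Directories any user account can write to (assumption: the usual review set)
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(users|programdata)\\", re.I)


@dataclass
class Autorun:
    kind: str
    name: str
    command: str
    path: Optional[str]   # None when no executable path could be extracted


@dataclass
class Driver:
    status: str           # e.g. "R0": running, boot-start; "S3": stopped, manual-start
    name: str
    display: str
    path: str             # the registered image path (text before any " --> ")
    info: str             # "date size" as DDS recorded it, or "?" when it recorded nothing


def parse_dds(text: str) -> Tuple[List[Autorun], List[Driver]]:
    """Walk the log once, tracking the current section banner."""
    autoruns: List[Autorun] = []
    drivers: List[Driver] = []
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if section == "Pseudo HJT Report":
            m = AUTORUN_RE.match(line)
            if m:
                kind, name, command = m.groups()
                p = PATH_RE.search(command)
                autoruns.append(Autorun(kind, name, command, p.group(1) if p else None))
        elif section == "SERVICES / DRIVERS":
            m = DRIVER_RE.match(line)
            if m:
                status, name, display, path, info = m.groups()
                drivers.append(Driver(status, name, display, path.split(" --> ")[0], info))
    return autoruns, drivers


def triage(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (reason, kind/status, name, path) tuples worth a second look."""
    autoruns, drivers = parse_dds(text)
    findings = []
    for a in autoruns:
        if a.path and USER_WRITABLE_RE.search(a.path):
            findings.append(("autorun-in-user-writable-path", a.kind, a.name, a.path))
    for d in drivers:
        if d.info == "?":
            findings.append(("driver-image-not-readable", d.status, d.name, d.path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```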


 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team

Posted 01 September 2012 - 12:57 PM

Hello paul van dijk,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.


Do you have a USB Flash Drive you can use?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 paul van dijk


Posted 01 September 2012 - 01:14 PM

hi, thanks for the reply

i've got a usb stick and another computer to download stuff on if things don't go as planned.

i've got email notifications on, and will be checking in regularly.

#4 fireman4it

  • Malware Response Team

Posted 01 September 2012 - 07:04 PM

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



#5 paul van dijk


Posted 01 September 2012 - 10:36 PM

when i try loading windows in this mode from advanced boot options windows starts loading with the startup screen but even after 15 minutes nothing happens. when i try starting windows from the cd i get a bluescreen when it is loading (i checked with a different windows cd but that one had the same problem) - i will keep trying but not sure if this will work.

#6 fireman4it

  • Malware Response Team

Posted 01 September 2012 - 11:59 PM

Hello, make sure you read the directions very carefully. We are not trying to load Windows. We are trying to get into the System Recovery Options, then into Command Prompt.



#7 paul van dijk


Posted 02 September 2012 - 06:33 AM

err yes i'm sorry i'm not fluent in english and i may not have described that correctly.

what i do is get the boot menu with f8, choose 'uw computer herstellen' which is dutch for 'repair your computer' (first option) then it says 'loading files' but this screen just doesn't go away.

from the cd i get a bluescreen when the files are loading right after i tap the key to boot from cd.

#8 fireman4it

  • Malware Response Team

Posted 02 September 2012 - 09:48 AM

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


2. Note: Make sure to save it to your desktop and run it.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.



Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

Edited by fireman4it, 02 September 2012 - 09:57 AM.



#9 paul van dijk


Posted 02 September 2012 - 05:59 PM

hi,

for some reason i cannot get tdsskiller to load. i tried in safe mode, normal mode and as administrator, but when i look at the process list it starts and after about a second or two just disappears. i don't see any loading screen or anything.

combofix says avg is running even though as far as i can see (and tried in safe mode too, with no avg processes on) it is off. it did run though. the log is below.

the computer is running fine, but i cannot check the quarantine on the other connection because that is at another address and not near.

ComboFix 12-09-01.01 - ilona 02-09-2012 19:23:35.2.1 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.31.1043.18.1913.1286 [GMT 2:00]
Gestart vanuit: c:\users\ilona\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Nieuw herstelpunt werd aangemaakt
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Voorgaande Run -------
.
c:\programdata\windows\ccdxmmde.dat
c:\programdata\windows\drss.dat
c:\programdata\Windows\xessmsxe.dat
c:\users\ilona\AppData\Roaming\Acipi\esips.ewy
c:\windows\SysWow64\FlashPlayerInstaller.exe
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2012-08-02 to 2012-09-02 ))))))))))))))))))))))))))))))
.
.
2012-09-02 17:52 . 2012-09-02 17:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-01 13:53 . 2012-09-01 13:53 -------- d-----w- c:\users\ilona\AppData\Local\Mozilla
2012-09-01 13:53 . 2012-09-01 13:53 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-08-19 16:51 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-19 16:51 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-08-19 16:51 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-08-19 16:51 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-08-19 16:50 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-08-19 16:50 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-08-19 16:50 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-08-19 16:50 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-19 16:50 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-08-19 16:50 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2012-08-19 16:50 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-19 16:50 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-26 12:40 . 2012-04-08 06:14 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-26 12:40 . 2011-11-22 17:14 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-23 15:23 . 2011-09-09 19:04 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-06-09 05:43 . 2012-07-12 19:44 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-12 19:44 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-12 19:44 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-12 19:44 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-12 19:44 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-12 19:44 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-12 19:44 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-09-01_00.06.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-08-31 20:58 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-09-01 15:43 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-08-31 20:58 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-01 15:43 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-01 15:43 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-31 20:58 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-09-02 17:56 57826 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2011-09-07 07:26 . 2012-09-01 11:34 11008 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2009-07-14 05:10 . 2012-09-02 17:56 50712 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-08-30 15:35 . 2012-09-01 15:52 20302 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2169142549-2474990769-1338660946-1000_UserData.bin
+ 2012-01-31 02:46 . 2012-01-31 02:46 36944 c:\windows\system32\drivers\avgrkx64.sys
+ 2011-12-23 11:32 . 2011-12-23 11:32 47696 c:\windows\system32\drivers\avgmfx64.sys
+ 2012-04-19 02:50 . 2012-04-19 02:50 28480 c:\windows\system32\drivers\avgidsha.sys
+ 2012-01-03 07:45 . 2012-01-03 07:45 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\ViewerPS.dll
+ 2012-01-03 20:51 . 2012-01-03 20:51 37296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\reader_sl.exe
+ 2012-01-03 07:44 . 2012-01-03 07:44 79280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\PDFPrevHndlr.dll
+ 2012-01-03 20:15 . 2012-01-03 20:15 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\eula.exe
+ 2012-01-03 19:52 . 2012-01-03 19:52 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\acrotextextractor.exe
+ 2012-01-03 06:19 . 2012-01-03 06:19 16824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\AcroRd32Info.exe
+ 2012-01-03 06:16 . 2012-01-03 06:16 75200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\acroiehelpershim.dll
+ 2012-01-03 06:16 . 2012-01-03 06:16 61888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\AcroIEHelper.dll
+ 2012-09-02 17:08 . 2012-09-02 17:08 2452 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-08-31 23:59 . 2012-08-31 23:59 2452 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2011-09-11 15:18 . 2012-09-01 10:47 2754 c:\windows\system32\wdi\{88d4896f-f553-446a-9c75-9dec124ff8b7}.bin
- 2012-09-01 00:00 . 2012-09-01 00:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-02 17:54 . 2012-09-02 17:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-09-01 00:00 . 2012-09-01 00:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-09-02 17:54 . 2012-09-02 17:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-08-30 18:55 . 2012-09-02 03:11 264222 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2010-11-21 16:48 . 2012-09-02 16:20 702250 c:\windows\system32\perfh013.dat
- 2010-11-21 16:48 . 2012-08-31 22:53 702250 c:\windows\system32\perfh013.dat
- 2009-07-14 02:36 . 2012-08-31 22:53 616694 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-09-02 16:20 616694 c:\windows\system32\perfh009.dat
+ 2010-11-21 16:48 . 2012-09-02 16:20 133992 c:\windows\system32\perfc013.dat
- 2010-11-21 16:48 . 2012-08-31 22:53 133992 c:\windows\system32\perfc013.dat
- 2009-07-14 02:36 . 2012-08-31 22:53 106816 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-09-02 16:20 106816 c:\windows\system32\perfc009.dat
+ 2012-02-22 03:25 . 2012-02-22 03:25 289872 c:\windows\system32\drivers\avgldx64.sys
- 2009-07-14 05:01 . 2012-08-31 23:59 277220 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-09-02 17:08 277220 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-01-03 06:23 . 2012-01-03 06:23 378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\pdfshell.dll
+ 2012-01-03 06:22 . 2012-01-03 06:22 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\nppdf32.dll
+ 2011-04-22 11:26 . 2011-04-22 11:26 688128 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\JP2KLib.dll
+ 2009-01-18 14:00 . 2009-01-18 14:00 598016 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\AXSLE.dll
+ 2012-01-03 07:43 . 2012-01-03 07:43 550360 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\AdobeCollabSync.exe
+ 2012-01-03 07:37 . 2012-01-03 07:37 320456 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\adobearmhelper.exe
+ 2012-01-02 08:07 . 2012-01-02 08:07 843712 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\adobearm.exe
+ 2012-01-03 06:40 . 2012-01-03 06:40 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\AcroRdIF.dll
+ 2012-01-03 20:50 . 2012-01-03 20:50 357808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\AcroRd32.exe
+ 2012-01-03 06:16 . 2012-01-03 06:16 665008 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\AcroPDF.dll
+ 2012-01-03 07:38 . 2012-01-03 07:38 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\acrobroker.exe
+ 2012-01-03 07:08 . 2012-01-03 07:08 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\a3dutility.exe
- 2011-08-30 15:31 . 2012-08-31 21:06 1689800 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-08-30 15:31 . 2012-09-01 14:49 1689800 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-08-30 16:13 . 2012-09-02 17:08 7032852 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2169142549-2474990769-1338660946-1000-8192.dat
+ 2011-11-22 21:49 . 2012-09-01 14:49 1332228 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2169142549-2474990769-1338660946-1000-12288.dat
+ 2012-09-01 00:58 . 2012-09-01 00:58 8452608 c:\windows\Installer\8367c.msi
+ 2012-03-27 15:47 . 2012-03-27 15:47 4959232 c:\windows\Installer\224ae6f.msp
+ 2012-07-31 16:18 . 2012-07-31 16:18 5018624 c:\windows\Installer\224ae6e.msp
+ 2012-01-04 08:57 . 2012-01-04 08:57 4001792 c:\windows\Installer\224ad94.msi
+ 2012-01-03 06:18 . 2012-01-03 06:18 2405784 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\rt3d.dll
+ 2011-11-17 14:50 . 2011-11-17 14:50 6543872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\authplay.dll
+ 2011-01-30 19:16 . 2011-01-30 19:16 5713408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\AGM.dll
+ 2011-11-15 00:40 . 2012-09-01 11:34 44147300 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2169142549-2474990769-1338660946-1000-4096.dat
+ 2012-01-03 20:15 . 2012-01-03 20:15 20559288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73401B7449A0500000010\9.5.0\AcroRd32.dll
.
-- Snapshot teruggezet naar huidige datum --
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOPI.EXE"="c:\program files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe" [2011-02-18 845176]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-22 39408]
"Facebook Update"="c:\users\ilona\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-16 138096]
"Spotify Web Helper"="c:\users\ilona\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-23 1193176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-02-22 352256]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-03 423936]
"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2010-08-15 34160]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOPI.EXE"="c:\program files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe" [2011-02-18 845176]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe [2009-9-1 481184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Updateservice (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-22 136176]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-15 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-26 250056]
R3 gupdatem;Google Update-service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-22 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-25 114144]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-01-07 232992]
R3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files (x86)\Toshiba TEMPRO\TemproSvc.exe [2011-02-10 112080]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;%TsUsbGD.DeviceDesc.Generic%;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies-service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-07 1255736]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-02-22 289872]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-01-28 249200]
S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2010-08-27 1811456]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]
S3 CeKbFilter;CeKbFilter;c:\windows\system32\DRIVERS\CeKbFilter.sys [2011-05-25 20592]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2011-02-08 38096]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-09-24 349800]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2010-11-02 1103464]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-05 137560]
.
.
Inhoud van de 'Gedeelde Taken' map
.
2012-09-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 12:40]
.
2012-09-02 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2169142549-2474990769-1338660946-1000Core.job
- c:\users\ilona\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-11-30 14:37]
.
2012-09-02 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2169142549-2474990769-1338660946-1000UA.job
- c:\users\ilona\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-11-30 14:37]
.
2012-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-22 17:14]
.
2012-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-22 17:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"Toshiba TEMPRO"="c:\program files (x86)\Toshiba TEMPRO\TemproTray.exe" [2011-02-10 1546720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-07 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-07 391192]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-07 410648]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-28 11101800]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-07-28 2120808]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SmartFaceVWatcher"="c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [BU]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-05 709976]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"Toshiba Registration"="c:\program files\TOSHIBA\Registration\ToshibaReminder.exe" [2011-04-11 150992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Bijkomende Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.nl/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Toevoegen aan TOSHIBA Bulletin Board - c:\program files\TOSHIBA\BulletinBoard\TosBBCom.dll/1000
IE: {{97F922BD-8563-4184-87EE-8C4ACA438823} - {5D29E593-73A5-400A-B3BD-6B7A1AF05A31} - c:\program files\TOSHIBA\BulletinBoard\TosBBCom.dll
TCP: DhcpNameServer = 62.179.104.196 213.46.228.196
TCP: Interfaces\{2F587BD2-20DE-4C2A-8276-D26A1461CDEA}: NameServer = 131.174.78.16,131.174.78.17
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\users\ilona\AppData\Roaming\Mozilla\Firefox\Profiles\pkfzkv1c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/
.
- - - - ORPHANS VERWIJDERD - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files (x86)\AVG\AVG PC Tuneup\BoostSpeed.exe
c:\program files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
.
**************************************************************************
.
Voltooingstijd: 2012-09-02 20:15:38 - machine werd herstart
ComboFix-quarantined-files.txt 2012-09-02 18:15
.
Pre-Run: 54.883.217.408 bytes beschikbaar
Post-Run: 54.824.689.664 bytes beschikbaar
.
- - End Of File - - 7E0F99425B9F17BDD2A4C05061A1D3EF

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:28 PM

Posted 02 September 2012 - 10:45 PM

well we will have to put it back on the network and see what it says.

1.
Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

2.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!


#11 paul van dijk

paul van dijk
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:11:28 PM

Posted 03 September 2012 - 03:50 PM

hi

for some reason this aswMBR program won't run either. i tried it in safe mode, as administrator, in compatibility mode, with avg disabled, but it just won't start.

i can check how it is doing on the network later this week. can't get the aswMBR.exe file to run though. i tried quite a lot: run as admin, in safe mode, in compatibility mode, shutdown avg, even renamed the file and put it in different folders. it just won't start, same as with tdsskiller. could this have to do with the virus/other issues on the laptop or am i doing something wrong?

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:28 PM

Posted 03 September 2012 - 05:22 PM

Hello,

Sometimes these programs just won't run. Please try the following.


1.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

2.
Please download Listparts64
Run the tool, click Scan and post the log (Result.txt) it makes.

Edited by fireman4it, 03 September 2012 - 05:23 PM.



#13 paul van dijk

paul van dijk
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:11:28 PM

Posted 03 September 2012 - 05:50 PM

roguekiller log: (didn't delete anything even though it asked me to do so)

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : ilona [Admin rights]
Mode : Scan -- Date : 09/04/2012 00:44:43

Bad processes : 0

Registry Entries : 7
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{2F587BD2-20DE-4C2A-8276-D26A1461CDEA} : NameServer (131.174.78.16,131.174.78.17) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{2F587BD2-20DE-4C2A-8276-D26A1461CDEA} : NameServer (131.174.78.16,131.174.78.17) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver : [NOT LOADED]

Infection : Root.MBR

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: ST9320310AS +++++
--- User ---
[MBR] 6bb9a4996089356786e9d3276b38b52d
[BSP] 24038e227d95d68cb1b09dee3c9639a1 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 400 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 821248 | Size: 152622 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 313391104 | Size: 152212 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] ad5f305a2bd9a14a262b9633a4d5dbd7
[BSP] 24038e227d95d68cb1b09dee3c9639a1 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 400 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 821248 | Size: 152622 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 313391104 | Size: 152212 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625141760 | Size: 0 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] ad5f305a2bd9a14a262b9633a4d5dbd7
[BSP] 24038e227d95d68cb1b09dee3c9639a1 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 400 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 821248 | Size: 152622 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 313391104 | Size: 152212 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625141760 | Size: 0 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt



-------------------------

listparts64 log:

Scan result of Farbar Recovery Scan Tool Version: 02-09-2012 03
Ran by ilona at 04-09-2012 00:48:19
Running from C:\Users\ilona\Downloads
Service Pack 1 (X64) OS Language: Dutch Standard
Attention: Could not load system hive.Fout: Het proces heeft geen toegang tot het bestand omdat het door een ander proces wordt gebruikt.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ======================

2012-09-04 00:47 - 2012-09-04 00:48 - 01454439 ____A (Farbar) C:\Users\ilona\Downloads\FRST64.exe
2012-09-04 00:44 - 2012-09-04 00:44 - 00002748 ____A C:\Users\ilona\Desktop\RKreport[1].txt
2012-09-04 00:43 - 2012-09-04 00:44 - 00000000 ____D C:\Users\ilona\Desktop\RK_Quarantine
2012-09-04 00:42 - 2012-09-04 00:42 - 01378816 ____A C:\Users\ilona\Desktop\RogueKiller.exe
2012-09-04 00:42 - 2012-09-04 00:42 - 00012345 ____A C:\Users\ilona\Desktop\bERs_KjD.htm.part.htm
2012-09-03 22:53 - 2012-09-03 22:53 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-09-03 22:53 - 2012-09-03 22:53 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-09-03 22:53 - 2012-09-03 22:53 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-09-03 22:53 - 2012-09-03 22:53 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-09-03 22:53 - 2012-09-03 22:53 - 00000000 ____D C:\Program Files (x86)\Java
2012-09-03 22:53 - 2012-05-04 13:00 - 00366592 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
2012-09-03 22:53 - 2012-05-04 11:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2012-09-03 21:31 - 2012-09-03 21:31 - 04731392 ____A (AVAST Software) C:\Users\ilona\Desktop\dsdfwMBR.exe
2012-09-03 21:30 - 2012-09-03 21:31 - 04731392 ____A (AVAST Software) C:\Users\ilona\Downloads\aswMBR.exe
2012-09-03 00:53 - 2012-09-03 00:53 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\ilona\Downloads\tdsskiller(1).exe
2012-09-02 20:15 - 2012-09-02 20:15 - 00026850 ____A C:\ComboFix.txt
2012-09-02 19:17 - 2012-09-02 20:16 - 00000000 ____D C:\ComboFix
2012-09-02 19:14 - 2012-09-02 19:14 - 04742930 ____R (Swearware) C:\Users\ilona\Desktop\ComboFix.exe
2012-09-02 19:06 - 2012-09-02 19:06 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\ilona\Downloads\tdsskiller.exe
2012-09-02 19:06 - 2012-09-02 19:06 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\ilona\Desktop\tdsskiller.exe
2012-09-01 17:39 - 2012-09-01 17:39 - 00000270 ____A C:\Users\ilona\Desktop\ark.log
2012-09-01 16:15 - 2012-09-01 16:15 - 00294216 ____A C:\Users\ilona\Downloads\gmer.zip
2012-09-01 16:14 - 2012-09-01 16:13 - 00302592 ____A C:\Users\ilona\Desktop\p64rro2h.exe
2012-09-01 16:13 - 2012-09-01 16:13 - 00302592 ____A C:\Users\ilona\Downloads\p64rro2h.exe
2012-09-01 16:12 - 2012-09-01 16:12 - 00017190 ____A C:\Users\ilona\Desktop\DDS.txt
2012-09-01 16:12 - 2012-09-01 16:12 - 00003932 ____A C:\Users\ilona\Desktop\Attach.txt
2012-09-01 16:02 - 2012-09-01 16:01 - 00607260 ____R (Swearware) C:\Users\ilona\Desktop\dds.com
2012-09-01 16:01 - 2012-09-01 16:01 - 00607260 ____A (Swearware) C:\Users\ilona\Downloads\dds.com
2012-09-01 15:53 - 2012-09-01 15:54 - 00000000 ____D C:\Users\ilona\AppData\Roaming\Mozilla
2012-09-01 15:53 - 2012-09-01 15:53 - 00001141 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-09-01 15:53 - 2012-09-01 15:53 - 00000000 ____D C:\Users\ilona\AppData\Local\Mozilla
2012-09-01 15:53 - 2012-09-01 15:53 - 00000000 ____D C:\Users\All Users\Mozilla
2012-09-01 15:53 - 2012-09-01 15:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-09-01 15:53 - 2012-09-01 15:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-09-01 15:52 - 2012-09-01 15:52 - 18196136 ____A (Mozilla) C:\Users\ilona\Downloads\Firefox Setup 15.0.exe
2012-09-01 15:51 - 2012-09-01 15:51 - 00027520 ____A C:\Users\ilona\AppData\Local\dt.dat
2012-09-01 15:01 - 2012-09-01 15:01 - 00457624 ____A C:\Windows\Minidump\090112-34757-01.dmp
2012-09-01 13:45 - 2012-09-03 22:43 - 00001398 ____A C:\Windows\setupact.log
2012-09-01 13:45 - 2012-09-02 19:54 - 00002148 ____A C:\Windows\PFRO.log
2012-09-01 13:45 - 2012-09-01 15:01 - 318982674 ____A C:\Windows\MEMORY.DMP
2012-09-01 13:45 - 2012-09-01 13:46 - 00509160 ____A C:\Windows\Minidump\090112-41605-01.dmp
2012-09-01 13:45 - 2012-09-01 13:45 - 00000000 ____A C:\Windows\setuperr.log
2012-09-01 12:49 - 2012-09-01 12:51 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-08-31 23:36 - 2011-06-26 08:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-31 23:36 - 2010-11-07 19:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-31 23:36 - 2009-04-20 06:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-31 23:36 - 2000-08-31 02:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-31 23:36 - 2000-08-31 02:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-31 23:36 - 2000-08-31 02:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-31 23:36 - 2000-08-31 02:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-31 23:36 - 2000-08-31 02:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-31 23:32 - 2012-09-02 20:16 - 00000000 ____D C:\Qoobox
2012-08-31 23:31 - 2012-09-01 02:11 - 00000000 ____D C:\Windows\erdnt
2012-08-31 23:30 - 2012-08-31 23:31 - 04741990 ____R (Swearware) C:\Users\ilona\Downloads\ComboFix.exe
2012-08-23 17:27 - 2012-06-29 06:55 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-23 17:27 - 2012-06-29 06:09 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-23 17:27 - 2012-06-29 05:56 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-23 17:27 - 2012-06-29 05:49 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-23 17:27 - 2012-06-29 05:49 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-23 17:27 - 2012-06-29 05:48 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-23 17:27 - 2012-06-29 05:47 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-23 17:27 - 2012-06-29 05:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-23 17:27 - 2012-06-29 05:44 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-23 17:27 - 2012-06-29 05:43 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-23 17:27 - 2012-06-29 05:42 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-23 17:27 - 2012-06-29 05:40 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-23 17:27 - 2012-06-29 05:39 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-23 17:27 - 2012-06-29 05:35 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-23 17:27 - 2012-06-29 02:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-23 17:27 - 2012-06-29 02:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-23 17:27 - 2012-06-29 02:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-23 17:27 - 2012-06-29 02:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-23 17:27 - 2012-06-29 02:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-23 17:27 - 2012-06-29 02:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-23 17:27 - 2012-06-29 02:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-23 17:27 - 2012-06-29 02:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-23 17:27 - 2012-06-29 02:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-23 17:27 - 2012-06-29 02:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-23 17:27 - 2012-06-29 02:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-23 17:27 - 2012-06-29 02:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-23 17:27 - 2012-06-29 02:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-23 17:27 - 2012-06-29 01:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-19 18:51 - 2012-07-05 00:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-19 18:51 - 2012-07-05 00:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-19 18:51 - 2012-07-05 00:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-19 18:51 - 2012-07-04 23:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-19 18:51 - 2012-07-04 23:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-19 18:50 - 2012-07-18 20:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-19 18:50 - 2012-05-14 07:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-19 18:50 - 2012-05-05 10:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-19 18:50 - 2012-05-05 09:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2012-08-19 18:50 - 2012-02-11 08:43 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-19 18:50 - 2012-02-11 08:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-19 18:50 - 2012-02-11 08:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-08-19 18:50 - 2012-02-11 07:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2012-08-08 21:03 - 2012-09-01 15:01 - 00000000 ____D C:\Windows\Minidump
2012-08-08 14:07 - 2012-08-14 00:09 - 00000000 ____D C:\Users\ilona\Desktop\27 juli


==================== 3 Months Modified Files ================================

2012-09-04 00:44 - 2012-09-04 00:44 - 00002748 ____A C:\Users\ilona\Desktop\RKreport[1].txt
2012-09-04 00:42 - 2012-09-04 00:42 - 01378816 ____A C:\Users\ilona\Desktop\RogueKiller.exe
2012-09-04 00:42 - 2012-09-04 00:42 - 00012345 ____A C:\Users\ilona\Desktop\bERs_KjD.htm.part.htm
2012-09-04 00:40 - 2012-04-08 08:14 - 00000940 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-04 00:36 - 2011-11-22 19:14 - 00001054 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-04 00:08 - 2011-05-25 15:57 - 01556141 ____A C:\Windows\WindowsUpdate.log
2012-09-03 22:53 - 2012-09-03 22:53 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-09-03 22:53 - 2012-09-03 22:53 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-09-03 22:53 - 2012-09-03 22:53 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-09-03 22:53 - 2012-09-03 22:53 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-09-03 22:53 - 2011-11-22 19:16 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-09-03 22:51 - 2009-07-14 06:45 - 00025120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-03 22:51 - 2009-07-14 06:45 - 00025120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-03 22:49 - 2010-11-21 18:48 - 00702250 ____A C:\Windows\System32\perfh013.dat
2012-09-03 22:49 - 2010-11-21 18:48 - 00133992 ____A C:\Windows\System32\perfc013.dat
2012-09-03 22:49 - 2009-07-14 07:13 - 01551050 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-03 22:44 - 2011-11-22 19:14 - 00001050 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-03 22:44 - 2009-07-14 07:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-03 22:43 - 2012-09-01 13:45 - 00001398 ____A C:\Windows\setupact.log
2012-09-03 21:31 - 2012-09-03 21:31 - 04731392 ____A (AVAST Software) C:\Users\ilona\Desktop\dsdfwMBR.exe
2012-09-03 21:31 - 2012-09-03 21:30 - 04731392 ____A (AVAST Software) C:\Users\ilona\Downloads\aswMBR.exe
2012-09-03 00:53 - 2012-09-03 00:53 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\ilona\Downloads\tdsskiller(1).exe
2012-09-02 22:42 - 2011-11-30 14:31 - 00001084 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2169142549-2474990769-1338660946-1000UA.job
2012-09-02 20:15 - 2012-09-02 20:15 - 00026850 ____A C:\ComboFix.txt
2012-09-02 19:56 - 2009-07-14 04:34 - 00000215 ____A C:\Windows\system.ini
2012-09-02 19:54 - 2012-09-01 13:45 - 00002148 ____A C:\Windows\PFRO.log
2012-09-02 19:14 - 2012-09-02 19:14 - 04742930 ____R (Swearware) C:\Users\ilona\Desktop\ComboFix.exe
2012-09-02 19:06 - 2012-09-02 19:06 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\ilona\Downloads\tdsskiller.exe
2012-09-02 19:06 - 2012-09-02 19:06 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\ilona\Desktop\tdsskiller.exe
2012-09-02 16:42 - 2011-11-30 14:31 - 00001062 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2169142549-2474990769-1338660946-1000Core.job
2012-09-01 17:39 - 2012-09-01 17:39 - 00000270 ____A C:\Users\ilona\Desktop\ark.log
2012-09-01 16:16 - 2011-07-16 22:21 - 00302592 ____A C:\Users\ilona\Desktop\gmer.exe
2012-09-01 16:15 - 2012-09-01 16:15 - 00294216 ____A C:\Users\ilona\Downloads\gmer.zip
2012-09-01 16:13 - 2012-09-01 16:14 - 00302592 ____A C:\Users\ilona\Desktop\p64rro2h.exe
2012-09-01 16:13 - 2012-09-01 16:13 - 00302592 ____A C:\Users\ilona\Downloads\p64rro2h.exe
2012-09-01 16:12 - 2012-09-01 16:12 - 00017190 ____A C:\Users\ilona\Desktop\DDS.txt
2012-09-01 16:12 - 2012-09-01 16:12 - 00003932 ____A C:\Users\ilona\Desktop\Attach.txt
2012-09-01 16:01 - 2012-09-01 16:02 - 00607260 ____R (Swearware) C:\Users\ilona\Desktop\dds.com
2012-09-01 16:01 - 2012-09-01 16:01 - 00607260 ____A (Swearware) C:\Users\ilona\Downloads\dds.com
2012-09-01 15:53 - 2012-09-01 15:53 - 00001141 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-09-01 15:52 - 2012-09-01 15:52 - 18196136 ____A (Mozilla) C:\Users\ilona\Downloads\Firefox Setup 15.0.exe
2012-09-01 15:51 - 2012-09-01 15:51 - 00027520 ____A C:\Users\ilona\AppData\Local\dt.dat
2012-09-01 15:01 - 2012-09-01 15:01 - 00457624 ____A C:\Windows\Minidump\090112-34757-01.dmp
2012-09-01 15:01 - 2012-09-01 13:45 - 318982674 ____A C:\Windows\MEMORY.DMP
2012-09-01 13:46 - 2012-09-01 13:45 - 00509160 ____A C:\Windows\Minidump\090112-41605-01.dmp
2012-09-01 13:45 - 2012-09-01 13:45 - 00000000 ____A C:\Windows\setuperr.log
2012-09-01 12:51 - 2012-09-01 12:49 - 00002021 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-09-01 02:59 - 2011-09-09 21:47 - 00000982 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-08-31 23:31 - 2012-08-31 23:30 - 04741990 ____R (Swearware) C:\Users\ilona\Downloads\ComboFix.exe
2012-08-26 14:40 - 2012-04-08 08:14 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-26 14:40 - 2011-11-22 19:14 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-23 17:46 - 2009-07-14 06:45 - 00292272 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-23 17:23 - 2011-09-09 21:04 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-18 20:15 - 2012-08-19 18:50 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-07 17:42 - 2009-07-14 07:08 - 00032582 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-05 00:16 - 2012-08-19 18:51 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-05 00:13 - 2012-08-19 18:51 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-05 00:13 - 2012-08-19 18:51 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 23:16 - 2012-08-19 18:51 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 23:14 - 2012-08-19 18:51 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-07-02 11:38 - 2012-07-02 11:38 - 00001153 ____A C:\Users\ilona\Desktop\AVG PC Tuneup 2011.lnk
2012-07-02 11:00 - 2012-07-02 11:00 - 00000136 ___AH C:\Users\All Users\-cBOj4zL3Z9BSZwr
2012-07-02 11:00 - 2012-07-02 11:00 - 00000000 ___AH C:\Users\All Users\-cBOj4zL3Z9BSZw
2012-07-02 11:00 - 2012-07-02 10:55 - 00000256 ___AH C:\Users\All Users\cBOj4zL3Z9BSZw
2012-06-29 09:12 - 2011-08-30 17:30 - 00063696 ___AH C:\Users\ilona\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-29 06:55 - 2012-08-23 17:27 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-29 06:09 - 2012-08-23 17:27 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-29 05:56 - 2012-08-23 17:27 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-29 05:49 - 2012-08-23 17:27 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-29 05:49 - 2012-08-23 17:27 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-29 05:48 - 2012-08-23 17:27 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-29 05:47 - 2012-08-23 17:27 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-29 05:45 - 2012-08-23 17:27 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-29 05:44 - 2012-08-23 17:27 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-29 05:43 - 2012-08-23 17:27 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-29 05:42 - 2012-08-23 17:27 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-29 05:40 - 2012-08-23 17:27 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-29 05:39 - 2012-08-23 17:27 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-29 05:35 - 2012-08-23 17:27 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-29 02:52 - 2012-08-23 17:27 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-29 02:27 - 2012-08-23 17:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-29 02:16 - 2012-08-23 17:27 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-29 02:09 - 2012-08-23 17:27 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-29 02:09 - 2012-08-23 17:27 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-29 02:08 - 2012-08-23 17:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-29 02:07 - 2012-08-23 17:27 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-29 02:06 - 2012-08-23 17:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-29 02:04 - 2012-08-23 17:27 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-29 02:04 - 2012-08-23 17:27 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-29 02:01 - 2012-08-23 17:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-29 02:01 - 2012-08-23 17:27 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-29 02:00 - 2012-08-23 17:27 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-29 01:57 - 2012-08-23 17:27 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-22 15:20 - 2012-06-22 15:20 - 00001109 ____A C:\Users\Public\Desktop\Mendeley Desktop.lnk
2012-06-14 21:27 - 2012-06-14 21:27 - 00099458 ___AH C:\Users\ilona\Downloads\_MG_67551.jpeg
2012-06-09 07:43 - 2012-07-12 21:44 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-09 06:41 - 2012-07-12 21:44 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== Restore Points =========================

Restore point made on: 2012-08-13 20:26:11
Restore point made on: 2012-08-23 17:23:42
Restore point made on: 2012-09-01 01:14:05
Restore point made on: 2012-09-03 22:52:21
Restore point made on: 2012-09-03 22:53:51

==================== Memory info ===========================

Percentage of memory in use: 58%
Total physical RAM: 1912.87 MB
Available physical RAM: 790.95 MB
Total Pagefile: 3825.73 MB
Available Pagefile: 2192.57 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Partitions ============================

1 Drive c: (WINDOWS) (Fixed) (Total:149.04 GB) (Free:50.75 GB) NTFS
2 Drive d: (Data) (Fixed) (Total:148.64 GB) (Free:141.79 GB) NTFS

Schfnr. Status Grootte Vrij Dyn GPT
-------- ------------- ------- ------- --- ---
Schf 0 Online 298 GB 8 MB



Last Boot: 2012-09-01 01:07

==================== End Of Log =============================
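The RogueKiller partition table near the top of this post flags entry 3 as [ACTIVE] [HIDDEN!] with type 0x17 beyond the visible partitions, and FRST's "TDL4" line points the same way. As an added illustration that is not part of the thread or of either tool, the Python below parses that listing and reports why an entry looks bootkit-made; the sample input is the four lines from the post, and the heuristics are the example's own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

SECTORS_PER_MB = 2048  # 512-byte sectors per MiB; RogueKiller prints sizes as "Mo"

# Constructed sample: the four partition lines exactly as quoted in the thread.
SAMPLE_LISTING = """\
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 400 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 821248 | Size: 152622 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 313391104 | Size: 152212 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625141760 | Size: 0 Mo
"""

LINE_RE = re.compile(
    r"^(?P<idx>\d+) - \[(?P<flag>ACTIVE|XXXXXX)\] (?P<fs>\S+) \(0x(?P<type>[0-9A-Fa-f]{2})\) "
    r"\[(?P<vis>VISIBLE|HIDDEN!)\] Offset \(sectors\): (?P<off>\d+) \| Size: (?P<size>\d+) Mo$"
)

@dataclass
class Partition:
    index: int
    active: bool   # marked [ACTIVE]: the MBR boot flag is set
    fs: str
    type_id: int   # MBR partition type byte
    hidden: bool   # marked [HIDDEN!]
    offset: int    # first sector (512-byte units)
    size_mb: int

    @property
    def end(self) -> int:  # first sector after this partition
        return self.offset + self.size_mb * SECTORS_PER_MB

def parse_listing(text: str) -> list[Partition]:
    """Parse RogueKiller partition lines; any other report lines are skipped."""
    parts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        parts.append(Partition(
            index=int(m["idx"]), active=m["flag"] == "ACTIVE", fs=m["fs"],
            type_id=int(m["type"], 16), hidden=m["vis"] == "HIDDEN!",
            offset=int(m["off"]), size_mb=int(m["size"])))
    return parts

def assess(parts: list[Partition]) -> dict[int, list[str]]:
    """Map partition index -> reasons for entries that look bootkit-made.
    Heuristics are this example's own assumptions, not RogueKiller's or FRST's rules:
    TDL4/Mebroot-style bootkits keep a small hidden boot partition past the real ones."""
    visible_end = max((p.end for p in parts if not p.hidden), default=0)
    findings: dict[int, list[str]] = {}
    for p in parts:
        reasons = []
        if p.active and p.hidden:
            reasons.append("active (boot) partition is hidden")
        if p.type_id == 0x17:
            reasons.append("type 0x17 is a hidden NTFS partition")
        if p.hidden and p.offset >= visible_end:
            reasons.append("starts beyond the end of the last visible partition")
        if p.active and p.size_mb == 0:
            reasons.append("active partition is under 1 MB")
        if reasons:
            findings[p.index] = reasons
    return findings

if __name__ == "__main__":
    for idx, why in assess(parse_listing(SAMPLE_LISTING)).items():
        print(f"partition {idx}: " + "; ".join(why))
```

Run against the sample, only partition 3 is reported, with all four reasons; the three visible partitions are clean.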

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:28 PM

Posted 03 September 2012 - 10:21 PM

We need to create a Windows 7 System Repair Disk. Note that this disk can only be used to access the Recovery Environment, not to reinstall Windows 7.
  • Press Windows Key + R, type recdisc.exe in the Run box and press Enter.
  • If you get a UAC prompt, allow the application to run by clicking Yes. You will see the following:

    Posted Image

  • Make sure you have a blank CD or DVD in your CD/DVD drive and click Create disc. Note: If AutoPlay comes up, just close it.
  • When the System Repair Disk has been created, click Close and then OK. Your System Repair Disk is now ready for use.


Let me know when you have this disc created.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 paul van dijk

paul van dijk
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:11:28 PM

Posted 05 September 2012 - 05:52 PM

hi, the disc has been created.
