infected with sirefef.ab. firewall disabled


  • This topic is locked
27 replies to this topic

#1 sohcrates

sohcrates

  • Members
  • 24 posts

Posted 17 September 2012 - 08:10 PM

Hello,

I am running an HP EliteBook laptop with two operating systems on two different hard drives. There is an XP drive that is managed by my company, for which I do not have admin rights. That one is not a problem. My personal hard drive has Windows 7 Professional SP1 32-bit. This is the one with the problem.

I have contracted this awful Sirefef trojan. It manifested itself a couple of days ago with strange website redirects. When I went to check MSE, I found that it had been disabled and would not update or scan. My Windows Firewall had also been disabled. My initial research on the problem led me to uninstall and reinstall MSE. I did this, and it successfully installed and updated. It was also able to run scans, and found several variants of the Sirefef virus. It quarantined some of them and tried to remove others. This killed the redirect problems, but the computer was still sluggish and I still could not enable the firewall.

Several reboots and rescans kept turning up the same Sirefef.AN, .AO, .AG, and .AB upon every reboot. It would remove and/or quarantine them every time, and they would return after reboot. So I ran MBAM and TDSSKiller several times. This made it so that MSE wouldn't turn anything up when it ran, but I still can't turn the firewall on and the computer is still sluggish.

When I try to enable the firewall or change its settings, I get the following message: "Windows Firewall can't change some of your settings. Error code 0x80070424". If I try to access the advanced settings, I get: "There was an error opening the Windows Firewall with Advanced Security snap-in. the Windows Firewall with Advanced Security snap-in failed to load. Restart the Windows Firewall service on the computer that you are managing. Error code: 0x6D9".

After reading about other folks' experiences with this attack and the potential vulnerabilities, I am desperate to be rid of it, and to be sure I am rid of all of it. The machine in question is disconnected from the internet, and I have been using only a USB stick to move software and logs back and forth.

Here are the attached logs. Please help. Thank you in advance. The logs follow.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by User at 20:28:56 on 2012-09-17
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3014.1395 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\vcsFPService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Broadcom\Broadcom 802.11\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Broadcom\Broadcom 802.11\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Windows Home Server\esClient.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.EXE
C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Iminent\Iminent.exe
C:\Program Files\Iminent\Iminent.Messengers.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: LastPass Vault: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPToolbar.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: IMinent WebBooster (BHO): {a09ab6eb-31b5-454c-97ec-9b294d92ee2a} - c:\program files\iminent\Iminent.WebBooster.InternetExplorer.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPToolbar.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [dhtne] rundll32.exe "c:\users\user\appdata\roaming\dhtne.dll",AddState
uRun: [ipipr] "c:\windows\system32\rundll32.exe" "c:\users\user\appdata\roaming\ipipr.dll",read_rows
mRun: [Broadcom Wireless Manager UI] c:\program files\broadcom\broadcom 802.11\WLTRAY.exe
mRun: [QLBController] c:\program files\hewlett-packard\hp hotkey support\QLBController.exe /start
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Iminent] c:\program files\iminent\Iminent.exe /warmup "F77F87E5-A6BD-4922-A530-EDF63D7E9F8C"
mRun: [IminentMessenger] c:\program files\iminent\Iminent.Messengers.exe /startup
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\user\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: LastPass - file://c:\users\user\appdata\locallow\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\users\user\appdata\locallow\lastpass\context.html?cmd=fillforms
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
Trusted Zone: homeserver.com\ethanmelissa
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://blueconnect.jetblue.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0EB90E60-D124-4741-9441-361A4C09EADA} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{2BEA2A0B-866E-440E-9233-44D93A41A265} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B88A5646-3ECF-4088-8868-5633504A7E89} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B88A5646-3ECF-4088-8868-5633504A7E89}\6616C6D6F657478614 : DhcpNameServer = 71.243.0.12 68.237.161.12 192.168.1.1
TCP: Interfaces\{B88A5646-3ECF-4088-8868-5633504A7E89}\6616C6D6F657478674 : DhcpNameServer = 71.243.0.12 68.237.161.12 192.168.1.1
TCP: Interfaces\{B88A5646-3ECF-4088-8868-5633504A7E89}\76F646661647865627F55707374716962737 : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\k3yon9k6.default\
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 johci;JMicron 1394 Filter Driver;c:\windows\system32\drivers\johci.sys [2012-1-1 23640]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 MpKslab2602c3;MpKslab2602c3;c:\programdata\microsoft\microsoft antimalware\definition updates\{98b79dfd-1e92-47fa-b587-c64fff2fc49b}\MpKslab2602c3.sys [2012-9-17 29904]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2012-1-1 81920]
R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\windows home server\Microsoft.HomeServer.Archive.TransferService.exe [2011-1-10 239472]
R2 esClient;Windows Media Center Client Service;c:\program files\windows home server\esClient.exe [2011-1-10 97136]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-1-11 92216]
R2 hpHotkeyMonitor;hpHotkeyMonitor;c:\program files\hewlett-packard\hp hotkey support\hpHotkeyMonitor.exe [2011-1-28 281656]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2011-1-26 26168]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2012-1-1 13336]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2012-1-1 2656280]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2011-1-21 2708784]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2011-1-10 376688]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c6232.sys [2012-1-1 238760]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2012-1-1 269824]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2012-1-1 143960]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2012-1-1 41088]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-12-10 62336]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-12-10 141440]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2012-7-29 401920]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-20 114144]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-7-5 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-6-20 1343400]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
.
=============== Created Last 30 ================
.
2012-09-17 20:08:49 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{98b79dfd-1e92-47fa-b587-c64fff2fc49b}\offreg.dll
2012-09-17 20:08:49 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{98b79dfd-1e92-47fa-b587-c64fff2fc49b}\MpKslab2602c3.sys
2012-09-17 15:54:42 7022536 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{98b79dfd-1e92-47fa-b587-c64fff2fc49b}\mpengine.dll
2012-09-17 02:10:46 -------- d-----w- c:\users\user\appdata\roaming\OpenCandy
2012-09-17 01:46:15 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-09-16 22:39:19 -------- d-----w- c:\users\user\appdata\roaming\Malwarebytes
2012-09-16 22:39:00 -------- d-----w- c:\programdata\Malwarebytes
2012-09-16 22:38:59 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-16 22:38:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-16 22:32:24 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-16 22:10:06 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-09-16 22:10:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-09-16 16:11:38 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{47ab7a45-e3ff-41de-a842-1cb9c84f9843}\gapaengine.dll
2012-09-16 16:10:50 -------- d-----w- c:\program files\Microsoft Security Client
2012-09-15 20:11:29 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-15 12:36:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-09-15 12:23:05 -------- d-----w- c:\users\user\appdata\local\{1D0499B4-FF30-11E1-8271-B8AC6F996F26}
2012-09-15 12:23:03 399872 ----a-w- c:\users\user\appdata\roaming\ipipr.dll
2012-09-15 12:22:16 158208 ----a-w- c:\users\user\appdata\roaming\dhtne.dll
2012-09-13 14:20:01 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-13 14:20:01 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-13 14:20:00 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-13 14:20:00 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-13 14:20:00 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-13 14:20:00 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-11 00:30:41 -------- d-----w- c:\windows\WindowsMobile
2012-08-23 03:57:30 -------- d-----w- c:\users\user\appdata\roaming\DAEMON Tools Lite
2012-08-23 03:57:21 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-08-22 13:23:33 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-08-21 07:00:59 678912 ----a-w- c:\program files\internet explorer\iedvtool.dll
2012-08-21 07:00:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-19 16:44:40 400896 ----a-w- c:\windows\system32\srcore.dll
2012-08-19 16:44:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-08-19 16:44:39 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-08-19 16:44:39 317440 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-19 16:44:37 769024 ----a-w- c:\windows\system32\localspl.dll
2012-08-19 16:44:37 41984 ----a-w- c:\windows\system32\browcli.dll
2012-08-19 16:44:37 102912 ----a-w- c:\windows\system32\browser.dll
.
==================== Find3M ====================
.
2012-09-15 20:11:25 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-15 20:11:25 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-15 12:28:52 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-15 12:28:52 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-08 01:11:11 967 ----a-w- c:\windows\ScUnin.pif
2012-08-08 01:11:11 68096 ----a-w- c:\windows\ScUnin.exe
2012-07-06 19:23:23 393728 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-07-05 20:59:58 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 20:29:35.22 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-17 20:57:28
Windows 6.1.7601 Service Pack 1 Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0
Running: gmer.exe; Driver: C:\Users\User\AppData\Local\Temp\afldapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82E3F3C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E78D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\drivers\uhjhbkfp.sys The system cannot find the path specified. !
? C:\Users\User\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2320] kernel32.dll!CreateThread 7651DCC2 5 Bytes JMP 611C75E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!EnableWindow 778C8D02 5 Bytes JMP 61209EB4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!GetAsyncKeyState 778CA256 5 Bytes JMP 611ADEDD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!CallNextHookEx 778CABE1 5 Bytes JMP 61227FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!UnhookWindowsHookEx 778CADF9 5 Bytes JMP 6124ECE0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!DefWindowProcA 778CBB1C 7 Bytes JMP 611C980D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!CreateWindowExA 778CBF40 5 Bytes JMP 611D3643 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!SetWindowsHookExW 778CE30C 5 Bytes JMP 612025B4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!CreateWindowExW 778CEC7C 5 Bytes JMP 612303B7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!GetKeyState 778D2B4D 5 Bytes JMP 611ADDB3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!IsDialogMessageW 778D4104 5 Bytes JMP 613599AA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!DefWindowProcW 778D507D 7 Bytes JMP 61228042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!CreateDialogParamA 778E1F42 5 Bytes JMP 61359218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!IsDialogMessage 778E2019 5 Bytes JMP 61359982 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!DialogBoxParamW 778E3B9B 5 Bytes JMP 61161893 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!CreateDialogIndirectParamA 778E721D 5 Bytes JMP 61359288 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!CreateDialogIndirectParamW 778EEA10 5 Bytes JMP 613592C0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!DialogBoxIndirectParamW 778F3B7F 5 Bytes JMP 61358EE6 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!EndDialog 778F3BA3 5 Bytes JMP 61359C56 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!CreateDialogParamW 778F5630 5 Bytes JMP 61359250 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!SetKeyboardState 778F695A 5 Bytes JMP 6135A273 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!SendInput 778F7019 5 Bytes JMP 6135A21B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!SetCursorPos 7790C1B0 5 Bytes JMP 6135A2F4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!DialogBoxParamA 7790CF42 5 Bytes JMP 61358E81 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!DialogBoxIndirectParamA 7790D274 5 Bytes JMP 61358F4B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!MessageBoxIndirectA 7791E869 5 Bytes JMP 61358E08 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!MessageBoxIndirectW 7791E963 5 Bytes JMP 61358D8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!MessageBoxExA 7791E9C9 5 Bytes JMP 61358D2B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!MessageBoxExW 7791E9ED 5 Bytes JMP 61358CC7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] USER32.dll!keybd_event 7791EC3B 5 Bytes JMP 6135A1D8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] SHELL32.dll!RealDriveType + 173D 7684FE30 4 Bytes [CF, 01, 3F, 72]
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] SHELL32.dll!RealDriveType + 1745 7684FE38 8 Bytes [E0, 61, 3E, 72, 79, F7, 3E, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[2320] ole32.dll!OleLoadFromStream 765B6143 5 Bytes JMP 613596B4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!EnableWindow 778C8D02 5 Bytes JMP 61209EB4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!DialogBoxParamW 778E3B9B 5 Bytes JMP 61161893 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!DialogBoxIndirectParamW 778F3B7F 5 Bytes JMP 61358EE6 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!DialogBoxParamA 7790CF42 5 Bytes JMP 61358E81 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!DialogBoxIndirectParamA 7790D274 5 Bytes JMP 61358F4B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!MessageBoxIndirectA 7791E869 5 Bytes JMP 61358E08 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!MessageBoxIndirectW 7791E963 5 Bytes JMP 61358D8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!MessageBoxExA 7791E9C9 5 Bytes JMP 61358D2B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!MessageBoxExW 7791E9ED 5 Bytes JMP 61358CC7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] kernel32.dll!CreateThread 7651DCC2 5 Bytes JMP 611C75E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!EnableWindow 778C8D02 5 Bytes JMP 61209EB4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!GetAsyncKeyState 778CA256 5 Bytes JMP 611ADEDD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!CallNextHookEx 778CABE1 5 Bytes JMP 61227FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!UnhookWindowsHookEx 778CADF9 5 Bytes JMP 6124ECE0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DefWindowProcA 778CBB1C 7 Bytes JMP 611C980D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!CreateWindowExA 778CBF40 5 Bytes JMP 611D3643 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!SetWindowsHookExW 778CE30C 5 Bytes JMP 612025B4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!CreateWindowExW 778CEC7C 5 Bytes JMP 612303B7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!GetKeyState 778D2B4D 5 Bytes JMP 611ADDB3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!IsDialogMessageW 778D4104 5 Bytes JMP 613599AA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DefWindowProcW 778D507D 7 Bytes JMP 61228042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!CreateDialogParamA 778E1F42 5 Bytes JMP 61359218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!IsDialogMessage 778E2019 5 Bytes JMP 61359982 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxParamW 778E3B9B 5 Bytes JMP 61161893 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!CreateDialogIndirectParamA 778E721D 5 Bytes JMP 61359288 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!CreateDialogIndirectParamW 778EEA10 5 Bytes JMP 613592C0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxIndirectParamW 778F3B7F 5 Bytes JMP 61358EE6 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!EndDialog 778F3BA3 5 Bytes JMP 61359C56 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!CreateDialogParamW 778F5630 5 Bytes JMP 61359250 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!SetKeyboardState 778F695A 5 Bytes JMP 6135A273 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!SendInput 778F7019 5 Bytes JMP 6135A21B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!SetCursorPos 7790C1B0 5 Bytes JMP 6135A2F4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxParamA 7790CF42 5 Bytes JMP 61358E81 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxIndirectParamA 7790D274 5 Bytes JMP 61358F4B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxIndirectA 7791E869 5 Bytes JMP 61358E08 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxIndirectW 7791E963 5 Bytes JMP 61358D8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxExA 7791E9C9 5 Bytes JMP 61358D2B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxExW 7791E9ED 5 Bytes JMP 61358CC7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!keybd_event 7791EC3B 5 Bytes JMP 6135A1D8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] SHELL32.dll!RealDriveType + 173D 7684FE30 4 Bytes [CF, 01, 3F, 72]
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] SHELL32.dll!RealDriveType + 1745 7684FE38 8 Bytes [E0, 61, 3E, 72, 79, F7, 3E, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] ole32.dll!OleLoadFromStream 765B6143 5 Bytes JMP 613596B4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\402cf41dfdc1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\402cf463b1fb
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\402cf41dfdc1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\402cf463b1fb (not active ControlSet)

---- EOF - GMER 1.0.15 ----


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 September 2012 - 09:55 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 sohcrates

sohcrates
  • Topic Starter

  • Members
  • 24 posts

Posted 18 September 2012 - 04:33 AM

Hi Gringo,

Thanks so much for the quick reply. I have done as you have asked and here are the logs. RogueKiller produced 2 logs, so I have included them both. I tried to enable Windows Firewall again, and got the same result as before. Let me know what to do next. Thanks again.

# AdwCleaner v2.002 - Logfile created 09/18/2012 at 05:19:48
# Updated 16/09/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : User - ETHAN2
# Boot Mode : Normal
# Running from : C:\Users\User\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\defaults\pref\all-iminent.js
Folder Deleted : C:\Program Files\Iminent
Folder Deleted : C:\ProgramData\Iminent
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Iminent

***** [Registry] *****

Key Deleted : HKCU\Software\Iminent
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{01994268-3C10-4044-A1EA-7A9C1B739A11}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\Iminent.WebBooster.InternetExplorer.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{01A602A0-D0B9-445B-8081-719E4177C4A7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02C9C7B0-C7C8-4AAC-A9E4-55295BF60F8F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0398B101-6DA7-473F-A290-17D2FBC88CC0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{0CC36196-8589-4B80-A771-D659411D7F90}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{143D96F9-EB64-48B3-B192-91C2C41A1F43}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{14F7D91F-F669-45C9-9F42-BACBFDB86EAD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{187A6488-6E71-4A2A-B118-7BEFBFE58257}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{26C9BBE4-6D45-4AB6-A5B4-E068C9F5EF6D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2D065204-A024-4C39-8A38-EE7078EC7ACF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{30F5476C-677B-4DB0-B397-51F5BFD86840}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{351798B1-C1D2-45AB-92B4-4D6C2D6AB5AF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3AEA1BEF-6195-46F4-ACA2-0ED14F7EFA1B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3D7F9AC3-BAC3-4E51-81D7-D121D79E550A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4498C5E9-93C6-4142-B6BE-F0C6DC48B77A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{479BF2D6-E362-4A99-B1AB-BC764D7B97AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{492A108F-51D0-4BD8-899D-AD4AB2893064}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4B6D6E60-FBD2-4E79-BF4B-886BC98F1797}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5C176BA0-6FC0-4EBD-8ACF-24AC592506B6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{60893E02-2E5B-43F9-A93A-BAD60C2DF6EF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6D39931F-451E-4BDD-BAF4-37FB96DBBA5D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{76C684D2-C35D-4284-976A-D862F53ADB81}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{796D822A-C3F9-4A97-BAAB-42FE7628EA63}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{79EF3691-EC1A-4705-A01A-D2E36EC11758}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{82F41418-8E64-47EB-A7F1-4702A974D289}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{85D920CE-63A7-46DC-8992-41D1D2E07FAD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{895ED5E8-ABB4-40C3-A0CA-2571964268E2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8AAC123A-1959-4A45-BFC5-E2D50783098A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A07956CD-81F8-4A03-B524-5D87E690DC83}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B5E3B26B-6E5C-4865-A63D-58D04B10E245}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B84D2DC5-42B2-4E5E-BF61-7B48152FF8EF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B89D5309-0367-4494-A92F-3D4C94F88307}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C014EBF8-8854-448B-B5A4-557C4090EDCE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C31191DB-2F64-464C-B97C-6AC81ACB7AAC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C342C7A7-F622-4EF3-8B7F-ABB9FBE73F14}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C4765B07-BC2F-477B-925C-B2BF24887823}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C875C0A1-09E3-48D5-9F8E-BD337796FD14}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CD126DA6-FF5B-4181-AC13-54A62240D2FA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D8F01233-2DE6-4EE7-8988-37263F00651B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DD438708-AAB4-422D-A322-B619589F5680}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E812AE43-7799-4E67-8CF8-4104297A2D16}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F0BAAEC7-9AE0-49FF-9C4B-86E774FF397F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F92193FD-2243-4401-9ACC-49FF30885898}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FD21B8A2-910B-45AC-9C10-45E6A8B84984}
Key Deleted : HKLM\SOFTWARE\Classes\Iminent
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Business.Tinyfying.DownloadArgs
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Business.Tinyfying.LinkToPromoteArgs
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Business.Tinyfying.RawDataArgs
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Business.Tinyfying.TinyUrlArgs
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Business.Tinyfying.ViralLinkArgs
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.ClientCallback
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.ContractBase
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.AddToUserContentCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.CheckLoginStatusCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.CleanCacheCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.GameOverCallback
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.GetCreditCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.GetInstallationContextCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.GetLoginStatusCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.GetLoginStatusResult
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.GetVariableCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.GetVariableResult
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.InstallationContextResult
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.LoadContentCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.LoadContentCommandResult
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.LoginCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.LoginStatusChangedCallback
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.LogoutCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.MergeIdentityCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.MyAccountCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.PlayContentCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.PostContentCallback
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.RecycleViewsCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.SetVariableCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.ShowBrowserWindowCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.ShowControlCenterCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.ShowPluginWindowCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.UserContentChangedCallback
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.VariableChangedCallback
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.WarmUpCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.DataContracts.WelcomeCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.ServerCommand
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.Communication.ServerResult
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.LightContent
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.LightUri
Key Deleted : HKLM\SOFTWARE\Classes\Iminent.Mediator.MediatorServiceProxy
Key Deleted : HKLM\SOFTWARE\Classes\IminentWebBooster.ActiveContentHandle.1
Key Deleted : HKLM\SOFTWARE\Classes\IminentWebBooster.ActiveContentHandler
Key Deleted : HKLM\SOFTWARE\Classes\IminentWebBooster.BrowserHelperObject
Key Deleted : HKLM\SOFTWARE\Classes\IminentWebBooster.BrowserHelperObject.1
Key Deleted : HKLM\SOFTWARE\Classes\IminentWebBooster.ScriptExtender
Key Deleted : HKLM\SOFTWARE\Classes\IminentWebBooster.ScriptExtender.1
Key Deleted : HKLM\SOFTWARE\Classes\IminentWebBooster.TinyUrlHandler
Key Deleted : HKLM\SOFTWARE\Classes\IminentWebBooster.TinyUrlHandler.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ACA608DB-A210-4253-B799-3FD24E9A7BF5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C58D664A-3DBC-4925-AE74-0382007DF113}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C776D7F4-BA85-4B75-AAFC-3A0A11FE6E36}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2BF2028E-3F3C-4C05-AB45-B2F1DCFE0759}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A9CAF365-EA35-45DA-BD8B-2EFA09D374AC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB538320-D3C5-433C-BCA9-C4081A054FCF}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\igdhbblpcellaljokkpfhcjlagemhgjl
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0AF350D9-3916-454B-AC53-0B0B65F41301}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68B81CCD-A80C-4060-8947-5AE69ED01199}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6B969FB-6D33-48D2-9061-8BBD4899EB08}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Iminent_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Iminent_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IMBoosterARP
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Iminent]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [IminentMessenger]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [webbooster@iminent.com]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0 (en-US)

*************************

AdwCleaner[S1].txt - [15247 octets] - [18/09/2012 05:19:48]

########## EOF - C:\AdwCleaner[S1].txt - [15308 octets] ##########


RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : User [Admin rights]
Mode : Scan -- Date : 09/18/2012 05:25:39

Bad processes : 2
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]

Registry Entries : 19
[RUN][BLACKLIST DLL] HKCU\[...]\Run : dhtne (rundll32.exe "C:\Users\User\AppData\Roaming\dhtne.dll",AddState) -> FOUND
[RUN][BLACKLIST DLL] HKCU\[...]\Run : ipipr ("C:\Windows\System32\rundll32.exe" "C:\Users\User\AppData\Roaming\ipipr.dll",read_rows) -> FOUND
[RUN][BLACKLIST DLL] HKUS\S-1-5-21-1239216563-742608307-2203677320-1000[...]\Run : dhtne (rundll32.exe "C:\Users\User\AppData\Roaming\dhtne.dll",AddState) -> FOUND
[RUN][BLACKLIST DLL] HKUS\S-1-5-21-1239216563-742608307-2203677320-1000[...]\Run : ipipr ("C:\Windows\System32\rundll32.exe" "C:\Users\User\AppData\Roaming\ipipr.dll",read_rows) -> FOUND
[TASK][RESIDU] ProgramDataUpdater : C:\Windows\System32\rundll32.exe -> FOUND
[TASK][RESIDU] Proxy : C:\Windows\System32\rundll32.exe -> FOUND
[TASK][RESIDU] SR : C:\Windows\System32\rundll32.exe -> FOUND
[TASK][RESIDU] IpAddressConflict1 : C:\Windows\System32\rundll32.exe -> FOUND
[TASK][RESIDU] IpAddressConflict2 : C:\Windows\System32\rundll32.exe -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$a748334173ef91d33f0270daa452db7c\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1239216563-742608307-2203677320-1000\$a748334173ef91d33f0270daa452db7c\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$a748334173ef91d33f0270daa452db7c\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1239216563-742608307-2203677320-1000\$a748334173ef91d33f0270daa452db7c\L --> FOUND

Driver : [LOADED]

Infection : ZeroAccess|Root.MBR

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts



MBR Check:

+++++ PhysicalDrive0: TOSHIBA MK3261GSYN +++++
--- User ---
[MBR] 4d1ea09c3daa47594dda760aae202677
[BSP] 1e9a9fbfe5699e8ed9971a50665f56bd : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 289883 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 593682075 | Size: 15359 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 3c2f499494cd63c91638c8367bccd96d
[BSP] 68983dad2104e766036c2ad96a1dd331 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 300 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 616448 | Size: 61440 Mo
2 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 167999488 | Size: 1001 Mo
3 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 171999232 | Size: 2000 Mo

+++++ PhysicalDrive1: WDC WD5000BUCT-63PUZY0 +++++
--- User ---
[MBR] 174ccddabc5458ba523f3465f2836666
[BSP] ed4539c1c6102265a530b71268be29d6 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt



RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : User [Admin rights]
Mode : Remove -- Date : 09/18/2012 05:26:08

Bad processes : 2
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]

Registry Entries : 17
[RUN][BLACKLIST DLL] HKCU\[...]\Run : dhtne (rundll32.exe "C:\Users\User\AppData\Roaming\dhtne.dll",AddState) -> DELETED
[RUN][BLACKLIST DLL] HKCU\[...]\Run : ipipr ("C:\Windows\System32\rundll32.exe" "C:\Users\User\AppData\Roaming\ipipr.dll",read_rows) -> DELETED
[TASK][RESIDU] ProgramDataUpdater : C:\Windows\System32\rundll32.exe -> DELETED
[TASK][RESIDU] Proxy : C:\Windows\System32\rundll32.exe -> DELETED
[TASK][RESIDU] SR : C:\Windows\System32\rundll32.exe -> DELETED
[TASK][RESIDU] IpAddressConflict1 : C:\Windows\System32\rundll32.exe -> DELETED
[TASK][RESIDU] IpAddressConflict2 : C:\Windows\System32\rundll32.exe -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$a748334173ef91d33f0270daa452db7c\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-1239216563-742608307-2203677320-1000\$a748334173ef91d33f0270daa452db7c\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\$recycle.bin\S-1-5-18\$a748334173ef91d33f0270daa452db7c\L\00000004.@ --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\$recycle.bin\S-1-5-18\$a748334173ef91d33f0270daa452db7c\L\201d3dde --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$a748334173ef91d33f0270daa452db7c\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-1239216563-742608307-2203677320-1000\$a748334173ef91d33f0270daa452db7c\L --> REMOVED

Driver : [LOADED]

Infection : ZeroAccess|Root.MBR

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts



MBR Check:

+++++ PhysicalDrive0: TOSHIBA MK3261GSYN +++++
--- User ---
[MBR] 4d1ea09c3daa47594dda760aae202677
[BSP] 1e9a9fbfe5699e8ed9971a50665f56bd : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 289883 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 593682075 | Size: 15359 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 3c2f499494cd63c91638c8367bccd96d
[BSP] 68983dad2104e766036c2ad96a1dd331 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 300 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 616448 | Size: 61440 Mo
2 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 167999488 | Size: 1001 Mo
3 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 171999232 | Size: 2000 Mo

+++++ PhysicalDrive1: WDC WD5000BUCT-63PUZY0 +++++
--- User ---
[MBR] 174ccddabc5458ba523f3465f2836666
[BSP] ed4539c1c6102265a530b71268be29d6 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
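
The RogueKiller report above and the FRST log posted later in this thread share a small set of ZeroAccess/Sirefef indicators: rundll32 Run entries that load a DLL out of AppData\Roaming, the $recycle.bin\<SID>\$<hex> folders, a CLSID InprocServer32 value redirected to fastprox.dll, and a user-mode MBR read that disagrees with the low-level read. The triage script below is an added example, not part of the thread or of either tool; the names triage, summarize, Finding, RULES and SAMPLE_LOG are mine, and SAMPLE_LOG is constructed from the line formats seen in this thread.

```python
"""Triage helper for RogueKiller / FRST log lines (added example; not from the
thread and not part of either tool).

Flags the ZeroAccess/Sirefef indicators that appear in the logs in this thread:
  - rundll32.exe Run entries loading a DLL from a user's AppData folder
  - ZeroAccess folders under $Recycle.Bin\<SID>\$<32 hex chars>\{U,L}
  - a CLSID InprocServer32 value redirected to fastprox.dll (FRST: ATTENTION)
  - an MBR that differs between the user-mode read and the low-level read
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule name
    detail: str  # extracted artefact (path, SID, hash, ...)
    line: str    # the log line that triggered the rule


# Each rule: (name, compiled regex, function turning a match into the detail).
RULES = [
    ("rundll32_appdata_dll",
     re.compile(r'rundll32\.exe.*?([A-Z]:\\[^",]*\\AppData\\(?:Roaming|Local)\\[^",]*\.dll)', re.I),
     lambda m: m.group(1)),
    ("zeroaccess_recycle_bin",
     re.compile(r'\$recycle\.bin\\(S-1-5-[\d-]+)\\\$([0-9a-f]{32})\\([UL])\b', re.I),
     lambda m: f"sid={m.group(1)} id={m.group(2)} dir={m.group(3)}"),
    ("clsid_inprocserver32_hijack",
     re.compile(r'InprocServer32:\s*\[([^\]]+)\]\s*(\S+)\s+ATTENTION', re.I),
     lambda m: f"{m.group(1)} -> {m.group(2)}"),
    ("mbr_read_mismatch",
     re.compile(r'User\s*!=\s*(LL\d)\s*\.\.\.\s*KO!', re.I),
     lambda m: f"user-mode MBR differs from {m.group(1)}"),
    ("mbr_code_unknown",
     re.compile(r'\[BSP\]\s*([0-9a-f]{32})\s*:\s*MBR Code unknown', re.I),
     lambda m: f"boot sector md5={m.group(1)}"),
]


def triage(lines):
    """Return the list of Findings for an iterable of log lines (order kept)."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        for name, rx, detail in RULES:
            m = rx.search(line)
            if m:
                findings.append(Finding(name, detail(m), line))
    return findings


def summarize(findings):
    """Count findings per rule name, e.g. {'zeroaccess_recycle_bin': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample, modelled on the RogueKiller and FRST lines in this thread.
# The two Run entries, the recycle-bin paths and the MBR lines follow the
# formats seen above; the MSC line is a benign entry that must not fire.
SAMPLE_LOG = r"""
[RUN][BLACKLIST DLL] HKCU\[...]\Run : dhtne (rundll32.exe "C:\Users\User\AppData\Roaming\dhtne.dll",AddState) -> DELETED
[RUN][BLACKLIST DLL] HKCU\[...]\Run : ipipr ("C:\Windows\System32\rundll32.exe" "C:\Users\User\AppData\Roaming\ipipr.dll",read_rows) -> DELETED
[TASK][RESIDU] Proxy : C:\Windows\System32\rundll32.exe -> DELETED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$a748334173ef91d33f0270daa452db7c\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\$recycle.bin\S-1-5-18\$a748334173ef91d33f0270daa452db7c\L\00000004.@ --> REMOVED
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
[BSP] 1e9a9fbfe5699e8ed9971a50665f56bd : MBR Code unknown
User = LL1 ... OK!
User != LL2 ... KO!
""".strip().splitlines()


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.rule:28} {f.detail}")
    print(summarize(found))
```

The rules only key on line formats, so the script works on a saved RKreport or FRST.txt without either tool installed; a clean log yields an empty list.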

#4 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 18 September 2012 - 07:10 AM

Hello

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First, press the Scan button.
  • It will make a log (FRST.txt).
  • Second, type the following in the edit box after "Search:": services.exe
  • Click the Search button.
  • It will make a log (Search.txt).

I want you to post both the FRST.txt report and the Search.txt into your reply to me.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 sohcrates (Topic Starter)

Posted 18 September 2012 - 03:23 PM

Hi Gringo.

Thanks for the reply. I am on the road for a couple of days. My computer doesn't have a recovery partition, and I didn't bring my windows 7 CDs with me. Is there another way to enter the system recovery options? Can I make recovery discs from my computer?

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 18 September 2012 - 04:01 PM

Yes you can - http://www.howtogeek.com/howto/5409/create-a-system-repair-disc-in-windows-7/


gringo

#7 sohcrates (Topic Starter)

Posted 18 September 2012 - 05:42 PM

Hi Gringo,

I successfully created a system restore disc, but am having trouble. After I choose English as my language and keyboard input method, it asks me which operating system I would like to repair, but it doesn't list any OS. It offers the opportunity to provide drivers, but I don't know where to find them. Any idea what to do here? Remember, I have 2 hard drives on this computer, each with an OS on it. The problem OS is the Windows 7 one. The XP OS is fine.

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 18 September 2012 - 07:27 PM

During this time, can you remove the XP drive?

#9 sohcrates (Topic Starter)

Posted 19 September 2012 - 10:04 AM

OK Gringo,

It took some doing, but I managed to get the XP drive out and successfully used the FRST tool.

Here are the reports.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-09-2012
Ran by SYSTEM at 19-09-2012 10:44:57
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.exe [4934144 2011-12-31] (Broadcom Corporation)
HKLM\...\Run: [QLBController] C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe /start [299576 2011-01-28] (Hewlett-Packard Company)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [843868 2011-01-27] (IDT, Inc.)
HKLM\...\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2011-01-26] (Intel Corporation)
HKLM\...\Run: [NUSB3MON] "C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2184488 2011-02-03] (Synaptics Incorporated)
HKLM\...\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE [124512 2007-05-21] (CANON INC.)
HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2567272 2011-07-19] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon [767312 2009-09-03] (CANON INC.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe [326144 2009-10-23] (Amazon.com)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe [x]
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Windows Home Server.lnk
ShortcutTarget: Windows Home Server.lnk -> C:\Windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe (Microsoft Corporation)
Startup: C:\Users\User\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ===================

3 Amazon Download Agent; C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [401920 2009-10-23] (Amazon.com)
2 arXfrSvc; "C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe" [239472 2011-01-10] (Microsoft Corporation)
2 esClient; "C:\Program Files\Windows Home Server\esClient.exe" [97136 2011-01-10] (Microsoft Corporation)
2 hpHotkeyMonitor; C:\Program Files\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe [281656 2011-01-28] (Hewlett-Packard Company)
3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [114144 2012-09-07] (Mozilla Foundation)
2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [274514 2011-01-27] (IDT, Inc.)
2 vcsFPService; C:\Windows\system32\vcsFPService.exe [2708784 2011-01-21] (Validity Sensors, Inc.)
2 WHSConnector; "C:\Program Files\Windows Home Server\WHSConnector.exe" [376688 2011-01-10] (Microsoft Corporation)
2 wltrysvc; "C:\Program Files\Broadcom\Broadcom 802.11\WLTRYSVC.EXE" "C:\Program Files\Broadcom\Broadcom 802.11\bcmwltry.exe" [4267520 2011-12-31] (Broadcom Corporation)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

==================== Drivers (Whitelisted) ====================

3 BCM42RLY; C%3

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 19 September 2012 - 01:15 PM

Hello

That is only part of the report.

Can you resend it to me or rerun FRST again?


gringo

#11 sohcrates (Topic Starter)

Posted 19 September 2012 - 01:33 PM

Sorry about that. Don't know what happened. This should be all of it.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-09-2012
Ran by SYSTEM at 19-09-2012 10:44:57
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.exe [4934144 2011-12-31] (Broadcom Corporation)
HKLM\...\Run: [QLBController] C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe /start [299576 2011-01-28] (Hewlett-Packard Company)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe [843868 2011-01-27] (IDT, Inc.)
HKLM\...\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2011-01-26] (Intel Corporation)
HKLM\...\Run: [NUSB3MON] "C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2184488 2011-02-03] (Synaptics Incorporated)
HKLM\...\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE [124512 2007-05-21] (CANON INC.)
HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2567272 2011-07-19] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon [767312 2009-09-03] (CANON INC.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe [326144 2009-10-23] (Amazon.com)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe [x]
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Windows Home Server.lnk
ShortcutTarget: Windows Home Server.lnk -> C:\Windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe (Microsoft Corporation)
Startup: C:\Users\User\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ===================

3 Amazon Download Agent; C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [401920 2009-10-23] (Amazon.com)
2 arXfrSvc; "C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe" [239472 2011-01-10] (Microsoft Corporation)
2 esClient; "C:\Program Files\Windows Home Server\esClient.exe" [97136 2011-01-10] (Microsoft Corporation)
2 hpHotkeyMonitor; C:\Program Files\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe [281656 2011-01-28] (Hewlett-Packard Company)
3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [114144 2012-09-07] (Mozilla Foundation)
2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [274514 2011-01-27] (IDT, Inc.)
2 vcsFPService; C:\Windows\system32\vcsFPService.exe [2708784 2011-01-21] (Validity Sensors, Inc.)
2 WHSConnector; "C:\Program Files\Windows Home Server\WHSConnector.exe" [376688 2011-01-10] (Microsoft Corporation)
2 wltrysvc; "C:\Program Files\Broadcom\Broadcom 802.11\WLTRYSVC.EXE" "C:\Program Files\Broadcom\Broadcom 802.11\bcmwltry.exe" [4267520 2011-12-31] (Broadcom Corporation)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

==================== Drivers (Whitelisted) ====================

3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18496 2011-12-31] (Broadcom Corporation)
3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [238760 2010-12-20] (Intel Corporation)
0 johci; C:\Windows\System32\DRIVERS\johci.sys [23640 2011-01-18] (JMicron Technology Corp.)
3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 nusb3hub; C:\Windows\System32\DRIVERS\nusb3hub.sys [62336 2010-12-10] (Renesas Electronics Corporation)
3 nusb3xhc; C:\Windows\System32\DRIVERS\nusb3xhc.sys [141440 2010-12-10] (Renesas Electronics Corporation)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1784192 2010-12-21] ()
1 mcaeezjx; \??\C:\Windows\system32\drivers\mcaeezjx.sys [x]
4 sptd; C:\Windows\\SystemRoot\System32\Drivers\sptd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-09-19 10:44 - 2012-09-19 10:44 - 00000000 ____D C:\FRST
2012-09-18 01:23 - 2012-09-18 01:29 - 00000000 ____D C:\Users\User\Desktop\antivirus
2012-09-18 01:19 - 2012-09-18 01:19 - 00015378 ____A C:\AdwCleaner[S1].txt
2012-09-17 16:26 - 2012-09-17 16:26 - 00000020 ____A C:\Users\User\defogger_reenable
2012-09-17 03:05 - 2012-09-17 03:05 - 00019866 ____A C:\Users\User\Downloads\FPS_EAW1.rar
2012-09-17 03:04 - 2012-09-17 03:04 - 09591104 ____A (DT Soft Ltd.) C:\Users\User\Downloads\DTLite4356-0091.exe
2012-09-17 03:02 - 2012-09-17 03:02 - 00021430 ____A C:\Users\User\Downloads\YASU_107.rar
2012-09-16 18:28 - 2012-09-16 18:28 - 00000000 ____A C:\26517f16-3abf-4f16-b614-dc11db949628.dmp
2012-09-16 18:10 - 2012-09-16 18:10 - 00000000 ____D C:\Users\User\AppData\Roaming\OpenCandy
2012-09-16 18:01 - 2012-09-16 18:01 - 00001447 ____A C:\Users\User\Desktop\DTLite - Shortcut.lnk
2012-09-16 17:46 - 2012-09-17 07:44 - 00691696 ____A (Duplex Secure Ltd.) C:\Windows\System32\Drivers\sptd.sys
2012-09-16 14:39 - 2012-09-16 14:39 - 00000000 ____D C:\Users\User\AppData\Roaming\Malwarebytes
2012-09-16 14:39 - 2012-09-16 14:39 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-09-16 14:38 - 2012-09-16 14:39 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-09-16 14:38 - 2012-09-07 13:04 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-16 14:32 - 2012-09-16 14:32 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-09-16 14:10 - 2012-09-17 07:42 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2012-09-16 14:10 - 2012-09-17 03:06 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-09-16 08:10 - 2012-09-16 08:10 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-15 12:11 - 2012-09-15 12:11 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-09-15 12:11 - 2012-09-15 12:11 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-09-15 12:11 - 2012-09-15 12:11 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-09-15 12:11 - 2012-09-15 12:11 - 00093672 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2012-09-15 12:11 - 2012-09-15 12:11 - 00000000 ____D C:\Program Files\Java
2012-09-15 12:11 - 2012-09-15 12:11 - 00000000 ____D C:\Program Files\Common Files\Java
2012-09-15 04:36 - 2012-09-15 04:36 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-09-15 04:23 - 2012-09-18 01:22 - 00000000 ____A C:\Users\User\AppData\Local\
2012-09-15 04:23 - 2012-09-15 04:23 - 00399872 ____A C:\Users\User\AppData\Roaming\ipipr.dll
2012-09-15 04:23 - 2012-09-15 04:23 - 00000000 ____D C:\Users\User\AppData\Local\{1D0499B4-FF30-11E1-8271-B8AC6F996F26}
2012-09-15 04:22 - 2012-09-15 04:22 - 00158208 ____A C:\Users\User\AppData\Roaming\dhtne.dll
2012-09-13 06:20 - 2012-08-22 09:16 - 01292144 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-09-13 06:20 - 2012-08-22 09:16 - 00712048 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-09-13 06:20 - 2012-08-22 09:16 - 00240496 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-09-13 06:20 - 2012-08-22 09:16 - 00187760 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-09-13 06:20 - 2012-08-02 08:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-09-13 06:20 - 2012-07-04 11:45 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys
2012-09-10 16:31 - 2012-09-10 16:31 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2012-09-10 16:30 - 2012-09-10 16:31 - 00000000 ____D C:\Windows\WindowsMobile
2012-09-07 01:55 - 2012-09-07 01:55 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-09-04 09:43 - 2012-09-04 09:43 - 00001126 ____A C:\Users\User\Desktop\Dropbox - Shortcut.lnk
2012-08-29 07:03 - 2012-08-29 07:03 - 00000000 ____D C:\Users\User\Desktop\NJO
2012-08-22 20:15 - 2012-08-22 20:15 - 00000719 ____A C:\Users\Public\Desktop\iLivid.lnk
2012-08-22 19:57 - 2012-09-16 18:16 - 00000000 ____D C:\Users\User\AppData\Roaming\DAEMON Tools Lite
2012-08-22 19:57 - 2012-09-16 18:16 - 00000000 ____D C:\Users\All Users\DAEMON Tools Lite
2012-08-22 05:58 - 2012-08-22 05:58 - 00000992 ____A C:\Users\User\Desktop\User - Shortcut.lnk
2012-08-22 05:56 - 2012-08-22 05:56 - 00000953 ____A C:\Users\User\Desktop\Program Files - Shortcut.lnk
2012-08-22 05:27 - 2012-08-22 05:51 - 00000000 ____D C:\Users\User\Desktop\Kindle books from Jayson
2012-08-22 05:23 - 2012-08-22 05:23 - 00098304 ____A (Sony DADC Austria AG.) C:\Windows\System32\CmdLineExt.dll
2012-08-20 23:01 - 2012-07-06 11:23 - 00393728 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys
2012-08-20 23:01 - 2012-06-28 16:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-20 23:01 - 2012-06-28 16:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-20 23:01 - 2012-06-28 16:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-20 23:01 - 2012-06-28 16:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-20 23:01 - 2012-06-28 16:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-20 23:01 - 2012-06-28 16:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-20 23:01 - 2012-06-28 16:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-20 23:01 - 2012-06-28 16:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-20 23:01 - 2012-06-28 16:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-20 23:01 - 2012-06-28 15:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-20 23:01 - 2011-02-18 22:30 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2012-08-20 23:01 - 2011-02-18 22:30 - 00739840 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2012-08-20 23:00 - 2012-06-28 16:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-20 23:00 - 2012-06-28 16:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-20 23:00 - 2012-06-28 16:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-20 23:00 - 2012-06-28 16:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

==================== 3 Months Modified Files ==================

2012-09-19 06:18 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-19 06:18 - 2009-07-13 20:39 - 00034780 ____A C:\Windows\setupact.log
2012-09-18 14:22 - 2009-07-13 20:34 - 00010112 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-18 14:22 - 2009-07-13 20:34 - 00010112 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-18 14:21 - 2011-12-31 22:49 - 00781868 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-18 14:19 - 2012-01-01 01:35 - 02065932 ____A C:\Windows\WindowsUpdate.log
2012-09-18 01:22 - 2012-09-15 04:23 - 00000000 ____A C:\Users\User\AppData\Local\
2012-09-18 01:21 - 2012-07-07 07:12 - 00016584 ____A C:\Windows\PFRO.log
2012-09-18 01:19 - 2012-09-18 01:19 - 00015378 ____A C:\AdwCleaner[S1].txt
2012-09-17 16:26 - 2012-09-17 16:26 - 00000020 ____A C:\Users\User\defogger_reenable
2012-09-17 07:44 - 2012-09-16 17:46 - 00691696 ____A (Duplex Secure Ltd.) C:\Windows\System32\Drivers\sptd.sys
2012-09-17 03:05 - 2012-09-17 03:05 - 00019866 ____A C:\Users\User\Downloads\FPS_EAW1.rar
2012-09-17 03:04 - 2012-09-17 03:04 - 09591104 ____A (DT Soft Ltd.) C:\Users\User\Downloads\DTLite4356-0091.exe
2012-09-17 03:02 - 2012-09-17 03:02 - 00021430 ____A C:\Users\User\Downloads\YASU_107.rar
2012-09-16 18:28 - 2012-09-16 18:28 - 00000000 ____A C:\26517f16-3abf-4f16-b614-dc11db949628.dmp
2012-09-16 18:01 - 2012-09-16 18:01 - 00001447 ____A C:\Users\User\Desktop\DTLite - Shortcut.lnk
2012-09-16 08:11 - 2012-06-20 13:45 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-15 12:11 - 2012-09-15 12:11 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-09-15 12:11 - 2012-09-15 12:11 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-09-15 12:11 - 2012-09-15 12:11 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-09-15 12:11 - 2012-09-15 12:11 - 00093672 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2012-09-15 12:11 - 2012-07-29 13:08 - 00821736 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-09-15 12:11 - 2012-07-29 13:08 - 00746984 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-09-15 04:28 - 2012-06-20 13:52 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-09-15 04:28 - 2012-06-20 13:52 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-09-15 04:23 - 2012-09-15 04:23 - 00399872 ____A C:\Users\User\AppData\Roaming\ipipr.dll
2012-09-15 04:22 - 2012-09-15 04:22 - 00158208 ____A C:\Users\User\AppData\Roaming\dhtne.dll
2012-09-13 23:00 - 2012-06-20 15:02 - 62164608 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-09-10 16:31 - 2012-09-10 16:31 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2012-09-07 13:04 - 2012-09-16 14:38 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-04 09:43 - 2012-09-04 09:43 - 00001126 ____A C:\Users\User\Desktop\Dropbox - Shortcut.lnk
2012-08-22 20:15 - 2012-08-22 20:15 - 00000719 ____A C:\Users\Public\Desktop\iLivid.lnk
2012-08-22 09:16 - 2012-09-13 06:20 - 01292144 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 09:16 - 2012-09-13 06:20 - 00712048 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-08-22 09:16 - 2012-09-13 06:20 - 00240496 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 09:16 - 2012-09-13 06:20 - 00187760 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-22 05:58 - 2012-08-22 05:58 - 00000992 ____A C:\Users\User\Desktop\User - Shortcut.lnk
2012-08-22 05:56 - 2012-08-22 05:56 - 00000953 ____A C:\Users\User\Desktop\Program Files - Shortcut.lnk
2012-08-22 05:23 - 2012-08-22 05:23 - 00098304 ____A (Sony DADC Austria AG.) C:\Windows\System32\CmdLineExt.dll
2012-08-21 04:28 - 2009-07-13 20:33 - 00413264 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-10 12:47 - 2012-08-10 12:47 - 00001126 ____A C:\Users\Public\Desktop\RAR File Open Knife - Free Opener.lnk
2012-08-10 12:47 - 2012-08-10 12:47 - 00000596 ____A C:\Windows\System32\InstallUtil.InstallLog
2012-08-08 23:11 - 2009-07-13 18:04 - 00000478 ____A C:\Windows\win.ini
2012-08-08 18:00 - 2011-12-31 23:06 - 00110344 ____A C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-07 20:31 - 2012-08-07 20:31 - 00015954 ____A C:\Windows\DirectX.log
2012-08-07 17:11 - 2012-08-07 17:11 - 00068096 ____A (Blizzard Entertainment) C:\Windows\ScUnin.exe
2012-08-07 17:11 - 2012-08-07 17:11 - 00012306 ____A C:\Windows\scunin.dat
2012-08-07 17:11 - 2012-08-07 17:11 - 00000967 ____A C:\Windows\ScUnin.pif
2012-08-02 08:57 - 2012-09-13 06:20 - 00490496 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-07-31 13:42 - 2012-07-31 13:42 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-07-31 12:52 - 2012-07-31 12:52 - 00000903 ____A C:\Users\User\Desktop\HomeSeer(home-auto) - Shortcut.lnk
2012-07-30 02:37 - 2012-07-30 02:37 - 00291238 ____A C:\Windows\msxml4-KB973688-enu.LOG
2012-07-30 02:37 - 2012-07-30 02:37 - 00285274 ____A C:\Windows\msxml4-KB954430-enu.LOG
2012-07-29 16:38 - 2012-07-29 16:38 - 00000120 ____A C:\Windows\QUICKEN.INI
2012-07-26 04:22 - 2012-07-25 18:47 - 07749632 ____A C:\Users\User\Desktop\ETHAN LOGBOOK.lbk
2012-07-18 09:47 - 2012-08-19 08:44 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 03:56 - 2012-07-11 03:56 - 00002194 ____A C:\Users\User\Desktop\schedule.ics
2012-07-09 10:47 - 2012-07-09 10:47 - 00002597 ____A C:\Users\Public\Desktop\Navtech PBS.lnk
2012-07-06 11:23 - 2012-08-20 23:01 - 00393728 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys
2012-07-05 12:59 - 2009-07-13 18:05 - 00152576 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2012-07-04 13:16 - 2012-08-19 08:44 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 13:14 - 2012-08-19 08:44 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 13:14 - 2012-08-19 08:44 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 11:45 - 2012-09-13 06:20 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys
2012-06-28 16:52 - 2012-08-20 23:00 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 16:27 - 2012-08-20 23:00 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 16:16 - 2012-08-20 23:01 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 16:09 - 2012-08-20 23:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 16:09 - 2012-08-20 23:00 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 16:08 - 2012-08-20 23:00 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 16:07 - 2012-08-20 23:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 16:06 - 2012-08-20 23:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 16:04 - 2012-08-20 23:01 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 16:04 - 2012-08-20 23:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 16:01 - 2012-08-20 23:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 16:01 - 2012-08-20 23:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 16:00 - 2012-08-20 23:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 15:57 - 2012-08-20 23:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-26 16:20 - 2012-06-26 16:20 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4006.36 MB
Available physical RAM: 3416.24 MB
Total Pagefile: 4004.64 MB
Available Pagefile: 3418.84 MB
Total Virtual: 2047.88 MB
Available Virtual: 1952.7 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:376.98 GB) NTFS
3 Drive f: () (Removable) (Total:1.91 GB) (Free:1.82 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 1953 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 465 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1952 MB 122 KB

=========================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT Removable 1952 MB Healthy

=========================================================

Last Boot: 2012-09-15 20:56

==================== End Of Log ============================

Farbar Recovery Scan Tool (x86) Version: 18-09-2012
Ran by SYSTEM at 2012-09-19 10:47:27
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===

#12 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 September 2012 - 02:37 PM

Hello

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
1 mcaeezjx; \??\C:\Windows\system32\drivers\mcaeezjx.sys [x]
2012-09-15 04:23 - 2012-09-18 01:22 - 00000000 ____A C:\Users\User\AppData\Local\
2012-09-15 04:23 - 2012-09-15 04:23 - 00399872 ____A C:\Users\User\AppData\Roaming\ipipr.dll
2012-09-15 04:23 - 2012-09-15 04:23 - 00000000 ____D C:\Users\User\AppData\Local\{1D0499B4-FF30-11E1-8271-B8AC6F996F26}
2012-09-15 04:22 - 2012-09-15 04:22 - 00158208 ____A C:\Users\User\AppData\Roaming\dhtne.dll
2012-08-22 20:15 - 2012-08-22 20:15 - 00000719 ____A C:\Users\Public\Desktop\iLivid.lnk


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 sohcrates (Topic Starter)

  • Members
  • 24 posts

Posted 19 September 2012 - 08:27 PM

Here you go Gringo:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-09-2012
Ran by SYSTEM at 2012-09-19 21:23:24 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).
mcaeezjx service deleted successfully.
C:\Users\User\AppData\Local\ moved successfully.
C:\Users\User\AppData\Roaming\ipipr.dll moved successfully.
C:\Users\User\AppData\Local\{1D0499B4-FF30-11E1-8271-B8AC6F996F26} moved successfully.
C:\Users\User\AppData\Roaming\dhtne.dll moved successfully.
C:\Users\Public\Desktop\iLivid.lnk moved successfully.

==== End of Fixlog ====
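The fixlist in post #12 and the Fixlog above touch four kinds of ZeroAccess persistence: the hijacked WMI CLSID whose InprocServer32 default no longer pointed at fastprox.dll, a per-user CLSID under HKCU, a service entry (mcaeezjx) whose driver file did not exist, and loose DLLs and GUID directories under the user profile. The script below is an added example, written for this page; it is not part of the thread and is not FRST or ComboFix code. It re-checks those same points from an elevated PowerShell on the Windows 7 SP1 x86 machine described here, and adds two checks the logs do not show directly, both labelled as assumptions in the comments: the services.exe hash is compared against the WinSxS copies (the same comparison FRST's search in post #11 made by MD5), and the firewall-related service keys (BFE, MpsSvc, WinDefend, wscsvc) are checked for existence, because ZeroAccess is known to delete them and the topic starter reports the firewall still cannot be enabled. The x64 registry layout differs and is not handled.

```powershell
# Added triage script (not from the thread, FRST or ComboFix): re-checks the persistence points
# the fixlist in post #12 targeted, on the Windows 7 SP1 x86 machine described in this thread.
# Run from an elevated PowerShell after the fix. Items marked ASSUMPTION are not taken from the logs.
$ErrorActionPreference = 'SilentlyContinue'
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-Md5 ([string]$Path) {
    # PowerShell 2 (Windows 7 as shipped) has no Get-FileHash, so hash through .NET.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($md5.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# 1. WMI marshaling CLSID that FRST flagged "[Default-fastprox] ... ZeroAccess".
#    On a clean Windows 7 x86 the InprocServer32 default points at wbem\fastprox.dll.
$clsid  = 'HKLM:\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32'
$target = (Get-ItemProperty -Path $clsid).'(default)'
if ($target -match '(?i)\\wbem\\fastprox\.dll$') { "OK   fastprox CLSID -> $target" }
else { "BAD  fastprox CLSID -> '$target' (expected ...\wbem\fastprox.dll)" }

# 2. Per-user CLSID the Fixlog said "should be deleted in normal mode".
$userClsid = 'HKCU:\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}'
if (Test-Path $userClsid) { "LEFT $userClsid still present" } else { "OK   HKCU ZeroAccess CLSID gone" }

# 3. services.exe: MD5 against every WinSxS servicecontroller copy, as FRST's search did.
#    ASSUMPTION: a mismatch is only a warning, since WinSxS may hold a different build.
$live = Get-Md5 (Join-Path $sys32 'services.exe')
$sxs  = Get-ChildItem (Join-Path $env:SystemRoot 'winsxs') -Recurse -Filter services.exe |
        Where-Object { $_.FullName -match 'servicecontroller' } |
        ForEach-Object { Get-Md5 $_.FullName }
if ($sxs -contains $live) { "OK   services.exe MD5 $live matches a WinSxS copy" }
else { "WARN services.exe MD5 $live matches no WinSxS copy; check its Authenticode signature" }

# 4. Services whose ImagePath points at a file that is gone (FRST prints these as "[x]";
#    the fixlist removed one such entry, the "mcaeezjx" driver).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty $_.PSPath).ImagePath
    if (-not $img) { return }
    # Normalise: drop the \??\ prefix, map \SystemRoot\, expand %vars%, strip quotes and
    # arguments, and make system32-relative paths absolute.
    $p = $img -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = [Environment]::ExpandEnvironmentVariables($p).Trim('"')
    if ($p -match '(?i)^(.+?\.(exe|sys|dll))') { $p = $Matches[1] }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    if (-not (Test-Path -LiteralPath $p)) { "MISS $($_.PSChildName) -> $img" }
}

# 5. Firewall plumbing. The thread reports the firewall cannot be enabled; ZeroAccess is known
#    to delete these service keys (ASSUMPTION: background knowledge, not shown in the logs above).
foreach ($svc in 'BFE', 'MpsSvc', 'WinDefend', 'wscsvc') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $start = (Get-ItemProperty $key).Start
        "OK   $svc present (Start=$start; 2=auto, 3=manual, 4=disabled)"
    } else { "BAD  $svc service key missing; the firewall cannot start without it" }
}

# 6. File-system leftovers listed in the logs on this page.
$leftovers = @(
    (Join-Path $sys32 '%APPDATA%'),                              # hidden dir in the ComboFix listing
    "$env:LOCALAPPDATA\{1D0499B4-FF30-11E1-8271-B8AC6F996F26}",  # GUID dir FRST moved
    "$env:APPDATA\ipipr.dll", "$env:APPDATA\dhtne.dll"           # DLLs FRST moved
)
foreach ($d in $leftovers) { if (Test-Path -LiteralPath $d) { "LEFT $d still present" } }
```

Every line the script prints starts with OK, WARN, BAD, MISS or LEFT so the output can be pasted into a reply as-is. A MISS line is not by itself proof of infection: uninstalled vendor software routinely leaves a service key behind, which is why FRST lists such entries rather than deleting them automatically. The BAD lines for step 5 are the ones that explain a firewall that refuses to start; the missing keys have to be restored from a clean Windows 7 SP1 x86 export before the Windows Firewall service can run again.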

#14 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 September 2012 - 10:18 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#15 sohcrates (Topic Starter)

  • Members
  • 24 posts

Posted 20 September 2012 - 06:32 AM

Here is the log Gringo. Everything seemed to go smoothly with ComboFix. I didn't get any funny messages, and I didn't have to reboot. It rebooted once on its own before preparing the log. I have not had a lot of time to try different things on the computer, and it still is not connected to the internet, so I'm not sure exactly how it's running, but I still can't turn the firewall on.

ComboFix 12-09-18.07 - User 09/20/2012 7:06.1.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3014.2066 [GMT -4:00]
Running from: c:\users\User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\npf.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-08-20 to 2012-09-20 )))))))))))))))))))))))))))))))
.
.
2012-09-19 18:44 . 2012-09-19 18:44 -------- d-----w- C:\FRST
2012-09-17 15:54 . 2012-08-28 05:50 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{98B79DFD-1E92-47FA-B587-C64FFF2FC49B}\mpengine.dll
2012-09-17 02:10 . 2012-09-17 02:10 -------- d-----w- c:\users\User\AppData\Roaming\OpenCandy
2012-09-17 01:46 . 2012-09-17 15:44 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-09-16 22:39 . 2012-09-16 22:39 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2012-09-16 22:39 . 2012-09-16 22:39 -------- d-----w- c:\programdata\Malwarebytes
2012-09-16 22:38 . 2012-09-07 21:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-16 22:38 . 2012-09-16 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-16 22:32 . 2012-09-16 22:32 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-16 22:10 . 2012-09-17 15:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-09-16 22:10 . 2012-09-17 11:06 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-09-16 16:11 . 2012-02-09 18:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{47AB7A45-E3FF-41DE-A842-1CB9C84F9843}\gapaengine.dll
2012-09-16 16:10 . 2012-09-16 16:10 -------- d-----w- c:\program files\Microsoft Security Client
2012-09-15 20:11 . 2012-09-15 20:11 -------- d-----w- c:\program files\Common Files\Java
2012-09-15 20:11 . 2012-09-15 20:11 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-15 20:11 . 2012-09-15 20:11 -------- d-----w- c:\program files\Java
2012-09-15 12:36 . 2012-09-15 12:36 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-09-13 14:20 . 2012-08-22 17:16 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-13 14:20 . 2012-07-04 19:45 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-13 14:20 . 2012-08-22 17:16 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-13 14:20 . 2012-08-22 17:16 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-13 14:20 . 2012-08-22 17:16 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-13 14:20 . 2012-08-02 16:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-11 00:30 . 2012-09-11 00:31 -------- d-----w- c:\windows\WindowsMobile
2012-08-23 03:57 . 2012-09-17 02:16 -------- d-----w- c:\users\User\AppData\Roaming\DAEMON Tools Lite
2012-08-23 03:57 . 2012-09-17 02:16 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-08-22 13:23 . 2012-08-22 13:23 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-15 20:11 . 2012-07-29 21:08 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-15 20:11 . 2012-07-29 21:08 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-15 12:28 . 2012-06-20 21:52 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-15 12:28 . 2012-06-20 21:52 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-08 01:11 . 2012-08-08 01:11 967 ----a-w- c:\windows\ScUnin.pif
2012-08-08 01:11 . 2012-08-08 01:11 68096 ----a-w- c:\windows\ScUnin.exe
2012-07-18 17:47 . 2012-08-19 16:44 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-06 19:23 . 2012-08-21 07:01 393728 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-07-05 20:59 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-07-04 21:14 . 2012-08-19 16:44 41984 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 21:14 . 2012-08-19 16:44 102912 ----a-w- c:\windows\system32\browser.dll
2012-06-29 00:16 . 2012-08-21 07:01 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09 . 2012-08-21 07:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08 . 2012-08-21 07:00 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04 . 2012-08-21 07:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00 . 2012-08-21 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-27 00:20 . 2012-06-27 00:20 45056 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{491EAC1A-8ECB-45D5-97D1-0583D5676914}\ProMash.exe1_491EAC1A8ECB45D597D10583D5676914.exe
2012-06-27 00:20 . 2012-06-27 00:20 45056 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{491EAC1A-8ECB-45D5-97D1-0583D5676914}\ProMash.exe_491EAC1A8ECB45D597D10583D5676914.exe
2012-09-07 09:55 . 2012-09-07 09:55 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\program files\Broadcom\Broadcom 802.11\WLTRAY.exe" [2012-01-01 4934144]
"QLBController"="c:\program files\Hewlett-Packard\HP HotKey Support\QLBController.exe" [2011-01-28 299576]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-01-27 843868]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-01-26 283160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-07 143384]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-07 176664]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-07 178200]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-02-04 2184488]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 2567272]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-7-24 26909544]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2012-6-20 603504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R0 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys [x]
R3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [x]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [x]
S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [x]
S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 hpHotkeyMonitor;hpHotkeyMonitor;c:\program files\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [x]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [x]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c6232.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: LastPass - file://c:\users\User\AppData\LocalLow\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\users\User\AppData\LocalLow\LastPass\context.html?cmd=fillforms
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: homeserver.com\ethanmelissa
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\k3yon9k6.default\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-63655008.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3620)
c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\IDT\WDM\STacSV.exe
c:\program files\Broadcom\Broadcom 802.11\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Broadcom\Broadcom 802.11\bcmwltry.exe
c:\windows\ehome\ehsched.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\eHome\EhTray.exe
.
**************************************************************************
.
Completion time: 2012-09-20 07:26:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-20 11:26
.
Pre-Run: 404,203,028,480 bytes free
Post-Run: 404,160,712,704 bytes free
.
- - End Of File - - 24678119911E8804C0FE0ADD042DE532



