
Unknown infection on Vista


  • This topic is locked
17 replies to this topic

#1 NSSHelp

Posted 03 October 2012 - 02:28 PM

Vista 32-bit laptop. A friend asked me to check out some problems with IE not displaying pages. MBAM found rootkit.0access and supposedly removed it. No other infections found. The PC had Norton 360 installed originally and I installed avast! free as a 2nd line. Neither finds any infection. When booted to normal mode, I get a "host process for Windows Services has stopped working" error among others. The Windows Update service will not run. Vista locks up when I try to start Event Viewer or msconfig.

Thanks for any help you can provide.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421
Run by Suzanne at 14:34:16 on 2012-10-03
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2429.2033 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.yahoo.com/?ilc=17
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-1631
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-1631
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-1631
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-1631
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.2.2.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.2.2.3\ips\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.2.2.3\coIEPlg.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 64.89.70.2 64.89.74.2
TCP: Interfaces\{494AC0F6-A49A-45C5-B499-BF964C559884} : DhcpNameServer = 10.36.50.1
TCP: Interfaces\{5C53BE7A-AF18-497A-8A06-BD4792E4F871} : DhcpNameServer = 64.89.70.2 64.89.74.2
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502020.003\symds.sys [2012-7-11 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502020.003\symefa.sys [2012-7-11 744568]
S1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20120928.001\BHDrvx86.sys [2012-10-1 995488]
S1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20121002.001\IDSvix86.sys [2012-10-2 386720]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502020.003\ironx86.sys [2012-7-11 136312]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0502020.003\symtdiv.sys [2012-7-11 331384]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-2 58680]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-10-2 44808]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 N360;Norton 360;c:\program files\norton 360\engine\5.2.2.3\ccsvchst.exe [2012-7-11 130008]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-15 250568]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-9 106656]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-1 22856]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-5-12 30192]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S4 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-1 399432]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-1 676936]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
.
=============== Created Last 30 ================
.
2012-10-03 14:23:19 -------- d-----w- c:\users\suzanne\appdata\roaming\GlarySoft
2012-10-03 14:18:00 -------- d-----w- c:\program files\Glary Utilities
2012-10-02 22:37:25 -------- d-----w- c:\program files\Task Killer
2012-10-02 19:16:49 0 ----a-w- c:\windows\ativpsrm.bin
2012-10-02 19:11:27 -------- d-----w- C:\ATI
2012-10-02 14:53:42 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-10-02 14:52:43 41224 ----a-w- c:\windows\avastSS.scr
2012-10-02 14:52:23 -------- d-----w- c:\programdata\AVAST Software
2012-10-02 14:52:23 -------- d-----w- c:\program files\AVAST Software
2012-10-01 23:58:29 -------- d-----w- c:\users\suzanne\appdata\roaming\Malwarebytes
2012-10-01 23:58:21 -------- d-----w- c:\programdata\Malwarebytes
2012-10-01 23:58:20 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-01 23:58:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-01 23:55:57 -------- d-----w- c:\windows\pss
2012-09-08 14:54:35 -------- d-----w- c:\program files\CouponXplorer_5zEI
.
==================== Find3M ====================
.
2012-09-08 21:46:58 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-08 21:46:58 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 14:36:33.80 ===============


#2 fireman4it

  • Malware Response Team

Posted 03 October 2012 - 08:49 PM

Hello NSSHelp,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?


#3 NSSHelp

  • Topic Starter

Posted 04 October 2012 - 09:49 AM

The machine appears to be running better. Boot-up is quicker and I was able to start Windows Update (I did not download or apply any updates, just started the service). I am still getting the error message "Host Process for Windows Services stopped working and was closed", after which no programs can be started.

ComboFix.txt posted below. Will attach TDSSKiller log due to length.



ComboFix 12-10-04.01 - Suzanne 10/04/2012 10:02:19.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2429.1591 [GMT -4:00]
Running from: c:\users\Suzanne\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Suzanne\AppData\Roaming\Love
c:\users\Suzanne\AppData\Roaming\Love\mari0\options.txt
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-09-04 to 2012-10-04 )))))))))))))))))))))))))))))))
.
.
2012-10-04 13:44 . 2012-10-04 13:44 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-03 23:49 . 2012-10-03 23:49 -------- d-----w- c:\windows\Microsoft Antimalware
2012-10-03 14:23 . 2012-10-03 14:30 -------- d-----w- c:\users\Suzanne\AppData\Roaming\GlarySoft
2012-10-03 14:18 . 2012-10-03 14:24 -------- d-----w- c:\program files\Glary Utilities
2012-10-02 22:37 . 2012-10-02 22:37 -------- d-----w- c:\program files\Task Killer
2012-10-02 19:23 . 2012-10-02 19:23 -------- d-----w- c:\programdata\ATI
2012-10-02 19:16 . 2012-10-02 19:16 0 ----a-w- c:\windows\ativpsrm.bin
2012-10-02 19:11 . 2012-10-02 19:11 -------- d-----w- C:\ATI
2012-10-02 14:53 . 2012-08-21 09:13 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-10-02 14:52 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-10-02 14:52 . 2012-08-21 09:12 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-10-02 14:52 . 2012-10-02 14:52 -------- d-----w- c:\programdata\AVAST Software
2012-10-02 14:52 . 2012-10-02 14:52 -------- d-----w- c:\program files\AVAST Software
2012-10-01 23:58 . 2012-10-01 23:58 -------- d-----w- c:\users\Suzanne\AppData\Roaming\Malwarebytes
2012-10-01 23:58 . 2012-10-01 23:58 -------- d-----w- c:\programdata\Malwarebytes
2012-10-01 23:58 . 2012-10-01 23:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-01 23:58 . 2012-09-07 21:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-13 01:37 . 2012-09-13 01:37 -------- d-----w- c:\program files\Common Files\Skype
2012-09-08 14:54 . 2012-09-08 14:54 -------- d-----w- c:\program files\CouponXplorer_5zEI
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-08 21:46 . 2012-07-15 10:36 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-08 21:46 . 2011-10-01 16:58 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2007-07-27 405504]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor Ver.4.5.lnk]
backup=c:\windows\pss\ImageMixer 3 SE Camera Monitor Ver.4.5.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Suzanne^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 12:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-06-29 23:12 638976 ----a-w- c:\program files\Camera Assistant Software for Gateway\traybar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-03-19 12:58 82864 ----a-w- c:\program files\Lexmark 5400 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-07-18 16:53 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
2007-03-19 12:59 304048 ----a-w- c:\program files\Lexmark 5400 Series\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCTCATS]
2006-11-21 12:27 106496 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\lxcttime.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
2007-03-19 12:58 291760 ----a-w- c:\program files\Lexmark 5400 Series\lxctmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2010-05-10 19:12 439568 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-01-19 19:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 17:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-11 03:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-11-17 21:58 815104 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-765033735-2753565194-454966272-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R3 59922409;59922409;c:\windows\system32\drivers\71985064.sys [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-15 21:47]
.
2012-10-03 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-10-03 01:59]
.
2012-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 23:08]
.
2012-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 23:08]
.
2012-08-28 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Suzanne.job
- c:\program files\Norton 360\Engine\5.2.2.3\navw32.exe [2012-07-11 00:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=17
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-1631
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.89.70.2 64.89.74.2
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-59922409.sys
SafeBoot-68957894.sys
SafeBoot-74350351.sys
SafeBoot-93341998.sys
MSConfigStartUp-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-04 10:17
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
c:\windows\sttray.exe
c:\windows\system32\DllHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wermgr.exe
.
**************************************************************************
.
Completion time: 2012-10-04 10:23:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-04 14:23
.
Pre-Run: 152,134,770,688 bytes free
Post-Run: 151,990,640,640 bytes free
.
- - End Of File - - A214292B5F8D21D121AD345021047E36


#4 fireman4it

  • Malware Response Team

Posted 04 October 2012 - 09:32 PM

1.
Please re-run TDSSKiller. If the following is still present, please select Delete, Quarantine or Cure, whichever is available.

09:44:44.0503 2024 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
09:44:44.0503 2024 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip


2.
Do you have a USB Flash Drive you can use?

3.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 NSSHelp

NSSHelp
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Local time:07:47 PM

Posted 04 October 2012 - 10:26 PM

Thanks for your help.

1. Deleted TDSSKiller item.

2. Yes, I have USB flash drive to use.


3.
RogueKiller V8.1.1 [10/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Suzanne [Admin rights]
Mode : Scan -- Date : 10/04/2012 23:14:47

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\59922409 (system32\drivers\71985064.sys) -> FOUND
[Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\59922409 (system32\drivers\71985064.sys) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SHELL][BLPATH] [ON_D:]HKLM\Software[...]\Winlogon : Shell (cmd.exe /k start cmd.exe) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x820A65C3 -> HOOKED (Unknown @ 0x87CFBB70)
SSDT[14] : NtAlertThread @ 0x8201F255 -> HOOKED (Unknown @ 0x87CFBC50)
SSDT[18] : NtAllocateVirtualMemory @ 0x8205B4FB -> HOOKED (Unknown @ 0x87D04FC0)
SSDT[21] : NtAlpcConnectPort @ 0x81FFD887 -> HOOKED (Unknown @ 0x86D58448)
SSDT[42] : NtAssignProcessToJobObject @ 0x81FD0B43 -> HOOKED (Unknown @ 0x87CDEB88)
SSDT[67] : NtCreateMutant @ 0x82033812 -> HOOKED (Unknown @ 0x87CFB8C0)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x81FD335A -> HOOKED (Unknown @ 0x87CDE8A8)
SSDT[78] : NtCreateThread @ 0x820A4BE0 -> HOOKED (Unknown @ 0x87CFB6F0)
SSDT[116] : NtDebugActiveProcess @ 0x82077D22 -> HOOKED (Unknown @ 0x87CDEC68)
SSDT[129] : NtDuplicateObject @ 0x8200B551 -> HOOKED (Unknown @ 0x87CDE200)
SSDT[147] : NtFreeVirtualMemory @ 0x81E97F1D -> HOOKED (Unknown @ 0x87D04D98)
SSDT[156] : NtImpersonateAnonymousToken @ 0x81FCDF12 -> HOOKED (Unknown @ 0x87CFB9B0)
SSDT[158] : NtImpersonateThread @ 0x81FE354F -> HOOKED (Unknown @ 0x87CFBA90)
SSDT[165] : NtLoadDriver @ 0x81F7EDEE -> HOOKED (Unknown @ 0x86D3FFD0)
SSDT[177] : NtMapViewOfSection @ 0x8202389A -> HOOKED (Unknown @ 0x87D04C98)
SSDT[184] : NtOpenEvent @ 0x8200CDCF -> HOOKED (Unknown @ 0x87CFB7E0)
SSDT[194] : NtOpenProcess @ 0x82033FAE -> HOOKED (Unknown @ 0x87CDE3E0)
SSDT[195] : NtOpenProcessToken @ 0x82014A2E -> HOOKED (Unknown @ 0x87CDE120)
SSDT[197] : NtOpenSection @ 0x8202466D -> HOOKED (Unknown @ 0x87CDEE90)
SSDT[201] : NtOpenThread @ 0x8202F4FF -> HOOKED (Unknown @ 0x87CDE2F0)
SSDT[210] : NtProtectVirtualMemory @ 0x8202D2E2 -> HOOKED (Unknown @ 0x87CDEA98)
SSDT[282] : NtResumeThread @ 0x8202EB4A -> HOOKED (Unknown @ 0x87CFBD30)
SSDT[289] : NtSetContextThread @ 0x820A606F -> HOOKED (Unknown @ 0x87CFF268)
SSDT[305] : NtSetInformationProcess @ 0x820278C8 -> HOOKED (Unknown @ 0x87CFF348)
SSDT[317] : NtSetSystemInformation @ 0x81FF9EEB -> HOOKED (Unknown @ 0x87CDED48)
SSDT[330] : NtSuspendProcess @ 0x820A64FF -> HOOKED (Unknown @ 0x87CDEF70)
SSDT[331] : NtSuspendThread @ 0x81FAD92B -> HOOKED (Unknown @ 0x87CFF0A8)
SSDT[334] : NtTerminateProcess @ 0x82004143 -> HOOKED (Unknown @ 0x87D0D9D0)
SSDT[335] : NtTerminateThread @ 0x8202F534 -> HOOKED (Unknown @ 0x87CFF188)
SSDT[348] : NtUnmapViewOfSection @ 0x82023B5D -> HOOKED (Unknown @ 0x87CFF008)
SSDT[358] : NtWriteVirtualMemory @ 0x8202092D -> HOOKED (Unknown @ 0x87D04E88)
SSDT[382] : NtCreateThreadEx @ 0x8202EFE9 -> HOOKED (Unknown @ 0x87CDE998)
S_SSDT[317] : Unknown -> HOOKED (Unknown @ 0x88482348)
S_SSDT[397] : Unknown -> HOOKED (Unknown @ 0x860A4150)
S_SSDT[428] : Unknown -> HOOKED (Unknown @ 0x884A0140)
S_SSDT[430] : Unknown -> HOOKED (Unknown @ 0x88104580)
S_SSDT[442] : Unknown -> HOOKED (Unknown @ 0x88484C88)
S_SSDT[479] : Unknown -> HOOKED (Unknown @ 0x88484008)
S_SSDT[497] : Unknown -> HOOKED (Unknown @ 0x884846D8)
S_SSDT[498] : Unknown -> HOOKED (Unknown @ 0x88484608)
S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x860A5100)
S_SSDT[576] : Unknown -> HOOKED (Unknown @ 0x88484908)

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] cefa3eb26434b6a0ddf31b93aae33b6d
[BSP] 9d213ab8140230392040227705f760e4 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 12252 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 25093530 | Size: 226219 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
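As an added example (not part of the thread, and not RogueKiller's own code), a small Python parser for the RKreport format posted above: it pulls out the registry findings and SSDT hook lines, flags a Winlogon Shell value that is not explorer.exe, and separates entries still marked FOUND from those RogueKiller already DELETED or REPLACED. The line shapes are inferred from the posted report, and the tag-to-severity weights are an assumption of mine.

```python
"""Parse the registry and SSDT sections of a RogueKiller report and triage them."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines excerpted from the RKreport logs posted in this thread.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 6 ¤¤¤
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\59922409 (system32\drivers\71985064.sys) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[SHELL][BLPATH] [ON_D:]HKLM\Software[...]\Winlogon : Shell (cmd.exe /k start cmd.exe) -> FOUND
[SHELL][PREVRUN] [ON_D:]HKLM\Software[...]\Winlogon : Shell (cmd.exe /k start cmd.exe) -> REPLACED (Explorer.exe)

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[194] : NtOpenProcess @ 0x82033FAE -> HOOKED (Unknown @ 0x87CDE3E0)
S_SSDT[317] : Unknown -> HOOKED (Unknown @ 0x88482348)
"""

# "[TAG][TAG] <body> -> ACTION (new value)"; the body is "<key path>[ : <name>] (<value>)".
ENTRY_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]*\])+)\s+(?P<body>.+?)\s+->\s+(?P<action>[A-Z]+)"
    r"(?:\s+\((?P<new_value>[^)]*)\))?\s*$"
)
BODY_RE = re.compile(r"^(?P<path>.*?)(?:\s+:\s+(?P<name>\S+))?\s+\((?P<value>.*)\)$")
HOOK_RE = re.compile(r"^(?P<table>S_SSDT|SSDT)\[(?P<index>\d+)\]\s+:\s+(?P<func>\S+).*->\s+HOOKED")

# The user shell Vista is expected to run; anything else here starts instead of the desktop.
EXPECTED_SHELL = "explorer.exe"
# Assumed triage weight per RogueKiller tag (my mapping, not RogueKiller's).
SEVERITY_BY_TAG = {"SHELL": "critical", "ROGUE ST": "high", "HJPOL": "medium", "HJ DESK": "low"}
LEVELS = ["critical", "high", "medium", "low", "info"]


@dataclass
class RegistryFinding:
    tags: List[str]
    path: str
    name: Optional[str]
    value: str
    action: str                 # FOUND, DELETED, REPLACED, ...
    new_value: Optional[str]    # only set for "REPLACED (x)"


@dataclass
class SsdtHook:
    table: str
    index: int
    function: str


def parse_report(text: str) -> Tuple[List[RegistryFinding], List[SsdtHook]]:
    """Walk the report line by line; lines of any other shape are ignored."""
    findings, hooks = [], []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            body = BODY_RE.match(m.group("body"))
            if not body:
                continue
            findings.append(RegistryFinding(
                tags=re.findall(r"\[([^\]]*)\]", m.group("tags")),
                path=body.group("path"), name=body.group("name"),
                value=body.group("value"), action=m.group("action"),
                new_value=m.group("new_value")))
            continue
        h = HOOK_RE.match(line.strip())
        if h:
            hooks.append(SsdtHook(h.group("table"), int(h.group("index")), h.group("func")))
    return findings, hooks


def severity(finding: RegistryFinding) -> str:
    # Highest-ranked tag wins; unknown tags fall back to "info".
    return min((SEVERITY_BY_TAG.get(t, "info") for t in finding.tags), key=LEVELS.index)


def shell_is_hijacked(finding: RegistryFinding) -> bool:
    # A Winlogon\Shell value other than explorer.exe replaces the user's desktop shell.
    return (finding.name == "Shell" and "SHELL" in finding.tags
            and finding.value.strip().lower() != EXPECTED_SHELL)


def triage(findings: List[RegistryFinding]) -> List[Tuple[str, bool, str]]:
    """Return (severity, still_open, description); FOUND means nothing was done yet."""
    rows = []
    for f in findings:
        desc = f.path + (f" : {f.name}" if f.name else "") + f" = {f.value}"
        if shell_is_hijacked(f):
            desc += f" (expected {EXPECTED_SHELL})"
        if f.action != "FOUND":
            desc += f" -> {f.action}" + (f" ({f.new_value})" if f.new_value else "")
        rows.append((severity(f), f.action == "FOUND", desc))
    return rows


if __name__ == "__main__":
    found, hooked = parse_report(SAMPLE_REPORT)
    for sev, is_open, text in triage(found):
        print(f"{sev:8} {'OPEN ' if is_open else 'FIXED'} {text}")
    print(f"{len(hooked)} SSDT entries hooked by unknown code")
```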

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:47 PM

Posted 05 October 2012 - 11:52 AM

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Killall::

DDS::
uInternet Settings,ProxyOverride = *.local

File::
c:\windows\system32\drivers\71985064.sys

Driver::
59922409

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
  • Re-Run RogueKiller
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Delete
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

Things to include in your next reply:
Combofix.txt
Roguekiller log
How is your machine running now?



#7 NSSHelp

NSSHelp
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Local time:07:47 PM

Posted 05 October 2012 - 02:34 PM

PC boots up more quickly. Still getting "Host Process for Windows Services stopped working and was closed" when trying to start programs. Is it possible that is not related to infection and is just a Windows problem?

ComboFix.txt posted.
RKReport.txt posted.




ComboFix 12-10-04.01 - Suzanne 10/05/2012 14:33:38.2.2 - x86
Running from: c:\users\Suzanne\Desktop\ComboFix.exe
Command switches used :: c:\users\Suzanne\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\drivers\71985064.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_59922409
.
.
((((((((((((((((((((((((( Files Created from 2012-09-05 to 2012-10-05 )))))))))))))))))))))))))))))))
.
.
2012-10-05 18:45 . 2012-10-05 18:49 -------- d-----w- c:\users\Suzanne\AppData\Local\temp
2012-10-04 13:44 . 2012-10-05 02:52 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-03 23:49 . 2012-10-03 23:49 -------- d-----w- c:\windows\Microsoft Antimalware
2012-10-03 14:23 . 2012-10-03 14:30 -------- d-----w- c:\users\Suzanne\AppData\Roaming\GlarySoft
2012-10-03 14:18 . 2012-10-03 14:24 -------- d-----w- c:\program files\Glary Utilities
2012-10-02 22:37 . 2012-10-02 22:37 -------- d-----w- c:\program files\Task Killer
2012-10-02 19:23 . 2012-10-02 19:23 -------- d-----w- c:\programdata\ATI
2012-10-02 19:16 . 2012-10-02 19:16 0 ----a-w- c:\windows\ativpsrm.bin
2012-10-02 19:11 . 2012-10-02 19:11 -------- d-----w- C:\ATI
2012-10-02 14:53 . 2012-08-21 09:13 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-10-02 14:52 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-10-02 14:52 . 2012-08-21 09:12 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-10-02 14:52 . 2012-10-02 14:52 -------- d-----w- c:\programdata\AVAST Software
2012-10-02 14:52 . 2012-10-02 14:52 -------- d-----w- c:\program files\AVAST Software
2012-10-01 23:58 . 2012-10-01 23:58 -------- d-----w- c:\users\Suzanne\AppData\Roaming\Malwarebytes
2012-10-01 23:58 . 2012-10-01 23:58 -------- d-----w- c:\programdata\Malwarebytes
2012-10-01 23:58 . 2012-10-01 23:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-01 23:58 . 2012-09-07 21:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-13 01:37 . 2012-09-13 01:37 -------- d-----w- c:\program files\Common Files\Skype
2012-09-08 14:54 . 2012-09-08 14:54 -------- d-----w- c:\program files\CouponXplorer_5zEI
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-08 21:46 . 2012-07-15 10:36 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-08 21:46 . 2011-10-01 16:58 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2007-07-27 405504]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor Ver.4.5.lnk]
backup=c:\windows\pss\ImageMixer 3 SE Camera Monitor Ver.4.5.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Suzanne^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 12:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-06-29 23:12 638976 ----a-w- c:\program files\Camera Assistant Software for Gateway\traybar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-03-19 12:58 82864 ----a-w- c:\program files\Lexmark 5400 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-07-18 16:53 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
2007-03-19 12:59 304048 ----a-w- c:\program files\Lexmark 5400 Series\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCTCATS]
2006-11-21 12:27 106496 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\lxcttime.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
2007-03-19 12:58 291760 ----a-w- c:\program files\Lexmark 5400 Series\lxctmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2010-05-10 19:12 439568 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-01-19 19:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 17:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-11 03:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-11-17 21:58 815104 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-765033735-2753565194-454966272-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-15 21:47]
.
2012-10-03 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-10-03 01:59]
.
2012-10-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 23:08]
.
2012-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 23:08]
.
2012-08-28 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Suzanne.job
- c:\program files\Norton 360\Engine\5.2.2.3\navw32.exe [2012-07-11 00:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=17
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-1631
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.89.70.2
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-15980285.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-05 14:49
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2208)
c:\windows\system32\timedate.cpl
c:\windows\system32\thumbcache.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe
c:\windows\system32\DllHost.exe
c:\windows\sttray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wermgr.exe
.
**************************************************************************
.
Completion time: 2012-10-05 14:56:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-05 18:55
ComboFix2.txt 2012-10-04 14:23
.
Pre-Run: 152,935,948,288 bytes free
Post-Run: 152,790,757,376 bytes free
.
- - End Of File - - 31FFC949F23606BF28DF7980AA0CDE29





--------------------------------------------
RogueKiller V8.1.1 [10/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Suzanne [Admin rights]
Mode : Remove -- Date : 10/05/2012 15:19:53

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[SHELL][PREVRUN] [ON_D:]HKLM\Software[...]\Winlogon : Shell (cmd.exe /k start cmd.exe) -> REPLACED (Explorer.exe)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x820D25C3 -> HOOKED (Unknown @ 0x86D60520)
SSDT[14] : NtAlertThread @ 0x8204B255 -> HOOKED (Unknown @ 0x86D60600)
SSDT[18] : NtAllocateVirtualMemory @ 0x820874FB -> HOOKED (Unknown @ 0x86E05640)
SSDT[21] : NtAlpcConnectPort @ 0x82029887 -> HOOKED (Unknown @ 0x86CC09C0)
SSDT[42] : NtAssignProcessToJobObject @ 0x81FFCB43 -> HOOKED (Unknown @ 0x86DCC328)
SSDT[67] : NtCreateMutant @ 0x8205F812 -> HOOKED (Unknown @ 0x8717A3A8)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x81FFF35A -> HOOKED (Unknown @ 0x86DCC048)
SSDT[78] : NtCreateThread @ 0x820D0BE0 -> HOOKED (Unknown @ 0x86CF9F70)
SSDT[116] : NtDebugActiveProcess @ 0x820A3D22 -> HOOKED (Unknown @ 0x86DCC408)
SSDT[129] : NtDuplicateObject @ 0x82037551 -> HOOKED (Unknown @ 0x874D6AE0)
SSDT[147] : NtFreeVirtualMemory @ 0x81EC3F1D -> HOOKED (Unknown @ 0x86E053F8)
SSDT[156] : NtImpersonateAnonymousToken @ 0x81FF9F12 -> HOOKED (Unknown @ 0x8717A498)
SSDT[158] : NtImpersonateThread @ 0x8200F54F -> HOOKED (Unknown @ 0x8717A578)
SSDT[165] : NtLoadDriver @ 0x81FAADEE -> HOOKED (Unknown @ 0x86C7C2B8)
SSDT[177] : NtMapViewOfSection @ 0x8204F89A -> HOOKED (Unknown @ 0x86D6AB28)
SSDT[184] : NtOpenEvent @ 0x82038DCF -> HOOKED (Unknown @ 0x8717A2C8)
SSDT[194] : NtOpenProcess @ 0x8205FFAE -> HOOKED (Unknown @ 0x87462258)
SSDT[195] : NtOpenProcessToken @ 0x82040A2E -> HOOKED (Unknown @ 0x874D6A00)
SSDT[197] : NtOpenSection @ 0x8205066D -> HOOKED (Unknown @ 0x86DCC630)
SSDT[201] : NtOpenThread @ 0x8205B4FF -> HOOKED (Unknown @ 0x87462188)
SSDT[210] : NtProtectVirtualMemory @ 0x820592E2 -> HOOKED (Unknown @ 0x86DCC238)
SSDT[282] : NtResumeThread @ 0x8205AB4A -> HOOKED (Unknown @ 0x86D606E0)
SSDT[289] : NtSetContextThread @ 0x820D206F -> HOOKED (Unknown @ 0x86D60980)
SSDT[305] : NtSetInformationProcess @ 0x820538C8 -> HOOKED (Unknown @ 0x86D6A958)
SSDT[317] : NtSetSystemInformation @ 0x82025EEB -> HOOKED (Unknown @ 0x86DCC4E8)
SSDT[330] : NtSuspendProcess @ 0x820D24FF -> HOOKED (Unknown @ 0x8717A1E8)
SSDT[331] : NtSuspendThread @ 0x81FD992B -> HOOKED (Unknown @ 0x86D607C0)
SSDT[334] : NtTerminateProcess @ 0x82030143 -> HOOKED (Unknown @ 0x86CF9E90)
SSDT[335] : NtTerminateThread @ 0x8205B534 -> HOOKED (Unknown @ 0x86D608A0)
SSDT[348] : NtUnmapViewOfSection @ 0x8204FB5D -> HOOKED (Unknown @ 0x86D6AA48)
SSDT[358] : NtWriteVirtualMemory @ 0x8204C92D -> HOOKED (Unknown @ 0x86E054E8)
SSDT[382] : NtCreateThreadEx @ 0x8205AFE9 -> HOOKED (Unknown @ 0x86DCC138)
S_SSDT[317] : Unknown -> HOOKED (Unknown @ 0x8606B6C8)
S_SSDT[397] : Unknown -> HOOKED (Unknown @ 0x8606B418)
S_SSDT[428] : Unknown -> HOOKED (Unknown @ 0x886D5FD0)
S_SSDT[430] : Unknown -> HOOKED (Unknown @ 0x8606B4F8)
S_SSDT[442] : Unknown -> HOOKED (Unknown @ 0x8606B5D8)
S_SSDT[479] : Unknown -> HOOKED (Unknown @ 0x886D5D00)
S_SSDT[497] : Unknown -> HOOKED (Unknown @ 0x886D5EE0)
S_SSDT[498] : Unknown -> HOOKED (Unknown @ 0x886D5DF0)
S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x8606B788)
S_SSDT[576] : Unknown -> HOOKED (Unknown @ 0x85D6FB58)

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] cefa3eb26434b6a0ddf31b93aae33b6d
[BSP] 9d213ab8140230392040227705f760e4 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 12252 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 25093530 | Size: 226219 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:47 PM

Posted 05 October 2012 - 05:15 PM

Do you have a USB Flash Drive you can use?


Download Windows Repair (all in one) from this site

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button:

Posted Image



Once that is done, go to Step 3 and allow it to run System File Check by clicking on the Do It button:

Posted Image


Go to Step 4 and under "System Restore" click on the Create button:

Posted Image


Go to Start Repairs tab and click Start button.

Posted Image


Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

Posted Image

Click on the box next to Restart System when Finished. Then click on Start.


How is your machine running now?



#9 NSSHelp

NSSHelp
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Local time:07:47 PM

Posted 06 October 2012 - 01:32 PM

The Windows Repair utility is a handy little piece of software. I ran it as instructed. No longer getting "Host Process" error message but Explorer.exe has been crashing and Windows is still flaky. Sometimes Start Menu will freeze, or will open but cannot click anything in it. Also getting "The service cannot accept control messages at this time" when trying to start programs. Will work for a few minutes after reboot. Sorry I can't point to something more specific.

I have a blank USB flash drive if needed.

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:47 PM

Posted 06 October 2012 - 03:01 PM

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



#11 NSSHelp

NSSHelp
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Local time:07:47 PM

Posted 06 October 2012 - 03:31 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-10-2012 01
Ran by SYSTEM at 06-10-2012 16:25:42
Running from E:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SigmatelSysTrayApp] sttray.exe [x]
HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4282728 2012-08-21] (AVAST Software)
HKU\Suzanne\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKLM\...\Runonce: [Launcher] %WINDIR%\SMINST\launcher.exe [x]
Tcpip\Parameters: [DhcpNameServer] 10.36.50.1
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

==================== Services (Whitelisted) ===================

2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-08-21] (AVAST Software)
3 GameConsoleService; "C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe" [238328 2009-10-15] (WildTangent, Inc.)
4 GoogleDesktopManager-051210-111108; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [30192 2010-07-18] (Google)
4 lxct_device; C:\Windows\system32\lxctcoms.exe -service [537520 2007-03-19] ( )
4 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-07] (Malwarebytes Corporation)
4 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-07] (Malwarebytes Corporation)
3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [114144 2012-10-05] (Mozilla Foundation)
2 N360; "C:\Program Files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton 360\Engine\5.2.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

2 aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [58680 2012-08-21] (AVAST Software)
1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120928.001\BHDrvx86.sys [995488 2012-08-31] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-10-05] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-10-05] (Symantec Corporation)
3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1302492 2006-11-01] (Intel Corporation)
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20121005.002\IDSvix86.sys [386720 2012-08-31] (Symantec Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [22856 2012-09-07] (Malwarebytes Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20121005.025\NAVENG.SYS [92704 2012-10-05] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20121005.025\NAVEX15.SYS [1601184 2012-10-05] (Symantec Corporation)
3 NETw2v32; C:\Windows\System32\DRIVERS\NETw2v32.sys [2589184 2006-11-01] (Intel® Corporation)
3 RTL8187Se; C:\Windows\System32\DRIVERS\RTL8187Se.sys [280576 2008-01-16] (Realtek Semiconductor Corporation )
3 SRTSP; C:\Windows\System32\Drivers\N360\0502020.003\SRTSP.SYS [516216 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360\0502020.003\SRTSPX.SYS [50168 2011-03-30] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360\0502020.003\SYMDS.SYS [340088 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360\0502020.003\SYMEFA.SYS [744568 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [126584 2011-06-07] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360\0502020.003\Ironx86.SYS [136312 2011-01-26] (Symantec Corporation)
1 SYMTDIv; C:\Windows\System32\Drivers\N360\0502020.003\SYMTDIV.SYS [331384 2011-04-20] (Symantec Corporation)
3 UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [11776 2007-05-23] (Chicony Electronics Co., Ltd.)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
0 cqhmofm; C:\Windows\System32\drivers\jqhlcr.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 SYMFW; C:\Windows\System32\Drivers\N360\0308000.029\SYMFW.SYS [x]
3 SYMNDISV; C:\Windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-10-05 18:20 - 2012-10-05 18:20 - 00000422 ____A C:\Windows\BitsRepairTool.log
2012-10-05 18:10 - 2012-10-05 18:11 - 00031744 ____A (Microsoft Corporation) C:\Users\Suzanne\Downloads\Windows6.0-KB940520-x86-ENU (1).exe
2012-10-05 17:49 - 2012-10-05 18:05 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2012-10-05 17:49 - 2012-10-05 17:49 - 00000857 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-10-05 17:49 - 2012-10-05 17:49 - 00000857 ____A C:\Users\All Users\Desktop\Mozilla Firefox.lnk
2012-10-05 17:49 - 2012-10-05 17:49 - 00000000 ____D C:\Users\Suzanne\Local Settings\Mozilla
2012-10-05 17:49 - 2012-10-05 17:49 - 00000000 ____D C:\Users\Suzanne\Local Settings\Application Data\Mozilla
2012-10-05 17:49 - 2012-10-05 17:49 - 00000000 ____D C:\Users\Suzanne\Application Data\Mozilla
2012-10-05 17:49 - 2012-10-05 17:49 - 00000000 ____D C:\Users\Suzanne\AppData\Roaming\Mozilla
2012-10-05 17:49 - 2012-10-05 17:49 - 00000000 ____D C:\Users\Suzanne\AppData\Local\Mozilla
2012-10-05 17:49 - 2012-10-05 17:49 - 00000000 ____D C:\Users\All Users\Mozilla
2012-10-05 17:49 - 2012-10-05 17:49 - 00000000 ____D C:\Users\All Users\Application Data\Mozilla
2012-10-05 17:48 - 2012-10-05 17:54 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-10-05 17:41 - 2012-07-26 09:45 - 16801656 ____A (Mozilla) C:\Users\Suzanne\Downloads\Firefox Setup 14.0.1.exe
2012-10-05 15:58 - 2008-05-07 21:03 - 00303616 ____A ( ) C:\SetACL.exe
2012-10-05 15:30 - 2004-06-11 15:33 - 00290304 ____A (Microsoft Corporation) C:\subinacl.exe
2012-10-05 14:54 - 2012-10-05 16:03 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2012-10-05 14:50 - 2012-10-05 14:50 - 00002079 ____A C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2012-10-05 14:50 - 2012-10-05 14:50 - 00002079 ____A C:\Users\All Users\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2012-10-05 14:50 - 2012-10-05 14:50 - 00000000 ____D C:\Program Files\Tweaking.com
2012-10-05 14:45 - 2012-10-05 14:45 - 05345461 ____A C:\Users\Suzanne\Downloads\tweaking.com_windows_repair_aio_setup.exe
2012-10-05 11:19 - 2012-10-05 11:19 - 00004678 ____A C:\Users\Suzanne\Desktop\RKreport[3].txt
2012-10-05 11:07 - 2012-10-05 11:07 - 00004656 ____A C:\Users\Suzanne\Desktop\RKreport[2].txt
2012-10-05 10:56 - 2012-10-05 10:56 - 00013228 ____A C:\ComboFix.txt
2012-10-05 10:30 - 2012-10-05 10:56 - 00000000 ____D C:\ComboFix
2012-10-04 19:14 - 2012-10-04 19:14 - 00004817 ____A C:\Users\Suzanne\Desktop\RKreport[1].txt
2012-10-04 19:09 - 2012-10-05 11:17 - 00000000 ____D C:\Users\Suzanne\Desktop\RK_Quarantine
2012-10-04 18:58 - 2012-10-04 18:58 - 01422336 ____A C:\Users\Suzanne\Desktop\RogueKiller.exe
2012-10-04 05:57 - 2012-10-05 10:56 - 00000000 ___AD C:\Qoobox
2012-10-04 05:57 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-10-04 05:57 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-10-04 05:57 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-10-04 05:57 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-10-04 05:57 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-10-04 05:57 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-10-04 05:57 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-10-04 05:57 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-10-04 05:56 - 2012-10-05 10:45 - 00000000 ____D C:\Windows\erdnt
2012-10-04 05:44 - 2012-10-04 18:52 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-10-04 05:34 - 2012-10-04 05:35 - 00138224 ____A C:\Windows\Minidump\Mini100412-02.dmp
2012-10-04 05:31 - 2012-10-04 05:31 - 00146448 ____A C:\Windows\Minidump\Mini100412-01.dmp
2012-10-04 05:20 - 2012-10-04 05:21 - 04762646 ____R (Swearware) C:\Users\Suzanne\Desktop\ComboFix.exe
2012-10-04 05:19 - 2012-10-04 05:20 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Suzanne\Desktop\tdsskiller.exe
2012-10-03 15:49 - 2012-10-03 15:49 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-10-03 10:33 - 2012-10-03 10:33 - 00000476 ____A C:\Users\Suzanne\Desktop\defogger_disable.log
2012-10-03 10:33 - 2012-10-03 10:33 - 00000000 ____A C:\Users\Suzanne\defogger_reenable
2012-10-03 10:04 - 2012-10-03 09:59 - 00607260 ____R (Swearware) C:\Users\Suzanne\Desktop\dds.com
2012-10-03 10:04 - 2012-10-03 09:59 - 00302592 ____A C:\Users\Suzanne\Desktop\0qicfgr6.exe
2012-10-03 10:04 - 2012-10-03 09:56 - 00050477 ____A C:\Users\Suzanne\Desktop\Defogger.exe
2012-10-03 08:53 - 2012-10-03 09:17 - 132003830 ____A C:\Users\Suzanne\Downloads\Windows6.0-KB947821-v24-x86.msu
2012-10-03 08:04 - 2012-10-03 08:04 - 00031744 ____A (Microsoft Corporation) C:\Users\Suzanne\Downloads\Windows6.0-KB940520-x86-ENU.exe
2012-10-03 07:36 - 2012-10-03 07:36 - 00138224 ____A C:\Windows\Minidump\Mini100312-02.dmp
2012-10-03 07:32 - 2012-10-03 07:32 - 00134152 ____A C:\Windows\Minidump\Mini100312-01.dmp
2012-10-03 06:23 - 2012-10-03 06:30 - 00000000 ____D C:\Users\Suzanne\Application Data\GlarySoft
2012-10-03 06:23 - 2012-10-03 06:30 - 00000000 ____D C:\Users\Suzanne\AppData\Roaming\GlarySoft
2012-10-03 06:20 - 2012-10-03 06:22 - 08993576 ____A (Glarysoft Ltd ) C:\Users\Suzanne\Downloads\gusetup.exe
2012-10-03 06:18 - 2012-10-03 06:24 - 00000000 ____D C:\Program Files\Glary Utilities
2012-10-03 06:18 - 2012-10-03 06:23 - 00000874 ____A C:\Users\Suzanne\Desktop\Glary Utilities.lnk
2012-10-03 06:18 - 2012-10-03 06:23 - 00000316 ____A C:\Windows\Tasks\GlaryInitialize.job
2012-10-03 05:43 - 2012-10-03 05:43 - 00003618 ____A C:\Users\Suzanne\My Documents\Event Log1003a.xml
2012-10-03 05:43 - 2012-10-03 05:43 - 00003618 ____A C:\Users\Suzanne\Documents\Event Log1003a.xml
2012-10-02 14:37 - 2012-10-02 14:37 - 00000000 ____D C:\Program Files\Task Killer
2012-10-02 12:40 - 2012-10-02 12:40 - 00300832 ____A (Sysinternals - www.sysinternals.com) C:\Users\Suzanne\Downloads\tcpview.exe
2012-10-02 11:23 - 2012-10-02 11:23 - 00000000 ____D C:\Users\All Users\ATI
2012-10-02 11:23 - 2012-10-02 11:23 - 00000000 ____D C:\Users\All Users\Application Data\ATI
2012-10-02 11:16 - 2012-10-02 11:16 - 00000000 ____A C:\Windows\ativpsrm.bin
2012-10-02 11:11 - 2012-10-02 11:11 - 00000000 ____D C:\ATI
2012-10-02 10:42 - 2012-10-02 10:42 - 00000744 ____A C:\Users\Suzanne\Desktop\Install ATI Radeon X1270.lnk
2012-10-02 10:41 - 2012-10-02 10:41 - 00609880 ____A C:\Users\Suzanne\Downloads\cbsidlm-tr1_7-ATI_Radeon_X1270-152257.exe
2012-10-02 09:16 - 2012-10-02 09:16 - 00138224 ____A C:\Windows\Minidump\Mini100212-03.dmp
2012-10-02 06:53 - 2012-10-02 06:53 - 00001840 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-10-02 06:53 - 2012-10-02 06:53 - 00001840 ____A C:\Users\All Users\Desktop\avast! Free Antivirus.lnk
2012-10-02 06:53 - 2012-08-21 01:13 - 00058680 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-10-02 06:52 - 2012-10-02 06:52 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-10-02 06:52 - 2012-10-02 06:52 - 00000000 ____D C:\Users\All Users\Application Data\AVAST Software
2012-10-02 06:52 - 2012-10-02 06:52 - 00000000 ____D C:\Program Files\AVAST Software
2012-10-02 06:52 - 2012-08-21 01:12 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-10-02 06:52 - 2012-08-21 01:12 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-10-02 06:46 - 2012-10-02 06:46 - 00138224 ____A C:\Windows\Minidump\Mini100212-02.dmp
2012-10-02 03:27 - 2012-10-02 03:28 - 00138224 ____A C:\Windows\Minidump\Mini100212-01.dmp
2012-10-01 18:24 - 2012-10-01 18:24 - 00138224 ____A C:\Windows\Minidump\Mini100112-16.dmp
2012-10-01 17:30 - 2012-10-01 17:30 - 00138224 ____A C:\Windows\Minidump\Mini100112-15.dmp
2012-10-01 15:58 - 2012-10-01 15:58 - 00000000 ____D C:\Users\Suzanne\Application Data\Malwarebytes
2012-10-01 15:58 - 2012-10-01 15:58 - 00000000 ____D C:\Users\Suzanne\AppData\Roaming\Malwarebytes
2012-10-01 15:58 - 2012-10-01 15:58 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-10-01 15:58 - 2012-10-01 15:58 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-10-01 15:58 - 2012-10-01 15:58 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-10-01 15:58 - 2012-09-07 13:04 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-10-01 15:57 - 2012-10-03 08:06 - 00000000 ____D C:\Users\Suzanne\Downloads\Security
2012-10-01 15:55 - 2012-10-01 15:55 - 00000000 ____D C:\Windows\pss
2012-10-01 15:51 - 2012-10-01 15:51 - 00138224 ____A C:\Windows\Minidump\Mini100112-14.dmp
2012-10-01 15:47 - 2012-10-01 15:47 - 00138224 ____A C:\Windows\Minidump\Mini100112-13.dmp
2012-10-01 15:44 - 2012-10-01 15:44 - 00138224 ____A C:\Windows\Minidump\Mini100112-12.dmp
2012-10-01 15:41 - 2012-10-01 15:41 - 00138224 ____A C:\Windows\Minidump\Mini100112-11.dmp
2012-10-01 15:39 - 2012-10-01 15:39 - 00138224 ____A C:\Windows\Minidump\Mini100112-10.dmp
2012-10-01 15:35 - 2012-10-01 15:35 - 00138224 ____A C:\Windows\Minidump\Mini100112-09.dmp
2012-10-01 15:33 - 2012-10-01 15:33 - 00138224 ____A C:\Windows\Minidump\Mini100112-08.dmp
2012-10-01 15:28 - 2012-10-01 15:28 - 00138224 ____A C:\Windows\Minidump\Mini100112-07.dmp
2012-10-01 15:20 - 2012-10-01 15:21 - 01232560 ____A (LogMeIn, Inc.) C:\Users\Suzanne\Downloads\Support-LogMeInRescue.exe
2012-10-01 12:07 - 2012-10-01 12:07 - 00138224 ____A C:\Windows\Minidump\Mini100112-06.dmp
2012-10-01 11:56 - 2012-10-01 11:56 - 00138224 ____A C:\Windows\Minidump\Mini100112-05.dmp
2012-10-01 11:53 - 2012-10-01 11:53 - 00138224 ____A C:\Windows\Minidump\Mini100112-04.dmp
2012-10-01 11:49 - 2012-10-01 11:49 - 00138224 ____A C:\Windows\Minidump\Mini100112-03.dmp
2012-10-01 10:30 - 2012-10-01 10:30 - 00138224 ____A C:\Windows\Minidump\Mini100112-02.dmp
2012-10-01 09:31 - 2012-10-01 09:31 - 00138224 ____A C:\Windows\Minidump\Mini100112-01.dmp
2012-09-30 17:24 - 2012-09-30 17:24 - 00138224 ____A C:\Windows\Minidump\Mini093012-01.dmp
2012-09-25 15:01 - 2012-08-23 23:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-09-25 15:01 - 2012-08-23 23:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-09-25 15:01 - 2012-08-23 22:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-09-25 15:01 - 2012-08-23 22:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-09-25 15:01 - 2012-08-23 22:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-09-25 15:01 - 2012-08-23 22:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-09-25 15:01 - 2012-08-23 22:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-09-25 15:01 - 2012-08-23 22:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-09-25 15:01 - 2012-08-23 22:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-09-25 15:01 - 2012-08-23 22:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-09-25 15:01 - 2012-08-23 22:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-09-25 15:01 - 2012-08-23 22:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-09-25 15:01 - 2012-08-23 22:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-09-25 15:01 - 2012-08-23 22:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-09-25 15:01 - 2012-08-23 22:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-09-25 15:01 - 2012-08-23 22:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-09-12 17:37 - 2012-09-12 17:37 - 00001878 ____A C:\Users\Public\Desktop\Skype.lnk
2012-09-12 17:37 - 2012-09-12 17:37 - 00001878 ____A C:\Users\All Users\Desktop\Skype.lnk
2012-09-12 17:37 - 2012-09-12 17:37 - 00000000 ____D C:\Program Files\Common Files\Skype
2012-09-08 06:54 - 2012-09-08 06:54 - 00000000 ____D C:\Program Files\CouponXplorer_5zEI


==================== 3 Months Modified Files ==================

2012-10-06 12:21 - 2006-11-02 05:01 - 00032544 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-10-06 12:21 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-06 12:16 - 2010-02-01 15:08 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-10-06 12:16 - 2006-11-02 04:47 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-06 12:16 - 2006-11-02 04:47 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-06 11:53 - 2012-07-15 02:36 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-06 11:52 - 2008-05-12 18:41 - 01112525 ____A C:\Windows\WindowsUpdate.log
2012-10-05 18:20 - 2012-10-05 18:20 - 00000422 ____A C:\Windows\BitsRepairTool.log
2012-10-05 18:11 - 2012-10-05 18:10 - 00031744 ____A (Microsoft Corporation) C:\Users\Suzanne\Downloads\Windows6.0-KB940520-x86-ENU (1).exe
2012-10-05 17:49 - 2012-10-05 17:49 - 00000857 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-10-05 17:49 - 2012-10-05 17:49 - 00000857 ____A C:\Users\All Users\Desktop\Mozilla Firefox.lnk
2012-10-05 16:56 - 2008-08-14 11:31 - 00071520 ____A C:\Users\Suzanne\Local Settings\GDIPFONTCACHEV1.DAT
2012-10-05 16:56 - 2008-08-14 11:31 - 00071520 ____A C:\Users\Suzanne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-10-05 16:56 - 2008-08-14 11:31 - 00071520 ____A C:\Users\Suzanne\AppData\Local\GDIPFONTCACHEV1.DAT
2012-10-05 16:17 - 2006-11-02 02:33 - 00709582 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-05 16:11 - 2006-11-02 04:47 - 00302288 ____A C:\Windows\System32\FNTCACHE.DAT
2012-10-05 16:03 - 2012-10-05 14:54 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2012-10-05 14:50 - 2012-10-05 14:50 - 00002079 ____A C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2012-10-05 14:50 - 2012-10-05 14:50 - 00002079 ____A C:\Users\All Users\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2012-10-05 14:45 - 2012-10-05 14:45 - 05345461 ____A C:\Users\Suzanne\Downloads\tweaking.com_windows_repair_aio_setup.exe
2012-10-05 14:35 - 2010-02-01 15:08 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-10-05 11:19 - 2012-10-05 11:19 - 00004678 ____A C:\Users\Suzanne\Desktop\RKreport[3].txt
2012-10-05 11:07 - 2012-10-05 11:07 - 00004656 ____A C:\Users\Suzanne\Desktop\RKreport[2].txt
2012-10-05 10:56 - 2012-10-05 10:56 - 00013228 ____A C:\ComboFix.txt
2012-10-05 10:49 - 2006-11-02 02:23 - 00000215 ____A C:\Windows\system.ini
2012-10-05 10:47 - 2008-01-20 18:47 - 00539040 ____A C:\Windows\PFRO.log
2012-10-05 10:47 - 2006-11-02 02:22 - 44396544 ____A C:\Windows\System32\config\software.bak
2012-10-05 10:47 - 2006-11-02 02:22 - 35913728 ____A C:\Windows\System32\config\COMPON~3.bak
2012-10-05 10:47 - 2006-11-02 02:22 - 18350080 ____A C:\Windows\System32\config\system.bak
2012-10-05 10:47 - 2006-11-02 02:22 - 00430080 ____A C:\Windows\System32\config\default.bak
2012-10-05 10:47 - 2006-11-02 02:22 - 00057344 ____A C:\Windows\System32\config\sam.bak
2012-10-05 10:47 - 2006-11-02 02:22 - 00024576 ____A C:\Windows\System32\config\security.bak
2012-10-04 19:14 - 2012-10-04 19:14 - 00004817 ____A C:\Users\Suzanne\Desktop\RKreport[1].txt
2012-10-04 18:58 - 2012-10-04 18:58 - 01422336 ____A C:\Users\Suzanne\Desktop\RogueKiller.exe
2012-10-04 05:35 - 2012-10-04 05:34 - 00138224 ____A C:\Windows\Minidump\Mini100412-02.dmp
2012-10-04 05:34 - 2012-07-20 11:02 - 307079397 ____A C:\Windows\MEMORY.DMP
2012-10-04 05:31 - 2012-10-04 05:31 - 00146448 ____A C:\Windows\Minidump\Mini100412-01.dmp
2012-10-04 05:21 - 2012-10-04 05:20 - 04762646 ____R (Swearware) C:\Users\Suzanne\Desktop\ComboFix.exe
2012-10-04 05:20 - 2012-10-04 05:19 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Suzanne\Desktop\tdsskiller.exe
2012-10-03 10:33 - 2012-10-03 10:33 - 00000476 ____A C:\Users\Suzanne\Desktop\defogger_disable.log
2012-10-03 10:33 - 2012-10-03 10:33 - 00000000 ____A C:\Users\Suzanne\defogger_reenable
2012-10-03 10:04 - 2006-11-02 04:52 - 00072049 ____A C:\Windows\setupact.log
2012-10-03 09:59 - 2012-10-03 10:04 - 00607260 ____R (Swearware) C:\Users\Suzanne\Desktop\dds.com
2012-10-03 09:59 - 2012-10-03 10:04 - 00302592 ____A C:\Users\Suzanne\Desktop\0qicfgr6.exe
2012-10-03 09:56 - 2012-10-03 10:04 - 00050477 ____A C:\Users\Suzanne\Desktop\Defogger.exe
2012-10-03 09:17 - 2012-10-03 08:53 - 132003830 ____A C:\Users\Suzanne\Downloads\Windows6.0-KB947821-v24-x86.msu
2012-10-03 08:04 - 2012-10-03 08:04 - 00031744 ____A (Microsoft Corporation) C:\Users\Suzanne\Downloads\Windows6.0-KB940520-x86-ENU.exe
2012-10-03 07:36 - 2012-10-03 07:36 - 00138224 ____A C:\Windows\Minidump\Mini100312-02.dmp
2012-10-03 07:32 - 2012-10-03 07:32 - 00134152 ____A C:\Windows\Minidump\Mini100312-01.dmp
2012-10-03 06:23 - 2012-10-03 06:18 - 00000874 ____A C:\Users\Suzanne\Desktop\Glary Utilities.lnk
2012-10-03 06:23 - 2012-10-03 06:18 - 00000316 ____A C:\Windows\Tasks\GlaryInitialize.job
2012-10-03 06:22 - 2012-10-03 06:20 - 08993576 ____A (Glarysoft Ltd ) C:\Users\Suzanne\Downloads\gusetup.exe
2012-10-03 05:43 - 2012-10-03 05:43 - 00003618 ____A C:\Users\Suzanne\My Documents\Event Log1003a.xml
2012-10-03 05:43 - 2012-10-03 05:43 - 00003618 ____A C:\Users\Suzanne\Documents\Event Log1003a.xml
2012-10-02 12:40 - 2012-10-02 12:40 - 00300832 ____A (Sysinternals - www.sysinternals.com) C:\Users\Suzanne\Downloads\tcpview.exe
2012-10-02 11:16 - 2012-10-02 11:16 - 00000000 ____A C:\Windows\ativpsrm.bin
2012-10-02 10:42 - 2012-10-02 10:42 - 00000744 ____A C:\Users\Suzanne\Desktop\Install ATI Radeon X1270.lnk
2012-10-02 10:41 - 2012-10-02 10:41 - 00609880 ____A C:\Users\Suzanne\Downloads\cbsidlm-tr1_7-ATI_Radeon_X1270-152257.exe
2012-10-02 09:16 - 2012-10-02 09:16 - 00138224 ____A C:\Windows\Minidump\Mini100212-03.dmp
2012-10-02 06:53 - 2012-10-02 06:53 - 00001840 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-10-02 06:53 - 2012-10-02 06:53 - 00001840 ____A C:\Users\All Users\Desktop\avast! Free Antivirus.lnk
2012-10-02 06:53 - 2006-11-02 02:23 - 00002577 ____A C:\Windows\System32\config.nt
2012-10-02 06:46 - 2012-10-02 06:46 - 00138224 ____A C:\Windows\Minidump\Mini100212-02.dmp
2012-10-02 03:28 - 2012-10-02 03:27 - 00138224 ____A C:\Windows\Minidump\Mini100212-01.dmp
2012-10-01 18:24 - 2012-10-01 18:24 - 00138224 ____A C:\Windows\Minidump\Mini100112-16.dmp
2012-10-01 17:30 - 2012-10-01 17:30 - 00138224 ____A C:\Windows\Minidump\Mini100112-15.dmp
2012-10-01 15:57 - 2011-09-02 10:39 - 00001356 ____A C:\Users\Suzanne\Local Settings\d3d9caps.dat
2012-10-01 15:57 - 2011-09-02 10:39 - 00001356 ____A C:\Users\Suzanne\Local Settings\Application Data\d3d9caps.dat
2012-10-01 15:57 - 2011-09-02 10:39 - 00001356 ____A C:\Users\Suzanne\AppData\Local\d3d9caps.dat
2012-10-01 15:51 - 2012-10-01 15:51 - 00138224 ____A C:\Windows\Minidump\Mini100112-14.dmp
2012-10-01 15:47 - 2012-10-01 15:47 - 00138224 ____A C:\Windows\Minidump\Mini100112-13.dmp
2012-10-01 15:44 - 2012-10-01 15:44 - 00138224 ____A C:\Windows\Minidump\Mini100112-12.dmp
2012-10-01 15:41 - 2012-10-01 15:41 - 00138224 ____A C:\Windows\Minidump\Mini100112-11.dmp
2012-10-01 15:39 - 2012-10-01 15:39 - 00138224 ____A C:\Windows\Minidump\Mini100112-10.dmp
2012-10-01 15:35 - 2012-10-01 15:35 - 00138224 ____A C:\Windows\Minidump\Mini100112-09.dmp
2012-10-01 15:33 - 2012-10-01 15:33 - 00138224 ____A C:\Windows\Minidump\Mini100112-08.dmp
2012-10-01 15:28 - 2012-10-01 15:28 - 00138224 ____A C:\Windows\Minidump\Mini100112-07.dmp
2012-10-01 15:21 - 2012-10-01 15:20 - 01232560 ____A (LogMeIn, Inc.) C:\Users\Suzanne\Downloads\Support-LogMeInRescue.exe
2012-10-01 12:07 - 2012-10-01 12:07 - 00138224 ____A C:\Windows\Minidump\Mini100112-06.dmp
2012-10-01 11:56 - 2012-10-01 11:56 - 00138224 ____A C:\Windows\Minidump\Mini100112-05.dmp
2012-10-01 11:53 - 2012-10-01 11:53 - 00138224 ____A C:\Windows\Minidump\Mini100112-04.dmp
2012-10-01 11:49 - 2012-10-01 11:49 - 00138224 ____A C:\Windows\Minidump\Mini100112-03.dmp
2012-10-01 10:30 - 2012-10-01 10:30 - 00138224 ____A C:\Windows\Minidump\Mini100112-02.dmp
2012-10-01 09:31 - 2012-10-01 09:31 - 00138224 ____A C:\Windows\Minidump\Mini100112-01.dmp
2012-09-30 17:24 - 2012-09-30 17:24 - 00138224 ____A C:\Windows\Minidump\Mini093012-01.dmp
2012-09-28 16:17 - 2011-01-10 20:30 - 00001982 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-09-28 16:17 - 2011-01-10 20:30 - 00001982 ____A C:\Users\All Users\Desktop\Google Chrome.lnk
2012-09-12 17:37 - 2012-09-12 17:37 - 00001878 ____A C:\Users\Public\Desktop\Skype.lnk
2012-09-12 17:37 - 2012-09-12 17:37 - 00001878 ____A C:\Users\All Users\Desktop\Skype.lnk
2012-09-11 17:53 - 2006-11-02 02:24 - 62164608 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-09-08 13:46 - 2012-07-15 02:36 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-09-08 13:46 - 2011-10-01 08:58 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-09-07 13:04 - 2012-10-01 15:58 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-27 16:00 - 2008-10-27 07:04 - 00000478 ____A C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Suzanne.job
2012-08-24 16:27 - 2012-08-24 16:27 - 00012021 ____A C:\Users\Suzanne\My Documents\LargeView.htm
2012-08-24 16:27 - 2012-08-24 16:27 - 00012021 ____A C:\Users\Suzanne\Documents\LargeView.htm
2012-08-23 23:27 - 2012-09-25 15:01 - 12319744 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-23 23:03 - 2012-09-25 15:01 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-23 22:59 - 2012-09-25 15:01 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-23 22:51 - 2012-09-25 15:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-23 22:51 - 2012-09-25 15:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-23 22:51 - 2012-09-25 15:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-23 22:49 - 2012-09-25 15:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-23 22:48 - 2012-09-25 15:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-23 22:47 - 2012-09-25 15:01 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-23 22:47 - 2012-09-25 15:01 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-23 22:47 - 2012-09-25 15:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-23 22:45 - 2012-09-25 15:01 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-23 22:44 - 2012-09-25 15:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-23 22:44 - 2012-09-25 15:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-23 22:43 - 2012-09-25 15:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-23 22:40 - 2012-09-25 15:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-21 01:13 - 2012-10-02 06:53 - 00058680 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-08-21 01:12 - 2012-10-02 06:52 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-08-21 01:12 - 2012-10-02 06:52 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-07-26 09:45 - 2012-10-05 17:41 - 16801656 ____A (Mozilla) C:\Users\Suzanne\Downloads\Firefox Setup 14.0.1.exe
2012-07-20 11:02 - 2012-07-20 11:02 - 00138224 ____A C:\Windows\Minidump\Mini072012-01.dmp
2012-07-17 08:52 - 2012-07-17 08:52 - 02339311 ____A C:\Users\Suzanne\Downloads\20101023204954.3gp
2012-07-17 08:52 - 2012-07-17 08:52 - 02339311 ____A C:\Users\Suzanne\Downloads\20101023204954 (1).3gp
2012-07-14 02:28 - 2010-10-18 10:47 - 00002140 ____A C:\Users\Public\Desktop\Norton 360.lnk
2012-07-14 02:28 - 2010-10-18 10:47 - 00002140 ____A C:\Users\All Users\Desktop\Norton 360.lnk


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-12 17:13:48
Restore point made on: 2012-08-21 17:18:20
Restore point made on: 2012-08-24 19:46:45
Restore point made on: 2012-08-25 20:00:21
Restore point made on: 2012-08-26 21:31:24
Restore point made on: 2012-08-27 23:20:21
Restore point made on: 2012-08-28 22:30:23
Restore point made on: 2012-08-29 21:29:48
Restore point made on: 2012-08-30 20:00:23
Restore point made on: 2012-09-08 15:37:15
Restore point made on: 2012-09-11 17:50:31
Restore point made on: 2012-09-12 17:31:48
Restore point made on: 2012-09-16 17:16:30
Restore point made on: 2012-09-25 15:00:45
Restore point made on: 2012-10-05 10:13:59
Restore point made on: 2012-10-05 15:26:14

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 2685.31 MB
Available physical RAM: 2375.28 MB
Total Pagefile: 2596.3 MB
Available Pagefile: 2450.09 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

==================== Partitions =============================

1 Drive c: (Partition_1) (Fixed) (Total:220.92 GB) (Free:143.37 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (NANO PRO) (Removable) (Total:3.6 GB) (Free:3.6 GB) FAT32
5 Drive x: (Recovery) (Fixed) (Total:11.97 GB) (Free:5.16 GB) NTFS

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online      233 GB   1528 KB
Disk 1    Online      3697 MB  0 B
Disk 2    No Media    0 B      0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           12 GB    32 KB
Partition 2    Primary           221 GB   12 GB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2  X    Recovery     NTFS   Partition   12 GB    Healthy    Boot

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3  C    Partition_1  NTFS   Partition   221 GB   Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           3693 MB  4032 KB

=========================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 0  E    NANO PRO     FAT32  Removable   3693 MB  Healthy

=========================================================

Last Boot: 2012-10-06 11:57

==================== End Of Log ============================

#12 fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:47 PM

Posted 06 October 2012 - 05:41 PM

Let's uninstall Norton and see if that helps. If you already have, please use this uninstaller anyway.

Uninstall Norton


The following removal utility can be used to uninstall the program:

  • Download the Norton Removal Tool to your desktop.
  • On the Windows desktop, double-click the Norton Removal Tool icon.
  • Follow the on-screen instructions.
    Note: Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.
Norton should now be removed from your PC.


For illustrated instructions please refer to here:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039




Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Download the yorkyt.exe disinfection tool (1,31 MB).

  • Save the file to your hard disk; to the Windows Desktop, for example.
  • Double click the yorkyt.exe file.
  • A reboot will be requested to install a driver.
  • Another reboot will be requested to complete the disinfection.
  • When the disinfection is completed, accept the message that will be displayed.
  • In order to ensure a full cleanup, run a scan of your PC with the antivirus installed.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 NSSHelp

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Male

Posted 07 October 2012 - 09:39 AM

Okay, everything seems to be working correctly now. I had run the avast! free scanner before getting your last post. It found several remnants and removed them. I ran it again after running the aswMBR scan and the yorkyt.exe tool and it didn't find any threats. I also removed Norton before running those.


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-07 01:06:18
-----------------------------
01:06:18.287 OS Version: Windows 6.0.6002 Service Pack 2
01:06:18.287 Number of processors: 2 586 0x6802
01:06:18.287 ComputerName: SUZANNE-PC UserName: Suzanne
01:06:20.289 Initialize success
01:06:20.430 AVAST engine defs: 12100601
01:06:59.207 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
01:06:59.207 Disk 0 Vendor: WDC_WD2500BEVS-22UST0 01.01A01 Size: 238475MB BusType: 3
01:06:59.255 Disk 0 MBR read successfully
01:06:59.270 Disk 0 MBR scan
01:06:59.817 Disk 0 Windows VISTA default MBR code
01:06:59.864 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 12252 MB offset 63
01:07:00.067 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 226219 MB offset 25093530
01:07:00.099 Disk 0 scanning sectors +488392065
01:07:00.834 Disk 0 scanning C:\Windows\system32\drivers
01:07:27.432 Service scanning
01:08:09.994 Modules scanning
01:08:39.833 Disk 0 trace - called modules:
01:08:39.911 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys
01:08:39.911 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8525a7c0]
01:08:39.927 3 CLASSPNP.SYS[88b9d8b3] -> nt!IofCallDriver -> [0x84b843f0]
01:08:39.927 5 acpi.sys[806176bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84b70b98]
01:08:41.100 AVAST engine scan C:\Windows
01:08:50.000 AVAST engine scan C:\Windows\system32
01:13:42.603 AVAST engine scan C:\Windows\system32\drivers
01:13:58.255 AVAST engine scan C:\Users\Suzanne
01:17:19.692 AVAST engine scan C:\ProgramData
01:20:06.058 Scan finished successfully
07:28:49.525 Disk 0 MBR has been saved successfully to "C:\Users\Suzanne\Desktop\MBR.dat"
07:28:49.525 The log file has been saved successfully to "C:\Users\Suzanne\Desktop\aswMBR.txt"

#14 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 07 October 2012 - 03:26 PM

Hello,


Let's run a couple other scanners for any further leftovers.


1.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the button shown in the image.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Things to include in your next reply:
MBAM log
Eset log
How is your machine running now?



#15 NSSHelp

  • Topic Starter
  • Members
  • 26 posts
  • Gender:Male

Posted 07 October 2012 - 10:26 PM

Machine seems to be running great now. I haven't had any error messages or abnormalities. Bootup and shutdown are normal and quick. All programs and system utilities start with no problems.

I had installed Malwarebytes when my friend first asked me to look at the PC. I updated before scanning.

Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.07.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Suzanne :: SUZANNE-PC [administrator]

Protection: Disabled

10/7/2012 8:46:37 PM
mbam-log-2012-10-07 (20-46-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193165
Time elapsed: 7 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
---------------------------------
(ESET log)

C:\Program Files\CouponXplorer_5zEI\Installr\1.bin\5zEIPlug.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.10.2012_09.43.10\mbr0000\tdlfs0000\tsk0001.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.10.2012_09.43.10\mbr0000\tdlfs0000\tsk0012.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.10.2012_22.48.30\tdlfs0000\tsk0001.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.10.2012_22.48.30\tdlfs0000\tsk0012.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
