
Virus keeps restarting my computer


  • This topic is locked
41 replies to this topic

#1 mhedge


  • Members
  • 23 posts

Posted 10 November 2012 - 03:37 PM

I am typing this as fast as I can because the computer on stays running for only so long. A blue screen appears and the computer restarts. I cannot get through the GMER scan before it reboots. So I am attaching the DDS scan now. Please help. I will repost with GMER if it does not reboot. Thanks.

Attached Files





#2 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 12 November 2012 - 08:22 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 mhedge

  • Topic Starter

  • Members
  • 23 posts

Posted 12 November 2012 - 09:46 PM

Thanks. I cannot run the GMER because the computer does not stay operational long enough (it reboots). Look forward to your help.

#4 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 November 2012 - 08:08 PM

Can you boot into safe mode?

#5 mhedge

  • Topic Starter

  • Members
  • 23 posts

Posted 13 November 2012 - 08:12 PM

Can you boot into safe mode?

Yes, but it reboots in safe mode too.

#6 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 November 2012 - 08:18 PM

Which operating system are you running?

#7 mhedge

  • Topic Starter

  • Members
  • 23 posts

Posted 13 November 2012 - 10:36 PM

Vista

#8 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 November 2012 - 09:04 PM

Let's try another way

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (scan your computer's memory for errors)
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.

#9 mhedge

  • Topic Starter

  • Members
  • 23 posts

Posted 16 November 2012 - 12:40 AM

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


put in flash drive and restarted computer.
selected repair your computer menu item.
did not ask for language settings...went to windows screen and asked to choose user.

rebooted and went into safe mode.
ran the farbar program from my flash drive.
It's been running for 3 hours. Says "listing partitions please wait..." for 3 hours. I'm stopping it now and posting the text file.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-11-2012
Ran by hedge at 15-11-2012 21:17:47
Running from G:\
Service Pack 2 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ========

2012-11-15 21:17 - 2012-11-15 21:17 - 00000000 ____D C:\FRST
2012-11-10 15:42 - 2012-11-10 15:42 - 00138864 ____A C:\Windows\Minidump\Mini111012-03.dmp
2012-11-10 15:19 - 2012-11-10 15:20 - 00138864 ____A C:\Windows\Minidump\Mini111012-02.dmp
2012-11-10 15:14 - 2012-11-10 15:14 - 00138864 ____A C:\Windows\Minidump\Mini111012-01.dmp
2012-11-10 14:44 - 2012-11-10 15:22 - 00000000 ____D C:\Users\hedge\Desktop\gmer
2012-11-10 14:43 - 2012-11-06 15:24 - 00294216 ____A C:\Users\hedge\Desktop\gmer.zip
2012-11-06 18:33 - 2012-11-06 18:33 - 00006647 ____A C:\Users\hedge\Desktop\attach.txt
2012-11-06 18:33 - 2012-11-06 16:29 - 00014025 ____A C:\Users\hedge\Desktop\dds.txt
2012-11-06 15:27 - 2012-11-06 15:23 - 00688779 ____R (Swearware) C:\Users\hedge\Desktop\dds.com
2012-11-06 15:09 - 2012-11-06 15:09 - 00000000 ____D C:\Users\hedge\Torrents
2012-11-06 14:27 - 2012-11-06 14:28 - 00138864 ____A C:\Windows\Minidump\Mini110612-01.dmp
2012-11-06 09:52 - 2012-11-06 09:53 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-11-06 09:52 - 2012-11-06 09:52 - 00001810 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-11-05 22:41 - 2012-11-05 22:41 - 00000916 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-05 22:41 - 2012-11-05 22:41 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-11-05 22:41 - 2012-09-29 19:54 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-05 12:38 - 2012-11-05 12:38 - 00138864 ____A C:\Windows\Minidump\Mini110512-01.dmp
2012-10-26 12:15 - 2012-10-26 12:15 - 00000000 ____D C:\Program Files\Calibre2

==================== One Month Modified Files and Folders ========

2012-11-15 21:09 - 2011-12-11 19:16 - 00003507 ____A C:\Windows\setupact.log
2012-11-15 21:07 - 2009-12-27 23:44 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-15 21:07 - 2006-11-02 08:00 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-15 21:07 - 2006-11-02 07:46 - 00003168 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-15 21:07 - 2006-11-02 07:46 - 00003168 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-13 12:37 - 2006-11-02 08:00 - 00032616 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-11-13 12:36 - 2012-10-06 13:39 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-13 12:36 - 2007-02-16 23:08 - 01677124 ____A C:\Windows\WindowsUpdate.log
2012-11-13 09:16 - 2011-04-21 11:35 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2012-11-12 17:57 - 2009-12-27 23:44 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-12 11:18 - 2009-02-22 20:25 - 00000868 ____A C:\Windows\Tasks\Google Software Updater.job
2012-11-10 15:42 - 2012-11-10 15:42 - 00138864 ____A C:\Windows\Minidump\Mini111012-03.dmp
2012-11-10 15:42 - 2012-02-05 02:16 - 331598023 ____A C:\Windows\MEMORY.DMP
2012-11-10 15:42 - 2009-08-20 14:28 - 00000000 ____D C:\Windows\Minidump
2012-11-10 15:22 - 2012-11-10 14:44 - 00000000 ____D C:\Users\hedge\Desktop\gmer
2012-11-10 15:20 - 2012-11-10 15:19 - 00138864 ____A C:\Windows\Minidump\Mini111012-02.dmp
2012-11-10 15:14 - 2012-11-10 15:14 - 00138864 ____A C:\Windows\Minidump\Mini111012-01.dmp
2012-11-10 15:13 - 2011-12-11 19:11 - 00017126 ____A C:\Windows\PFRO.log
2012-11-08 04:31 - 2012-10-06 13:40 - 00001981 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-11-06 18:33 - 2012-11-06 18:33 - 00006647 ____A C:\Users\hedge\Desktop\attach.txt
2012-11-06 16:29 - 2012-11-06 18:33 - 00014025 ____A C:\Users\hedge\Desktop\dds.txt
2012-11-06 15:24 - 2012-11-10 14:43 - 00294216 ____A C:\Users\hedge\Desktop\gmer.zip
2012-11-06 15:23 - 2012-11-06 15:27 - 00688779 ____R (Swearware) C:\Users\hedge\Desktop\dds.com
2012-11-06 15:09 - 2012-11-06 15:09 - 00000000 ____D C:\Users\hedge\Torrents
2012-11-06 15:09 - 2007-02-19 19:32 - 00000000 ____D C:\users\hedge
2012-11-06 15:07 - 2007-03-10 13:32 - 00000000 ____D C:\Program Files\SlySoft
2012-11-06 15:06 - 2007-03-12 18:04 - 00000000 ____D C:\Program Files\Elaborate Bytes
2012-11-06 14:28 - 2012-11-06 14:27 - 00138864 ____A C:\Windows\Minidump\Mini110612-01.dmp
2012-11-06 14:19 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\SchCache
2012-11-06 09:53 - 2012-11-06 09:52 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-11-06 09:52 - 2012-11-06 09:52 - 00001810 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-11-05 22:41 - 2012-11-05 22:41 - 00000916 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-05 22:41 - 2012-11-05 22:41 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-11-05 13:31 - 2006-11-02 05:22 - 55836672 ____A C:\Windows\System32\config\software_previous
2012-11-05 13:31 - 2006-11-02 05:22 - 44302336 ____A C:\Windows\System32\config\components_previous
2012-11-05 13:31 - 2006-11-02 05:22 - 20971520 ____A C:\Windows\System32\config\system_previous
2012-11-05 13:31 - 2006-11-02 05:22 - 00524288 ____A C:\Windows\System32\config\default_previous
2012-11-05 13:31 - 2006-11-02 05:22 - 00065536 ____A C:\Windows\System32\config\sam_previous
2012-11-05 13:31 - 2006-11-02 05:22 - 00024576 ____A C:\Windows\System32\config\security_previous
2012-11-05 13:30 - 2012-06-04 20:45 - 00000000 ____D C:\Program Files\QuickTime
2012-11-05 13:30 - 2011-12-12 12:32 - 00000000 ____D C:\Program Files\iTunes
2012-11-05 13:30 - 2011-12-12 12:29 - 00000000 ____D C:\Program Files\Bonjour
2012-11-05 13:30 - 2007-02-16 23:40 - 00000000 ____D C:\users\IUSR_NMPR
2012-11-05 13:30 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\System32\spool
2012-11-05 13:30 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\System32\Msdtc
2012-11-05 13:30 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\registration
2012-11-05 13:29 - 2012-09-23 14:30 - 00000000 ____D C:\Program Files\iPod
2012-11-05 13:29 - 2011-12-11 18:37 - 00000000 ____D C:\Users\hedge\AppData\Roaming\IObit
2012-11-05 13:29 - 2011-12-11 18:03 - 00000000 ____D C:\Qoobox
2012-11-05 13:29 - 2011-12-11 11:03 - 00000000 ____D C:\Users\hedge\AppData\Roaming\SUPERAntiSpyware.com
2012-11-05 12:38 - 2012-11-05 12:38 - 00138864 ____A C:\Windows\Minidump\Mini110512-01.dmp
2012-11-04 19:46 - 2011-12-21 17:36 - 00000000 ____D C:\Users\hedge\AppData\Local\952644FE-9744-4C23-808A-870A219021A2.aplzod
2012-11-04 19:46 - 2010-09-04 11:07 - 00000000 ____D C:\Users\hedge\Documents\Outlook Files
2012-11-04 16:30 - 2010-01-19 19:24 - 00000000 ____D C:\Users\hedge\AppData\Roaming\LEGO Company
2012-10-26 12:25 - 2011-09-05 13:01 - 00000000 ____D C:\Users\hedge\Calibre Library
2012-10-26 12:15 - 2012-10-26 12:15 - 00000000 ____D C:\Program Files\Calibre2
2012-10-26 12:06 - 2009-01-20 20:19 - 00000000 ____D C:\Users\hedge\Documents\Books & Magazines
2012-10-23 17:06 - 2012-05-24 16:49 - 00000000 ____D C:\Users\hedge\Documents\Brendan


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 2044.93 MB
Available physical RAM: 1667.01 MB
Total Pagefile: 4326.87 MB
Available Pagefile: 4120.03 MB
Total Virtual: 2047.88 MB
Available Virtual: 1954.29 MB

==================== Partitions =============================

1 Drive c: (Local Disk) (Fixed) (Total:449.13 GB) (Free:295.89 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (STATICDATA) (Fixed) (Total:0.12 GB) (Free:0.12 GB) FAT32
3 Drive e: (ImageBackup) (Fixed) (Total:15 GB) (Free:14.9 GB) NTFS
5 Drive g: () (Removable) (Total:1.89 GB) (Free:1.89 GB) FAT

#10 mhedge

  • Topic Starter

  • Members
  • 23 posts

Posted 16 November 2012 - 09:27 AM

12 hours later and it is still running :(

#11 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 November 2012 - 09:47 PM

Try a quicker tool - this looks like a system problem though

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#12 mhedge

  • Topic Starter

  • Members
  • 23 posts

Posted 17 November 2012 - 10:34 AM

This problem started happening right after numerous AVG windows popped up indicating threats were detected. That is what is leading me to believe it is a virus. The "virus?" will not allow me to run any disks in my CD drive. I was going to try to restore the computer and it will not allow me to do that. I am open to restoring the computer back to the original state if you could help with that. I don't have a "recovery disk", I do have a Windows Vista disk.

#13 mhedge

  • Topic Starter

  • Members
  • 23 posts

Posted 17 November 2012 - 10:46 AM

MBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-17 10:43:56
-----------------------------
10:43:56.220 OS Version: Windows 6.0.6002 Service Pack 2
10:43:56.220 Number of processors: 2 586 0xF06
10:43:56.220 ComputerName: HEDGE-PC UserName: hedge
10:44:45.989 Initialize success
10:44:46.021 write error "aswCmnB.dll". The process cannot access the file because it is being used by another process.
10:44:51.433 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
10:44:51.433 Disk 0 Vendor: ST350064 3.AA Size: 476940MB BusType: 3
10:44:51.448 Disk 0 MBR read successfully
10:44:51.448 Disk 0 MBR scan
10:44:51.448 Disk 0 Windows VISTA default MBR code
10:44:51.448 Disk 0 MBR hidden
10:44:51.464 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1536 MB offset 2048
10:44:51.464 Disk 0 Partition - 00 0F Extended LBA 15488 MB offset 3147776
10:44:51.479 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 459914 MB offset 34867200
10:44:51.511 Disk 0 Partition 3 00 0B FAT32 MSDOS5.0 128 MB offset 3149824
10:44:51.511 Disk 0 Partition - 00 05 Extended 15359 MB offset 3411968
10:44:51.542 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 15358 MB offset 3414016
10:44:51.573 Disk 0 scanning sectors +976771072
10:44:51.793 Disk 0 scanning C:\Windows\system32\drivers
10:45:08.911 Service scanning
10:45:26.898 Modules scanning
10:45:35.415 Disk 0 trace - called modules:
10:45:35.415 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8731c4b1]<<
10:45:35.431 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86798878]
10:45:35.431 3 CLASSPNP.SYS[885c48b3] -> nt!IofCallDriver -> [0x878de6e0]
10:45:35.431 \Driver\iaStor[0x874af3d0] -> IRP_MJ_CREATE -> 0x8731c4b1
10:45:35.431 Scan finished successfully
10:45:46.744 Disk 0 MBR has been saved successfully to "C:\Users\hedge\Desktop\MBR.dat"
10:45:46.744 The log file has been saved successfully to "C:\Users\hedge\Desktop\aswMBR.txt"

#14 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 November 2012 - 02:20 PM

Can you try and run ComboFix next?

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you receive the message "Illegal operation attempted on a registry key that has been marked for deletion." then please reboot the system.

#15 mhedge

  • Topic Starter

  • Members
  • 23 posts

Posted 17 November 2012 - 03:35 PM

ComboFix 12-11-16.02 - hedge 11/17/2012 15:17:17.3.2 - x86 NETWORK
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2045.838 [GMT -5:00]
Running from: c:\users\hedge\Desktop\comfix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\34332408
c:\programdata\avaj.pad
.
.
((((((((((((((((((((((((( Files Created from 2012-10-17 to 2012-11-17 )))))))))))))))))))))))))))))))
.
.
2012-11-17 20:24 . 2012-11-17 20:25 -------- d-----w- c:\users\hedge\AppData\Local\temp
2012-11-17 20:24 . 2012-11-17 20:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-11-17 20:24 . 2012-11-17 20:24 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2012-11-17 20:24 . 2012-11-17 20:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-16 02:17 . 2012-11-17 15:47 -------- d-----w- C:\FRST
2012-11-06 20:09 . 2012-11-17 15:42 -------- d-----w- c:\users\hedge\Torrents
2012-11-06 14:52 . 2012-11-06 14:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-11-06 03:41 . 2012-11-06 03:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-11-06 03:41 . 2012-09-30 00:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-02 04:04 . 2012-11-02 04:04 -------- d-----w- c:\programdata\ekznmorchrfcrhp
2012-10-26 17:15 . 2012-10-26 17:15 -------- d-----w- c:\program files\Calibre2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-08 21:36 . 2012-10-06 18:39 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-08 21:36 . 2011-08-26 01:21 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-13 13:28 . 2012-10-10 11:56 2048 ----a-w- c:\windows\system32\tzres.dll
2012-08-29 11:27 . 2012-10-10 11:56 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-29 11:27 . 2012-10-10 11:56 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-24 19:43 . 2012-08-24 19:43 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-08-24 15:53 . 2012-10-10 11:56 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 06:59 . 2012-09-22 07:00 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-22 07:00 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-22 07:00 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-22 07:00 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-22 07:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-22 07:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-21 17:01 . 2012-09-23 19:31 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 17:01 . 2009-09-27 20:46 106928 ----a-w- c:\windows\system32\GEARAspi.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-20 160592]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2010-06-02 77656]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-21 719672]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
"com.apple.dav.bookmarks.daemon"="c:\program files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe" [2012-02-23 59240]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 4763008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-02 303104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\users\hedge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-06 21:36]
.
2012-11-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-27 10:26]
.
2012-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-28 04:44]
.
2012-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-28 04:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: daimlerchrysler.com\sodddm05.extra
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AnyDVD - c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe
HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe
HKLM-Run-CloneCDTray - c:\program files\SlySoft\CloneCD\CloneCDTray.exe
AddRemove-AnyDVD - c:\program files\SlySoft\AnyDVD\AnyDVD-uninst.exe
AddRemove-CloneCD - c:\program files\SlySoft\CloneCD\ccd-uninst.exe
AddRemove-CloneDVD2 - c:\program files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-17 15:25
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-11-17 15:29:36
ComboFix-quarantined-files.txt 2012-11-17 20:29
ComboFix2.txt 2011-12-11 23:15
.
Pre-Run: 317,856,399,360 bytes free
Post-Run: 318,523,203,584 bytes free
.
- - End Of File - - AD788352864DE43014E3E371C3AFD5E9
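As an added example (not part of the thread, and not ComboFix's own code), this Python script parses the sections of a ComboFix log like the one above and lists what a responder reads first: the items ComboFix removed, random-looking names created under ProgramData, autostart Run values pointing outside the usual program directories, and EnableLUA = 0 (UAC switched off). The sample excerpt is constructed from the posted log; the random-name and path heuristics are my assumptions, not ComboFix's detection logic.

```python
import re

# Constructed excerpt: format and values copied from the ComboFix log posted in #15.
SAMPLE_LOG = r"""
(((((((((( Other Deletions ))))))))))
.
c:\programdata\34332408
c:\programdata\avaj.pad
(((((((((( Files Created from 2012-10-17 to 2012-11-17 ))))))))))
2012-11-06 03:41 . 2012-09-30 00:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-02 04:04 . 2012-11-02 04:04 -------- d-----w- c:\programdata\ekznmorchrfcrhp
2012-10-26 17:15 . 2012-10-26 17:15 -------- d-----w- c:\program files\Calibre2
(((((((((( Reg Loading Points ))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")            # (((( Section title ))))
FILE_RE = re.compile(                                      # created . modified size attrs path
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-{8}|\d+) ([-a-z]{8}) (.+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')             # "Name"="path" [date size]
POLICY_RE = re.compile(r'^"([^"]+)"=\s*(\d+) \(0x[0-9a-fA-F]+\)$')


def parse_combofix(text):
    """Split a ComboFix log into deletions, created files, Run entries and policy values."""
    result = {"deletions": [], "created": [], "run": [], "policies": {}}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":        # ComboFix pads sections with "." lines
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group(1).lower(), None
            continue
        if section is None:                # header lines before the first section
            continue
        if section.startswith("other deletions"):
            result["deletions"].append(line)
        elif section.startswith("files created"):
            if m := FILE_RE.match(line):
                created, modified, size, attrs, path = m.groups()
                result["created"].append({"created": created, "modified": modified, "path": path,
                    "size": None if size.startswith("-") else int(size), "is_dir": attrs.startswith("d")})
        elif section.startswith("reg loading points"):
            if m := KEY_RE.match(line):
                key = m.group(1)           # values that follow belong to this key
            elif key and key.lower().endswith("\\run") and (m := VALUE_RE.match(line)):
                result["run"].append((key, m.group(1), m.group(2)))
            elif key and key.lower().endswith("policies\\system") and (m := POLICY_RE.match(line)):
                result["policies"][m.group(1)] = int(m.group(2))
    return result


def looks_random(name):
    """Assumed heuristic (mine, not ComboFix's): all-digit or long, vowel-poor names."""
    stem = name.rsplit(".", 1)[0].lower()
    if stem.isdigit():
        return len(stem) >= 6
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 10:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def triage(parsed):
    """Findings a responder would raise first from the parsed log."""
    findings = []
    if parsed["policies"].get("EnableLUA") == 0:
        findings.append("UAC disabled (EnableLUA = 0): re-enable once the machine is clean")
    for path in parsed["deletions"]:
        findings.append(f"ComboFix removed: {path}")
    for entry in parsed["created"]:
        name = entry["path"].rsplit("\\", 1)[-1]
        if "\\programdata\\" in entry["path"].lower() and looks_random(name):
            findings.append(f"Random-looking ProgramData name created {entry['created']}: {entry['path']}")
    for _key, name, exe in parsed["run"]:
        low = exe.lower()
        if not (low.startswith("c:\\program files") or low.startswith("c:\\windows")):
            findings.append(f"Autostart outside Program Files/Windows: {name} -> {exe}")
    return findings
```

Run `triage(parse_combofix(open("ComboFix.txt").read()))` against a real log; the Run-key check is deliberately coarse and only surfaces candidates for a closer look.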



