Stuck in Safe Mode even after system restore


  • This topic is locked
9 replies to this topic

#1 white sauce

white sauce

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:31 PM

Posted 12 November 2012 - 01:40 PM

Hello, below are the requested scan logs. I tried multiple antivirus and antispyware malware programs and they do find things, but keep finding things with each safe-mode reboot. I did a system restore and had a long list to choose from, but clicked the next-to-most-recent system restore point since I knew it was working fine at that time (two months ago); now system restore will not show any dates before that one. Normal boot-up gives me all of 2 seconds before it freezes, usually with a monocolor screen, then an automatic reset. Unable to get rkill running in time. (It has been this way before and after system restore.) Please help; your time and help is greatly appreciated.
--------------------
DDS (Ver_2012-11-07.01) - NTFS_x86 NETWORK
Internet Explorer: 9.0.8112.16421
Run by DC at 9:41:00 on 2012-11-12
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1917.1091 [GMT -6:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Users\DC\Desktop\bleepingcomputer\jogfpqoe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare with antivirus 2013\ASCTray.exe" /AutoStart
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [BC85A1E0-49B9-4449-8D4C-532348AC41ED] cmd.exe /C start /D "c:\users\dc\appdata\local\Temp" /B BC85A1E0-49B9-4449-8D4C-532348AC41ED.exe -activeimages -postboot
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvLsp.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{21B55E4D-F158-4A94-ABBD-BF61C2E381AD} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{21B55E4D-F158-4A94-ABBD-BF61C2E381AD}\0516E6562716 : DHCPNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{21B55E4D-F158-4A94-ABBD-BF61C2E381AD}\2656C6B696E6534376 : DHCPNameServer = 192.168.2.1 192.168.1.254
TCP: Interfaces\{21B55E4D-F158-4A94-ABBD-BF61C2E381AD}\7777D636D277966696 : DHCPNameServer = 199.4.9.98 199.44.2.10
TCP: Interfaces\{21B55E4D-F158-4A94-ABBD-BF61C2E381AD}\8445340214D616A756024374027333 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{6DC9C780-8A21-4E31-84B2-BF72A3A8BF4E} : DHCPNameServer = 192.168.42.129
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
SSODL: WebCheck - <orphaned>
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dc\appdata\roaming\mozilla\firefox\profiles\q7lnrdv5.default\
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-4-2 16184]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-15 243152]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\drivers\netr28.sys [2009-8-19 616960]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-15 216400]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-15 29712]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare with antivirus 2013\ASCSvc.exe [2012-11-10 514432]
S2 ASCAntivirusSrv;AdvancedSystemCareAntivirus;c:\program files\iobit\advanced systemcare with antivirus 2013\ASCAvSvc.exe [2012-11-10 906112]
S2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
S2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-6-9 821080]
S2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2009-11-6 160768]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2009-11-6 17920]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-8-11 9472]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-11-6 166912]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-26 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-29 1343400]
S4 avg9emc;AVG Free E-mail Scanner;"c:\program files\avg\avg9\avgemc.exe" --> c:\program files\avg\avg9\avgemc.exe [?]
S4 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S4 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2012-3-23 87040]
.
=============== Created Last 30 ================
.
2012-11-10 19:09:30 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-10 19:02:14 -------- d-sh--w- C:\$RECYCLE.BIN
2012-11-10 18:54:43 98816 ----a-w- c:\windows\sed.exe
2012-11-10 18:54:43 256000 ----a-w- c:\windows\PEV.exe
2012-11-10 18:54:43 208896 ----a-w- c:\windows\MBR.exe
2012-11-10 18:42:18 -------- d-----w- c:\users\dc\appdata\local\MFAData
2012-11-10 18:42:18 -------- d-----w- c:\users\dc\appdata\local\Avg2013
2012-11-10 18:42:18 -------- d-----w- c:\programdata\MFAData
2012-11-10 14:07:47 340624 ----a-w- c:\windows\system32\drivers\trufos.sys
2012-11-10 14:07:46 353096 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2012-11-10 14:07:45 -------- d-----w- c:\programdata\{D76294E6-03B8-4971-AF2E-3F846161A690}
2012-11-10 14:07:42 -------- d-----w- c:\programdata\{6F2F3866-38AD-4f48-852C-2FF5DE7A7588}
2012-11-10 13:56:12 -------- d-----w- c:\program files\UniPDF
2012-11-10 13:03:56 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-10 01:26:56 -------- d-----w- c:\users\dc\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-11-09 21:17:46 -------- d-----w- c:\program files\ESET
2012-11-09 20:44:12 -------- d-----w- c:\users\dc\appdata\roaming\SUPERAntiSpyware.com
2012-11-09 20:43:50 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-11-09 20:43:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-11-09 20:32:19 -------- d-----w- c:\users\dc\appdata\roaming\Malwarebytes
2012-11-09 20:32:12 -------- d-----w- c:\programdata\Malwarebytes
2012-11-09 20:32:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2012-10-31 23:22:34 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-31 23:22:34 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 9:41:15.42 ===============

#2 white sauce

white sauce
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:31 PM

Posted 12 November 2012 - 07:25 PM

RogueKiller in safe mode keeps finding things, like this: Software\Microsoft\Windows\CurrentVersion\RunOnce
cmd.exe/C start/D "C:\DC\appData\Local\Temp" /B BC85A1E0-49B9-4449-8D4C-532348AC41ED.exe -activeimages -postboot

#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:31 AM

Posted 12 November 2012 - 08:16 PM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 white sauce

white sauce
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:31 PM

Posted 12 November 2012 - 11:11 PM

Catbyte, thank you for your willingness to help.
I was unable to reboot normally, so went to safe mode again and here is what you asked for.
David

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-11-2012
Ran by SYSTEM at 12-11-2012 19:56:27
Running from H:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup [13797920 2009-07-18] (NVIDIA Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7547424 2009-06-16] (Realtek Semiconductor)
HKLM\...\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe [2072576 2009-08-05] (Micro-Star International Co., Ltd.)
HKLM\...\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKU\DC\...\Run: [Advanced SystemCare 5] "C:\Program Files\IObit\Advanced SystemCare with Antivirus 2013\ASCTray.exe" /AutoStart [299392 2012-07-26] (IObit)
HKU\DC\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [4763008 2012-11-01] (SUPERAntiSpyware.com)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [766536 2012-09-29] (Malwarebytes Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [116608 2012-07-11] (SUPERAntiSpyware.com)
2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
2 AdvancedSystemCareService5; C:\Program Files\IObit\Advanced SystemCare with Antivirus 2013\ascsvc.exe [514432 2012-07-26] (IObit)
2 ASCAntivirusSrv; C:\Program Files\IObit\Advanced SystemCare with Antivirus 2013\ascavsvc.exe [906112 2012-08-23] (IOBit)
4 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [387616 2009-08-10] ()
2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe [821080 2011-05-12] (IObit)
2 Micro Star SCM; C:\Program Files\System Control Manager\MSIService.exe [160768 2009-07-09] (Micro-Star International Co., Ltd.)
4 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [178720 2009-08-10] ()
4 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [87040 2012-03-23] ()
4 avg9emc; "C:\Program Files\AVG\AVG9\avgemc.exe" [x]
4 avg9wd; "C:\Program Files\AVG\AVG9\avgwdsvc.exe" [x]

==================== Drivers (Whitelisted) ====================

3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [17920 2008-04-25] (ArcSoft, Inc.)
1 AvgLdx86; C:\Windows\System32\Drivers\avgldx86.sys [216400 2010-08-01] (AVG Technologies CZ, s.r.o.)
1 AvgMfx86; C:\Windows\System32\Drivers\avgmfx86.sys [29712 2011-09-16] (AVG Technologies CZ, s.r.o.)
1 AvgTdiX; C:\Windows\System32\Drivers\avgtdix.sys [243152 2011-05-15] (AVG Technologies CZ, s.r.o.)
2 bdfsfltr; C:\Windows\System32\DRIVERS\bdfsfltr.sys [353096 2012-03-15] (BitDefender)
3 htcnprot; C:\Windows\System32\DRIVERS\htcnprot.sys [23040 2010-06-23] (Windows ® Win 7 DDK provider)
3 pnetmdm; C:\Windows\System32\DRIVERS\pnetmdm.sys [9472 2006-09-28] (June Fabrics Technology)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [16184 2011-02-23] ()
3 Trufos; C:\Windows\System32\DRIVERS\TRUFOS.sys [340624 2011-11-21] (BitDefender S.R.L.)
3 catchme; \??\C:\Users\DC\AppData\Local\Temp\catchme.sys [x]
3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]
3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-11-12 19:56 - 2012-11-12 19:56 - 00000000 ____D C:\FRST
2012-11-12 14:10 - 2012-11-12 14:10 - 00001894 ____A C:\Users\DC\Desktop\RKreport[13]_S_11122012_02d1610.txt
2012-11-12 14:02 - 2012-11-12 14:02 - 00002068 ____A C:\Users\DC\Desktop\RKreport[12]_D_11122012_02d1602.txt
2012-11-12 14:00 - 2012-11-12 14:00 - 00002026 ____A C:\Users\DC\Desktop\RKreport[11]_S_11122012_02d1600.txt
2012-11-12 07:41 - 2012-11-12 07:41 - 00013883 ____A C:\Users\DC\Desktop\attach.txt
2012-11-12 07:41 - 2012-11-12 07:41 - 00009513 ____A C:\Users\DC\Desktop\dds.txt
2012-11-12 07:38 - 2012-11-12 07:39 - 00000466 ____A C:\Users\DC\Desktop\defogger_disable.log
2012-11-12 07:38 - 2012-11-12 07:38 - 00000000 ____A C:\Users\DC\defogger_reenable
2012-11-10 11:09 - 2012-11-10 11:10 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-11-10 11:06 - 2012-11-10 11:06 - 00001174 ____A C:\AdwCleaner[R2].txt
2012-11-10 11:05 - 2012-11-10 11:05 - 00001745 ____A C:\Users\DC\Desktop\RKreport[10]_D_11102012_02d1305.txt
2012-11-10 11:05 - 2012-11-10 11:05 - 00001702 ____A C:\Users\DC\Desktop\RKreport[9]_S_11102012_02d1305.txt
2012-11-10 11:02 - 2012-11-10 11:02 - 00012576 ____A C:\ComboFix.txt
2012-11-10 10:54 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-11-10 10:54 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-11-10 10:54 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-11-10 10:54 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-11-10 10:54 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-11-10 10:54 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-11-10 10:54 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-11-10 10:54 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-11-10 10:42 - 2012-11-10 10:45 - 00000000 ____D C:\Users\All Users\MFAData
2012-11-10 10:42 - 2012-11-10 10:42 - 00000000 ____D C:\Users\DC\AppData\Local\MFAData
2012-11-10 10:42 - 2012-11-10 10:42 - 00000000 ____D C:\Users\DC\AppData\Local\Avg2013
2012-11-10 10:39 - 2012-11-10 11:02 - 00000000 ____D C:\Qoobox
2012-11-10 10:39 - 2012-11-10 11:01 - 00000000 ____D C:\Windows\erdnt
2012-11-10 10:38 - 2012-11-10 10:38 - 00001777 ____A C:\Users\DC\Desktop\RKreport[7]_D_11102012_02d1238.txt
2012-11-10 10:38 - 2012-11-10 10:38 - 00001602 ____A C:\Users\DC\Desktop\RKreport[8]_S_11102012_02d1238.txt
2012-11-10 10:37 - 2012-11-10 10:37 - 00001736 ____A C:\Users\DC\Desktop\RKreport[6]_S_11102012_02d1237.txt
2012-11-10 10:28 - 2012-11-10 10:28 - 00001489 ____A C:\Users\DC\Desktop\RKreport[5]_S_11102012_02d1228.txt
2012-11-10 10:19 - 2012-11-10 10:20 - 00001114 ____A C:\AdwCleaner[R1].txt
2012-11-10 10:12 - 2012-11-10 10:12 - 00001452 ____A C:\Users\DC\Desktop\RKreport[4]_S_11102012_02d1212.txt
2012-11-10 06:07 - 2012-11-10 06:07 - 00001315 ____A C:\Users\Public\Desktop\Advanced SystemCare with Antivirus 2013.lnk
2012-11-10 06:07 - 2012-11-10 06:07 - 00000000 ____D C:\Users\All Users\{D76294E6-03B8-4971-AF2E-3F846161A690}
2012-11-10 06:07 - 2012-11-10 06:07 - 00000000 ____D C:\Users\All Users\{6F2F3866-38AD-4f48-852C-2FF5DE7A7588}
2012-11-10 06:07 - 2012-03-15 12:16 - 00353096 ____A (BitDefender) C:\Windows\System32\Drivers\bdfsfltr.sys
2012-11-10 06:07 - 2011-11-21 16:58 - 00340624 ____A (BitDefender S.R.L.) C:\Windows\System32\Drivers\trufos.sys
2012-11-10 05:56 - 2012-11-10 05:56 - 00000947 ____A C:\Users\DC\Desktop\UniPDF.lnk
2012-11-10 05:56 - 2012-11-10 05:56 - 00000000 ____D C:\Program Files\UniPDF
2012-11-10 05:53 - 2012-11-10 05:53 - 00001780 ____A C:\Users\DC\Desktop\RKreport[2]_D_11102012_02d0753.txt
2012-11-10 05:53 - 2012-11-10 05:53 - 00001621 ____A C:\Users\DC\Desktop\RKreport[3]_S_11102012_02d0753.txt
2012-11-10 05:52 - 2012-11-10 05:52 - 00001727 ____A C:\Users\DC\Desktop\RKreport[1]_S_11102012_02d0752.txt
2012-11-10 05:47 - 2012-11-12 14:02 - 00000000 ____D C:\Users\DC\Desktop\RK_Quarantine
2012-11-10 05:28 - 2012-11-10 05:28 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\DC\Desktop\rkill.exe
2012-11-10 05:10 - 2012-11-10 05:10 - 00001971 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-11-10 05:03 - 2012-09-29 17:54 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-09 17:26 - 2012-11-09 17:26 - 00000000 ____D C:\Users\DC\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-11-09 17:12 - 2012-11-09 17:12 - 00000879 ____A C:\AdwCleaner[S2].txt
2012-11-09 16:57 - 2012-11-10 11:06 - 00002968 ____A C:\Users\DC\Desktop\Rkill.txt
2012-11-09 16:12 - 2012-11-09 16:12 - 00000000 ____D C:\Users\All Users\Google
2012-11-09 16:11 - 2012-11-09 19:30 - 00000000 ____D C:\Program Files\Google
2012-11-09 14:56 - 2012-11-09 15:52 - 00013324 ____A C:\Users\DC\Desktop\Nmc_2012-11-09_16-56-19.log
2012-11-09 14:42 - 2012-11-09 14:42 - 00000845 ____A C:\AdwCleaner[S1].txt
2012-11-09 13:26 - 2012-11-09 13:40 - 00001441 ____A C:\scu.dat
2012-11-09 13:17 - 2012-11-09 13:17 - 00000000 ____D C:\Program Files\ESET
2012-11-09 12:44 - 2012-11-09 12:44 - 00000000 ____D C:\Users\DC\AppData\Roaming\SUPERAntiSpyware.com
2012-11-09 12:43 - 2012-11-10 05:11 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-11-09 12:43 - 2012-11-09 12:43 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-11-09 12:32 - 2012-11-10 05:04 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-11-09 12:32 - 2012-11-09 12:32 - 00000000 ____D C:\Users\DC\AppData\Roaming\Malwarebytes
2012-11-09 12:32 - 2012-11-09 12:32 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-09 12:31 - 2012-11-12 17:46 - 00000000 ____D C:\Users\DC\Desktop\bleepingcomputer
2012-11-01 21:31 - 2012-11-06 13:31 - 00000321 ____A C:\Users\DC\Desktop\avgrep.txt

==================== One Month Modified Files and Folders ========

2012-11-12 19:56 - 2012-11-12 19:56 - 00000000 ____D C:\FRST
2012-11-12 17:48 - 2009-11-06 11:49 - 00713888 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-12 17:46 - 2012-11-09 12:31 - 00000000 ____D C:\Users\DC\Desktop\bleepingcomputer
2012-11-12 14:10 - 2012-11-12 14:10 - 00001894 ____A C:\Users\DC\Desktop\RKreport[13]_S_11122012_02d1610.txt
2012-11-12 14:02 - 2012-11-12 14:02 - 00002068 ____A C:\Users\DC\Desktop\RKreport[12]_D_11122012_02d1602.txt
2012-11-12 14:02 - 2012-11-10 05:47 - 00000000 ____D C:\Users\DC\Desktop\RK_Quarantine
2012-11-12 14:00 - 2012-11-12 14:00 - 00002026 ____A C:\Users\DC\Desktop\RKreport[11]_S_11122012_02d1600.txt
2012-11-12 13:08 - 2012-09-12 15:19 - 47869952 ____A C:\Windows\System32\config\software.iobit
2012-11-12 13:08 - 2012-09-12 15:19 - 16109568 ____A C:\Windows\System32\config\system.iobit
2012-11-12 13:08 - 2012-09-12 15:19 - 00229376 ____A C:\Windows\System32\config\default.iobit
2012-11-12 13:08 - 2012-09-12 15:19 - 00057344 ____A C:\Windows\System32\config\sam.iobit
2012-11-12 13:08 - 2012-09-12 15:19 - 00024576 ____A C:\Windows\System32\config\security.iobit
2012-11-12 13:08 - 2009-12-15 16:33 - 00000000 ____D C:\users\DC
2012-11-12 07:41 - 2012-11-12 07:41 - 00013883 ____A C:\Users\DC\Desktop\attach.txt
2012-11-12 07:41 - 2012-11-12 07:41 - 00009513 ____A C:\Users\DC\Desktop\dds.txt
2012-11-12 07:39 - 2012-11-12 07:38 - 00000466 ____A C:\Users\DC\Desktop\defogger_disable.log
2012-11-12 07:38 - 2012-11-12 07:38 - 00000000 ____A C:\Users\DC\defogger_reenable
2012-11-10 11:10 - 2012-11-10 11:09 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-11-10 11:06 - 2012-11-10 11:06 - 00001174 ____A C:\AdwCleaner[R2].txt
2012-11-10 11:06 - 2012-11-09 16:57 - 00002968 ____A C:\Users\DC\Desktop\Rkill.txt
2012-11-10 11:05 - 2012-11-10 11:05 - 00001745 ____A C:\Users\DC\Desktop\RKreport[10]_D_11102012_02d1305.txt
2012-11-10 11:05 - 2012-11-10 11:05 - 00001702 ____A C:\Users\DC\Desktop\RKreport[9]_S_11102012_02d1305.txt
2012-11-10 11:02 - 2012-11-10 11:02 - 00012576 ____A C:\ComboFix.txt
2012-11-10 11:02 - 2012-11-10 10:39 - 00000000 ____D C:\Qoobox
2012-11-10 11:02 - 2009-07-13 18:37 - 00000000 ___RD C:\users\Public
2012-11-10 11:01 - 2012-11-10 10:39 - 00000000 ____D C:\Windows\erdnt
2012-11-10 11:01 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini
2012-11-10 10:45 - 2012-11-10 10:42 - 00000000 ____D C:\Users\All Users\MFAData
2012-11-10 10:44 - 2009-12-15 18:42 - 00000000 ____D C:\Program Files\AVG
2012-11-10 10:42 - 2012-11-10 10:42 - 00000000 ____D C:\Users\DC\AppData\Local\MFAData
2012-11-10 10:42 - 2012-11-10 10:42 - 00000000 ____D C:\Users\DC\AppData\Local\Avg2013
2012-11-10 10:38 - 2012-11-10 10:38 - 00001777 ____A C:\Users\DC\Desktop\RKreport[7]_D_11102012_02d1238.txt
2012-11-10 10:38 - 2012-11-10 10:38 - 00001602 ____A C:\Users\DC\Desktop\RKreport[8]_S_11102012_02d1238.txt
2012-11-10 10:37 - 2012-11-10 10:37 - 00001736 ____A C:\Users\DC\Desktop\RKreport[6]_S_11102012_02d1237.txt
2012-11-10 10:32 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-10 10:28 - 2012-11-10 10:28 - 00001489 ____A C:\Users\DC\Desktop\RKreport[5]_S_11102012_02d1228.txt
2012-11-10 10:20 - 2012-11-10 10:19 - 00001114 ____A C:\AdwCleaner[R1].txt
2012-11-10 10:17 - 2009-12-15 16:32 - 01217514 ____A C:\Windows\WindowsUpdate.log
2012-11-10 10:12 - 2012-11-10 10:12 - 00001452 ____A C:\Users\DC\Desktop\RKreport[4]_S_11102012_02d1212.txt
2012-11-10 08:28 - 2009-11-06 12:31 - 00000000 ___RD C:\Users\Public\Recorded TV
2012-11-10 08:28 - 2009-11-06 12:31 - 00000000 ____D C:\Windows\ShellNew
2012-11-10 08:28 - 2009-11-06 12:31 - 00000000 ____D C:\Program Files\Windows Journal
2012-11-10 08:28 - 2009-11-06 12:10 - 00000000 ____D C:\Program Files\WinRAR 3.61 Multi
2012-11-10 08:28 - 2009-11-06 12:06 - 00000000 ____D C:\Program Files\System Control Manager
2012-11-10 08:28 - 2009-11-06 12:05 - 00000000 ____D C:\Program Files\Microsoft Works
2012-11-10 08:28 - 2009-11-06 12:05 - 00000000 ____D C:\Program Files\Common Files\DESIGNER
2012-11-10 08:28 - 2009-11-06 11:50 - 00000000 ____D C:\Windows\System32\sda
2012-11-10 08:28 - 2009-11-06 11:48 - 00000000 ____D C:\Windows\System32\RTCOM
2012-11-10 08:28 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\twain_32
2012-11-10 08:28 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\Offline Web Pages
2012-11-10 08:28 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\addins
2012-11-10 08:28 - 2009-07-13 20:52 - 00000000 ____D C:\Program Files\Windows Sidebar
2012-11-10 08:28 - 2009-07-13 20:52 - 00000000 ____D C:\Program Files\Windows Defender
2012-11-10 08:28 - 2009-07-13 20:52 - 00000000 ____D C:\Program Files\DVD Maker
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 __RSD C:\Windows\Media
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 __RHD C:\Users\Public\Libraries
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\TAPI
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\Recovery
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ras
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\Msdtc
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\icsxml
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ias
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\com
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\system
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\L2Schemas
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\IME
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Cursors
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\System
2012-11-10 08:28 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\Services
2012-11-10 08:27 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\WinBioPlugIns
2012-11-10 08:27 - 2009-07-13 20:52 - 00000000 ____D C:\Program Files\Windows Portable Devices
2012-11-10 08:27 - 2009-07-13 20:52 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-TW
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-HK
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\zh-CN
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\uk-UA
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\tr-TR
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\th-TH
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\sv-SE
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\sr-Latn-CS
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\sl-SI
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\sk-SK
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ru-RU
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ro-RO
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pt-PT
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pt-BR
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\pl-PL
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\nl-NL
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\nb-NO
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\lv-LV
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\lt-LT
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ko-KR
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ja-JP
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\it-IT
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\hu-HU
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\hr-HR
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\he-IL
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\fr-FR
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\fi-FI
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\et-EE
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\el-GR
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\de-DE
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\bg-BG
2012-11-10 08:27 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ar-SA
2012-11-10 08:23 - 2011-03-26 09:02 - 00000000 ____D C:\Windows\System32\SPReview
2012-11-10 08:23 - 2011-03-26 08:32 - 00000000 ____D C:\Windows\System32\EventProviders
2012-11-10 08:23 - 2009-11-06 12:17 - 00000000 ____D C:\Windows\System32\Macromed
2012-11-10 08:23 - 2009-07-13 20:56 - 00000000 ____D C:\Windows\System32\winrm
2012-11-10 08:23 - 2009-07-13 20:56 - 00000000 ____D C:\Windows\System32\WCN
2012-11-10 08:23 - 2009-07-13 20:56 - 00000000 ____D C:\Windows\System32\slmgr
2012-11-10 08:23 - 2009-07-13 20:56 - 00000000 ____D C:\Windows\System32\Printing_Admin_Scripts
2012-11-10 08:23 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\WindowsPowerShell
2012-11-10 08:23 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\restore
2012-11-10 08:23 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\spp
2012-11-10 08:23 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\spool
2012-11-10 08:23 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\Speech
2012-11-10 08:23 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\SMI
2012-11-10 08:23 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NetworkList
2012-11-10 08:23 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2012-11-10 08:23 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\MUI
2012-11-10 08:23 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\IME
2012-11-10 08:22 - 2009-12-15 18:42 - 00000000 ____D C:\Windows\System32\Drivers\Avg
2012-11-10 08:22 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Speech
2012-11-10 08:21 - 2012-08-09 18:51 - 00000000 ____D C:\Windows\pss
2012-11-10 08:21 - 2011-10-28 22:08 - 00000000 ____D C:\Users\DC\AppData\Roaming\AVG9
2012-11-10 08:21 - 2011-10-28 22:04 - 00000000 ____D C:\Users\DC\AppData\Local\Downloaded Installations
2012-11-10 08:21 - 2011-10-28 21:39 - 00000000 ____D C:\Users\DC\AppData\Roaming\MyPhoneExplorer
2012-11-10 08:21 - 2011-06-12 11:38 - 00000000 ____D C:\Users\DC\AppData\Local\Mozilla
2012-11-10 08:21 - 2011-05-08 08:12 - 00000000 ____D C:\Users\DC\AppData\Roaming\Mozilla
2012-11-10 08:21 - 2011-04-02 12:30 - 00000000 ____D C:\Users\All Users\IObit
2012-11-10 08:21 - 2011-01-01 11:54 - 00000000 ____D C:\Users\All Users\FreeApp
2012-11-10 08:21 - 2010-04-08 16:08 - 00000000 ____D C:\Users\All Users\Hewlett-Packard
2012-11-10 08:21 - 2010-04-06 13:44 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2012-11-10 08:21 - 2010-04-06 13:44 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2012-11-10 08:21 - 2010-04-06 13:42 - 00000000 ____D C:\Users\All Users\NOS
2012-11-10 08:21 - 2009-12-15 18:35 - 00000000 ____D C:\Users\DC\AppData\Roaming\IObit
2012-11-10 08:21 - 2009-12-15 16:43 - 00000000 ____D C:\Users\DC\AppData\Local\Toshiba
2012-11-10 08:21 - 2009-12-15 16:42 - 00000000 ____D C:\Users\DC\AppData\Roaming\ArcSoft
2012-11-10 08:21 - 2009-11-06 12:04 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-11-10 08:21 - 2009-07-28 16:43 - 00000000 ____D C:\Windows\RE_DRIVE
2012-11-10 08:21 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\Performance
2012-11-10 08:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\security
2012-11-10 08:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\schemas
2012-11-10 08:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Resources
2012-11-10 08:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\PLA
2012-11-10 08:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Help
2012-11-10 08:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Globalization
2012-11-10 08:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Branding
2012-11-10 08:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2012-11-10 08:20 - 2012-02-20 21:28 - 00000000 ____D C:\0c061c5517d2af5ee1b3c67dbc
2012-11-10 08:20 - 2011-11-24 08:16 - 00000000 ____D C:\87f5f180e6c7c3dd12a1e6e3f469c2f1
2012-11-10 08:20 - 2011-10-28 22:04 - 00000000 ____D C:\Program Files\Spirent Communications
2012-11-10 08:20 - 2011-10-28 22:03 - 00000000 ____D C:\Program Files\HTC
2012-11-10 08:20 - 2011-10-28 21:39 - 00000000 ____D C:\Program Files\MyPhoneExplorer
2012-11-10 08:20 - 2011-10-28 21:38 - 00000000 ____D C:\Program Files\QuickTime
2012-11-10 08:20 - 2011-10-23 11:58 - 00000000 ____D C:\Program Files\Safari
2012-11-10 08:20 - 2011-10-23 11:56 - 00000000 ____D C:\Program Files\iTunes
2012-11-10 08:20 - 2011-10-23 11:56 - 00000000 ____D C:\Program Files\iPod
2012-11-10 08:20 - 2011-10-23 11:50 - 00000000 ____D C:\Program Files\Bonjour
2012-11-10 08:20 - 2011-10-23 11:46 - 00000000 ____D C:\Program Files\Apple Software Update
2012-11-10 08:20 - 2011-08-21 16:50 - 00000000 ____D C:\c9488f694ac7224d51e8
2012-11-10 08:20 - 2011-06-11 20:24 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-11-10 08:20 - 2011-03-26 08:12 - 00000000 ____D C:\13dc07e4d628cc5e2d13dc36
2012-11-10 08:20 - 2011-01-15 12:21 - 00000000 ____D C:\13cfbdcbf348fb09905c5539
2012-11-10 08:20 - 2010-12-15 18:36 - 00000000 ____D C:\Program Files\Common Files\Adobe
2012-11-10 08:20 - 2010-08-11 15:51 - 00000000 ____D C:\Program Files\PdaNet for iPhone
2012-11-10 08:20 - 2010-08-10 17:26 - 00000000 ____D C:\Users\All Users\Apple Computer
2012-11-10 08:20 - 2010-08-10 17:25 - 00000000 ____D C:\Users\All Users\Apple
2012-11-10 08:20 - 2010-08-10 07:18 - 00000000 ____D C:\Program Files\Microsoft CAPICOM 2.1.0.2
2012-11-10 08:20 - 2010-08-01 15:25 - 00000000 ____D C:\Program Files\Microsoft Visual Studio 8
2012-11-10 08:20 - 2010-02-14 10:15 - 00000000 ____D C:\88245b0eb0f85db74b
2012-11-10 08:20 - 2010-01-19 21:54 - 00000000 ____D C:\Program Files\Windows Live SkyDrive
2012-11-10 08:20 - 2010-01-19 21:53 - 00000000 ____D C:\Program Files\Windows Live
2012-11-10 08:20 - 2009-12-15 17:24 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-11-10 08:20 - 2009-11-06 12:14 - 00000000 ____D C:\Program Files\MSI
2012-11-10 08:20 - 2009-11-06 12:11 - 00000000 ____D C:\Program Files\Common Files\ArcSoft
2012-11-10 08:20 - 2009-11-06 12:05 - 00000000 ____D C:\Program Files\Microsoft.NET
2012-11-10 08:20 - 2009-11-06 12:04 - 00000000 ____D C:\Program Files\Microsoft Office
2012-11-10 08:20 - 2009-11-06 11:48 - 00000000 ____D C:\Program Files\Realtek
2012-11-10 08:20 - 2009-11-06 11:48 - 00000000 ____D C:\Program Files\Common Files\InstallShield
2012-11-10 08:20 - 2009-11-06 11:47 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2012-11-10 08:20 - 2009-11-06 11:45 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2012-11-10 08:20 - 2009-07-13 20:52 - 00000000 ____D C:\Program Files\MSBuild
2012-11-10 08:20 - 2009-07-13 20:52 - 00000000 ____D C:\Program Files\Microsoft Games
2012-11-10 08:20 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Windows NT
2012-11-10 08:20 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2012-11-10 08:15 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2012-11-10 07:49 - 2009-12-15 22:17 - 00000000 ____D C:\Users\DC\AppData\Local\Google
2012-11-10 06:07 - 2012-11-10 06:07 - 00001315 ____A C:\Users\Public\Desktop\Advanced SystemCare with Antivirus 2013.lnk
2012-11-10 06:07 - 2012-11-10 06:07 - 00000000 ____D C:\Users\All Users\{D76294E6-03B8-4971-AF2E-3F846161A690}
2012-11-10 06:07 - 2012-11-10 06:07 - 00000000 ____D C:\Users\All Users\{6F2F3866-38AD-4f48-852C-2FF5DE7A7588}
2012-11-10 06:07 - 2009-12-15 18:35 - 00000000 ____D C:\Program Files\IObit
2012-11-10 05:56 - 2012-11-10 05:56 - 00000947 ____A C:\Users\DC\Desktop\UniPDF.lnk
2012-11-10 05:56 - 2012-11-10 05:56 - 00000000 ____D C:\Program Files\UniPDF
2012-11-10 05:53 - 2012-11-10 05:53 - 00001780 ____A C:\Users\DC\Desktop\RKreport[2]_D_11102012_02d0753.txt
2012-11-10 05:53 - 2012-11-10 05:53 - 00001621 ____A C:\Users\DC\Desktop\RKreport[3]_S_11102012_02d0753.txt
2012-11-10 05:52 - 2012-11-10 05:52 - 00001727 ____A C:\Users\DC\Desktop\RKreport[1]_S_11102012_02d0752.txt
2012-11-10 05:28 - 2012-11-10 05:28 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\DC\Desktop\rkill.exe
2012-11-10 05:11 - 2012-11-09 12:43 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-11-10 05:10 - 2012-11-10 05:10 - 00001971 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-11-10 05:04 - 2012-11-09 12:32 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-11-09 19:30 - 2012-11-09 16:11 - 00000000 ____D C:\Program Files\Google
2012-11-09 17:26 - 2012-11-09 17:26 - 00000000 ____D C:\Users\DC\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-11-09 17:12 - 2012-11-09 17:12 - 00000879 ____A C:\AdwCleaner[S2].txt
2012-11-09 16:12 - 2012-11-09 16:12 - 00000000 ____D C:\Users\All Users\Google
2012-11-09 15:52 - 2012-11-09 14:56 - 00013324 ____A C:\Users\DC\Desktop\Nmc_2012-11-09_16-56-19.log
2012-11-09 14:42 - 2012-11-09 14:42 - 00000845 ____A C:\AdwCleaner[S1].txt
2012-11-09 13:40 - 2012-11-09 13:26 - 00001441 ____A C:\scu.dat
2012-11-09 13:17 - 2012-11-09 13:17 - 00000000 ____D C:\Program Files\ESET
2012-11-09 12:44 - 2012-11-09 12:44 - 00000000 ____D C:\Users\DC\AppData\Roaming\SUPERAntiSpyware.com
2012-11-09 12:43 - 2012-11-09 12:43 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-11-09 12:32 - 2012-11-09 12:32 - 00000000 ____D C:\Users\DC\AppData\Roaming\Malwarebytes
2012-11-09 12:32 - 2012-11-09 12:32 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-06 13:31 - 2012-11-01 21:31 - 00000321 ____A C:\Users\DC\Desktop\avgrep.txt
2012-10-31 17:08 - 2009-12-15 22:18 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1189677674-551811349-2148136835-1000UA.job
2012-10-31 17:07 - 2012-04-08 12:57 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-31 15:28 - 2009-07-13 20:34 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-31 15:28 - 2009-07-13 20:34 - 00017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-31 15:22 - 2012-04-08 12:57 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-10-31 15:22 - 2011-09-27 18:28 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-12 17:51:15
Restore point made on: 2012-10-03 11:30:22
Restore point made on: 2012-10-31 17:37:51

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 1917.12 MB
Available physical RAM: 1536.65 MB
Total Pagefile: 1917.12 MB
Available Pagefile: 1537.93 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.3 MB

==================== Partitions =============================

1 Drive c: (OS_Install) (Fixed) (Total:133.67 GB) (Free:93.84 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (Data) (Fixed) (Total:89.11 GB) (Free:88.46 GB) NTFS
3 Drive e: (BIOS_RVY) (Fixed) (Total:10 GB) (Free:5.55 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (System) (Fixed) (Total:0.1 GB) (Free:0.04 GB) NTFS ==>[System with boot components (obtained from reading drive)]
6 Drive h: () (Removable) (Total:0.12 GB) (Free:0.12 GB) FAT
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 124 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 10 GB 1024 KB
Partition 2 Recovery 100 MB 10 GB
Partition 3 Primary 133 GB 10 GB
Partition 4 Primary 89 GB 143 GB

=========================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E BIOS_RVY NTFS Partition 10 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F System NTFS Partition 100 MB Healthy Hidden

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C OS_Install NTFS Partition 133 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Data NTFS Partition 89 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 124 MB 16 KB

=========================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT Removable 124 MB Healthy

=========================================================

Last Boot: 2012-10-31 17:30

==================== End Of Log ============================

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:31 AM

Posted 13 November 2012 - 07:19 PM

Please run the following

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 white sauce

white sauce
  • Topic Starter

  • Members
  • 5 posts
  • Local time:08:31 PM

Posted 13 November 2012 - 09:09 PM

Catbyte,
I ran ComboFix; it saw that AVG was running in the background and asked me to close it, but I was unable to. I had AVG prior to this attack. I was unhappy that even though it was updated it let this infection happen, so I uninstalled it. However, when I did the system restore the program files came back but were not functional. I tried to delete them and was able to, except for one file. I tried renaming it and changing the file path, but that did not work for deleting it either.
Here is combofix log
thank you
David
----------------
ComboFix 12-11-13.02 - DC 11/13/2012 17:55:50.2.2 - x86 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1917.1424 [GMT -6:00]
Running from: c:\users\DC\Desktop\bleepingcomputer\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-10-14 to 2012-11-14 )))))))))))))))))))))))))))))))
.
.
2012-11-14 00:01 . 2012-11-14 00:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-13 23:53 . 2012-11-13 23:53 -------- d--h--w- c:\windows\PIF
2012-11-13 03:56 . 2012-11-13 03:56 -------- d-----w- C:\FRST
2012-11-10 19:09 . 2012-11-10 19:10 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-10 18:42 . 2012-11-10 18:45 -------- d-----w- c:\programdata\MFAData
2012-11-10 18:42 . 2012-11-10 18:42 -------- d-----w- c:\users\DC\AppData\Local\MFAData
2012-11-10 18:42 . 2012-11-10 18:42 -------- d-----w- c:\users\DC\AppData\Local\Avg2013
2012-11-10 14:07 . 2011-11-22 00:58 340624 ----a-w- c:\windows\system32\drivers\trufos.sys
2012-11-10 14:07 . 2012-03-15 20:16 353096 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2012-11-10 14:07 . 2012-11-10 14:07 -------- d-----w- c:\programdata\{D76294E6-03B8-4971-AF2E-3F846161A690}
2012-11-10 14:07 . 2012-11-10 14:07 -------- d-----w- c:\programdata\{6F2F3866-38AD-4f48-852C-2FF5DE7A7588}
2012-11-10 13:56 . 2012-11-10 13:56 -------- d-----w- c:\program files\UniPDF
2012-11-10 13:03 . 2012-09-30 01:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-10 01:26 . 2012-11-10 01:26 -------- d-----w- c:\users\DC\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-11-10 00:11 . 2012-11-10 03:30 -------- d-----w- c:\program files\Google
2012-11-09 21:17 . 2012-11-09 21:17 -------- d-----w- c:\program files\ESET
2012-11-09 20:44 . 2012-11-09 20:44 -------- d-----w- c:\users\DC\AppData\Roaming\SUPERAntiSpyware.com
2012-11-09 20:43 . 2012-11-10 13:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-11-09 20:43 . 2012-11-09 20:43 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-11-09 20:32 . 2012-11-09 20:32 -------- d-----w- c:\users\DC\AppData\Roaming\Malwarebytes
2012-11-09 20:32 . 2012-11-09 20:32 -------- d-----w- c:\programdata\Malwarebytes
2012-11-09 20:32 . 2012-11-10 13:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-31 23:22 . 2012-04-08 20:57 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-31 23:22 . 2011-09-28 02:28 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-14 16:26 . 2011-06-12 04:24 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare with Antivirus 2013\ASCTray.exe" [2012-07-27 299392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 4763008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-18 13797920]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-16 7547424]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2009-08-05 2072576]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-09-30 766536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^DC^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=c:\users\DC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=c:\windows\pss\PdaNet Desktop.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-31 11:20 38872 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 12:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-16 06:17 135664 ----atw- c:\users\DC\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
2012-04-17 20:05 651264 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
2009-07-22 21:40 83336 ----a-w- c:\program files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 23:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinterOn Printer Select 3.6]
2010-01-27 22:43 773632 ----a-w- c:\program files\PrinterOn Corporation\PrintWhere 3.6\pwcPrinterSelect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintWhere Router 3.6]
2010-01-27 22:43 654848 ----a-w- c:\program files\PrinterOn Corporation\PrintWhere 3.6\pwcRoute.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [x]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare with Antivirus 2013\ascsvc.exe [x]
R2 ASCAntivirusSrv;AdvancedSystemCareAntivirus;c:\program files\IObit\Advanced SystemCare with Antivirus 2013\ascavsvc.exe [x]
R2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [x]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [x]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [x]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [x]
R4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [x]
R4 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [x]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [x]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 23:22]
.
2012-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1189677674-551811349-2148136835-1000Core.job
- c:\users\DC\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-16 06:17]
.
2012-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1189677674-551811349-2148136835-1000UA.job
- c:\users\DC\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-16 06:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\DC\AppData\Roaming\Mozilla\Firefox\Profiles\q7lnrdv5.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-48163225.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{21FA44EF-376D-4D53-9B0F-8A89D3229068}"=hex:51,66,7a,6c,4c,1d,38,12,81,47,e9,
25,5f,79,3d,08,e4,19,c9,c9,d6,7c,d4,7c
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"=hex:51,66,7a,6c,4c,1d,38,12,7c,f0,b1,
38,5c,21,3d,0e,d9,78,0d,25,e1,c9,8c,d4
"{6EBF7485-159F-4BFF-A14F-B9E3AAC4465B}"=hex:51,66,7a,6c,4c,1d,38,12,eb,77,ac,
6a,ad,5b,91,0e,de,59,fa,a3,af,9a,02,4f
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}"=hex:51,66,7a,6c,4c,1d,38,12,ae,8e,49,
e5,24,cb,cf,07,fe,fc,9f,d4,e9,44,8b,04
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:50,62,6a,4d,23,27,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,d2,7a,57,98,65,f0,4b,8b,d6,88,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,d2,7a,57,98,65,f0,4b,8b,d6,88,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-13 18:02:56
ComboFix-quarantined-files.txt 2012-11-14 00:02
ComboFix2.txt 2012-11-10 19:02
.
Pre-Run: 100,768,927,744 bytes free
Post-Run: 100,682,665,984 bytes free
.
- - End Of File - - D43592FA95F3C8904168E52751BB4A3A

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:31 AM

Posted 13 November 2012 - 09:19 PM

I'm not seeing any remaining malware in the logs that could account for your remaining issues; there must be a conflict somewhere.

Please try using the AVG removal tool to delete all the remaining entries

http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe


then download and install Microsoft Security Essentials,

http://www.microsoft.com/security_essentials/


then run the following:



Please download Windows Repair (all in one) from here

Install the program then run it

Go to step 2 and allow it to run Disk check


Once that is done then go to step 3 and allow it to run SFC


On the Start Repairs tab => Click Start


Click on the select all check box and then click on Start

DON'T use the computer while each scan is in progress.

Restart may be needed to finish the repair procedure.



#8 white sauce

white sauce
  • Topic Starter

  • Members
  • 5 posts
  • Local time:08:31 PM

Posted 16 November 2012 - 12:36 PM

CatByte,
sorry for the delay,
I was unable to run the two programs while in safe mode. Also, the AVG program did not take off the remaining files.

However, I was reading another post and saw someone with similar issues; however, he would see lines on his screen, which I did not, and his screen would turn blue, but mine would not. However, I decided to turn off my video card. I did so and then I could not turn it back on, thus I thought it was maybe the source of the issue, so I uninstalled it. I then could start in regular mode, ran RKill but it did not show anything, and ran the other antivirus and antimalware programs and they did not show anything. I tried to download the driver to reinstall the video card but could not navigate around the internet without the video card, so I got it from my other computer and transferred it. However, the next rebootstrapping I did had the computer crash like it did before; it however bootstrapped fine the next time. When I installed the driver, the rebooting caused it to do what it did before.

So now I am back in safe mode. Do you think my card is just bad and computer is just old. Its only 3 years but in MSI Laptop world that could be like 10. found replacement cards for 20 dollars but video card is attached to motherboard, was unable to remove it with bare hands. doesnt have that nifty processor lever to unengage it. Not sure if all the problem was a video card issue and i should just go and get another portable computing device or if you think it could still be a malware issue, i know your last post stated you didnt see anything that look worrisome too you so that is why i am leaning toward video card failure. Questions? Thoughts? Suggestions? comments? critiques? criticism?
thanks catbyte
David

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:31 AM

Posted 16 November 2012 - 04:15 PM

I do believe at this point that it is a hardware issue, but whether or not it is the video card, I couldn't tell you, as I only rip out malware.

I suggest starting a new topic in our hardware subforum; the expert techs there may be able to run some diagnostics to further pinpoint the issue.

Link back to this topic so they can see what we have accomplished so far.

In the meantime, clean up the tools we have used:


You can delete the DDS, Farbar and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.



NEXT



If there are any logs/tools remaining on your desktop > right click and delete them.



#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:31 AM

Posted 21 November 2012 - 09:36 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





