
Help with Trojan Agent svchost.exe


This topic is locked
22 replies to this topic

#1 ricklive245

ricklive245

  • Members
  • 13 posts
  • OFFLINE

Posted 17 November 2012 - 10:36 PM

Hello, I can't seem to get rid of this virus. Trojan.Agent svchost.exe
What info do you need from me? Please help!



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,082 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA

Posted 17 November 2012 - 10:48 PM

Please follow this Preparation Guide and post the log here.

#3 ricklive245

ricklive245
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE

Posted 17 November 2012 - 10:50 PM

DDS (Ver_2012-11-07.01) - NTFS_AMD64 NETWORK
Internet Explorer: 9.0.8112.16455
Run by yolanda at 21:24:29 on 2012-11-18
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3839.3182 [GMT -8:00]
.
AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uSearch Bar = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=3ae3d1f0-8593-465b-a688-f7787e7e301a&searchtype=ds&q={searchTerms}
uSearch Page = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=3ae3d1f0-8593-465b-a688-f7787e7e301a&searchtype=ds&q={searchTerms}
uSearchAssistant = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=3ae3d1f0-8593-465b-a688-f7787e7e301a&searchtype=ds&q={searchTerms}
uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
mWinlogon: Userinit = userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\20.2.0.19\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Norton Identity Protection: {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\coieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Identity Safe Toolbar: {A13C2648-91D4-4BF3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\coieplg.dll
TB: Norton Identity Safe Toolbar: {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\coieplg.dll
TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
uRun: [ElevatedDiagnostics] rundll32.exe "C:\Users\yolanda\AppData\Local\Google\ElevatedDiagnostics\hofatneli.dll",DllRegisterServerW
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [63400C33-1D19-4E52-BF5E-7D616A1317CF] cmd.exe /C start /D "C:\Users\yolanda\AppData\Local\Temp" /B 63400C33-1D19-4E52-BF5E-7D616A1317CF.exe -postboot
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{47F3F09E-0790-45AA-96EC-41EF1C11D99D} : DHCPNameServer = 192.168.2.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
x64-Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
x64-Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2011-5-6 75904]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2011-5-6 38016]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NAVx64\1402000.013\symds64.sys [2012-10-31 493216]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NAVx64\1402000.013\symefa64.sys [2012-10-31 1133216]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-5-6 412776]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2011-5-6 38456]
S1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.1.5\Definitions\BASHDefs\20121106.001\BHDrvx64.sys [2012-10-23 1384608]
S1 ccSet_NAV;Norton AntiVirus Settings Manager;C:\Windows\System32\drivers\NAVx64\1402000.013\ccsetx64.sys [2012-10-31 168096]
S1 ccSet_NST;Norton Identity Safe Settings Manager;C:\Windows\System32\drivers\NSTx64\7DD02000.012\ccsetx64.sys [2012-10-30 168096]
S1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.1.5\Definitions\IPSDefs\20121116.001\IDSviA64.sys [2012-11-17 513184]
S1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NAVx64\1402000.013\ironx64.sys [2012-10-31 224416]
S1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\NAVx64\1402000.013\symnets.sys [2012-10-31 432800]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-5-6 203264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-17 399432]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-17 676936]
S2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\20.2.0.19\ccsvchst.exe [2012-10-31 143928]
S2 NCO;Norton Identity Safe;C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccsvchst.exe [2012-10-30 143928]
S2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
S2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-9 138912]
S3 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-16 682040]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-17 25928]
S3 PAC207;SoC PC-Camera;C:\Windows\System32\drivers\PFC027.SYS [2006-12-5 572416]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-8-4 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-11-19 05:12:16 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-18 15:41:48 20480 ----a-w- C:\Windows\svchost.exe
2012-11-18 09:42:44 -------- d-----w- C:\Users\yolanda\DoctorWeb
2012-11-18 07:41:44 -------- d-----w- C:\Users\yolanda\AppData\Roaming\Malwarebytes
2012-11-18 07:41:36 -------- d-----w- C:\ProgramData\Malwarebytes
2012-11-18 07:41:35 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-11-18 07:41:35 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-18 06:36:49 -------- d-----w- C:\ProgramData\PDFC
2012-11-18 06:35:36 174008 ----a-w- C:\Program Files (x86)\39res.dll
2012-11-18 05:57:34 477168 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-11-18 05:52:28 -------- d-----w- C:\Program Files\CCleaner
2012-11-16 06:09:50 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2012-11-16 06:09:50 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2012-11-16 06:09:50 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2012-11-16 06:09:50 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2012-11-16 05:44:59 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
2012-11-12 06:51:44 998456 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\install_flashplayer.exe
2012-11-08 18:08:04 -------- d-----w- C:\ProgramData\Recovery
2012-11-08 03:21:43 -------- d-----w- C:\Users\yolanda\AppData\Local\HuluDesktop
2012-11-08 02:49:32 -------- d-----w- C:\Users\yolanda\AppData\Roaming\Roxio Log Files
2012-11-01 21:28:29 -------- d-----w- C:\Users\yolanda\AppData\Local\Vid-Saver
2012-11-01 21:28:26 -------- d-----w- C:\Program Files (x86)\Vid-Saver
2012-11-01 01:45:34 776864 ----a-w- C:\Windows\System32\drivers\NAVx64\1402000.013\srtsp64.sys
2012-11-01 01:45:34 493216 ----a-w- C:\Windows\System32\drivers\NAVx64\1402000.013\symds64.sys
2012-11-01 01:45:34 432800 ----a-w- C:\Windows\System32\drivers\NAVx64\1402000.013\symnets.sys
2012-11-01 01:45:34 37496 ----a-r- C:\Windows\System32\drivers\NAVx64\1402000.013\srtspx64.sys
2012-11-01 01:45:34 23448 ----a-r- C:\Windows\System32\drivers\NAVx64\1402000.013\symelam.sys
2012-11-01 01:45:34 224416 ----a-w- C:\Windows\System32\drivers\NAVx64\1402000.013\ironx64.sys
2012-11-01 01:45:34 168096 ----a-w- C:\Windows\System32\drivers\NAVx64\1402000.013\ccsetx64.sys
2012-11-01 01:45:34 1133216 ----a-w- C:\Windows\System32\drivers\NAVx64\1402000.013\symefa64.sys
2012-11-01 01:45:16 -------- d-----w- C:\Windows\System32\drivers\NAVx64\1402000.013
2012-10-31 04:16:00 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-10-31 03:30:17 168096 ----a-w- C:\Windows\System32\drivers\NSTx64\7DD02000.012\ccsetx64.sys
2012-10-31 03:30:12 -------- d-----w- C:\Windows\System32\drivers\NSTx64\7DD02000.012
2012-10-29 05:38:31 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-10-27 04:28:39 -------- d-----w- C:\Users\yolanda\AppData\Roaming\System
.
==================== Find3M ====================
.
2012-11-18 05:57:10 473072 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-11-10 17:03:29 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-18 18:25:58 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-10-17 21:06:33 177312 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll
2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll
2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-08-21 21:01:00 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
.
============= FINISH: 21:25:35.75 ===============
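
Two items in the DDS log above are the kind a malware-response helper checks first: the "Created Last 30" section lists C:\Windows\svchost.exe, while the genuine service host runs from C:\Windows\System32 (and SysWOW64 on 64-bit Windows), and the uRun entry "ElevatedDiagnostics" has rundll32.exe loading a DLL from the user's AppData folder. The following Python script is an added triage example, not part of this thread and not part of the DDS tool; it parses a constructed sample built from lines of that log and flags those two patterns for manual review. The section names it keys on are taken from the log, while the rule names and the sample text are the example's own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample built from lines of the DDS log posted above; only the
# three sections the checks below look at are included.
SAMPLE_DDS = r"""============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uRun: [ElevatedDiagnostics] rundll32.exe "C:\Users\yolanda\AppData\Local\Google\ElevatedDiagnostics\hofatneli.dll",DllRegisterServerW
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
=============== Created Last 30 ================
.
2012-11-18 15:41:48 20480 ----a-w- C:\Windows\svchost.exe
2012-11-18 07:41:35 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-10-29 05:38:31 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
.
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
EXE_PATH_RE = re.compile(r"^([A-Za-z]:\\.*?\.exe)", re.IGNORECASE)
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.+)$")
AUTORUN_RE = re.compile(r"^(?:u|m)Run(?:Once)?:\s+\[(.+?)\]\s+(.+)$")

# Directories where svchost.exe legitimately lives on 64-bit Windows 7.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def split_sections(text):
    """Group the log's lines under their '=== Name ===' headers, dropping the '.' spacers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line)
    return sections


def svchost_outside_system32(path):
    """True when a file named svchost.exe sits anywhere but its expected folders."""
    p = PureWindowsPath(path)
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in SVCHOST_DIRS


def rundll32_from_appdata(command):
    """True when an autorun command uses rundll32 to load a DLL from a user profile."""
    lowered = command.lower()
    return "rundll32" in lowered and "\\appdata\\" in lowered


def triage(text):
    """Run both checks over a DDS log and return (rule, evidence) findings for review."""
    findings = []
    sections = split_sections(text)
    # Running processes: the path is everything up to the first '.exe'.
    for line in sections.get("Running Processes", []):
        m = EXE_PATH_RE.match(line)
        if m and svchost_outside_system32(m.group(1)):
            findings.append(("svchost-location", m.group(1)))
    # Recently created files: date, size (or dashes for a folder), attributes, path.
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m and svchost_outside_system32(m.group(4)):
            findings.append(("svchost-location", m.group(4)))
    # Autorun entries: value name in brackets, then the command line.
    for line in sections.get("Pseudo HJT Report", []):
        m = AUTORUN_RE.match(line)
        if m and rundll32_from_appdata(m.group(2)):
            findings.append(("rundll32-appdata", m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_DDS):
        print(f"{rule}: {evidence}")
```

Both rules are deliberately narrow: a file named svchost.exe directly under C:\Windows is never created by Windows itself, and an autorun entry that loads a DLL from a user-writable profile folder through rundll32 is unusual for vendor software. Either hit still needs confirmation (file signature, hash, vendor) before anything is removed, which is what the helpers in this thread go on to do with the follow-up tools.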

#4 ricklive245

ricklive245
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE

Posted 17 November 2012 - 10:52 PM

and the attachment...

Attached Files



#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada

Posted 17 November 2012 - 11:16 PM

We need to run two tools from the Recovery Environment; please run the following:

  • Download ListParts64 to a USB flash drive.
  • Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next.
  • Enter password (if necessary) and click OK. You should now see the screen below ...

Posted Image

  • Select the Command Prompt option.
  • A command window will open.
  • Type notepad then hit Enter.
  • Notepad will open.
  • Click File > Open then select Computer.
  • Note down the drive letter for your USB Drive.
  • Close Notepad.
  • Back in the command window ....
      • Type e:/listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive).
      • ListParts64 will start to run.
      • Press the Scan button.
      • When finished scanning it will make a log Result.txt on the flash drive.
  • Close the command window.
  • Boot back into normal mode and post me the Result.txt log please.


NEXT


Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive. (64bit version)

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 ricklive245

ricklive245
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE

Posted 17 November 2012 - 11:31 PM

ListParts by Farbar Version: 30-10-2012
Ran by SYSTEM (administrator) on 18-11-2012 at 22:25:37
Windows 7 (X64)
Running From: G:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3839.29 MB
Available physical RAM: 3158.64 MB
Total Pagefile: 3837.48 MB
Available Pagefile: 3120.2 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (OS) (Fixed) (Total:687.35 GB) (Free:647.51 GB) NTFS
3 Drive e: (HP_RECOVERY) (Fixed) (Total:11.18 GB) (Free:1.37 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive g: (DRIVE245) (Removable) (Total:0.96 GB) (Free:0.82 GB) FAT
10 Drive x: (Boot) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 698 GB 0 B
Disk 1 Online 983 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 687 GB 101 MB
Partition 3 Primary 11 GB 687 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SYSTEM NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D OS NTFS Partition 687 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E HP_RECOVERY NTFS Partition 11 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 982 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G DRIVE245 FAT Removable 982 MB Healthy

======================================================================================================

****** End Of Log ******

#7 ricklive245

ricklive245
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE

Posted 17 November 2012 - 11:37 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-11-2012
Ran by SYSTEM at 18-11-2012 22:32:31
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe [319488 2006-11-03] (PixArt Imaging Incorporation)
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [102400 2010-05-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
HKU\yolanda\...\Run: [ElevatedDiagnostics] rundll32.exe "C:\Users\yolanda\AppData\Local\Google\ElevatedDiagnostics\hofatneli.dll",DllRegisterServerW [256512 2012-11-12] (Borland Software Corporation)
HKLM-x32\...\Runonce: [63400C33-1D19-4E52-BF5E-7D616A1317CF] cmd.exe /C start /D "C:\Users\yolanda\AppData\Local\Temp" /B 63400C33-1D19-4E52-BF5E-7D616A1317CF.exe -postboot [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

==================== Services (Whitelisted) ===================

3 HPAuto; "C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe" [682040 2011-02-16] (Hewlett-Packard)
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-29] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-29] (Malwarebytes Corporation)
2 NAV; "C:\Program Files (x86)\Norton AntiVirus\Engine\20.2.0.19\ccSvcHst.exe" /s "NAV" /m "C:\Program Files (x86)\Norton AntiVirus\Engine\20.2.0.19\diMaster.dll" /prefetch:1 [535416 2012-10-11] (Symantec Corporation)
2 NCO; "C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe" /s "NCO" /m "C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.0.18\diMaster.dll" /prefetch:1 [535416 2012-10-11] (Symantec Corporation)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)

==================== Drivers (Whitelisted) =====================

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.1.5\Definitions\BASHDefs\20121106.001\BHDrvx64.sys [1384608 2012-10-23] (Symantec Corporation)
1 ccSet_NAV; C:\Windows\system32\drivers\NAVx64\1402000.013\ccSetx64.sys [168096 2012-10-03] (Symantec Corporation)
1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\7DD02000.012\ccSetx64.sys [168096 2012-10-03] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-18] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-09] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.1.5\Definitions\IPSDefs\20121116.001\IDSvia64.sys [513184 2012-10-16] (Symantec Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-29] (Malwarebytes Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.1.5\Definitions\VirusDefs\20121116.020\ENG64.SYS [126112 2012-10-15] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.1.5\Definitions\VirusDefs\20121116.020\EX64.SYS [2084000 2012-10-15] (Symantec Corporation)
3 PAC207; C:\Windows\System32\DRIVERS\PFC027.SYS [572416 2006-12-05] (PixArt Imaging Inc.)
1 SRTSP; C:\Windows\System32\Drivers\NAVx64\1402000.013\SRTSP64.SYS [776864 2012-10-08] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NAVx64\1402000.013\SRTSPX64.SYS [37496 2012-05-24] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NAVx64\1402000.013\SYMDS64.SYS [493216 2012-10-03] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NAVx64\1402000.013\SYMEFA64.SYS [1133216 2012-10-03] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2012-10-17] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NAVx64\1402000.013\Ironx64.SYS [224416 2012-09-06] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NAVx64\1402000.013\SYMNETS.SYS [432800 2012-09-06] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-18 21:25 - 2012-11-18 21:47 - 00015480 ____A C:\Users\yolanda\Desktop\dds.txt
2012-11-18 21:25 - 2012-11-18 21:25 - 00021950 ____A C:\Users\yolanda\Desktop\attach.txt
2012-11-18 21:23 - 2012-11-18 21:23 - 00688901 ____R (Swearware) C:\Users\yolanda\Desktop\dds.com
2012-11-18 21:12 - 2012-11-18 21:12 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-11-18 21:10 - 2012-11-18 21:10 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\yolanda\Desktop\tdsskiller.exe
2012-11-18 08:08 - 2012-11-18 21:14 - 00000224 ____A C:\Windows\setupact.log
2012-11-18 08:08 - 2012-11-18 08:08 - 00001312 ____A C:\Windows\PFRO.log
2012-11-18 08:08 - 2012-11-18 08:08 - 00000000 ____A C:\Windows\setuperr.log
2012-11-18 08:07 - 2012-11-18 08:07 - 00003600 ____A C:\Users\yolanda\Documents\cc_20121118_080728.reg
2012-11-18 08:05 - 2012-11-18 08:05 - 00018220 ____A C:\Users\yolanda\Documents\cc_20121118_080546.reg
2012-11-18 07:41 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-18 01:42 - 2012-11-18 01:42 - 00000000 ____D C:\Users\yolanda\DoctorWeb
2012-11-18 00:16 - 2012-11-18 00:16 - 00007666 ____A C:\Users\yolanda\AppData\Local\Resmon.ResmonCfg
2012-11-17 23:41 - 2012-11-17 23:41 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-17 23:41 - 2012-11-17 23:41 - 00000000 ____D C:\Users\yolanda\AppData\Roaming\Malwarebytes
2012-11-17 23:41 - 2012-11-17 23:41 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-17 23:41 - 2012-11-17 23:41 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-17 23:41 - 2012-09-29 19:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-17 22:57 - 2012-11-18 08:05 - 00000000 ____D C:\Windows\Minidump
2012-11-17 22:46 - 2012-11-17 22:46 - 00104534 ____A C:\Users\yolanda\Documents\cc_20121117_224631.reg
2012-11-17 22:37 - 2012-11-17 22:37 - 00000000 ____A C:\install.rdf
2012-11-17 22:36 - 2012-11-17 22:36 - 00000000 ____D C:\Users\All Users\PDFC
2012-11-17 22:35 - 2012-03-05 20:09 - 00174008 ____A () C:\Program Files (x86)\39res.dll
2012-11-17 21:57 - 2012-11-17 21:57 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-11-17 21:57 - 2012-11-17 21:57 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-11-17 21:57 - 2012-11-17 21:57 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-11-17 21:57 - 2012-11-17 21:57 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-11-17 21:57 - 2012-11-17 21:57 - 00000000 ____D C:\Program Files (x86)\Java
2012-11-17 21:55 - 2012-11-17 21:55 - 00000000 ____D C:\Users\All Users\McAfee
2012-11-17 21:52 - 2012-11-17 21:52 - 00000824 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-11-17 21:52 - 2012-11-17 21:52 - 00000000 ____D C:\Program Files\CCleaner
2012-11-15 22:09 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2012-11-15 22:09 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2012-11-15 22:09 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2012-11-15 22:09 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2012-11-15 21:57 - 2012-10-08 04:19 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-11-15 21:57 - 2012-10-08 03:42 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-11-15 21:57 - 2012-10-08 03:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-11-15 21:57 - 2012-10-08 03:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-11-15 21:57 - 2012-10-08 03:23 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-11-15 21:57 - 2012-10-08 03:22 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-11-15 21:57 - 2012-10-08 03:22 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-11-15 21:57 - 2012-10-08 03:20 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-11-15 21:57 - 2012-10-08 03:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-11-15 21:57 - 2012-10-08 03:17 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-11-15 21:57 - 2012-10-08 03:17 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-11-15 21:57 - 2012-10-08 03:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-11-15 21:57 - 2012-10-08 03:15 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-11-15 21:57 - 2012-10-08 03:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-11-15 21:57 - 2012-10-08 03:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-11-15 21:57 - 2012-10-08 03:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-11-15 21:57 - 2012-10-08 00:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-11-15 21:57 - 2012-10-08 00:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-11-15 21:57 - 2012-10-07 23:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-11-15 21:57 - 2012-10-07 23:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-11-15 21:57 - 2012-10-07 23:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-11-15 21:57 - 2012-10-07 23:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-11-15 21:57 - 2012-10-07 23:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-11-15 21:57 - 2012-10-07 23:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-11-15 21:57 - 2012-10-07 23:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-11-15 21:57 - 2012-10-07 23:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-11-15 21:57 - 2012-10-07 23:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-11-15 21:57 - 2012-10-07 23:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-11-15 21:57 - 2012-10-07 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-11-15 21:57 - 2012-10-07 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-11-15 21:57 - 2012-10-07 23:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-11-15 21:57 - 2012-10-07 23:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-11-15 21:57 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2012-11-15 21:57 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2012-11-15 21:57 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2012-11-15 21:57 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2012-11-15 21:57 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2012-11-15 21:57 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2012-11-15 21:57 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2012-11-15 21:57 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2012-11-15 21:44 - 2012-10-18 10:25 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-11-15 21:44 - 2012-10-09 10:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll
2012-11-15 21:44 - 2012-10-09 10:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll
2012-11-15 21:44 - 2012-10-09 09:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll
2012-11-15 21:44 - 2012-10-09 09:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll
2012-11-15 21:44 - 2012-10-03 09:56 - 01914248 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-11-15 21:44 - 2012-10-03 09:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
2012-11-15 21:44 - 2012-10-03 09:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll
2012-11-15 21:44 - 2012-10-03 09:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll
2012-11-15 21:44 - 2012-10-03 09:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll
2012-11-15 21:44 - 2012-10-03 09:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll
2012-11-15 21:44 - 2012-10-03 09:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll
2012-11-15 21:44 - 2012-10-03 08:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll
2012-11-15 21:44 - 2012-10-03 08:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2012-11-15 21:44 - 2012-10-03 08:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll
2012-11-15 21:44 - 2012-10-03 08:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2012-11-15 21:44 - 2012-09-25 14:47 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll
2012-11-15 21:44 - 2012-09-25 14:46 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
2012-11-15 21:44 - 2012-01-12 23:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2012-11-08 10:08 - 2012-11-08 10:08 - 00000000 ____D C:\Users\All Users\Recovery
2012-11-07 18:49 - 2012-11-07 18:49 - 00000000 ____D C:\Users\yolanda\AppData\Roaming\Roxio Log Files
2012-11-06 17:14 - 2012-11-06 17:14 - 00000000 ____D C:\Users\All Users\Real
2012-11-01 13:28 - 2012-11-01 13:30 - 00000000 ____D C:\Program Files (x86)\Vid-Saver
2012-11-01 13:28 - 2012-11-01 13:28 - 00000000 ____D C:\Users\yolanda\AppData\Local\Vid-Saver
2012-10-30 20:16 - 2012-11-18 08:11 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-10-30 20:16 - 2012-11-10 09:03 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-10-30 20:15 - 2012-10-30 20:15 - 00000000 ____D C:\Windows\System32\Macromed
2012-10-29 12:16 - 2012-10-29 12:16 - 00000000 ____D C:\Windows\Sun
2012-10-28 21:38 - 2012-10-28 21:38 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-10-26 20:28 - 2012-10-27 09:59 - 00000000 ____D C:\Users\yolanda\AppData\Roaming\System


==================== One Month Modified Files and Folders =======

2012-11-18 21:47 - 2012-11-18 21:25 - 00015480 ____A C:\Users\yolanda\Desktop\dds.txt
2012-11-18 21:25 - 2012-11-18 21:25 - 00021950 ____A C:\Users\yolanda\Desktop\attach.txt
2012-11-18 21:23 - 2012-11-18 21:23 - 00688901 ____R (Swearware) C:\Users\yolanda\Desktop\dds.com
2012-11-18 21:19 - 2009-07-13 21:13 - 00778834 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-18 21:14 - 2012-11-18 08:08 - 00000224 ____A C:\Windows\setupact.log
2012-11-18 21:14 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-18 21:12 - 2012-11-18 21:12 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-11-18 21:10 - 2012-11-18 21:10 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\yolanda\Desktop\tdsskiller.exe
2012-11-18 20:54 - 2011-08-03 22:58 - 01707936 ____A C:\Windows\WindowsUpdate.log
2012-11-18 20:54 - 2009-07-13 20:45 - 00024608 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-18 20:54 - 2009-07-13 20:45 - 00024608 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-18 20:51 - 2011-08-21 06:45 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-18 08:11 - 2012-10-30 20:16 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-18 08:08 - 2012-11-18 08:08 - 00001312 ____A C:\Windows\PFRO.log
2012-11-18 08:08 - 2012-11-18 08:08 - 00000000 ____A C:\Windows\setuperr.log
2012-11-18 08:07 - 2012-11-18 08:07 - 00003600 ____A C:\Users\yolanda\Documents\cc_20121118_080728.reg
2012-11-18 08:07 - 2012-10-05 18:08 - 00000000 ____D C:\Users\All Users\Yahoo!
2012-11-18 08:07 - 2012-10-05 18:08 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2012-11-18 08:05 - 2012-11-18 08:05 - 00018220 ____A C:\Users\yolanda\Documents\cc_20121118_080546.reg
2012-11-18 08:05 - 2012-11-17 22:57 - 00000000 ____D C:\Windows\Minidump
2012-11-18 07:46 - 2011-08-21 06:45 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-18 01:42 - 2012-11-18 01:42 - 00000000 ____D C:\Users\yolanda\DoctorWeb
2012-11-18 01:42 - 2011-08-03 22:58 - 00000000 ____D C:\users\yolanda
2012-11-18 00:16 - 2012-11-18 00:16 - 00007666 ____A C:\Users\yolanda\AppData\Local\Resmon.ResmonCfg
2012-11-17 23:41 - 2012-11-17 23:41 - 00001071 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-17 23:41 - 2012-11-17 23:41 - 00000000 ____D C:\Users\yolanda\AppData\Roaming\Malwarebytes
2012-11-17 23:41 - 2012-11-17 23:41 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-17 23:41 - 2012-11-17 23:41 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-17 22:46 - 2012-11-17 22:46 - 00104534 ____A C:\Users\yolanda\Documents\cc_20121117_224631.reg
2012-11-17 22:37 - 2012-11-17 22:37 - 00000000 ____A C:\install.rdf
2012-11-17 22:37 - 2012-10-05 18:09 - 00000000 __SHD C:\Windows\SysWOW64\AI_RecycleBin
2012-11-17 22:36 - 2012-11-17 22:36 - 00000000 ____D C:\Users\All Users\PDFC
2012-11-17 22:33 - 2012-10-05 18:08 - 00000000 ____D C:\Users\All Users\WeCareReminder
2012-11-17 22:32 - 2011-08-23 02:58 - 00000000 ____D C:\Users\yolanda\AppData\Local\CrashDumps
2012-11-17 22:32 - 2011-02-11 09:00 - 00000000 ____D C:\Windows\Panther
2012-11-17 21:57 - 2012-11-17 21:57 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-11-17 21:57 - 2012-11-17 21:57 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-11-17 21:57 - 2012-11-17 21:57 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-11-17 21:57 - 2012-11-17 21:57 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-11-17 21:57 - 2012-11-17 21:57 - 00000000 ____D C:\Program Files (x86)\Java
2012-11-17 21:57 - 2011-10-29 12:00 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-11-17 21:55 - 2012-11-17 21:55 - 00000000 ____D C:\Users\All Users\McAfee
2012-11-17 21:52 - 2012-11-17 21:52 - 00000824 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-11-17 21:52 - 2012-11-17 21:52 - 00000000 ____D C:\Program Files\CCleaner
2012-11-15 22:24 - 2011-08-03 23:08 - 00058016 ____A C:\Users\yolanda\AppData\Local\GDIPFONTCACHEV1.DAT
2012-11-15 22:23 - 2009-07-13 20:45 - 00277464 ____A C:\Windows\System32\FNTCACHE.DAT
2012-11-12 10:12 - 2011-08-21 06:44 - 00000000 ____D C:\Users\yolanda\AppData\Local\Google
2012-11-10 09:03 - 2012-10-30 20:16 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-11-10 09:03 - 2011-08-21 06:44 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-11-09 09:29 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-11-08 20:56 - 2011-10-20 20:36 - 00000000 ____D C:\Users\yolanda\AppData\Local\Facebook
2012-11-08 20:49 - 2012-03-22 11:57 - 00002376 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-11-08 10:08 - 2012-11-08 10:08 - 00000000 ____D C:\Users\All Users\Recovery
2012-11-07 19:39 - 2011-08-21 06:45 - 00000000 ____D C:\Program Files\Google
2012-11-07 19:39 - 2011-08-21 06:44 - 00000000 ____D C:\Program Files (x86)\Google
2012-11-07 19:28 - 2011-05-06 17:48 - 00000000 ____D C:\Program Files (x86)\HP Games
2012-11-07 19:27 - 2011-05-06 17:48 - 00000000 ____D C:\Users\All Users\WildTangent
2012-11-07 19:23 - 2011-08-21 06:44 - 00000000 ____D C:\Users\All Users\Google
2012-11-07 19:08 - 2011-05-06 17:34 - 00000000 ____D C:\Users\All Users\Hewlett-Packard
2012-11-07 19:08 - 2011-05-06 17:33 - 00000000 ____D C:\Program Files\Hewlett-Packard
2012-11-07 19:06 - 2011-05-06 17:33 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
2012-11-07 19:03 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Help
2012-11-07 18:57 - 2011-05-06 17:39 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-11-07 18:49 - 2012-11-07 18:49 - 00000000 ____D C:\Users\yolanda\AppData\Roaming\Roxio Log Files
2012-11-06 17:14 - 2012-11-06 17:14 - 00000000 ____D C:\Users\All Users\Real
2012-11-04 12:09 - 2011-08-07 09:35 - 00000000 ____D C:\Users\All Users\Adobe
2012-11-03 17:54 - 2012-08-01 08:52 - 00000346 ____A C:\Windows\Tasks\HPCeeScheduleForYOLANDA-HP$.job
2012-11-03 13:27 - 2012-10-13 11:38 - 00000340 ____A C:\Windows\Tasks\HPCeeScheduleForyolanda.job
2012-11-03 12:35 - 2011-08-07 00:01 - 00000000 ____D C:\Users\yolanda\AppData\Roaming\HP Support Assistant
2012-11-03 12:35 - 2011-08-05 00:41 - 00000000 ____D C:\Users\yolanda\AppData\Roaming\HpUpdate
2012-11-02 11:16 - 2009-07-13 21:08 - 00032654 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-11-01 13:30 - 2012-11-01 13:28 - 00000000 ____D C:\Program Files (x86)\Vid-Saver
2012-11-01 13:28 - 2012-11-01 13:28 - 00000000 ____D C:\Users\yolanda\AppData\Local\Vid-Saver
2012-10-31 21:36 - 2011-10-03 21:29 - 00000000 ____D C:\Windows\System32\Drivers\NAVx64
2012-10-30 20:15 - 2012-10-30 20:15 - 00000000 ____D C:\Windows\System32\Macromed
2012-10-30 19:34 - 2012-10-17 13:08 - 00000000 ____D C:\Windows\System32\Drivers\NSTx64
2012-10-29 12:16 - 2012-10-29 12:16 - 00000000 ____D C:\Windows\Sun
2012-10-28 21:38 - 2012-10-28 21:38 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-10-27 09:59 - 2012-10-26 20:28 - 00000000 ____D C:\Users\yolanda\AppData\Roaming\System


ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-07 19:14:52
Restore point made on: 2012-11-07 19:15:47
Restore point made on: 2012-11-15 21:55:18
Restore point made on: 2012-11-17 21:56:21
Restore point made on: 2012-11-17 22:33:32

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 3839.29 MB
Available physical RAM: 3058.38 MB
Total Pagefile: 3837.48 MB
Available Pagefile: 3027.61 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:687.35 GB) (Free:647.45 GB) NTFS
2 Drive e: (HP_RECOVERY) (Fixed) (Total:11.18 GB) (Free:1.37 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: (DRIVE245) (Removable) (Total:0.96 GB) (Free:0.82 GB) FAT
9 Drive x: (Boot) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
10 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 698 GB 0 B
Disk 1 Online 983 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 687 GB 101 MB
Partition 3 Primary 11 GB 687 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 687 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E HP_RECOVERY NTFS Partition 11 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 982 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G DRIVE245 FAT Removable 982 MB Healthy

=========================================================

Last Boot: 2012-09-29 17:10

==================== End Of Log =============================
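The log above shows why C:\Windows\svchost.exe drew FRST's "possible partition/boot infection" warning: the Bamital check only hashes the copies in System32 and SysWOW64, so a same-named binary one directory up is never compared against a known-good MD5, and it sits beside a DLL with no company string in the Program Files root and a hidden+system folder literally named %APPDATA%. The following script is an added example, not part of the original post or of FRST itself; it parses the file-listing line format FRST uses (date created, date modified, size, attribute flags, optional company string, path) and applies those three triage rules to a handful of lines copied from the log above plus two benign ones. The rule set, the expected-directory table and the WinSxS exemption are assumptions for illustration, not FRST's own logic.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines taken from the FRST listing above, plus two benign
# entries (java.exe and the Java folder) so the rules have something to ignore.
SAMPLE_LOG = r"""
2012-11-18 07:41 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-17 22:35 - 2012-03-05 20:09 - 00174008 ____A () C:\Program Files (x86)\39res.dll
2012-10-28 21:38 - 2012-10-28 21:38 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-11-17 21:57 - 2012-11-17 21:57 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-11-17 21:57 - 2012-11-17 21:57 - 00000000 ____D C:\Program Files (x86)\Java
"""

# FRST file line: created - modified - 8-digit size, 5-char attribute flags,
# optional "(Company)" from the version resource, then the path.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5})(?: \((?P<company>[^)]*)\))? (?P<path>.+)$"
)

# Assumed table: where each core Windows process image legitimately lives.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}
PROGRAM_FILES_ROOTS = {r"c:\program files", r"c:\program files (x86)"}


def parse_frst_file_lines(text):
    """Return one dict per line that matches the FRST file-listing format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            entries.append(d)
    return entries


def flag_entry(entry):
    """Apply the three triage rules to one parsed entry; return reasons (may be empty)."""
    reasons = []
    p = PureWindowsPath(entry["path"])
    name = p.name.lower()
    parent = str(p.parent).lower()
    attrs = entry["attrs"]
    is_dir = attrs.endswith("D")

    # Rule 1: a core process image name outside its expected directory.
    # Component-store copies under WinSxS are exempted (assumption).
    if name in EXPECTED_DIRS and not is_dir:
        if parent not in EXPECTED_DIRS[name] and not parent.startswith(r"c:\windows\winsxs"):
            reasons.append(f"system binary name '{name}' outside its expected directory")

    # Rule 2: a hidden+system directory whose name is a literal %VAR% token,
    # i.e. an environment variable that was written unexpanded.
    if is_dir and "S" in attrs and "H" in attrs and name.startswith("%"):
        reasons.append("hidden+system folder named after an unexpanded environment variable")

    # Rule 3: a DLL with an empty company string dropped straight into a
    # Program Files root rather than a product folder.
    if name.endswith(".dll") and entry["company"] == "" and parent in PROGRAM_FILES_ROOTS:
        reasons.append("DLL with no version/company info in a Program Files root")
    return reasons


def triage(text):
    """Return [(path, reasons), ...] for every entry that trips at least one rule."""
    return [(e["path"], flag_entry(e)) for e in parse_frst_file_lines(text) if flag_entry(e)]


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("   -", r)
```

Rule 1 is the one that matters here: a hash check that only covers the canonical System32 and SysWOW64 paths says nothing about a look-alike one level up, so the path itself has to be part of the check.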

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:43 PM

Posted 17 November 2012 - 11:53 PM

Please note that the following fix (step 1) should be done from the recovery environment, otherwise it will not work.

We will be using List Parts for this first fix:

  • Download

    Save it to your flash drive. The fix.txt should be saved in the same directory as ListParts.

    Enter System Recovery Options and select Command Prompt.

    Run ListParts64 > click Fix.

    When it is finished click Scan and post the log (Result.txt) it makes.

  • Restart the computer and let it boot normally.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 ricklive245

ricklive245
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:43 PM

Posted 18 November 2012 - 12:15 AM

Well, it seems better. I didn't get a message saying that Norton was blocking Trojan.Agent svchost.exe, but it didn't want to load this topic from my favorites. I also started Google Chrome, which restarted my computer every time I opened it, and right now I'm actually on Google Chrome.


any other steps?

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:43 PM

Posted 18 November 2012 - 12:17 AM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKU\yolanda\...\Run: [ElevatedDiagnostics] rundll32.exe "C:\Users\yolanda\AppData\Local\Google\ElevatedDiagnostics\hofatneli.dll",DllRegisterServerW [256512 2012-11-12] (Borland Software Corporation)
HKLM-x32\...\Runonce: [63400C33-1D19-4E52-BF5E-7D616A1317CF] cmd.exe /C start /D "C:\Users\yolanda\AppData\Local\Temp" /B 63400C33-1D19-4E52-BF5E-7D616A1317CF.exe -postboot [x]
C:\Users\yolanda\AppData\Local\Google\ElevatedDiagnostics\hofatneli.dll
C:\Windows\svchost.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
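The two registry lines in the fixlist above are the persistence half of this infection: a per-user Run value that has rundll32.exe call an export of a DLL under AppData\Local\Google (whose version resource claims Borland, not Google), and a RunOnce value that starts an executable from the user's Temp folder that FRST marks [x] because the file is no longer there. The script below is an added example, not part of the original post or of FRST; it parses FRST's autorun line layout (hive\...\Key: [Name] command [size date] (Company)) and applies the heuristics a responder would apply by eye: proxy launchers such as rundll32.exe and cmd.exe, targets in user-writable locations, a vendor folder name that does not match the binary's company string, and dangling entries. The benign Adobe ARM line is constructed for contrast, and the launcher list and writable-path markers are assumptions for illustration.

```python
import re

# Constructed sample: the two fixlist entries from the post above, plus a benign
# Run entry written in the same FRST layout (assumed for contrast).
SAMPLE_FIXLIST = r"""
HKU\yolanda\...\Run: [ElevatedDiagnostics] rundll32.exe "C:\Users\yolanda\AppData\Local\Google\ElevatedDiagnostics\hofatneli.dll",DllRegisterServerW [256512 2012-11-12] (Borland Software Corporation)
HKLM-x32\...\Runonce: [63400C33-1D19-4E52-BF5E-7D616A1317CF] cmd.exe /C start /D "C:\Users\yolanda\AppData\Local\Temp" /B 63400C33-1D19-4E52-BF5E-7D616A1317CF.exe -postboot [x]
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
"""

# hive\...\Run: [Name] command [meta] (Company); meta is "size date" or "x"
# when FRST could not find the target file.
AUTORUN_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \[(?P<meta>[^\]]*)\])?(?: \((?P<company>[^)]*)\))?$"
)
# Drive-letter paths inside the command; stops at a quote, space or comma.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\s,]+")
# First folder under AppData\Local or AppData\Roaming, treated as a vendor name.
VENDOR_DIR_RE = re.compile(r"\\appdata\\(?:local|roaming)\\([^\\]+)\\", re.I)

# Assumed list of signed Windows binaries commonly used to run someone else's code.
LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe",
             "cscript.exe", "mshta.exe", "powershell.exe"}


def user_writable(path):
    """Heuristic: locations a non-admin user can write to (assumed markers)."""
    p = path.lower().rstrip("\\")
    return ("\\appdata\\" in p or "\\users\\public\\" in p or "\\programdata\\" in p
            or "\\temp\\" in p or p.endswith("\\temp"))


def triage_autoruns(text):
    """Return a finding dict for every autorun line that trips at least one heuristic."""
    findings = []
    for line in text.splitlines():
        m = AUTORUN_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        reasons = []

        # The first token of the command is what actually gets executed.
        launcher = e["cmd"].split()[0].strip('"').lower()
        if launcher in LAUNCHERS:
            reasons.append(f"uses {launcher} as a proxy launcher")

        for p in PATH_RE.findall(e["cmd"]):
            if user_writable(p):
                reasons.append(f"runs from user-writable location: {p}")
            vm = VENDOR_DIR_RE.search(p)
            if vm and e["company"] and vm.group(1).lower() not in e["company"].lower():
                reasons.append(f"folder named '{vm.group(1)}' but binary claims "
                               f"company '{e['company']}'")

        if e["meta"] == "x":
            reasons.append("target file not found by FRST (dangling autorun)")

        if reasons:
            findings.append({"key": e["key"], "name": e["name"],
                             "cmd": e["cmd"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_FIXLIST):
        print(f"{f['key']}: [{f['name']}]")
        for r in f["reasons"]:
            print("   -", r)
```

The vendor-folder rule is deliberately loose: it fires on any AppData subfolder whose name is absent from the company string, which is exactly the "Google folder, Borland DLL" mismatch in this thread, but it will also fire on legitimate software that names its folder after a product rather than its publisher, so treat it as a prompt to look, not a verdict.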


#11 ricklive245

ricklive245
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:43 PM

Posted 18 November 2012 - 01:11 AM

ComboFix 12-11-16.02 - yolanda 11/18/2012 23:32:05.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3839.2495 [GMT -8:00]
Running from: c:\users\yolanda\Desktop\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Norton AntiVirus *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Vid-Saver
c:\program files (x86)\Vid-Saver\ButtonUtil.dll
c:\program files (x86)\Vid-Saver\Vid-Saver-bg.exe
c:\program files (x86)\Vid-Saver\Vid-Saver.exe
c:\users\yolanda\AppData\Local\Vid-Saver
c:\users\yolanda\AppData\Local\Vid-Saver\Chrome\Vid-Saver.crx
c:\windows\Downloaded Program Files\f3initialsetup1.2.5.17.inf
c:\windows\SysWow64\DEBUG.log
.
.
((((((((((((((((((((((((( Files Created from 2012-10-19 to 2012-11-19 )))))))))))))))))))))))))))))))
.
.
2012-11-19 07:47 . 2012-11-19 07:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-19 06:32 . 2012-11-19 06:32 -------- d-----w- C:\FRST
2012-11-19 05:12 . 2012-11-19 05:12 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-18 09:42 . 2012-11-18 09:42 -------- d-----w- c:\users\yolanda\DoctorWeb
2012-11-18 07:41 . 2012-11-18 07:41 -------- d-----w- c:\users\yolanda\AppData\Roaming\Malwarebytes
2012-11-18 07:41 . 2012-11-18 07:41 -------- d-----w- c:\programdata\Malwarebytes
2012-11-18 07:41 . 2012-11-18 07:41 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-18 07:41 . 2012-09-30 03:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-18 06:36 . 2012-11-18 06:36 -------- d-----w- c:\programdata\PDFC
2012-11-18 06:35 . 2012-03-06 04:09 174008 ----a-w- c:\program files (x86)\39res.dll
2012-11-18 05:57 . 2012-11-18 05:57 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-11-18 05:57 . 2012-11-18 05:57 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-11-18 05:57 . 2012-11-18 05:57 -------- d-----w- c:\program files (x86)\Java
2012-11-18 05:55 . 2012-11-18 05:55 -------- d-----w- c:\programdata\McAfee
2012-11-18 05:52 . 2012-11-18 05:52 -------- d-----w- c:\program files\CCleaner
2012-11-16 06:09 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-11-16 06:09 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-11-16 06:09 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-11-16 06:09 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-11-16 05:44 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-11-12 06:51 . 2012-11-17 19:28 998456 ----a-w- c:\programdata\Microsoft\Windows\DRM\install_flashplayer.exe
2012-11-08 18:08 . 2012-11-08 18:08 -------- d-----w- c:\programdata\Recovery
2012-11-08 03:21 . 2012-11-08 03:21 -------- d-----w- c:\users\yolanda\AppData\Local\HuluDesktop
2012-11-08 02:49 . 2012-11-08 02:49 -------- d-----w- c:\users\yolanda\AppData\Roaming\Roxio Log Files
2012-11-01 01:45 . 2012-11-17 05:38 -------- d-----w- c:\windows\system32\drivers\NAVx64\1402000.013
2012-10-31 04:16 . 2012-11-10 17:03 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-31 04:15 . 2012-10-31 04:15 -------- d-----w- c:\windows\system32\Macromed
2012-10-31 03:30 . 2012-10-31 03:30 -------- d-----w- c:\windows\system32\drivers\NSTx64\7DD02000.012
2012-10-29 20:16 . 2012-10-29 20:16 -------- d-----w- c:\windows\Sun
2012-10-29 05:38 . 2012-10-29 05:38 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-10-27 04:28 . 2012-10-27 17:59 -------- d-----w- c:\users\yolanda\AppData\Roaming\System
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-18 05:57 . 2011-10-29 20:00 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-11-10 17:03 . 2011-08-21 14:44 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-17 21:06 . 2011-10-04 05:30 177312 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-09-14 19:19 . 2012-10-10 23:19 2048 ----a-w- c:\windows\system32\tzres.dll
2012-09-14 18:28 . 2012-10-10 23:19 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-08-31 18:19 . 2012-10-10 23:20 1659760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-08-30 18:03 . 2012-10-10 23:20 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-30 17:12 . 2012-10-10 23:20 3968880 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12 . 2012-10-10 23:20 3914096 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-08-24 18:05 . 2012-10-10 23:19 220160 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 16:57 . 2012-10-10 23:19 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-08-22 18:12 . 2012-09-13 16:57 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 18:12 . 2012-09-13 16:57 376688 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 18:12 . 2012-09-13 16:57 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 21:01 . 2012-09-26 21:11 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{AB4C7833-A6EC-433f-B9FE-6B14B1A2F836}]
2012-10-24 20:24 498584 ----a-r- c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\coieplg.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{A13C2648-91D4-4bf3-BC6D-0079707C4389}"= "c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\coIEPlg.dll" [2012-10-24 498584]
.
[HKEY_CLASSES_ROOT\clsid\{a13c2648-91d4-4bf3-bc6d-0079707c4389}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-12 102400]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]
R3 PAC207;SoC PC-Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2006-12-05 572416]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-05 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\drivers\amd_sata.sys [2010-11-04 75904]
S0 amd_xata;amd_xata;c:\windows\system32\drivers\amd_xata.sys [2010-11-04 38016]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAVx64\1402000.013\SYMDS64.SYS [2012-10-04 493216]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAVx64\1402000.013\SYMEFA64.SYS [2012-10-04 1133216]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.1.5\Definitions\BASHDefs\20121106.001\BHDrvx64.sys [2012-10-23 1384608]
S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAVx64\1402000.013\ccSetx64.sys [2012-10-04 168096]
S1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\NSTx64\7DD02000.012\ccSetx64.sys [2012-10-04 168096]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.1.5\Definitions\IPSDefs\20121116.001\IDSvia64.sys [2012-10-16 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAVx64\1402000.013\Ironx64.SYS [2012-09-07 224416]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NAVx64\1402000.013\SYMNETS.SYS [2012-09-07 432800]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-11 203264]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
S2 NAV;Norton AntiVirus;c:\program files (x86)\Norton AntiVirus\Engine\20.2.0.19\ccSvcHst.exe [2012-10-11 143928]
S2 NCO;Norton Identity Safe;c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe [2012-10-11 143928]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-10 138912]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-12-28 412776]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2009-12-22 38456]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-31 17:03]
.
2012-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-21 14:44]
.
2012-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-21 14:44]
.
2012-11-04 c:\windows\Tasks\HPCeeScheduleForYOLANDA-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
2012-11-03 c:\windows\Tasks\HPCeeScheduleForyolanda.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://feed.snap.do/?publisher=VertiTechnology&dpid=VertiTechnology&co=US&userid=3ae3d1f0-8593-465b-a688-f7787e7e301a&searchtype=ds&q={searchTerms}
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
SafeBoot-85693039.sys
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{A13C2648-91D4-4BF3-BC6D-0079707C4389} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files (x86)\Norton AntiVirus\Engine\20.2.0.19\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files (x86)\Norton AntiVirus\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NCO]
"ImagePath"="\"c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\ccSvcHst.exe\" /s \"NCO\" /m \"c:\program files (x86)\Norton Identity Safe\Engine\2013.2.0.18\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}"=hex:51,66,7a,6c,4c,1d,38,12,56,9f,34,
9c,79,90,a1,0e,ec,df,cd,82,65,37,92,e0
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=hex:51,66,7a,6c,4c,1d,38,12,11,7f,11,
d0,78,5b,08,05,de,bb,01,03,dd,4c,30,54
"{364EA597-E728-4CE4-BB4A-ED846EF47970}"=hex:51,66,7a,6c,4c,1d,38,12,f9,a6,5d,
32,1a,a9,8a,09,c4,5c,ae,c4,6b,aa,3d,64
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
"{A13C2648-91D4-4BF3-BC6D-0079707C4389}"=hex:51,66,7a,6c,4c,1d,38,12,26,25,2f,
a5,e6,df,9d,0e,c3,7b,43,39,75,22,07,9d
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{1E91A655-BB4B-4693-A05E-2EDEBC4C9D89}"=hex:51,66,7a,6c,4c,1d,38,12,3b,a5,82,
1a,79,f5,fd,03,df,48,6d,9e,b9,12,d9,9d
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
"{71C1D63A-C944-428A-A5BD-BA513190E5D2}"=hex:51,66,7a,6c,4c,1d,38,12,54,d5,d2,
75,76,87,e4,07,da,ab,f9,11,34,ce,a1,c6
"{7F6AFBF1-E065-4627-A2FD-810366367D01}"=hex:51,66,7a,6c,4c,1d,38,12,9f,f8,79,
7b,57,ae,49,03,dd,eb,c2,43,63,68,39,15
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{AB4C7833-A6EC-433F-B9FE-6B14B1A2F836}"=hex:51,66,7a,6c,4c,1d,38,12,5d,7b,5f,
af,de,e8,51,06,c6,e8,28,54,b4,fc,bc,22
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}"=hex:51,66,7a,6c,4c,1d,38,12,b0,f3,37,
dc,52,73,39,0a,e1,a7,25,43,3b,93,ce,af
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{E8DAAA30-6CAA-4B58-9603-8E54238219E2}"=hex:51,66,7a,6c,4c,1d,38,12,5e,a9,c9,
ec,98,22,36,0e,e9,15,cd,14,26,dc,5d,f6
"{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,38,12,70,05,61,
f9,ec,d1,23,0d,da,9c,48,eb,44,0f,8e,cc
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:a7,1f,e4,ab,d6,b7,cd,01
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-19 00:06:47
ComboFix-quarantined-files.txt 2012-11-19 08:06
.
Pre-Run: 694,911,016,960 bytes free
Post-Run: 695,200,645,120 bytes free
.
- - End Of File - - 2957FC40E0D41D1E8F2034F9511E28C3

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:43 PM

Posted 18 November 2012 - 01:14 AM

Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 ricklive245

ricklive245
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:43 PM

Posted 18 November 2012 - 01:22 AM

Here's the attachment...



#14 ricklive245

ricklive245
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:43 PM

Posted 18 November 2012 - 01:26 AM

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.17.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
yolanda :: YOLANDA-HP [administrator]

Protection: Enabled

11/19/2012 12:20:37 AM
mbam-log-2012-11-19 (00-20-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 203080
Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#15 ricklive245

ricklive245
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:43 PM

Posted 18 November 2012 - 02:32 AM

C:\FRST\Quarantine\hofatneli.dll a variant of Win32/Kryptik.AOWX trojan
C:\TDSSKiller_Quarantine\18.11.2012_21.10.51\mbr0000\tdlfs0000\tsk0000.dta a variant of Win32/Olmarik.AYI trojan
C:\TDSSKiller_Quarantine\18.11.2012_21.10.51\mbr0000\tdlfs0000\tsk0001.dta a variant of Win64/Olmarik.AM trojan
C:\TDSSKiller_Quarantine\18.11.2012_21.10.51\mbr0000\tdlfs0000\tsk0002.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\18.11.2012_21.10.51\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AN trojan
C:\TDSSKiller_Quarantine\18.11.2012_21.10.51\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\18.11.2012_21.10.51\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.AK trojan