FBI MoneyPak


  • This topic is locked
4 replies to this topic

#1 kittyvikings

  • Members
  • 2 posts

Posted 24 November 2012 - 05:30 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-11-2012
Ran by SYSTEM at 24-11-2012 16:01:01
Running from F:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" [163552 2011-08-05] (Microsoft Corporation)
HKLM-x32\...\Run: [CTHelper] CTHELPER.EXE [x]
HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [3460784 2011-04-18] (AVAST Software)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [296096 2012-07-07] (RealNetworks, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641704 2012-07-03] (Advanced Micro Devices, Inc.)
HKU\Beast\...\Run: [AdobeBridge] [x]
HKU\Beast\...\Run: [Apple Computer] rundll32.exe "C:\Users\Beast\AppData\Local\ATI\Apple Computer\yajutazqt.dll",Agent_OnLoadW [249344 2012-10-05] ()
HKU\Beast\...\Run: [q] "xidpwooedd.exe" [x]
HKU\Beast\...\Run: [Viygyvivfo] C:\Users\Beast\AppData\Roaming\Mato\oswu.exe [190464 2012-01-25] ()
HKU\Beast\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Shell] explorer.exe, C:\Users\Beast\AppData\Roaming\yf_wsuzvswe [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$bf46358e7358a64d44af1a5bebd61fe6\n. ATTENTION! ====> ZeroAccess
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ===================

2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [42184 2011-04-18] (AVAST Software)
3 COMMONFX.DLL; C:\Windows\System32\COMMONFX.DLL [151296 2007-04-12] (Creative Technology Ltd)
3 CT20XUT.DLL; C:\Windows\System32\CT20XUT.DLL [252712 2007-04-10] (Creative Technology Ltd.)
3 CTAUDFX.DLL; C:\Windows\System32\CTAUDFX.DLL [700200 2007-04-10] (Creative Technology Ltd)
3 CTEAPSFX.DLL; C:\Windows\System32\CTEAPSFX.DLL [219432 2007-04-10] (Creative Technology Ltd)
3 CTEDSPFX.DLL; C:\Windows\System32\CTEDSPFX.DLL [321832 2007-04-10] (Creative Technology Ltd)
3 CTEDSPIO.DLL; C:\Windows\System32\CTEDSPIO.DLL [190248 2007-04-10] (Creative Technology Ltd)
3 CTEDSPSY.DLL; C:\Windows\System32\CTEDSPSY.DLL [363304 2007-04-10] (Creative Technology Ltd)
3 CTERFXFX.DLL; C:\Windows\System32\CTERFXFX.DLL [142120 2007-04-10] (Creative Technology Ltd)
3 CTEXFIFX.DLL; C:\Windows\System32\CTEXFIFX.DLL [1571112 2007-04-10] (Creative Technology Ltd.)
3 CTHWIUT.DLL; C:\Windows\System32\CTHWIUT.DLL [123688 2007-04-10] (Creative Technology Ltd.)
3 CTSBLFX.DLL; C:\Windows\System32\CTSBLFX.DLL [681256 2007-04-10] (Creative Technology Ltd)
3 TuneUp.Defrag; C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe [607040 2010-09-23] (TuneUp Software)
4 TuneUp.UtilitiesSvc; "C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe" [1403200 2010-08-27] (TuneUp Software)

==================== Drivers (Whitelisted) =====================

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [22360 2011-04-18] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [64344 2011-04-18] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [31064 2011-04-18] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [600920 2011-04-18] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [287064 2011-04-18] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [53592 2011-04-18] (AVAST Software)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-28] ()
3 TuneUpUtilitiesDrv; \??\C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesDriver64.sys [11856 2010-02-25] (TuneUp Software)
3 PTQHBUS; C:\Windows\System32\DRIVERS\PTQHBUS.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-24 07:10 - 2012-11-24 12:22 - 00107520 ____A C:\Users\Beast\AppData\Roaming\yf_wsuzvswe.exe
2012-11-24 07:06 - 2012-11-24 12:22 - 00107520 ____A C:\Users\Beast\AppData\Local\yf_wsuzvswe.exe
2012-11-24 07:06 - 2012-11-24 12:21 - 00107520 ____A C:\Users\All Users\yf_wsuzvswe.exe
2012-11-23 08:45 - 2012-11-24 12:21 - 00000392 ____A C:\Windows\setupact.log
2012-11-23 08:45 - 2012-11-23 08:45 - 00000000 ____A C:\Windows\setuperr.log
2012-11-22 23:00 - 2012-11-24 12:20 - 04958588 ____A C:\Windows\{00000002-00000000-00000000-00001102-00000008-10211102}.BAK
2012-10-29 13:15 - 2012-11-23 13:12 - 00000000 ____D C:\Users\Beast\AppData\Roaming\Touhq
2012-10-29 13:15 - 2012-10-29 13:15 - 00000000 ____D C:\Users\Beast\AppData\Roaming\Mato
2012-10-29 13:15 - 2012-10-29 13:15 - 00000000 ____D C:\Users\Beast\AppData\Roaming\Elov
2012-10-29 13:08 - 2012-10-29 13:08 - 00000000 ____D C:\Windows\SysWOW64\xlive
2012-10-29 13:08 - 2012-10-29 13:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Games for Windows - LIVE
2012-10-29 12:55 - 2012-10-29 12:55 - 00002083 ____A C:\Users\Public\Desktop\Fable III.lnk
2012-10-29 12:48 - 2012-10-29 12:48 - 00000000 ____D C:\Program Files (x86)\Microsoft Games


==================== One Month Modified Files and Folders =======

2012-11-24 16:00 - 2012-11-24 16:00 - 00000000 ____D C:\FRST
2012-11-24 12:22 - 2012-11-24 07:10 - 00107520 ____A C:\Users\Beast\AppData\Roaming\yf_wsuzvswe.exe
2012-11-24 12:22 - 2012-11-24 07:06 - 00107520 ____A C:\Users\Beast\AppData\Local\yf_wsuzvswe.exe
2012-11-24 12:21 - 2012-11-24 07:06 - 00107520 ____A C:\Users\All Users\yf_wsuzvswe.exe
2012-11-24 12:21 - 2012-11-23 08:45 - 00000392 ____A C:\Windows\setupact.log
2012-11-24 12:21 - 2012-01-15 18:07 - 00000324 ____A C:\Windows\Tasks\GlaryInitialize.job
2012-11-24 12:21 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-24 12:20 - 2012-11-22 23:00 - 04958588 ____A C:\Windows\{00000002-00000000-00000000-00001102-00000008-10211102}.BAK
2012-11-24 12:20 - 2012-01-15 19:03 - 01080549 ____A C:\Windows\WindowsUpdate.log
2012-11-24 12:20 - 2010-09-23 20:53 - 04958588 ____A C:\Windows\{00000002-00000000-00000000-00001102-00000008-10211102}.CDF
2012-11-24 12:20 - 2009-07-13 20:45 - 00020352 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-24 12:20 - 2009-07-13 20:45 - 00020352 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-24 07:12 - 2010-09-23 18:23 - 00000000 ____D C:\users\Beast
2012-11-24 06:26 - 2012-10-05 09:13 - 00000000 ____D C:\Windows\pss
2012-11-23 13:12 - 2012-10-29 13:15 - 00000000 ____D C:\Users\Beast\AppData\Roaming\Touhq
2012-11-23 08:45 - 2012-11-23 08:45 - 00000000 ____A C:\Windows\setuperr.log
2012-11-22 20:34 - 2012-08-20 16:52 - 00000000 ____D C:\Windows\Minidump
2012-11-21 20:56 - 2012-03-03 15:55 - 00000000 ____D C:\Users\Beast\AppData\Roaming\uTorrent
2012-11-19 12:33 - 2009-07-13 21:08 - 00032610 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-11-14 12:40 - 2009-07-13 21:13 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-29 13:15 - 2012-10-29 13:15 - 00000000 ____D C:\Users\Beast\AppData\Roaming\Mato
2012-10-29 13:15 - 2012-10-29 13:15 - 00000000 ____D C:\Users\Beast\AppData\Roaming\Elov
2012-10-29 13:08 - 2012-10-29 13:08 - 00000000 ____D C:\Windows\SysWOW64\xlive
2012-10-29 13:08 - 2012-10-29 13:08 - 00000000 ____D C:\Program Files (x86)\Microsoft Games for Windows - LIVE
2012-10-29 12:55 - 2012-10-29 12:55 - 00002083 ____A C:\Users\Public\Desktop\Fable III.lnk
2012-10-29 12:48 - 2012-10-29 12:48 - 00000000 ____D C:\Program Files (x86)\Microsoft Games


ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1009308433-3224749790-3350231861-1000\$bf46358e7358a64d44af1a5bebd61fe6

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$bf46358e7358a64d44af1a5bebd61fe6

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4095.05 MB
Available physical RAM: 3501.11 MB
Total Pagefile: 4093.2 MB
Available Pagefile: 3489.3 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:211.09 GB) NTFS
2 Drive d: () (Fixed) (Total:232.88 GB) (Free:83.2 GB) NTFS
3 Drive f: () (Removable) (Total:0.93 GB) (Free:0.92 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 232 GB 9 MB
Disk 2 Online 954 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 465 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 232 GB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D NTFS Partition 232 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 954 MB 0 B

==================================================================================

Disk: 2
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

=========================================================

Last Boot: 2012-11-16 14:06

==================== End Of Log =============================

Farbar Recovery Scan Tool (x64) Version: 23-11-2012
Ran by SYSTEM at 2012-11-24 16:04:42
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

Edited by kittyvikings, 24 November 2012 - 07:20 PM.



#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 24 November 2012 - 07:21 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKU\Beast\...\Run: [Viygyvivfo] C:\Users\Beast\AppData\Roaming\Mato\oswu.exe [190464 2012-01-25] ()
HKU\Beast\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Shell] explorer.exe, C:\Users\Beast\AppData\Roaming\yf_wsuzvswe [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$bf46358e7358a64d44af1a5bebd61fe6\n. ATTENTION! ====> ZeroAccess
2012-11-24 07:10 - 2012-11-24 12:22 - 00107520 ____A C:\Users\Beast\AppData\Roaming\yf_wsuzvswe.exe
2012-11-24 07:06 - 2012-11-24 12:22 - 00107520 ____A C:\Users\Beast\AppData\Local\yf_wsuzvswe.exe
2012-11-24 07:06 - 2012-11-24 12:21 - 00107520 ____A C:\Users\All Users\yf_wsuzvswe.exe
2012-10-29 13:15 - 2012-11-23 13:12 - 00000000 ____D C:\Users\Beast\AppData\Roaming\Touhq
2012-10-29 13:15 - 2012-10-29 13:15 - 00000000 ____D C:\Users\Beast\AppData\Roaming\Mato
2012-10-29 13:15 - 2012-10-29 13:15 - 00000000 ____D C:\Users\Beast\AppData\Roaming\Elov
C:\$Recycle.Bin\S-1-5-21-1009308433-3224749790-3350231861-1000\$bf46358e7358a64d44af1a5bebd61fe6
C:\$Recycle.Bin\S-1-5-18\$bf46358e7358a64d44af1a5bebd61fe6
C:\Windows\svchost.exe
C:\Users\Beast\AppData\Local\ATI\Apple Computer\yajutazqt.dll
C:\Users\Beast\AppData\Roaming\Mato\oswu.exe
C:\Users\Beast\AppData\Roaming\yf_wsuzvswe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT



Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.



NEXT



Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
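The two posts above (the FRST log in #1 and the fixlist built from it in #2) follow one pattern: read the whitelisted Registry and file sections, pick out the lines that do not belong, and copy those lines verbatim between start and end in fixlist.txt. As an added example, not code from this thread, from FRST or from its author, here is a small Python triage pass that encodes the indicators visible in these logs: a Winlogon Shell with something chained after explorer.exe, a DisableTaskMgr policy, an InprocServer32 value pointing into $Recycle.Bin, autoruns from AppData/ProgramData with no version-info company, and svchost.exe outside System32. The regexes and the fix/review split are my assumptions about the log format; the sample lines are taken from the logs posted in this thread. It is an aid for a reviewer, not a replacement for one: a generated fixlist still has to be read before it is run.

```python
# Added example: triage FRST log lines and build a fixlist.txt body from the hits.
# Not FRST code and not the script from this thread; the regexes below are
# assumptions about the FRST line formats seen in the posted logs.
import re
from dataclasses import dataclass

# "created - modified - size attrs (company) path" lines from the file sections.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$")
# "HK...\Key: [ValueName] data" lines from the Registry section.
REG_RE = re.compile(r"^(?P<key>HK\S+?): \[(?P<name>[^\]]+)\] ?(?P<data>.*)$")
# Locations a dropper running as the logged-on user can write to.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|All Users|\$Recycle\.Bin)\\", re.I)


@dataclass
class Finding:
    line: str       # original log line, reused verbatim in the fixlist
    reasons: list
    action: str     # "fix": goes into fixlist; "review": needs a human look first


def classify_registry(key, name, data):
    """Return (reasons, action) for one Registry-section line."""
    k, d = key.lower(), data.strip()
    reasons, action = [], "fix"
    if k.endswith("\\winlogon") and name == "Shell":
        # Lockers chain their own binary after explorer.exe with a comma.
        shells = [s.strip() for s in d.split(",") if s.strip()]
        if any(s.split()[0].lower() != "explorer.exe" for s in shells):
            reasons.append("Winlogon Shell chains a second program after explorer.exe")
    elif "policies" in k and name == "DisableTaskMgr" and d == "1":
        reasons.append("Task Manager disabled by policy (typical of screen lockers)")
    elif k.endswith("\\inprocserver32") and "$recycle.bin" in d.lower():
        reasons.append("COM server redirected into $Recycle.Bin (ZeroAccess CLSID hijack)")
    elif k.endswith("\\run"):
        if d.endswith("[x]"):
            reasons.append("autorun target missing on disk (orphaned entry)")
            action = "review"
        elif USER_WRITABLE.search(d) and d.endswith("()"):
            reasons.append("autorun in a user-writable path with no version-info company")
    return reasons, action


def classify_file(path, company):
    """Return reasons for one file-listing line (empty list = nothing odd)."""
    p = path.lower()
    if "\\$recycle.bin\\s-1-5-18\\$" in p:
        return ["payload stored under the SYSTEM account's Recycle Bin (ZeroAccess)"]
    if p == r"c:\windows\svchost.exe":
        return ["svchost.exe outside System32/SysWOW64 (masquerading copy)"]
    if p.endswith(".exe") and USER_WRITABLE.search(path) and not company:
        return ["executable in a user-writable path with no version-info company"]
    return []


def triage(log_text):
    """Scan raw FRST log text and return the suspicious lines with reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_RE.match(line)
        if m:
            reasons, action = classify_registry(m["key"], m["name"], m["data"])
        else:
            m = FILE_RE.match(line)
            if not m:
                continue        # section headers, Services, Drivers, bare paths
            reasons, action = classify_file(m["path"], m["company"]), "fix"
        if reasons:
            findings.append(Finding(line, reasons, action))
    return findings


def build_fixlist(findings):
    """Fixlist shape used in this thread: 'start', the verbatim lines, 'end'."""
    body = [f.line for f in findings if f.action == "fix"]
    return "start\n" + "\n".join(body) + "\nend\n"


# Sample input: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" [163552 2011-08-05] (Microsoft Corporation)
HKU\Beast\...\Run: [Apple Computer] rundll32.exe "C:\Users\Beast\AppData\Local\ATI\Apple Computer\yajutazqt.dll",Agent_OnLoadW [249344 2012-10-05] ()
HKU\Beast\...\Run: [q] "xidpwooedd.exe" [x]
HKU\Beast\...\Run: [Viygyvivfo] C:\Users\Beast\AppData\Roaming\Mato\oswu.exe [190464 2012-01-25] ()
HKU\Beast\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Shell] explorer.exe, C:\Users\Beast\AppData\Roaming\yf_wsuzvswe [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$bf46358e7358a64d44af1a5bebd61fe6\n. ATTENTION! ====> ZeroAccess
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
2012-11-24 07:10 - 2012-11-24 12:22 - 00107520 ____A C:\Users\Beast\AppData\Roaming\yf_wsuzvswe.exe
2012-11-24 15:29 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-23 08:45 - 2012-11-23 08:45 - 00000000 ____A C:\Windows\setuperr.log
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.action}] {f.line}\n        -> {'; '.join(f.reasons)}")
    print(build_fixlist(hits))
```

On the sample above the pass flags eight lines; seven land in the fixlist and the orphaned [q] entry is left for review, which is the same split CatByte made by hand in posts #2 and #4. Two things the script deliberately does not do: it does not touch the bare paths under the "ZeroAccess:" headings (FRST prints those without timestamps, so they fall through FILE_RE and must be added by the reviewer), and it does not decide whether an orphaned autorun is harmless leftover or a dropper that simply has not re-written its file yet.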


#3 kittyvikings
  • Topic Starter

  • Members
  • 2 posts

Posted 24 November 2012 - 08:09 PM

Thanks a lot! Here is the fixlog:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-11-2012
Ran by SYSTEM at 2012-11-24 18:27:35 Run:1
Running from F:\

==============================================

HKEY_USERS\Beast\Software\Microsoft\Windows\CurrentVersion\Run\\Viygyvivfo Value deleted successfully.
HKEY_USERS\Beast\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).
C:\Users\Beast\AppData\Local\yf_wsuzvswe.exe moved successfully.
C:\Users\All Users\yf_wsuzvswe.exe moved successfully.
C:\Users\Beast\AppData\Roaming\Touhq not found.
C:\Users\Beast\AppData\Roaming\Mato not found.
C:\Users\Beast\AppData\Roaming\Elov not found.
C:\$Recycle.Bin\S-1-5-21-1009308433-3224749790-3350231861-1000\$bf46358e7358a64d44af1a5bebd61fe6 moved successfully.
C:\$Recycle.Bin\S-1-5-18\$bf46358e7358a64d44af1a5bebd61fe6 moved successfully.
C:\Windows\svchost.exe moved successfully.
C:\Users\Beast\AppData\Local\ATI\Apple Computer\yajutazqt.dll moved successfully.
C:\Users\Beast\AppData\Roaming\Mato\oswu.exe not found.
C:\Users\Beast\AppData\Roaming\yf_wsuzvswe not found.

==== End of Fixlog ====

It happened again actually, here is the new one:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-11-2012
Ran by SYSTEM at 24-11-2012 18:58:03
Running from F:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" [163552 2011-08-05] (Microsoft Corporation)
HKLM-x32\...\Run: [CTHelper] CTHELPER.EXE [x]
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [296096 2012-07-07] (RealNetworks, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641704 2012-07-03] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Beast\...\Run: [AdobeBridge] [x]
HKU\Beast\...\Run: [Apple Computer] rundll32.exe "C:\Users\Beast\AppData\Local\ATI\Apple Computer\yajutazqt.dll",Agent_OnLoadW [x]
HKU\Beast\...\Run: [q] "xidpwooedd.exe" [x]
HKU\Beast\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Shell] Explorer.exe, C:\ProgramData\yf_wsuzvswe [x ] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ===================

3 COMMONFX.DLL; C:\Windows\System32\COMMONFX.DLL [151296 2007-04-12] (Creative Technology Ltd)
3 CT20XUT.DLL; C:\Windows\System32\CT20XUT.DLL [252712 2007-04-10] (Creative Technology Ltd.)
3 CTAUDFX.DLL; C:\Windows\System32\CTAUDFX.DLL [700200 2007-04-10] (Creative Technology Ltd)
3 CTEAPSFX.DLL; C:\Windows\System32\CTEAPSFX.DLL [219432 2007-04-10] (Creative Technology Ltd)
3 CTEDSPFX.DLL; C:\Windows\System32\CTEDSPFX.DLL [321832 2007-04-10] (Creative Technology Ltd)
3 CTEDSPIO.DLL; C:\Windows\System32\CTEDSPIO.DLL [190248 2007-04-10] (Creative Technology Ltd)
3 CTEDSPSY.DLL; C:\Windows\System32\CTEDSPSY.DLL [363304 2007-04-10] (Creative Technology Ltd)
3 CTERFXFX.DLL; C:\Windows\System32\CTERFXFX.DLL [142120 2007-04-10] (Creative Technology Ltd)
3 CTEXFIFX.DLL; C:\Windows\System32\CTEXFIFX.DLL [1571112 2007-04-10] (Creative Technology Ltd.)
3 CTHWIUT.DLL; C:\Windows\System32\CTHWIUT.DLL [123688 2007-04-10] (Creative Technology Ltd.)
3 CTSBLFX.DLL; C:\Windows\System32\CTSBLFX.DLL [681256 2007-04-10] (Creative Technology Ltd)
3 TuneUp.Defrag; C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe [607040 2010-09-23] (TuneUp Software)
4 TuneUp.UtilitiesSvc; "C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe" [1403200 2010-08-27] (TuneUp Software)

==================== Drivers (Whitelisted) =====================

3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-28] ()
3 TuneUpUtilitiesDrv; \??\C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesDriver64.sys [11856 2010-02-25] (TuneUp Software)
3 PTQHBUS; C:\Windows\System32\DRIVERS\PTQHBUS.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-24 15:52 - 2012-11-24 15:52 - 00000810 ____A C:\Windows\PFRO.log
2012-11-24 15:50 - 2012-11-24 15:50 - 00107520 ____A C:\Users\All Users\yf_wsuzvswe.exe
2012-11-24 15:50 - 2012-11-24 14:39 - 00107520 ____A C:\Users\Beast\AppData\Local\yf_wsuzvswe.exe
2012-11-24 15:49 - 2012-11-24 15:48 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-11-24 15:48 - 2012-11-24 15:48 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-11-24 15:48 - 2012-11-24 15:48 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-11-24 15:48 - 2012-11-24 15:48 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-11-24 15:29 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-24 14:39 - 2012-11-24 14:39 - 00107520 ____A C:\Users\Beast\AppData\Roaming\yf_wsuzvswe.exe
2012-11-23 08:45 - 2012-11-24 15:28 - 00000560 ____A C:\Windows\setupact.log
2012-11-23 08:45 - 2012-11-23 08:45 - 00000000 ____A C:\Windows\setuperr.log
2012-11-22 23:00 - 2012-11-24 15:51 - 04958588 ____A C:\Windows\{00000002-00000000-00000000-00001102-00000008-10211102}.BAK
2012-10-29 12:55 - 2012-10-29 12:55 - 00002083 ____A C:\Users\Public\Desktop\Fable III.lnk
2012-10-29 12:48 - 2012-10-29 12:48 - 00000000 ____D C:\Program Files (x86)\Microsoft Games


==================== One Month Modified Files and Folders =======

2012-11-24 16:00 - 2012-11-24 16:00 - 00000000 ____D C:\FRST
2012-11-24 15:52 - 2012-11-24 15:52 - 00000810 ____A C:\Windows\PFRO.log
2012-11-24 15:52 - 2009-07-13 20:45 - 02875784 ____A C:\Windows\System32\FNTCACHE.DAT
2012-11-24 15:51 - 2012-11-22 23:00 - 04958588 ____A C:\Windows\{00000002-00000000-00000000-00001102-00000008-10211102}.BAK
2012-11-24 15:51 - 2012-01-15 19:03 - 01240647 ____A C:\Windows\WindowsUpdate.log
2012-11-24 15:51 - 2010-09-23 20:53 - 04958588 ____A C:\Windows\{00000002-00000000-00000000-00001102-00000008-10211102}.CDF
2012-11-24 15:50 - 2012-11-24 15:50 - 00107520 ____A C:\Users\All Users\yf_wsuzvswe.exe
2012-11-24 15:48 - 2012-11-24 15:49 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-11-24 15:48 - 2012-11-24 15:48 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-11-24 15:48 - 2012-11-24 15:48 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-11-24 15:48 - 2012-11-24 15:48 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-11-24 15:48 - 2012-08-14 11:44 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-11-24 15:48 - 2012-08-14 11:44 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-11-24 15:44 - 2012-03-03 15:56 - 00000000 ____D C:\Program Files (x86)\uTorrent
2012-11-24 15:44 - 2012-03-03 15:55 - 00000000 ____D C:\Users\Beast\AppData\Roaming\uTorrent
2012-11-24 15:42 - 2012-01-18 19:43 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-11-24 15:36 - 2009-07-13 20:45 - 00020352 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-24 15:36 - 2009-07-13 20:45 - 00020352 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-24 15:29 - 2012-01-15 18:07 - 00000324 ____A C:\Windows\Tasks\GlaryInitialize.job
2012-11-24 15:29 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-24 15:28 - 2012-11-23 08:45 - 00000560 ____A C:\Windows\setupact.log
2012-11-24 14:39 - 2012-11-24 15:50 - 00107520 ____A C:\Users\Beast\AppData\Local\yf_wsuzvswe.exe
2012-11-24 14:39 - 2012-11-24 14:39 - 00107520 ____A C:\Users\Beast\AppData\Roaming\yf_wsuzvswe.exe
2012-11-24 07:12 - 2010-09-23 18:23 - 00000000 ____D C:\users\Beast
2012-11-24 06:26 - 2012-10-05 09:13 - 00000000 ____D C:\Windows\pss
2012-11-23 08:45 - 2012-11-23 08:45 - 00000000 ____A C:\Windows\setuperr.log
2012-11-22 20:34 - 2012-08-20 16:52 - 00000000 ____D C:\Windows\Minidump
2012-11-19 12:33 - 2009-07-13 21:08 - 00032610 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-11-14 12:40 - 2009-07-13 21:13 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-29 12:55 - 2012-10-29 12:55 - 00002083 ____A C:\Users\Public\Desktop\Fable III.lnk
2012-10-29 12:48 - 2012-10-29 12:48 - 00000000 ____D C:\Program Files (x86)\Microsoft Games

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-24 15:39:36
Restore point made on: 2012-11-24 15:40:23
Restore point made on: 2012-11-24 15:42:03
Restore point made on: 2012-11-24 15:46:18
Restore point made on: 2012-11-24 15:50:48

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4095.05 MB
Available physical RAM: 3501.79 MB
Total Pagefile: 4093.2 MB
Available Pagefile: 3495.43 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:209.78 GB) NTFS
2 Drive d: () (Fixed) (Total:232.88 GB) (Free:83.15 GB) NTFS
3 Drive f: () (Removable) (Total:0.93 GB) (Free:0.92 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 232 GB 9 MB
Disk 2 Online 954 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 465 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 232 GB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D NTFS Partition 232 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 954 MB 0 B

==================================================================================

Disk: 2
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

=========================================================

Last Boot: 2012-11-16 14:06

==================== End Of Log =============================

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 24 November 2012 - 08:20 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKU\Beast\...\Run: [Apple Computer] rundll32.exe "C:\Users\Beast\AppData\Local\ATI\Apple Computer\yajutazqt.dll",Agent_OnLoadW [x]
HKU\Beast\...\Run: [q] "xidpwooedd.exe" [x]
HKU\Beast\...\Policies\system: [DisableTaskMgr] 1
HKLM\...\Winlogon: [Shell] Explorer.exe, C:\ProgramData\yf_wsuzvswe [x ] ()
2012-11-24 15:50 - 2012-11-24 15:50 - 00107520 ____A C:\Users\All Users\yf_wsuzvswe.exe
2012-11-24 15:50 - 2012-11-24 14:39 - 00107520 ____A C:\Users\Beast\AppData\Local\yf_wsuzvswe.exe
2012-11-24 15:29 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-24 14:39 - 2012-11-24 14:39 - 00107520 ____A C:\Users\Beast\AppData\Roaming\yf_wsuzvswe.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.



NEXT



Please see if you are now able to move on to the MBAR and ComboFix tools



#5 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 30 November 2012 - 07:46 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
