Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

infected with ZeroAccess rootkit.


  • This topic is locked This topic is locked
25 replies to this topic

#1 VaMaster54 - Mike

VaMaster54 - Mike

  • Members
  • 111 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centreville, Winchester, VIRGINIA
  • Local time:09:24 PM

Posted 16 December 2012 - 01:23 PM

AVG Security. Vista Home. Dell 530 Inspiron. 64 bit operating system.


Invaded. Trojan PUM.UserWLoad detected by AVG and Malewarebytes.

Posted yesterday and run tests and it is determined that I have....ZeroAccess rootkit.

Tests run from instructions here....
Farber Service Scanner
Mini Toolbox
MBAM
aswMBR
MBAR


Sent here...ran step 6..DDS tool

BC AdBot (Login to Remove)

 


#2 VaMaster54 - Mike

VaMaster54 - Mike
  • Topic Starter

  • Members
  • 111 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centreville, Winchester, VIRGINIA
  • Local time:09:24 PM

Posted 16 December 2012 - 01:28 PM

dds txt. log

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457
Run by MD Tavenner at 13:04:57 on 2012-12-16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4084.1530 [GMT -5:00]
.
AV: AVG Internet Security 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: PC Tools Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
FW: AVG Internet Security 2012 *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\AERTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2012\avgfws.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RAVCpl64.exe
C:\Windows\syswow64\svchost.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Users\MD Tavenner\AppData\Local\Autobahn\nexdef.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
"C:\Windows\system32\svchost.exe" /Service
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Windows\SysWOW64\svchost.exe"
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://www.google.com
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
uWindows: Load = C:\Users\MDTAVE~1\LOCALS~1\Temp\msswuy.exe
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
uRun: [AdobeUpdater] C:\Users\MD Tavenner\AppData\Roaming\Adobe\AdobeUpdaterInstallMgr.exe /Service
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [WinPatrol] "C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
StartupFolder: C:\Users\MDTAVE~1\STARTM~1\Programs\Startup\NEXDEF~1.LNK - C:\Users\MD Tavenner\AppData\Local\Autobahn\nexdef.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.5.1.0.cab
TCP: NameServer = 192.168.1.1 71.250.0.12
TCP: Interfaces\{1AAD6D77-8E78-4D13-B953-B7045E641A79} : DHCPNameServer = 192.168.1.1 71.250.0.12
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
CLSID: {603D3801-BD81-11d0-A3A5-00C04FD706EC} - C:\Windows\SysWow64\browseui.dll
x64-BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [RtHDVCpl] RAVCpl64.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-Explorer: NoDrives = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll
x64-Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - LocalServer32 - <no file>
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-4-19 28480]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-1-31 36944]
R0 PCTCore;PCTools KDS;C:\Windows\System32\drivers\PCTCore64.sys [2012-2-3 367912]
R0 pctDS;PC Tools Data Store;C:\Windows\System32\drivers\pctDS64.sys [2012-2-3 453896]
R0 pctEFA;PC Tools Extended File Attributes;C:\Windows\System32\drivers\pctEFA64.sys [2012-2-3 1096688]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-2-17 55856]
R0 TfFsMon;TfFsMon;C:\Windows\System32\drivers\TfFsMon.sys [2012-2-3 65664]
R0 TFSysMon;TfSysMon;C:\Windows\System32\drivers\TfSysMon.sys [2012-2-3 706776]
R1 Avgfwfd;AVG network filter service;C:\Windows\System32\drivers\avgfwd6a.sys [2010-7-12 48992]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-7-26 291680]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2011-12-23 47696]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-8-24 384352]
R1 pctgntdi;pctgntdi;C:\Windows\System32\drivers\pctgntdi64.sys [2012-2-3 339608]
R1 PCTSD;PC Tools Spyware Doctor Driver;C:\Windows\System32\drivers\PCTSD64.sys [2012-2-3 230952]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AERTFilters;Andrea RT Filters Service;C:\Windows\System32\AERTSr64.exe [2009-2-17 86016]
R2 avgfws;AVG Firewall;C:\Program Files (x86)\AVG\AVG2012\avgfws.exe [2012-6-13 2321560]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-8-13 5167736]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-9-23 155648]
R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-22 399432]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2011-12-23 124496]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\avgidsfiltera.sys [2011-12-23 29776]
R3 CAXHWBS2;CAXHWBS2;C:\Windows\System32\drivers\CAXHWBS2.sys [2009-2-17 411136]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-2-3 25928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-2-3 676936]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-5-6 167264]
S3 fssfltr;FssFltr;C:\Windows\System32\drivers\fssfltr.sys [2010-11-18 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 pctplsg;pctplsg;C:\Windows\System32\drivers\pctplsg64.sys [2012-2-3 92896]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [2012-2-3 402336]
S3 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [2012-2-3 1117624]
S3 SWDUMon;SWDUMon;C:\Windows\System32\drivers\SWDUMon.sys [2012-9-16 15672]
S3 TfNetMon;TfNetMon;C:\Windows\System32\drivers\TfNetMon.sys [2012-2-3 41968]
S3 ThreatFire;ThreatFire;C:\Program Files (x86)\PC Tools Security\TFEngine\TFService.exe service --> C:\Program Files (x86)\PC Tools Security\TFEngine\TFService.exe service [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-2-15 52736]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-18 89920]
.
=============== File Associations ===============
.
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-12-12 23:25:34 67413224 ----a-w- C:\Windows\System32\mrt.exe
2012-12-11 23:07:15 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-11 23:07:15 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-11-14 07:06:18 17811968 ----a-w- C:\Windows\System32\mshtml.dll
2012-11-14 06:32:33 10925568 ----a-w- C:\Windows\System32\ieframe.dll
2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-11-14 06:04:44 1346048 ----a-w- C:\Windows\System32\urlmon.dll
2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-11-14 06:02:04 237056 ----a-w- C:\Windows\System32\url.dll
2012-11-14 05:59:52 85504 ----a-w- C:\Windows\System32\jsproxy.dll
2012-11-14 05:58:36 816640 ----a-w- C:\Windows\System32\jscript.dll
2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-11-14 05:55:45 2144768 ----a-w- C:\Windows\System32\iertutil.dll
2012-11-14 05:55:26 729088 ----a-w- C:\Windows\System32\msfeeds.dll
2012-11-14 05:53:22 96768 ----a-w- C:\Windows\System32\mshtmled.dll
2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-11-14 05:46:25 248320 ----a-w- C:\Windows\System32\ieui.dll
2012-11-14 02:48:26 12320256 ----a-w- C:\Windows\SysWow64\mshtml.dll
2012-11-14 02:14:59 9738240 ----a-w- C:\Windows\SysWow64\ieframe.dll
2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:44 1103872 ----a-w- C:\Windows\SysWow64\urlmon.dll
2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:55:46 231936 ----a-w- C:\Windows\SysWow64\url.dll
2012-11-14 01:51:44 65024 ----a-w- C:\Windows\SysWow64\jsproxy.dll
2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:49:19 717824 ----a-w- C:\Windows\SysWow64\jscript.dll
2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:47:20 607744 ----a-w- C:\Windows\SysWow64\msfeeds.dll
2012-11-14 01:46:38 1793024 ----a-w- C:\Windows\SysWow64\iertutil.dll
2012-11-14 01:45:01 73216 ----a-w- C:\Windows\SysWow64\mshtmled.dll
2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-14 01:41:30 176640 ----a-w- C:\Windows\SysWow64\ieui.dll
2012-11-13 01:55:22 2770432 ----a-w- C:\Windows\System32\win32k.sys
2012-11-13 01:45:48 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-13 01:29:51 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-11-08 04:24:01 48128 ----a-w- C:\Windows\System32\atmlib.dll
2012-11-08 03:46:35 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-11-08 02:00:56 368128 ----a-w- C:\Windows\System32\atmfd.dll
2012-11-08 01:36:08 293376 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-11-02 10:45:52 477696 ----a-w- C:\Windows\System32\dpnet.dll
2012-11-02 10:45:51 68096 ----a-w- C:\Windows\System32\dpnathlp.dll
2012-11-02 10:18:17 376320 ----a-w- C:\Windows\SysWow64\dpnet.dll
2012-11-02 08:59:56 26112 ----a-w- C:\Windows\System32\dpnsvr.exe
2012-11-02 08:26:06 23040 ----a-w- C:\Windows\SysWow64\dpnsvr.exe
2012-10-25 08:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2012-10-25 08:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2012-09-29 23:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-29 00:40:35 15672 ----a-w- C:\Windows\System32\drivers\SWDUMon.sys
2012-09-28 16:34:50 1210368 ----a-w- C:\Windows\System32\kernel32.dll
2012-09-28 16:13:29 860160 ----a-w- C:\Windows\SysWow64\kernel32.dll
2012-09-25 16:31:19 91648 ----a-w- C:\Windows\System32\synceng.dll
2012-09-25 16:19:41 75776 ----a-w- C:\Windows\SysWow64\synceng.dll
.
============= FINISH: 13:06:08.35 ===============

Attached Files



#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:24 PM

Posted 16 December 2012 - 01:50 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 VaMaster54 - Mike

VaMaster54 - Mike
  • Topic Starter

  • Members
  • 111 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centreville, Winchester, VIRGINIA
  • Local time:09:24 PM

Posted 16 December 2012 - 02:47 PM

Hi Gringo...good to see you again...well, sort of :)

Here are my logs..........

Security check.

Results of screen317's Security Check version 0.99.56
Windows Vista Service Pack 2 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
AVG Internet Security 2012
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
PC Tools Spyware Doctor
SpywareBlaster 4.6
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 31
Java version out of Date!
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.64
Google Chrome 23.0.1271.91
Google Chrome 23.0.1271.95
Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
WinPatrol winpatrol.exe
AVG avgwdsvc.exe
AVG avgtray.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
BillP Studios WinPatrol WinPatrol.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````


AdwCleaner

# AdwCleaner v2.101 - Logfile created 12/16/2012 at 14:24:12
# Updated 16/12/2012 by Xplode
# Operating system : Windows ™ Vista Home Premium Service Pack 2 (64 bits)
# User : MD Tavenner - MDTAVENNER-PC
# Boot Mode : Normal
# Running from : C:\Users\MD Tavenner\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\SpecialSavings
Deleted on reboot : C:\Users\MD Tavenner\AppData\LocalLow\boost_interprocess

***** [Registry] *****

Key Deleted : HKLM\Software\Freeze.com

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Users\MD Tavenner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1609 octets] - [05/08/2012 22:15:18]
AdwCleaner[S2].txt - [925 octets] - [16/12/2012 14:24:12]

########## EOF - C:\AdwCleaner[S2].txt - [984 octets] ##########


Rogue Killer..

ogueKiller V8.4.0 [Dec 15 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : MD Tavenner [Admin rights]
Mode : Remove -- Date : 12/16/2012 14:38:31

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] RAVCpl64.exe -- C:\Windows\RAVCpl64.exe -> KILLED [TermProc]
[SUSP PATH] nexdef.exe -- C:\Users\MD Tavenner\AppData\Local\Autobahn\nexdef.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : AdobeUpdater (C:\Users\MD Tavenner\AppData\Roaming\Adobe\AdobeUpdaterInstallMgr.exe /Service) -> DELETED
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\MDTAVE~1\LOCALS~1\Temp\msswuy.exe) -> DELETED
[TASK][SUSP PATH] winupd : C:\Users\MDTAVE~1\AppData\Local\Temp:winupd.exe -> DELETED
[STARTUP][SUSP PATH] NexDef Plug-in.lnk @MD Tavenner : C:\Users\MD Tavenner\AppData\Local\Autobahn\nexdef.exe -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\MD Tavenner\AppData\Local\{3056bfcb-08c9-467e-9d3a-6363f3d670ce}\n.) -> REPLACED (C:\Windows\system32\shell32.dll)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-70958898-3549120117-1537960985-1000\$3056bfcb08c9467e9d3a6363f3d670ce\n.) -> REPLACED (C:\Windows\system32\shell32.dll)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Users\MD Tavenner\AppData\Local\{3056bfcb-08c9-467e-9d3a-6363f3d670ce}\@ --> REMOVED
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-70958898-3549120117-1537960985-1000\$3056bfcb08c9467e9d3a6363f3d670ce\@ --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\Users\MD Tavenner\AppData\Local\{3056bfcb-08c9-467e-9d3a-6363f3d670ce}\U\00000004.@ --> REMOVED
[Del.Parent][FILE] 80000064.@ : C:\Users\MD Tavenner\AppData\Local\{3056bfcb-08c9-467e-9d3a-6363f3d670ce}\U\80000064.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Users\MD Tavenner\AppData\Local\{3056bfcb-08c9-467e-9d3a-6363f3d670ce}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-70958898-3549120117-1537960985-1000\$3056bfcb08c9467e9d3a6363f3d670ce\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\Users\MD Tavenner\AppData\Local\{3056bfcb-08c9-467e-9d3a-6363f3d670ce}\L\00000004.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Users\MD Tavenner\AppData\Local\{3056bfcb-08c9-467e-9d3a-6363f3d670ce}\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-70958898-3549120117-1537960985-1000\$3056bfcb08c9467e9d3a6363f3d670ce\L --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\Default\NTUSER.DAT

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725050GLA360 ATA Device +++++
--- User ---
[MBR] 53bdedb502792553b72ef5a9ccda4320
[BSP] 0003ab1dbd4214ffbd003b1220c61bce : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_12162012_02d1438.txt >>
RKreport[1]_S_12162012_02d1436.txt ; RKreport[2]_D_12162012_02d1438.txt

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:24 PM

Posted 16 December 2012 - 03:03 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 VaMaster54 - Mike

VaMaster54 - Mike
  • Topic Starter

  • Members
  • 111 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centreville, Winchester, VIRGINIA
  • Local time:09:24 PM

Posted 16 December 2012 - 04:11 PM

Gringo, No problems running ComboFix.

Will put computer thru its paces to see how it is responding.

Here is the log...........

ComboFix 12-12-14.01 - MD Tavenner 12/16/2012 15:44:23.4.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4084.2357 [GMT -5:00]
Running from: c:\users\MD Tavenner\Desktop\ComboFix.exe
AV: AVG Internet Security 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
FW: AVG Internet Security 2012 *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
SP: AVG Internet Security 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: PC Tools Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Downloaded Installers
c:\program files (x86)\Downloaded Installers\{e5552ef3-e76e-4065-ad34-74fc6032d3d7}\setup.msi
c:\programdata\48660215c7f8
c:\programdata\786ad73xp30i88646307chaamo5g553eic8ob03001g
c:\programdata\Microsoft\Windows\DRM\DB71.tmp
c:\programdata\sqj.pad
c:\windows\SysWow64\Cache
c:\windows\SysWow64\Cache\19fb0544aebbff2b.fb
c:\windows\SysWow64\Cache\272512937d9e61a4.fb
c:\windows\SysWow64\Cache\287204568329e189.fb
c:\windows\SysWow64\Cache\28bc8f716fd76a47.fb
c:\windows\SysWow64\Cache\2c53092c95605355.fb
c:\windows\SysWow64\Cache\31a0997e9a5b5eb3.fb
c:\windows\SysWow64\Cache\32c84fe32bb74d60.fb
c:\windows\SysWow64\Cache\3917078cb68ec657.fb
c:\windows\SysWow64\Cache\3a688c49fecf4462.fb
c:\windows\SysWow64\Cache\590ba23ce359fd0c.fb
c:\windows\SysWow64\Cache\610289e025a3ee9a.fb
c:\windows\SysWow64\Cache\651c5d3cdbfb8bd1.fb
c:\windows\SysWow64\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\SysWow64\Cache\6d03dad1035885d3.fb
c:\windows\SysWow64\Cache\99b26ee76b8ac6ba.fb
c:\windows\SysWow64\Cache\a8556537add6dfc5.fb
c:\windows\SysWow64\Cache\ad10a52aff5e038d.fb
c:\windows\SysWow64\Cache\c1fa887b03019701.fb
c:\windows\SysWow64\Cache\c4d28dca2e7648be.fb
c:\windows\SysWow64\Cache\d201ef9910cd39de.fb
c:\windows\SysWow64\Cache\d2e94710a5708128.fb
c:\windows\SysWow64\Cache\d79b9dfe81484ec4.fb
c:\windows\SysWow64\Cache\e0de16f883bea794.fb
c:\windows\SysWow64\Cache\f998975c9cc711ee.fb
.
.
((((((((((((((((((((((((( Files Created from 2012-11-16 to 2012-12-16 )))))))))))))))))))))))))))))))
.
.
2012-12-16 20:57 . 2012-12-16 20:57 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-12-16 20:57 . 2012-12-16 20:57 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-12-16 20:57 . 2012-12-16 20:57 -------- d-----w- c:\users\MD Tavenner\AppData\Local\temp
2012-12-16 20:57 . 2012-12-16 20:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-14 13:48 . 2012-12-14 13:48 -------- d-----w- c:\users\MD Tavenner\AppData\Roaming\{38C7563A-F529-46AE-9298-86FD550C6F6D}
2012-12-12 23:09 . 2012-11-14 05:53 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-12-12 23:08 . 2012-11-14 06:32 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-12-12 02:43 . 2012-09-28 16:34 1210368 ----a-w- c:\windows\system32\kernel32.dll
2012-12-12 02:43 . 2012-11-08 02:00 368128 ----a-w- c:\windows\system32\atmfd.dll
2012-12-12 02:43 . 2012-11-08 01:36 293376 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-12 02:43 . 2012-11-08 04:24 48128 ----a-w- c:\windows\system32\atmlib.dll
2012-12-12 02:43 . 2012-11-08 03:46 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-12 02:42 . 2012-11-13 01:45 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-12 02:42 . 2012-11-13 01:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-12-12 02:42 . 2012-11-13 01:55 2770432 ----a-w- c:\windows\system32\win32k.sys
2012-12-12 02:42 . 2012-08-21 11:50 267648 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-12-12 02:42 . 2012-11-02 10:45 477696 ----a-w- c:\windows\system32\dpnet.dll
2012-12-12 02:42 . 2012-11-02 10:45 68096 ----a-w- c:\windows\system32\dpnathlp.dll
2012-12-12 02:42 . 2012-11-02 10:18 376320 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-12-12 02:42 . 2012-11-02 08:59 26112 ----a-w- c:\windows\system32\dpnsvr.exe
2012-12-12 02:42 . 2012-11-02 08:26 23040 ----a-w- c:\windows\SysWow64\dpnsvr.exe
2012-12-06 20:59 . 2012-12-06 21:01 -------- d-----w- c:\programdata\AVG
2012-12-06 20:59 . 2012-12-06 20:59 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-12 23:25 . 2006-11-02 12:35 67413224 ----a-w- c:\windows\system32\mrt.exe
2012-12-11 23:07 . 2012-04-01 00:20 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-12-11 23:07 . 2011-05-14 11:30 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-25 08:12 . 2012-10-25 08:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 08:12 . 2012-10-25 08:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-09-29 23:54 . 2012-02-03 22:55 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-29 00:40 . 2012-09-16 14:35 15672 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2012-09-25 16:31 . 2012-11-16 09:14 91648 ----a-w- c:\windows\system32\synceng.dll
2012-09-25 16:19 . 2012-11-16 09:14 75776 ----a-w- c:\windows\SysWow64\synceng.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe" [2012-03-25 329312]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-05-19 296056]
.
c:\users\Default User\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe"
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" -osboot
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"HF_G_Jul"="c:\program files (x86)\AVG Secure Search\HF_G_Jul.exe" /DoAction
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSr64.exe [2008-07-18 86016]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 23:07]
.
2012-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 10:46]
.
2012-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 10:46]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-07-18 6453760]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-05 165400]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 243216]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-05 137240]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-05 202264]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
LSP: c:\program files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: garmin.com
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.Completion time: 2012-12-16 16:01:28
ComboFix-quarantined-files.txt 2012-12-16 21:01
.
Pre-Run: 61,149,302,784 bytes free
Post-Run: 61,549,543,424 bytes free
.
- - End Of File - - CD49EFC6370052CBFCF59FF122197150

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:24 PM

Posted 16 December 2012 - 05:13 PM

Greetings

I want you to run these next,

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 VaMaster54 - Mike

VaMaster54 - Mike
  • Topic Starter

  • Members
  • 111 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centreville, Winchester, VIRGINIA
  • Local time:09:24 PM

Posted 16 December 2012 - 05:16 PM

Should I do these with my protection "on" or "off" ?

#9 VaMaster54 - Mike

VaMaster54 - Mike
  • Topic Starter

  • Members
  • 111 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centreville, Winchester, VIRGINIA
  • Local time:09:24 PM

Posted 16 December 2012 - 05:33 PM

On the TDSS Killer, does check all boxes mean the 4objects to scan...or should we check the 2 additional options also.

#10 VaMaster54 - Mike

VaMaster54 - Mike
  • Topic Starter

  • Members
  • 111 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centreville, Winchester, VIRGINIA
  • Local time:09:24 PM

Posted 16 December 2012 - 05:54 PM

TDSS Killer (without the additional options) .. was told by website it is too long.

Shall I send it as attachment ??

Will do aswMBR now.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:24 PM

Posted 16 December 2012 - 05:54 PM

all of them
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 VaMaster54 - Mike

VaMaster54 - Mike
  • Topic Starter

  • Members
  • 111 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centreville, Winchester, VIRGINIA
  • Local time:09:24 PM

Posted 16 December 2012 - 06:18 PM

TDSS Killer...file is too big to post.

Too large to send as attachment.

#13 VaMaster54 - Mike

VaMaster54 - Mike
  • Topic Starter

  • Members
  • 111 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centreville, Winchester, VIRGINIA
  • Local time:09:24 PM

Posted 16 December 2012 - 07:14 PM

aswMBR log....not sure if it finished but it had not produced anything for 15 minutes...running again just in case.

18:41:50.071 OS Version: Windows x64 6.0.6002 Service Pack 2
18:41:50.071 Number of processors: 2 586 0x1706
18:41:50.071 ComputerName: MDTAVENNER-PC UserName: MD Tavenner
18:41:51.646 Initialize success
18:42:05.062 AVAST engine defs: 12121601
18:43:00.927 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:43:00.927 Disk 0 Vendor: Hitachi_HDP725050GLA360 GM4OA5BA Size: 476940MB BusType: 3
18:43:01.067 Disk 0 MBR read successfully
18:43:01.067 Disk 0 MBR scan
18:43:01.098 Disk 0 Windows VISTA default MBR code
18:43:01.114 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
18:43:01.145 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15000 MB offset 81920
18:43:01.176 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461899 MB offset 30801920
18:43:01.301 Disk 0 scanning C:\Windows\system32\drivers
18:43:42.814 Service scanning
18:44:14.608 Modules scanning
18:44:14.621 Disk 0 trace - called modules:
18:44:14.667 ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore64.sys acpi.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:44:15.028 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800628f060]
18:44:15.037 3 CLASSPNP.SYS[fffffa60013d5c33] -> nt!IofCallDriver -> [0xfffffa8004e37690]
18:44:15.047 5 PCTCore64.sys[fffffa6000af3f38] -> nt!IofCallDriver -> [0xfffffa8004c7c930]
18:44:15.056 7 acpi.sys[fffffa6000929fde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004c89060]
18:44:18.139 AVAST engine scan C:\Windows
18:45:27.466 AVAST engine scan C:\Windows\system32
18:56:06.633 AVAST engine scan C:\Windows\system32\drivers
18:56:35.619 AVAST engine scan C:\Users\MD Tavenner
19:12:02.756 Disk 0 MBR has been saved successfully to "C:\Users\MD Tavenner\Desktop\MBR.dat"
19:12:02.764 The log file has been saved successfully to "C:\Users\MD Tavenner\Desktop\aswMBR.txt"

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:24 PM

Posted 16 December 2012 - 08:48 PM

just send me the last part of the TDSSkiller report - about the last 25 lines
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 VaMaster54 - Mike

VaMaster54 - Mike
  • Topic Starter

  • Members
  • 111 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centreville, Winchester, VIRGINIA
  • Local time:09:24 PM

Posted 17 December 2012 - 03:06 AM

Apologies for the delay. Was up all night Saturday and fell asleep a while ago.

Finally got the aswMBR to do full complete scan...here is the log.

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-16 18:41:50
-----------------------------
18:41:50.071 OS Version: Windows x64 6.0.6002 Service Pack 2
18:41:50.071 Number of processors: 2 586 0x1706
18:41:50.071 ComputerName: MDTAVENNER-PC UserName: MD Tavenner
18:41:51.646 Initialize success
18:42:05.062 AVAST engine defs: 12121601
18:43:00.927 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:43:00.927 Disk 0 Vendor: Hitachi_HDP725050GLA360 GM4OA5BA Size: 476940MB BusType: 3
18:43:01.067 Disk 0 MBR read successfully
18:43:01.067 Disk 0 MBR scan
18:43:01.098 Disk 0 Windows VISTA default MBR code
18:43:01.114 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
18:43:01.145 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15000 MB offset 81920
18:43:01.176 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461899 MB offset 30801920
18:43:01.301 Disk 0 scanning C:\Windows\system32\drivers
18:43:42.814 Service scanning
18:44:14.608 Modules scanning
18:44:14.621 Disk 0 trace - called modules:
18:44:14.667 ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore64.sys acpi.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:44:15.028 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800628f060]
18:44:15.037 3 CLASSPNP.SYS[fffffa60013d5c33] -> nt!IofCallDriver -> [0xfffffa8004e37690]
18:44:15.047 5 PCTCore64.sys[fffffa6000af3f38] -> nt!IofCallDriver -> [0xfffffa8004c7c930]
18:44:15.056 7 acpi.sys[fffffa6000929fde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004c89060]
18:44:18.139 AVAST engine scan C:\Windows
18:45:27.466 AVAST engine scan C:\Windows\system32
18:56:06.633 AVAST engine scan C:\Windows\system32\drivers
18:56:35.619 AVAST engine scan C:\Users\MD Tavenner
19:12:02.756 Disk 0 MBR has been saved successfully to "C:\Users\MD Tavenner\Desktop\MBR.dat"
19:12:02.764 The log file has been saved successfully to "C:\Users\MD Tavenner\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-16 20:25:26
-----------------------------
20:25:26.893 OS Version: Windows x64 6.0.6002 Service Pack 2
20:25:26.893 Number of processors: 2 586 0x1706
20:25:26.893 ComputerName: MDTAVENNER-PC UserName: MD Tavenner
20:25:29.763 Initialize success
20:25:44.663 AVAST engine defs: 12121601
20:25:50.240 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:25:50.243 Disk 0 Vendor: Hitachi_HDP725050GLA360 GM4OA5BA Size: 476940MB BusType: 3
20:25:50.256 Disk 0 MBR read successfully
20:25:50.259 Disk 0 MBR scan
20:25:50.297 Disk 0 Windows VISTA default MBR code
20:25:50.301 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
20:25:50.335 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15000 MB offset 81920
20:25:50.354 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461899 MB offset 30801920
20:25:50.381 Disk 0 scanning C:\Windows\system32\drivers
20:26:03.179 Service scanning
20:26:30.798 Modules scanning
20:26:30.808 Disk 0 trace - called modules:
20:26:30.840 ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore64.sys acpi.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
20:26:31.203 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004efa790]
20:26:31.210 3 CLASSPNP.SYS[fffffa600140ac33] -> nt!IofCallDriver -> [0xfffffa8004ef58b0]
20:26:31.217 5 PCTCore64.sys[fffffa6000a5bf38] -> nt!IofCallDriver -> [0xfffffa8004c7d930]
20:26:31.224 7 acpi.sys[fffffa6000923fde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004c844b0]
20:26:32.829 AVAST engine scan C:\Windows
20:26:37.328 AVAST engine scan C:\Windows\system32
20:31:15.734 AVAST engine scan C:\Windows\system32\drivers
20:31:33.935 AVAST engine scan C:\Users\MD Tavenner
02:21:39.342 AVAST engine scan C:\ProgramData
02:34:30.530 Scan finished successfully
02:58:51.485 Disk 0 MBR has been saved successfully to "C:\Users\MD Tavenner\Desktop\MBR.dat"
02:58:51.532 The log file has been saved successfully to "C:\Users\MD Tavenner\Desktop\aswMBR.txt"


The end log of the the TDSS Killer........

8:07:47.0849 2764 C:\Windows\Installer\MSI64BC.tmp - ok
18:07:47.0849 2764 [ 960BAB23C347CD1012B7226B2571B438 ] C:\Windows\Installer\MSI652A.tmp
18:07:47.0849 2764 C:\Windows\Installer\MSI652A.tmp - ok
18:07:47.0864 2764 [ 6B5DC9711FD15A0E944A4F17366E2300 ] C:\Windows\System32\slwga.dll
18:07:47.0864 2764 C:\Windows\System32\slwga.dll - ok
18:07:47.0864 2764 [ D37D5BF4F0F202658F8FEC6D587D9F2E ] C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
18:07:47.0864 2764 C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe - ok
18:07:47.0864 2764 [ 13DD23172C3E8A81FAA9F88C34131C61 ] C:\Program Files (x86)\AVG\AVG2012\HtmLayout.dll
18:07:47.0864 2764 C:\Program Files (x86)\AVG\AVG2012\HtmLayout.dll - ok
18:07:47.0880 2764 [ 839A6DE71E73A017228251C8591018C0 ] C:\Program Files (x86)\AVG\AVG2012\avgupdx.dll
18:07:47.0880 2764 C:\Program Files (x86)\AVG\AVG2012\avgupdx.dll - ok
18:07:47.0880 2764 [ 1AAB1CFA56DFC2F7C4170E319C491669 ] C:\Program Files (x86)\AVG\AVG2012\avgaspmx.dll
18:07:47.0880 2764 C:\Program Files (x86)\AVG\AVG2012\avgaspmx.dll - ok
18:07:47.0896 2764 [ 9A5F8F497F5698288007484FCF15E34D ] C:\Program Files (x86)\AVG\AVG2012\fixcfg.exe
18:07:47.0896 2764 C:\Program Files (x86)\AVG\AVG2012\fixcfg.exe - ok
18:07:47.0896 2764 [ EBC984F0CE40E0DAF0454D806EC2A7EC ] C:\Users\MD Tavenner\Desktop\tdsskiller.exe
18:07:47.0896 2764 C:\Users\MD Tavenner\Desktop\tdsskiller.exe - ok
18:07:47.0896 2764 [ A0BA0C7A27F8A9EA42C295DF693FA191 ] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\CbsCore.dll
18:07:47.0896 2764 C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\CbsCore.dll - ok
18:07:47.0911 2764 [ A6BCDC241B6578C7DB57B5973B99FE7E ] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\wdscore.dll
18:07:47.0911 2764 C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\wdscore.dll - ok
18:07:47.0911 2764 [ 2E1874F23940AD24A6D3840407F38691 ] C:\Windows\System32\dpx.dll
18:07:47.0911 2764 C:\Windows\System32\dpx.dll - ok
18:07:47.0911 2764 [ C1FF45BEE358DA5EE0ACC919E4B4CB73 ] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\wcp.dll
18:07:47.0911 2764 C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\wcp.dll - ok
18:07:47.0927 2764 [ DEDBBECE90B40EE3126A09EAADCF184B ] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\DrUpdate.dll
18:07:47.0927 2764 C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\DrUpdate.dll - ok
18:07:47.0927 2764 [ A1A7BABE18FC30D9EEE8E2D2712A20E3 ] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\wrpint.dll
18:07:47.0927 2764 C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\wrpint.dll - ok
18:07:47.0942 2764 [ D6D0E3A93026682F73B094DCCF3F9AEB ] C:\Windows\System32\sxsstore.dll
18:07:47.0942 2764 C:\Windows\System32\sxsstore.dll - ok
18:07:47.0942 2764 [ 8337336020747453AE693CBD73A8FB34 ] C:\Windows\servicing\CbsApi.dll
18:07:47.0942 2764 C:\Windows\servicing\CbsApi.dll - ok
18:07:47.0942 2764 [ F146E2BA475893DD77B2370DC1211FC6 ] C:\Windows\System32\drivers\77746489.sys
18:07:47.0942 2764 C:\Windows\System32\drivers\77746489.sys - ok
18:07:47.0958 2764 [ 85155AC913CA65ADE0323DC751AF3391 ] C:\Windows\System32\bitsperf.dll
18:07:47.0958 2764 C:\Windows\System32\bitsperf.dll - ok
18:07:47.0958 2764 [ 980F1A36B970F5AE361C5C2A90C9E972 ] C:\Windows\System32\bitsigd.dll
18:07:47.0958 2764 C:\Windows\System32\bitsigd.dll - ok
18:07:47.0958 2764 [ 0C03B4C202B3C12C6E7D8BC9E0E02AF4 ] C:\Windows\System32\qmgrprxy.dll
18:07:47.0958 2764 C:\Windows\System32\qmgrprxy.dll - ok
18:07:47.0974 2764 [ FDFE2FB34497CF0166070DE685207839 ] C:\Windows\System32\bitsprx2.dll
18:07:47.0974 2764 C:\Windows\System32\bitsprx2.dll - ok
18:07:47.0974 2764 [ 96C373007C11347540F4F73BCBCE85AB ] C:\Windows\System32\bitsprx3.dll
18:07:47.0974 2764 C:\Windows\System32\bitsprx3.dll - ok
18:07:47.0974 2764 ============================================================
18:07:47.0974 2764 Scan finished
18:07:47.0974 2764 ============================================================
18:07:47.0989 3580 Detected object count: 7
18:07:47.0989 3580 Actual detected object count: 7
18:13:34.0252 3580 DockLoginService ( UnsignedFile.Multi.Generic ) - skipped by user
18:13:34.0252 3580 DockLoginService ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:13:34.0252 3580 hpqcxs08 ( UnsignedFile.Multi.Generic ) - skipped by user
18:13:34.0252 3580 hpqcxs08 ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:13:34.0252 3580 hpqddsvc ( UnsignedFile.Multi.Generic ) - skipped by user
18:13:34.0252 3580 hpqddsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:13:34.0252 3580 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
18:13:34.0252 3580 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:13:34.0267 3580 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
18:13:34.0267 3580 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:13:34.0267 3580 USBAAPL64 ( UnsignedFile.Multi.Generic ) - skipped by user
18:13:34.0267 3580 USBAAPL64 ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:13:34.0267 3580 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
18:13:34.0267 3580 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
18:13:38.0947 4268 Deinitialize success




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users