PC Infected with Trojan:DOS/Alureon.A


  • This topic is locked
10 replies to this topic

#1 Santaclaw

  • Members

Posted 17 December 2012 - 10:43 PM

Hopefully this can be fixed without a reinstall.

What's been done so far:

Tried various Live CDs to remove the virus; it says it's gone until I reboot the machine.
After a few reboots, the machine will not boot into Windows anymore.

Tried Bootrec (all switches) and it didn't solve the issue.

Have since run FRST64 and have the log from it; hope it's an obvious fix for someone.

Thanks for your time looking.
Edit: Guess I'm too new to post files, so here's a copy/paste.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-12-2012 (ATTENTION: FRST version is 6 days old)
Ran by SYSTEM at 17-12-2012 22:14:58
Running from E:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [OODefragTray] C:\Program Files\OO Software\Defrag\oodtray.exe [3998064 2012-06-06] (O&O Software GmbH)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641704 2012-07-03] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml [20992 2012-03-19] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ===================

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 OODefragAgent; "C:\Program Files\OO Software\Defrag\oodag.exe" [3293552 2012-06-06] (O&O Software GmbH)
2 STacSV; C:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV64.exe [239104 2009-06-11] (IDT, Inc.)

==================== Drivers (Whitelisted) =====================

0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [203888 2012-03-20] (Microsoft Corporation)
3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [98688 2012-03-20] (Microsoft Corporation)
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-12-17 20:30 - 2012-12-17 20:30 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-12-17 15:41 - 2012-12-17 15:41 - 00000000 ____D C:\Windows\System32\appmgmt
2012-12-10 15:47 - 2012-12-10 15:47 - 00274920 ____A C:\Windows\Minidump\121012-24351-01.dmp
2012-12-08 19:30 - 2012-12-17 15:41 - 00000000 ____D C:\Firefox
2012-12-08 19:19 - 2012-12-08 19:19 - 00000000 ____D C:\Users\All Users\Ask
2012-12-08 19:19 - 2012-09-24 20:16 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-12-08 19:19 - 2012-09-24 20:08 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-12-08 19:19 - 2012-09-24 20:07 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-12-08 19:18 - 2012-12-08 19:19 - 00004090 ____A C:\Windows\SysWOW64\jupdate-1.7.0_09-b05.log
2012-12-08 19:17 - 2012-12-08 19:17 - 00000000 ____D C:\Users\All Users\McAfee
2012-12-02 15:41 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-11-25 09:02 - 2012-11-25 09:02 - 00000000 ____D C:\Users\Admin\AppData\Roaming\com.ninjakiwi.BloonsTD5Deluxe
2012-11-25 09:01 - 2012-11-25 09:01 - 00001145 ____A C:\Users\Public\Desktop\Bloons TD 5 Deluxe.lnk
2012-11-25 09:01 - 2012-11-25 09:01 - 00000000 ____D C:\Program Files (x86)\Bloons TD 5 Deluxe
2012-11-25 09:00 - 2012-11-25 09:00 - 00000093 ____A C:\Users\Admin\Desktop\serial.txt


==================== One Month Modified Files and Folders =======

2012-12-17 22:14 - 2012-12-17 22:14 - 00000000 ____D C:\FRST
2012-12-17 20:30 - 2012-12-17 20:30 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-12-17 17:52 - 2012-08-31 18:55 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-12-17 17:51 - 2009-07-13 20:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-17 17:51 - 2009-07-13 20:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-17 17:48 - 2009-07-13 21:13 - 00729688 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-17 17:43 - 2012-09-02 12:05 - 00060655 ____A C:\Windows\System32\oodbs.lor
2012-12-17 17:43 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-17 17:43 - 2009-07-13 20:51 - 00018350 ____A C:\Windows\setupact.log
2012-12-17 16:13 - 2012-09-10 16:51 - 00000000 ____D C:\Program Files (x86)\Google
2012-12-17 16:02 - 2012-08-31 21:00 - 01554717 ____A C:\Windows\WindowsUpdate.log
2012-12-17 15:48 - 2012-09-10 16:51 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Real
2012-12-17 15:47 - 2012-09-10 16:53 - 00000000 ____D C:\Program Files\Google
2012-12-17 15:47 - 2012-08-31 20:46 - 00011484 ____A C:\Windows\PFRO.log
2012-12-17 15:46 - 2012-11-07 18:52 - 00000000 ____D C:\Users\Admin\AppData\Local\Conduit
2012-12-17 15:43 - 2012-09-10 16:52 - 00000000 ____D C:\Program Files (x86)\Real
2012-12-17 15:43 - 2012-09-10 16:50 - 00000000 ____D C:\Users\All Users\Real
2012-12-17 15:41 - 2012-12-17 15:41 - 00000000 ____D C:\Windows\System32\appmgmt
2012-12-17 15:41 - 2012-12-08 19:30 - 00000000 ____D C:\Firefox
2012-12-17 15:41 - 2012-09-10 16:51 - 00000000 ____D C:\Users\Admin\AppData\Local\Google
2012-12-17 15:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2012-12-17 15:26 - 2012-08-31 18:39 - 00000000 ____D C:\Users\Admin\AppData\Roaming\.minecraft
2012-12-17 12:46 - 2012-08-31 18:08 - 00000000 ____D C:\users\Admin
2012-12-12 07:53 - 2012-08-31 18:55 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-12-12 07:53 - 2012-08-31 18:55 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-12-10 15:47 - 2012-12-10 15:47 - 00274920 ____A C:\Windows\Minidump\121012-24351-01.dmp
2012-12-10 15:47 - 2012-10-30 14:31 - 00000000 ____D C:\Windows\Minidump
2012-12-09 17:00 - 2012-10-28 09:49 - 00000000 ____D C:\Users\Admin\AppData\Roaming\.spoutshaftersquared
2012-12-08 19:19 - 2012-12-08 19:19 - 00000000 ____D C:\Users\All Users\Ask
2012-12-08 19:19 - 2012-12-08 19:18 - 00004090 ____A C:\Windows\SysWOW64\jupdate-1.7.0_09-b05.log
2012-12-08 19:19 - 2012-08-31 18:39 - 00000000 ____D C:\Program Files (x86)\Java
2012-12-08 19:17 - 2012-12-08 19:17 - 00000000 ____D C:\Users\All Users\McAfee
2012-12-08 19:09 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2012-11-25 09:02 - 2012-11-25 09:02 - 00000000 ____D C:\Users\Admin\AppData\Roaming\com.ninjakiwi.BloonsTD5Deluxe
2012-11-25 09:01 - 2012-11-25 09:01 - 00001145 ____A C:\Users\Public\Desktop\Bloons TD 5 Deluxe.lnk
2012-11-25 09:01 - 2012-11-25 09:01 - 00000000 ____D C:\Program Files (x86)\Bloons TD 5 Deluxe
2012-11-25 09:00 - 2012-11-25 09:00 - 00000093 ____A C:\Users\Admin\Desktop\serial.txt

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-16 18:03:59

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4095.24 MB
Available physical RAM: 3517 MB
Total Pagefile: 4093.39 MB
Available Pagefile: 3516.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

2 Drive c: () (Fixed) (Total:465.75 GB) (Free:12.89 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive d: (GRMCULXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
4 Drive e: (BOOTABLE) (Removable) (Total:0.48 GB) (Free:0.05 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 9 MB
Disk 1 Online 493 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 465 GB 31 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 465 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 493 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E BOOTABLE FAT Removable 493 MB Healthy

=========================================================

Last Boot: 2012-12-15 14:01

==================== End Of Log =============================

Edited by Santaclaw, 17 December 2012 - 10:45 PM.
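One way a responder could automate the first read of an FRST log like the one posted above, as an added example that is neither FRST's code nor anything from the thread (the expected-directory table and the log excerpt are assumptions constructed from the posted log): it flags core Windows binaries stored outside their home directory, which is what C:\Windows\svchost.exe is here, and collects FRST's own ATTENTION markers, including the TDL4 line.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log text.
Added example, not FRST's own code: it reads the plain-text log format posted
above and flags a core Windows binary living outside its expected directory
plus the ATTENTION markers FRST emits for partition/boot infections."""
import re
from typing import Dict, List, Optional

# Assumed home directories (lower-cased) for core binaries on Windows 7 x64.
# A file with one of these names anywhere else deserves a second look, even
# when its version resource carries a genuine vendor name.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "winlogon.exe": {r"c:\windows\system32"},
    "userinit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# One "Created/Modified Files and Folders" line has the shape
#   <created> - <modified> - <size> <attrs> [(<company>)] <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>\S.*)$"
)


def parse_file_lines(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per file/folder line; every other line is skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def misplaced_system_binaries(entries: List[Dict[str, Optional[str]]]) -> List[Dict[str, str]]:
    """Files named like core binaries but stored outside their home directory."""
    findings = []
    for e in entries:
        if e["attrs"].endswith("D"):  # directory entry, not a file
            continue
        folder, _, name = e["path"].lower().rpartition("\\")
        allowed = EXPECTED_DIRS.get(name)
        if allowed and folder not in allowed:
            # Created long after it was last modified is what a copied
            # original looks like: the copy keeps the source file's mtime.
            findings.append({
                "path": e["path"],
                "created": e["created"],
                "modified": e["modified"],
                "company": e["company"] or "",
                "note": "core binary outside its expected directory",
            })
    return findings


def attention_markers(text: str) -> List[str]:
    """FRST's own ATTENTION lines, minus the version-age nag. A marker that
    ends in ':' names its file on the next line, so that line is appended."""
    lines = text.splitlines()
    out = []
    for i, line in enumerate(lines):
        if "ATTENTION" in line and "version is" not in line:
            marker = line.strip()
            if marker.endswith(":") and i + 1 < len(lines):
                marker += " " + lines[i + 1].strip()
            out.append(marker)
    return out


def triage(text: str) -> Dict[str, list]:
    """Run both checks over one log; empty lists mean nothing was found."""
    return {
        "misplaced": misplaced_system_binaries(parse_file_lines(text)),
        "attention": attention_markers(text),
    }


# Constructed excerpt of the log posted above (a handful of lines only).
SAMPLE_LOG = """\
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-12-2012 (ATTENTION: FRST version is 6 days old)
2012-12-08 19:19 - 2012-09-24 20:07 - 00174056 ____A (Oracle Corporation) C:\\Windows\\SysWOW64\\java.exe
2012-12-02 15:41 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\\Windows\\svchost.exe
2012-12-17 15:41 - 2012-12-17 15:41 - 00000000 ____D C:\\Windows\\System32\\appmgmt

ATTENTION: ========> Check for possible partition/boot infection:
C:\\Windows\\svchost.exe

C:\\Windows\\System32\\svchost.exe => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!
"""

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section, hits)
```

The "MD5 is legit" line for the System32 copy is deliberately not flagged; the finding is the second svchost.exe sitting one directory up, which is exactly the path FRST names under its partition/boot warning.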



#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • Location:Canada

Posted 17 December 2012 - 11:08 PM

Please make sure you do all the steps in the order they are written.

  • Please download Listparts64 and save it to your flash drive.
  • Download [attachment=133325:fix.txt]
    Save it to your flash drive.
  • Please download [attachment=133326:FixList.txt]
    Save it to your flash drive.
  • Boot to System Recovery Options and select "Command Prompt".

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it later in your reply. You may close the tool.
  • While still in the recovery environment run ListParts by typing e:\listparts64 in the command prompt and pressing Enter.
    Click Fix. Close the pop up after the fix is done.
  • Please restart, let it boot normally, and post the Fixlog.txt.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 boopme

    To Insanity and Beyond

  • Global Moderator
  • Location:NJ USA

Posted 17 December 2012 - 11:14 PM

Hello. Just letting you know I moved this to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.

#5 Santaclaw
  • Topic Starter
  • Members

Posted 18 December 2012 - 12:06 AM

Sorry for posting in the wrong area..

Thanks for the prompt reply!

Here's an update. I've done everything per your instructions, and the PC boots now, until it gets to about the point where the welcome screen/password appears; then the PC shuts down. Tried a few times and get the same result. I did another scan and here is the log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-12-2012 (ATTENTION: FRST version is 6 days old)
Ran by SYSTEM at 17-12-2012 23:57:22
Running from E:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [OODefragTray] C:\Program Files\OO Software\Defrag\oodtray.exe [3998064 2012-06-06] (O&O Software GmbH)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641704 2012-07-03] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml [20992 2012-03-19] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ===================

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 OODefragAgent; "C:\Program Files\OO Software\Defrag\oodag.exe" [3293552 2012-06-06] (O&O Software GmbH)
2 STacSV; C:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV64.exe [239104 2009-06-11] (IDT, Inc.)

==================== Drivers (Whitelisted) =====================

0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [203888 2012-03-20] (Microsoft Corporation)
3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [98688 2012-03-20] (Microsoft Corporation)
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-12-17 20:30 - 2012-12-17 20:30 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-12-17 15:41 - 2012-12-17 15:41 - 00000000 ____D C:\Windows\System32\appmgmt
2012-12-10 15:47 - 2012-12-10 15:47 - 00274920 ____A C:\Windows\Minidump\121012-24351-01.dmp
2012-12-08 19:30 - 2012-12-17 15:41 - 00000000 ____D C:\Firefox
2012-12-08 19:19 - 2012-12-08 19:19 - 00000000 ____D C:\Users\All Users\Ask
2012-12-08 19:19 - 2012-09-24 20:16 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-12-08 19:19 - 2012-09-24 20:08 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-12-08 19:19 - 2012-09-24 20:07 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-12-08 19:18 - 2012-12-08 19:19 - 00004090 ____A C:\Windows\SysWOW64\jupdate-1.7.0_09-b05.log
2012-12-08 19:17 - 2012-12-08 19:17 - 00000000 ____D C:\Users\All Users\McAfee
2012-11-25 09:02 - 2012-11-25 09:02 - 00000000 ____D C:\Users\Admin\AppData\Roaming\com.ninjakiwi.BloonsTD5Deluxe
2012-11-25 09:01 - 2012-11-25 09:01 - 00001145 ____A C:\Users\Public\Desktop\Bloons TD 5 Deluxe.lnk
2012-11-25 09:01 - 2012-11-25 09:01 - 00000000 ____D C:\Program Files (x86)\Bloons TD 5 Deluxe
2012-11-25 09:00 - 2012-11-25 09:00 - 00000093 ____A C:\Users\Admin\Desktop\serial.txt


==================== One Month Modified Files and Folders =======

2012-12-17 22:14 - 2012-12-17 22:14 - 00000000 ____D C:\FRST
2012-12-17 20:30 - 2012-12-17 20:30 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-12-17 17:52 - 2012-08-31 18:55 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-12-17 17:51 - 2009-07-13 20:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-17 17:51 - 2009-07-13 20:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-17 17:48 - 2009-07-13 21:13 - 00729688 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-17 17:43 - 2012-09-02 12:05 - 00060655 ____A C:\Windows\System32\oodbs.lor
2012-12-17 17:43 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-17 17:43 - 2009-07-13 20:51 - 00018350 ____A C:\Windows\setupact.log
2012-12-17 16:13 - 2012-09-10 16:51 - 00000000 ____D C:\Program Files (x86)\Google
2012-12-17 16:02 - 2012-08-31 21:00 - 01554717 ____A C:\Windows\WindowsUpdate.log
2012-12-17 15:48 - 2012-09-10 16:51 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Real
2012-12-17 15:47 - 2012-09-10 16:53 - 00000000 ____D C:\Program Files\Google
2012-12-17 15:47 - 2012-08-31 20:46 - 00011484 ____A C:\Windows\PFRO.log
2012-12-17 15:46 - 2012-11-07 18:52 - 00000000 ____D C:\Users\Admin\AppData\Local\Conduit
2012-12-17 15:43 - 2012-09-10 16:52 - 00000000 ____D C:\Program Files (x86)\Real
2012-12-17 15:43 - 2012-09-10 16:50 - 00000000 ____D C:\Users\All Users\Real
2012-12-17 15:41 - 2012-12-17 15:41 - 00000000 ____D C:\Windows\System32\appmgmt
2012-12-17 15:41 - 2012-12-08 19:30 - 00000000 ____D C:\Firefox
2012-12-17 15:41 - 2012-09-10 16:51 - 00000000 ____D C:\Users\Admin\AppData\Local\Google
2012-12-17 15:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2012-12-17 15:26 - 2012-08-31 18:39 - 00000000 ____D C:\Users\Admin\AppData\Roaming\.minecraft
2012-12-17 12:46 - 2012-08-31 18:08 - 00000000 ____D C:\users\Admin
2012-12-12 07:53 - 2012-08-31 18:55 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-12-12 07:53 - 2012-08-31 18:55 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-12-10 15:47 - 2012-12-10 15:47 - 00274920 ____A C:\Windows\Minidump\121012-24351-01.dmp
2012-12-10 15:47 - 2012-10-30 14:31 - 00000000 ____D C:\Windows\Minidump
2012-12-09 17:00 - 2012-10-28 09:49 - 00000000 ____D C:\Users\Admin\AppData\Roaming\.spoutshaftersquared
2012-12-08 19:19 - 2012-12-08 19:19 - 00000000 ____D C:\Users\All Users\Ask
2012-12-08 19:19 - 2012-12-08 19:18 - 00004090 ____A C:\Windows\SysWOW64\jupdate-1.7.0_09-b05.log
2012-12-08 19:19 - 2012-08-31 18:39 - 00000000 ____D C:\Program Files (x86)\Java
2012-12-08 19:17 - 2012-12-08 19:17 - 00000000 ____D C:\Users\All Users\McAfee
2012-12-08 19:09 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2012-11-25 09:02 - 2012-11-25 09:02 - 00000000 ____D C:\Users\Admin\AppData\Roaming\com.ninjakiwi.BloonsTD5Deluxe
2012-11-25 09:01 - 2012-11-25 09:01 - 00001145 ____A C:\Users\Public\Desktop\Bloons TD 5 Deluxe.lnk
2012-11-25 09:01 - 2012-11-25 09:01 - 00000000 ____D C:\Program Files (x86)\Bloons TD 5 Deluxe
2012-11-25 09:00 - 2012-11-25 09:00 - 00000093 ____A C:\Users\Admin\Desktop\serial.txt

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-16 18:03:59

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4095.24 MB
Available physical RAM: 3507.64 MB
Total Pagefile: 4093.39 MB
Available Pagefile: 3511.4 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

2 Drive c: () (Fixed) (Total:465.75 GB) (Free:12.89 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive d: (GRMCULXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
4 Drive e: (BOOTABLE) (Removable) (Total:0.48 GB) (Free:0.05 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 9 MB
Disk 1 Online 493 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 465 GB 31 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 465 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 493 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E BOOTABLE FAT Removable 493 MB Healthy

=========================================================

Last Boot: 2012-12-15 14:01

==================== End Of Log =============================

#6 Santaclaw
  • Topic Starter
  • Members

Posted 18 December 2012 - 12:06 AM

Seems to be double posting. Anyway, I'll use this one to post the fix result:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-12-2012
Ran by SYSTEM at 2012-12-17 23:56:18 Run:1
Running from E:\

==============================================

C:\Windows\svchost.exe moved successfully.

The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

Edited by Santaclaw, 18 December 2012 - 12:10 AM.


#7 Santaclaw
  • Topic Starter
  • Members

Posted 18 December 2012 - 07:06 AM

Morning Update

After some sleep, I decided to try booting into safe mode, which it did. Removed the current display driver and used the default MS one instead. Also did an sfc /scannow with no problems to report. Rebooted the PC and it did not crash. I am now running an antivirus and will report the outcome.

Thanks again for your help. I still have a few strands of hair left on my head thanks to CatByte, this forum, and FRST.

Another Update -

Scan did not show a virus this time; one hurdle down. I am however experiencing an issue with IE: it does not want to load any pages, just a white screen that hangs. I've tried the IE reset to defaults and that did not help. The HOSTS file is there and appears intact.

Hopefully Final Update -

I decided to run IE in safe mode/no add-ons and it loaded pages just fine. So I uninstalled a few add-ons like Flash, Java, Silverlight, etc. and it loaded fine normally.

Once again, thanks for the help!

Edited by Santaclaw, 18 December 2012 - 08:10 AM.


#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • Location:Canada

Posted 18 December 2012 - 10:44 AM

I'd like to run a couple more scans, just to make sure there are no leftovers. Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#9 Santaclaw
  • Topic Starter
  • Members

Posted 18 December 2012 - 11:28 AM

Is there another anti-Virus program you would suggest over MSE?

Here's what ComboFix had to say:

ComboFix 12-12-17.02 - Admin 12/18/2012 11:10:51.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4095.3213 [GMT -5:00]
Running from: c:\users\Admin\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Admin\Documents\ShopToWin
.
.
((((((((((((((((((((((((( Files Created from 2012-11-18 to 2012-12-18 )))))))))))))))))))))))))))))))
.
.
2012-12-18 16:14 . 2012-12-18 16:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-18 13:03 . 2012-12-18 13:03 -------- d-----w- c:\programdata\ATI
2012-12-18 13:03 . 2012-12-18 13:03 -------- d-----w- c:\program files (x86)\AMD AVT
2012-12-18 13:03 . 2012-12-18 13:03 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-12-18 13:03 . 2012-12-18 13:03 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2012-12-18 13:02 . 2012-12-18 13:02 -------- d-----w- c:\windows\LastGood
2012-12-18 13:01 . 2012-12-18 13:01 -------- d-----w- c:\program files\ATI
2012-12-18 13:01 . 2012-12-18 13:03 -------- d-----w- c:\program files\ATI Technologies
2012-12-18 13:00 . 2012-12-18 13:00 -------- d-----w- C:\AMD
2012-12-18 12:59 . 2012-12-18 12:59 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-18 12:59 . 2012-12-18 12:59 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-12-18 12:57 . 2012-12-18 12:57 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{11BA8749-D2D5-44EC-9008-3190FD3DE27B}\offreg.dll
2012-12-18 06:14 . 2012-12-18 06:14 -------- d-----w- C:\FRST
2012-12-18 04:30 . 2012-12-18 04:30 -------- d-----w- c:\windows\Microsoft Antimalware
2012-12-18 02:07 . 2012-12-18 02:12 -------- d-----w- C:\bd_logs
2012-12-17 23:41 . 2012-12-17 23:41 -------- d-----w- c:\windows\system32\appmgmt
2012-12-17 20:57 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{11BA8749-D2D5-44EC-9008-3190FD3DE27B}\mpengine.dll
2012-12-16 09:06 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-09 03:30 . 2012-12-17 23:41 -------- d-----w- C:\Firefox
2012-12-09 03:19 . 2012-12-09 03:19 -------- d-----w- c:\programdata\Ask
2012-12-09 03:17 . 2012-12-09 03:17 -------- d-----w- c:\programdata\McAfee
2012-11-28 04:56 . 2012-11-28 04:56 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BED7F6FF-B2C0-4FFA-8C47-B85878A5131D}\gapaengine.dll
2012-11-28 04:56 . 2012-09-02 15:18 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-11-25 17:02 . 2012-11-25 17:02 -------- d-----w- c:\users\Admin\AppData\Roaming\com.ninjakiwi.BloonsTD5Deluxe
2012-11-25 17:01 . 2012-11-25 17:01 -------- d-----w- c:\program files (x86)\Bloons TD 5 Deluxe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-25 04:16 . 2012-09-01 02:39 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-09-25 04:16 . 2012-09-01 02:39 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-07-04 641704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-07-04 238080]
S2 OODefragAgent;O&O Defrag;c:\program files\OO Software\Defrag\oodag.exe [2012-06-06 3293552]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-18 12:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
"OODefragTray"="c:\program files\OO Software\Defrag\oodtray.exe" [2012-06-06 3998064]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{3BBD3C14-4C16-4989-8366-95BC9179779D} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{3BBD3C14-4C16-4989-8366-95BC9179779D}"=hex:51,66,7a,6c,4c,1d,38,12,7a,3f,ae,
3f,24,02,e7,0c,fc,70,d6,fc,94,27,33,89
"{1631550F-191D-4826-B069-D9439253D926}"=hex:51,66,7a,6c,4c,1d,38,12,61,56,22,
12,2f,57,48,0d,cf,7f,9a,03,97,0d,9d,32
"{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,
34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de
"{3E7C8B5A-96AB-438F-BF9B-782400655440}"=hex:51,66,7a,6c,4c,1d,38,12,34,88,6f,
3a,99,d8,e1,06,c0,8d,3b,64,05,3b,10,54
"{5ABD6C72-FFD7-B634-A92B-D77D5960E009}"=hex:51,66,7a,6c,4c,1d,38,12,1c,6f,ae,
5e,e5,b1,5a,f3,d6,3d,94,3d,5c,3e,a4,1d
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{E5C66DD8-308B-4A4F-AF0A-3D04F25B5343}"=hex:51,66,7a,6c,4c,1d,38,12,b6,6e,d5,
e1,b9,7e,21,0f,d0,1c,7e,44,f7,05,17,57
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:74,e4,d7,fa,1f,d1,cd,01
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-12-18 11:15:36
ComboFix-quarantined-files.txt 2012-12-18 16:15
.
Pre-Run: 14,872,555,520 bytes free
Post-Run: 14,493,511,680 bytes free
.
- - End Of File - - 94CD4BAF3D3E7E99985BA8C2DDF4AF10

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 December 2012 - 11:39 AM

Looks better.

MSE is an excellent antivirus; it's what I use myself. Unfortunately, no AV can catch everything. I use the pro version of Malwarebytes to complement MSE.

Avira and Avast are both really good free antivirus products as well. If I was going to pay for an AV, then I'd look at ESET or Kaspersky.

But whatever you choose, only use one at a time.

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


Please download Malwarebytes Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Edited by CatByte, 18 December 2012 - 11:40 AM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 30 December 2012 - 07:57 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




