

FBI Moneypak


  • This topic is locked
36 replies to this topic

#1 Maleficus04

Maleficus04

  • Members
  • 19 posts

Posted 14 January 2013 - 05:15 PM

Hey, I'm new here (in the sense that I just now made an account), but I've used this site's solutions to fix problems before and, hopefully, this time won't be any different.

I just acquired this virus, today, and I've followed your (bloopie) instructions up to the point of using command prompt to run FRST64. I see you said the next step would be to compose a text file which would be used to help resolve the issue. I believe that after I used "scan" it told me that it created a text file in the same location as the FRST application, which would be on my flash drive. I'm just not sure what to do at this point. How would I go about using said text file to unlock my screen and get into Windows where I could run my cleaners?


#2 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 14 January 2013 - 05:47 PM

Hello Maleficus04! and welcome to Bleeping Computer! :thumbsup:

I will take your topic, but the logfile you have can't be posted in this forum, so I'm going to split your post into your own topic in the MRL forum. Give me a few minutes...I get off of work in a few and will PM you when the new topic is ready.

bloopie

#3 Maleficus04

Maleficus04
  • Topic Starter

  • Members
  • 19 posts

Posted 14 January 2013 - 05:53 PM

No problem. Just happy to get such a fast response. :P

#4 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 14 January 2013 - 06:00 PM

Okay, please now copy and paste the FRST.txt that is on your flashdrive into your next reply. :)

bloopie

#5 Maleficus04

Maleficus04
  • Topic Starter

  • Members
  • 19 posts

Posted 14 January 2013 - 06:09 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-01-2013
Ran by SYSTEM at 14-01-2013 17:01:54
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1744152 2011-10-07] (Logitech, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry [x]
HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-09-07] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [642728 2012-09-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)
HKU\Jason\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3671904 2012-08-28] (DT Soft Ltd)
HKU\Jason\...\Run: [Dxtory Update Checker 2.0] C:\Program Files (x86)\Dxtory Software\Dxtory2.0\UpdateChecker.exe [93696 2010-10-17] (Dxtory Software)
HKU\Jason\...\Policies\system: [DisableTaskMgr] 1
HKU\Justin\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKU\Justin\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3671904 2012-08-28] (DT Soft Ltd)
HKU\Justin\...\Run: [Dxtory Update Checker 2.0] C:\Program Files (x86)\Dxtory Software\Dxtory2.0\UpdateChecker.exe [93696 2010-10-17] (Dxtory Software)
HKU\Justin\...\Run: [rlqvaknd] C:\Users\Justin\AppData\Roaming\unzhaza [x]
HKLM\...\Winlogon: [Shell] explorer.exe, C:\ProgramData\unzhaza [x ] ()
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Tcpip\Parameters: [DhcpNameServer] 24.178.162.3 66.189.0.100 24.217.201.67

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-07-11] (SUPERAntiSpyware.com)
2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [86224 2012-09-07] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [110032 2012-09-07] (Avira Operations GmbH & Co. KG)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-11-04] ()
2 PnkBstrB; C:\Windows\SysWow64\PnkBstrB.exe [189248 2012-11-04] ()

==================== Drivers (Whitelisted) =====================

2 avgntflt; C:\Windows\System32\Drivers\avgntflt.sys [98848 2012-09-07] (Avira GmbH)
1 avipbb; C:\Windows\System32\Drivers\avipbb.sys [132832 2012-09-07] (Avira GmbH)
1 avkmgr; C:\Windows\System32\Drivers\avkmgr.sys [27760 2012-09-07] (Avira GmbH)
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-09-10] (DT Soft Ltd)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 WinRing0_1_2_0; \??\C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [14544 2010-11-01] (OpenLibSys.org)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-01-14 17:01 - 2013-01-14 17:01 - 00000000 ____D C:\FRST
2013-01-14 12:40 - 2013-01-14 13:31 - 00114688 ____A (Juvarif) C:\Users\Justin\AppData\Roaming\unzhaza.exe
2013-01-14 12:40 - 2013-01-14 13:31 - 00114688 ____A (Juvarif) C:\Users\Justin\AppData\Local\unzhaza.exe
2013-01-14 12:36 - 2013-01-14 12:42 - 00114688 ____A (Juvarif) C:\Users\Jason\AppData\Roaming\unzhaza.exe
2013-01-14 12:34 - 2013-01-14 13:21 - 00114688 ____A (Juvarif) C:\Users\All Users\unzhaza.exe
2013-01-14 12:34 - 2013-01-14 12:42 - 00114688 ____A (Juvarif) C:\Users\Jason\AppData\Local\unzhaza.exe
2013-01-12 02:06 - 2013-01-12 02:06 - 00000000 ____D C:\Users\All Users\Creative Labs
2013-01-11 21:23 - 2006-12-08 09:02 - 00251672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_5.dll
2013-01-11 21:23 - 2006-12-08 09:00 - 00390424 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_5.dll
2013-01-11 21:23 - 2006-11-29 10:06 - 04398360 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_32.dll
2013-01-11 21:23 - 2006-11-29 10:06 - 03426072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_32.dll
2013-01-11 21:23 - 2006-09-28 13:05 - 03977496 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_31.dll
2013-01-11 21:23 - 2006-09-28 13:05 - 02414360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_31.dll
2013-01-11 21:23 - 2006-09-28 13:05 - 00237848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_4.dll
2013-01-11 21:23 - 2006-09-28 13:04 - 00364824 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_4.dll
2013-01-11 21:23 - 2006-07-28 06:31 - 00083736 ____A (Microsoft Corporation) C:\Windows\System32\xinput1_2.dll
2013-01-11 21:23 - 2006-07-28 06:30 - 00363288 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_3.dll
2013-01-11 21:23 - 2006-07-28 06:30 - 00236824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_3.dll
2013-01-11 21:23 - 2006-07-28 06:30 - 00062744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_2.dll
2013-01-11 21:23 - 2006-05-31 04:24 - 00230168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_2.dll
2013-01-11 21:23 - 2006-05-31 04:22 - 00354072 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_2.dll
2013-01-11 21:23 - 2006-03-31 09:41 - 03927248 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_30.dll
2013-01-11 21:23 - 2006-03-31 09:40 - 02388176 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_30.dll
2013-01-11 21:23 - 2006-03-31 09:40 - 00352464 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_1.dll
2013-01-11 21:23 - 2006-03-31 09:39 - 00229584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_1.dll
2013-01-11 21:23 - 2006-03-31 09:39 - 00083664 ____A (Microsoft Corporation) C:\Windows\System32\xinput1_1.dll
2013-01-11 21:23 - 2006-03-31 09:39 - 00062672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_1.dll
2013-01-11 21:23 - 2006-02-03 05:43 - 03830992 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_29.dll
2013-01-11 21:23 - 2006-02-03 05:43 - 02332368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_29.dll
2013-01-11 21:23 - 2006-02-03 05:42 - 00355536 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_0.dll
2013-01-11 21:23 - 2006-02-03 05:42 - 00230096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_0.dll
2013-01-11 21:23 - 2006-02-03 05:41 - 00016592 ____A (Microsoft Corporation) C:\Windows\System32\x3daudio1_0.dll
2013-01-11 21:23 - 2006-02-03 05:41 - 00014032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\x3daudio1_0.dll
2013-01-11 21:23 - 2005-12-05 15:09 - 03815120 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_28.dll
2013-01-11 21:23 - 2005-12-05 15:09 - 02323664 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_28.dll
2013-01-11 21:23 - 2005-07-22 16:59 - 03807440 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_27.dll
2013-01-11 21:23 - 2005-07-22 16:59 - 02319568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_27.dll
2013-01-11 21:23 - 2005-05-26 12:34 - 03767504 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_26.dll
2013-01-11 21:23 - 2005-05-26 12:34 - 02297552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_26.dll
2013-01-11 21:23 - 2005-03-18 14:19 - 03823312 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_25.dll
2013-01-11 21:23 - 2005-03-18 14:19 - 02337488 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_25.dll
2013-01-11 21:23 - 2005-02-05 16:45 - 03544272 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_24.dll
2013-01-11 21:23 - 2005-02-05 16:45 - 02222800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_24.dll
2013-01-11 21:22 - 2013-01-12 01:37 - 00000000 ____D C:\Program Files (x86)\TERA
2013-01-11 21:22 - 2013-01-11 21:23 - 00142616 ____A C:\Windows\DirectX.log
2013-01-11 21:22 - 2013-01-11 21:23 - 00000000 ____D C:\Users\Jason\AppData\Local\TERA
2013-01-11 21:22 - 2013-01-11 21:22 - 00001662 ____A C:\Users\Public\Desktop\TERA-Launcher.lnk
2013-01-11 17:24 - 2013-01-11 18:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-01-10 14:36 - 2013-01-10 14:36 - 00003891 ____A C:\Users\Justin\Desktop\Robert Tureman.htm
2013-01-10 14:36 - 2013-01-10 14:36 - 00000000 ____D C:\Users\Justin\Desktop\Robert Tureman_files
2013-01-10 14:35 - 2013-01-10 14:35 - 00041724 ____A C:\Users\Justin\Desktop\Paul D. Camp Community College _ Franklin, Suffolk, Smithfield.htm
2013-01-10 14:35 - 2013-01-10 14:35 - 00000000 ____D C:\Users\Justin\Desktop\Paul D. Camp Community College _ Franklin, Suffolk, Smithfield_files
2013-01-07 15:04 - 2013-01-14 12:40 - 00000356 ____A C:\Windows\Tasks\AmiUpdXp.job
2013-01-07 15:04 - 2013-01-07 16:31 - 00000000 ____D C:\Program Files (x86)\SweetIM
2013-01-07 15:04 - 2013-01-07 15:04 - 00000000 ____D C:\Users\Jason\AppData\Local\SwvUpdater
2013-01-03 21:58 - 2013-01-03 21:58 - 00001720 ____A C:\Users\Public\Desktop\Play League of Legends.lnk
2013-01-03 21:58 - 2008-07-31 07:41 - 00068616 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_1.dll
2013-01-03 21:58 - 2008-07-31 07:40 - 00509448 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_2.dll
2013-01-03 21:58 - 2008-07-12 05:18 - 03851784 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_39.dll
2013-01-03 21:58 - 2008-07-12 05:18 - 01493528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_39.dll
2013-01-03 21:58 - 2008-07-12 05:18 - 00467984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_39.dll
2013-01-03 21:53 - 2013-01-03 21:53 - 00000000 ____D C:\Riot Games
2013-01-03 21:15 - 2013-01-03 21:52 - 00000000 ____D C:\League of Legends
2013-01-03 21:13 - 2013-01-03 21:13 - 00000000 ____D C:\Program Files (x86)\Pando Networks
2013-01-03 21:12 - 2013-01-03 21:12 - 00000000 ____D C:\Users\Jason\.swt
2013-01-01 07:53 - 2013-01-14 12:42 - 00007876 ____A C:\Windows\PFRO.log
2012-12-31 18:22 - 2012-12-31 18:22 - 00000000 ____D C:\Users\Justin\AppData\Local\Adobe
2012-12-29 10:54 - 2012-12-29 10:54 - 00013248 ____A C:\Users\Jason\Documents\[121228][PoRO]?? Re-born?~??????????~????????.avi.torrent
2012-12-29 10:53 - 2012-12-29 10:53 - 00013651 ____A C:\Users\Jason\Documents\[121228][Collaboration Works]?????KISS? ~???????????!?????????????~.avi.torrent
2012-12-28 01:29 - 2013-01-14 13:20 - 00002240 ____A C:\Windows\setupact.log
2012-12-28 01:29 - 2012-12-28 01:29 - 00000000 ____A C:\Windows\setuperr.log
2012-12-25 02:13 - 2012-12-25 02:13 - 00000317 ____A C:\Users\Jason\Desktop\toggle script.txt
2012-12-23 23:31 - 2012-12-23 23:31 - 00000000 ____D C:\Users\Jason\AppData\Local\Oblivion
2012-12-22 00:27 - 2012-12-22 00:27 - 00000916 ____A C:\Users\Jason\Desktop\MGEgui.lnk
2012-12-21 23:53 - 2012-12-21 23:53 - 00001044 ____A C:\Users\Jason\Desktop\TES Construction Set.lnk
2012-12-21 23:52 - 2012-12-21 23:52 - 00000623 ____A C:\Users\Jason\Desktop\Morrowind Enhanced.lnk
2012-12-21 22:52 - 2012-12-21 22:53 - 00000616 ____A C:\Users\Jason\Desktop\1hand spear script.txt
2012-12-21 20:10 - 2012-12-21 20:10 - 00000000 ____D C:\Users\Jason\AppData\Local\Morrowind
2012-12-21 19:54 - 2012-12-25 02:36 - 00000000 ____D C:\Morrowind
2012-12-16 17:31 - 2012-12-16 17:31 - 00000000 ____D C:\Program Files (x86)\Microsoft WSE
2012-12-15 01:52 - 2012-12-15 00:51 - 00838183 ____A C:\Users\Jason\Desktop\BL2 Editor.exe
2012-12-15 01:52 - 2012-12-15 00:51 - 00727581 ____A (CheatHappens) C:\Users\Jason\Desktop\BL2 Trainer.exe

==================== One Month Modified Files and Folders =======

2013-01-14 17:01 - 2013-01-14 17:01 - 00000000 ____D C:\FRST
2013-01-14 13:31 - 2013-01-14 12:40 - 00114688 ____A (Juvarif) C:\Users\Justin\AppData\Roaming\unzhaza.exe
2013-01-14 13:31 - 2013-01-14 12:40 - 00114688 ____A (Juvarif) C:\Users\Justin\AppData\Local\unzhaza.exe
2013-01-14 13:21 - 2013-01-14 12:34 - 00114688 ____A (Juvarif) C:\Users\All Users\unzhaza.exe
2013-01-14 13:20 - 2012-12-28 01:29 - 00002240 ____A C:\Windows\setupact.log
2013-01-14 13:20 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-14 12:42 - 2013-01-14 12:36 - 00114688 ____A (Juvarif) C:\Users\Jason\AppData\Roaming\unzhaza.exe
2013-01-14 12:42 - 2013-01-14 12:34 - 00114688 ____A (Juvarif) C:\Users\Jason\AppData\Local\unzhaza.exe
2013-01-14 12:42 - 2013-01-01 07:53 - 00007876 ____A C:\Windows\PFRO.log
2013-01-14 12:40 - 2013-01-07 15:04 - 00000356 ____A C:\Windows\Tasks\AmiUpdXp.job
2013-01-14 12:40 - 2009-07-13 20:45 - 00021888 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-14 12:40 - 2009-07-13 20:45 - 00021888 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-14 12:37 - 2012-09-10 11:37 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-01-14 12:36 - 2012-09-10 21:34 - 00000000 ____D C:\Users\Jason\AppData\Roaming\uTorrent
2013-01-14 12:34 - 2012-09-10 19:56 - 00000000 ____D C:\Users\Jason\AppData\Roaming\vlc
2013-01-14 12:30 - 2012-09-28 21:21 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-14 06:50 - 2012-09-10 21:51 - 00000000 ____D C:\Users\Jason\Desktop\T
2013-01-14 00:53 - 2012-09-10 21:49 - 00000000 ____D C:\Program Files (x86)\The KMPlayer
2013-01-13 23:45 - 2012-10-27 11:37 - 00192744 ____A C:\Windows\WindowsUpdate.log
2013-01-13 23:00 - 2012-11-25 09:50 - 00000000 ____D C:\Users\Jason\AppData\Local\Adobe
2013-01-12 02:06 - 2013-01-12 02:06 - 00000000 ____D C:\Users\All Users\Creative Labs
2013-01-12 01:37 - 2013-01-11 21:22 - 00000000 ____D C:\Program Files (x86)\TERA
2013-01-11 21:23 - 2013-01-11 21:22 - 00142616 ____A C:\Windows\DirectX.log
2013-01-11 21:23 - 2013-01-11 21:22 - 00000000 ____D C:\Users\Jason\AppData\Local\TERA
2013-01-11 21:22 - 2013-01-11 21:22 - 00001662 ____A C:\Users\Public\Desktop\TERA-Launcher.lnk
2013-01-11 18:33 - 2013-01-11 17:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-01-11 14:19 - 2012-09-10 13:27 - 00000000 ____D C:\Program Files (x86)\Steam
2013-01-11 00:28 - 2012-10-06 00:38 - 00000000 ____D C:\Users\Jason\AppData\Roaming\dvdcss
2013-01-10 14:36 - 2013-01-10 14:36 - 00003891 ____A C:\Users\Justin\Desktop\Robert Tureman.htm
2013-01-10 14:36 - 2013-01-10 14:36 - 00000000 ____D C:\Users\Justin\Desktop\Robert Tureman_files
2013-01-10 14:35 - 2013-01-10 14:35 - 00041724 ____A C:\Users\Justin\Desktop\Paul D. Camp Community College _ Franklin, Suffolk, Smithfield.htm
2013-01-10 14:35 - 2013-01-10 14:35 - 00000000 ____D C:\Users\Justin\Desktop\Paul D. Camp Community College _ Franklin, Suffolk, Smithfield_files
2013-01-08 21:40 - 2012-09-10 19:53 - 00000000 ____D C:\Users\Jason\dwhelper
2013-01-08 13:30 - 2012-09-28 20:50 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-01-08 13:30 - 2012-09-28 20:50 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-01-07 16:31 - 2013-01-07 15:04 - 00000000 ____D C:\Program Files (x86)\SweetIM
2013-01-07 15:04 - 2013-01-07 15:04 - 00000000 ____D C:\Users\Jason\AppData\Local\SwvUpdater
2013-01-07 11:04 - 2012-09-10 22:54 - 00000000 ____D C:\Users\Jason\Documents\My Games
2013-01-07 11:04 - 2012-09-10 11:24 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-01-07 09:45 - 2012-09-10 11:45 - 00000000 ____D C:\Users\Jason\Desktop\Media
2013-01-03 21:58 - 2013-01-03 21:58 - 00001720 ____A C:\Users\Public\Desktop\Play League of Legends.lnk
2013-01-03 21:53 - 2013-01-03 21:53 - 00000000 ____D C:\Riot Games
2013-01-03 21:52 - 2013-01-03 21:15 - 00000000 ____D C:\League of Legends
2013-01-03 21:13 - 2013-01-03 21:13 - 00000000 ____D C:\Program Files (x86)\Pando Networks
2013-01-03 21:12 - 2013-01-03 21:12 - 00000000 ____D C:\Users\Jason\.swt
2013-01-03 21:12 - 2012-09-10 10:10 - 00000000 ____D C:\users\Jason
2013-01-01 07:59 - 2009-07-13 21:13 - 00881332 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-31 18:22 - 2012-12-31 18:22 - 00000000 ____D C:\Users\Justin\AppData\Local\Adobe
2012-12-31 18:22 - 2012-09-21 12:46 - 00000000 ____D C:\Users\Justin\AppData\Roaming\Adobe
2012-12-31 18:22 - 2012-09-21 12:40 - 00057560 ____A C:\Users\Justin\AppData\Local\GDIPFONTCACHEV1.DAT
2012-12-29 10:54 - 2012-12-29 10:54 - 00013248 ____A C:\Users\Jason\Documents\[121228][PoRO]?? Re-born?~??????????~????????.avi.torrent
2012-12-29 10:53 - 2012-12-29 10:53 - 00013651 ____A C:\Users\Jason\Documents\[121228][Collaboration Works]?????KISS? ~???????????!?????????????~.avi.torrent
2012-12-28 12:38 - 2012-09-10 21:49 - 00000000 ____D C:\Users\Jason\AppData\Roaming\DAEMON Tools Lite
2012-12-28 01:29 - 2012-12-28 01:29 - 00000000 ____A C:\Windows\setuperr.log
2012-12-27 07:42 - 2012-10-16 19:13 - 00000000 ____D C:\Users\Jason\AppData\Roaming\Ventrilo
2012-12-27 07:38 - 2012-09-12 20:09 - 00000000 ____D C:\Program Files\CCleaner
2012-12-25 02:36 - 2012-12-21 19:54 - 00000000 ____D C:\Morrowind
2012-12-25 02:13 - 2012-12-25 02:13 - 00000317 ____A C:\Users\Jason\Desktop\toggle script.txt
2012-12-24 00:20 - 2012-10-15 18:55 - 00000000 ____D C:\Program Files (x86)\Bethesda Softworks
2012-12-23 23:34 - 2012-09-10 13:39 - 00057560 ____A C:\Users\Jason\AppData\Local\GDIPFONTCACHEV1.DAT
2012-12-23 23:33 - 2009-07-13 20:45 - 04826928 ____A C:\Windows\System32\FNTCACHE.DAT
2012-12-23 23:31 - 2012-12-23 23:31 - 00000000 ____D C:\Users\Jason\AppData\Local\Oblivion
2012-12-23 14:31 - 2012-09-10 21:52 - 00000000 ____D C:\Users\Jason\Desktop\Random Text Stuff
2012-12-22 00:27 - 2012-12-22 00:27 - 00000916 ____A C:\Users\Jason\Desktop\MGEgui.lnk
2012-12-21 23:53 - 2012-12-21 23:53 - 00001044 ____A C:\Users\Jason\Desktop\TES Construction Set.lnk
2012-12-21 23:52 - 2012-12-21 23:52 - 00000623 ____A C:\Users\Jason\Desktop\Morrowind Enhanced.lnk
2012-12-21 22:53 - 2012-12-21 22:52 - 00000616 ____A C:\Users\Jason\Desktop\1hand spear script.txt
2012-12-21 20:10 - 2012-12-21 20:10 - 00000000 ____D C:\Users\Jason\AppData\Local\Morrowind
2012-12-21 20:08 - 2012-09-10 22:53 - 00000000 ____D C:\Users\Jason\AppData\Local\Skyrim
2012-12-21 20:08 - 2012-09-10 22:52 - 00000000 ____D C:\Program Files\Nexus Mod Manager
2012-12-19 10:44 - 2012-09-10 12:28 - 00000000 ____D C:\Program Files (x86)\Opera
2012-12-16 17:31 - 2012-12-16 17:31 - 00000000 ____D C:\Program Files (x86)\Microsoft WSE
2012-12-16 02:00 - 2012-09-10 21:35 - 00000000 ____D C:\Program Files (x86)\uTorrent
2012-12-15 11:01 - 2012-10-24 18:11 - 00000000 ____D C:\Program Files\PeerBlock
2012-12-15 00:51 - 2012-12-15 01:52 - 00838183 ____A C:\Users\Jason\Desktop\BL2 Editor.exe
2012-12-15 00:51 - 2012-12-15 01:52 - 00727581 ____A (CheatHappens) C:\Users\Jason\Desktop\BL2 Trainer.exe


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-11 21:22:37

==================== Memory info ===========================

Percentage of memory in use: 8%
Total physical RAM: 10237.55 MB
Available physical RAM: 9347.46 MB
Total Pagefile: 10235.75 MB
Available Pagefile: 9352.15 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:157.48 GB) NTFS
2 Drive e: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
3 Drive f: (Iomega_HDD) (Fixed) (Total:232.88 GB) (Free:17.28 GB) NTFS
4 Drive g: (USB DISK) (Removable) (Total:7.53 GB) (Free:6.16 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 232 GB 1024 KB
Disk 2 Online 7728 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 465 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 232 GB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F Iomega_HDD NTFS Partition 232 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7727 MB 31 KB

==================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G USB DISK FAT32 Removable 7727 MB Healthy

=========================================================

Last Boot: 2013-01-14 01:41

==================== End Of Log =============================

#6 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 14 January 2013 - 06:13 PM

Okay, thanks! Please allow me some time to craft a fixlist for you...I should be back within the evening. :thumbup2:

bloopie

#7 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 14 January 2013 - 06:48 PM

Hello again, :)

Okay, let's start with the fixlist then run a scan:

Step 1

From your clean computer:

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

start
HKU\Jason\...\Policies\system: [DisableTaskMgr] 1
HKU\Justin\...\Run: [rlqvaknd] C:\Users\Justin\AppData\Roaming\unzhaza [x]
HKLM\...\Winlogon: [Shell] explorer.exe, C:\ProgramData\unzhaza [x ] ()
2013-01-14 12:40 - 2013-01-14 13:31 - 00114688 ____A (Juvarif) C:\Users\Justin\AppData\Roaming\unzhaza.exe
2013-01-14 12:40 - 2013-01-14 13:31 - 00114688 ____A (Juvarif) C:\Users\Justin\AppData\Local\unzhaza.exe
2013-01-14 12:36 - 2013-01-14 12:42 - 00114688 ____A (Juvarif) C:\Users\Jason\AppData\Roaming\unzhaza.exe
2013-01-14 12:34 - 2013-01-14 13:21 - 00114688 ____A (Juvarif) C:\Users\All Users\unzhaza.exe
2013-01-14 12:34 - 2013-01-14 12:42 - 00114688 ____A (Juvarif) C:\Users\Jason\AppData\Local\unzhaza.exe
C:\Users\Justin\AppData\Roaming\unzhaza
C:\ProgramData\unzhaza
stop

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Now plug the flashdrive into the sick computer and boot into System Recovery Options just as you did before.
  • Run FRST64 and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt); please post it in your next reply.

==========

Now try to boot your sick computer normally...if it boots, then do the following and also post both logs for me. If you still can't boot normally, please stop and only post the above Fixlog.txt:

Step 2

Run Combofix

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job...this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
  • Close any open browsers or any other programs that are open.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

==========

In your next reply, please include the following:

  • The fixlog from FRST
  • The Combofix.txt if possible

Also let me know how the machine is running now!

bloopie
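A small triage script, added here as an illustration (it is not part of the thread and not FRST's own code), that parses lines in the FRST log format posted above and flags the indicators this fixlist acts on, then emits the flagged lines in fixlist.txt form. The sample lines are constructed, modelled on the earlier log; the line-format regexes are an assumption about FRST's output, not FRST's own parser.

```python
"""Triage of FRST (Farbar Recovery Scan Tool) log lines for the indicators this
thread acts on: a Winlogon Shell value that is not plain explorer.exe, Task
Manager disabled by policy, Run entries that point into user-writable folders
or to a target FRST could not resolve ([x]), and executables dropped under
AppData/ProgramData. Flagged lines are then emitted between start/stop, the way
the fixlist in this thread quotes log lines verbatim.

Illustrative code only; the regexes are an assumption about FRST's format."""
import re
from dataclasses import dataclass

# Registry line: "<hive>[\<user>]\...\<key>: [<name>] <value>"
REG_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:-x32)?(?:\\[^\\]+)?)\\\.\.\.\\"
    r"(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<value>.*)$"
)
# File line: "<created> - <modified> - <size> <attrs> [(<company>)] <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)

# Folders an unprivileged user (and anything running as that user) can write to;
# "C:\Users\All Users" is the legacy alias of C:\ProgramData.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\all users\\")

# Constructed sample modelled on the log posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-09-07] (Avira Operations GmbH & Co. KG)
HKU\Jason\...\Policies\system: [DisableTaskMgr] 1
HKU\Justin\...\Run: [rlqvaknd] C:\Users\Justin\AppData\Roaming\unzhaza [x]
HKLM\...\Winlogon: [Shell] explorer.exe, C:\ProgramData\unzhaza [x ] ()
2013-01-14 17:01 - 2013-01-14 17:01 - 00000000 ____D C:\FRST
2013-01-14 12:40 - 2013-01-14 13:31 - 00114688 ____A (Juvarif) C:\Users\Justin\AppData\Roaming\unzhaza.exe
2013-01-11 21:23 - 2006-12-08 09:02 - 00251672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_5.dll
"""


@dataclass
class Finding:
    line: str    # the log line, verbatim, so it can go straight into fixlist.txt
    reason: str


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage_line(line: str):
    """Return a Finding for a suspicious log line, or None."""
    m = REG_RE.match(line)
    if m:
        key, name, value = m["key"], m["name"], m["value"].strip()
        if key.lower().endswith("policies\\system") and name == "DisableTaskMgr" and value == "1":
            return Finding(line, "Task Manager disabled by policy (typical of screen-locker malware)")
        if key == "Winlogon" and name == "Shell" and value.lower() != "explorer.exe":
            return Finding(line, "Winlogon Shell altered: something other than explorer.exe starts at logon")
        if key == "Run" and (is_user_writable(value) or value.endswith("[x]")):
            return Finding(line, "Run entry into a user-writable folder or with an unresolved target [x]")
        return None
    m = FILE_RE.match(line)
    if m and "D" not in m["attrs"]:  # skip directories
        path = m["path"]
        if path.lower().endswith(".exe") and is_user_writable(path):
            return Finding(line, "executable created under AppData/ProgramData")
    return None


def triage_log(text: str) -> list:
    return [f for f in (triage_line(ln.rstrip()) for ln in text.splitlines()) if f]


def build_fixlist(findings) -> str:
    """FRST accepts the flagged log lines themselves between 'start' and 'stop'."""
    return "\n".join(["start", *(f.line for f in findings), "stop"])


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
    print(build_fixlist(triage_log(SAMPLE_LOG)))
```

The generated fixlist is a starting point for a human reviewer, not something to run unreviewed: as the NOTICE above says, a fixlist is specific to one machine.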

#8 Maleficus04

Maleficus04
  • Topic Starter

  • Members
  • 19 posts

Posted 14 January 2013 - 07:10 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-01-2013
Ran by SYSTEM at 2013-01-14 19:06:02 Run:1
Running from F:\

==============================================

HKEY_USERS\Jason\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.
HKEY_USERS\Justin\Software\Microsoft\Windows\CurrentVersion\Run\\rlqvaknd Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .
C:\Users\Justin\AppData\Roaming\unzhaza.exe moved successfully.
C:\Users\Justin\AppData\Local\unzhaza.exe moved successfully.
C:\Users\Jason\AppData\Roaming\unzhaza.exe moved successfully.
C:\Users\All Users\unzhaza.exe moved successfully.
C:\Users\Jason\AppData\Local\unzhaza.exe moved successfully.
C:\Users\Justin\AppData\Roaming\unzhaza not found.
C:\ProgramData\unzhaza not found.

==== End of Fixlog ====

My desktop does seem to have let me in this time. I'm working on step two now.

Edited by Maleficus04, 14 January 2013 - 07:10 PM.


#9 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 14 January 2013 - 07:11 PM

Okay, let me know how it goes! :thumbup2:

#10 Maleficus04

Maleficus04
  • Topic Starter

  • Members
  • 19 posts

Posted 14 January 2013 - 07:25 PM

ComboFix 13-01-14.01 - Jason 01/14/2013 19:15:26.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.10238.8682 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\apppatch\AppLoc.exe
c:\windows\apppatch\AppLocA.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\apppatch\unins000.dat
c:\windows\apppatch\unins000.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-15 to 2013-01-15 )))))))))))))))))))))))))))))))
.
.
2073-04-13 21:17 . 2006-11-22 00:48 203576 ------w- c:\program files (x86)\Microsoft Games\Age of Empires III\autopatcher2.exe
2013-01-15 01:01 . 2013-01-15 01:01 -------- d-----w- C:\FRST
2013-01-15 00:21 . 2013-01-15 00:21 -------- d-----w- c:\users\Justin\AppData\Local\temp
2013-01-15 00:21 . 2013-01-15 00:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-12 10:06 . 2013-01-12 10:06 -------- d-----w- c:\programdata\Creative Labs
2013-01-12 05:22 . 2013-01-12 09:37 -------- d-----w- c:\program files (x86)\TERA
2013-01-12 05:22 . 2013-01-12 05:23 -------- d-----w- c:\users\Jason\AppData\Local\TERA
2013-01-07 23:04 . 2013-01-08 00:31 -------- d-----w- c:\program files (x86)\SweetIM
2013-01-07 23:04 . 2013-01-07 23:04 -------- d-----w- c:\users\Jason\AppData\Local\SwvUpdater
2013-01-04 05:58 . 2008-07-31 15:41 68616 ----a-w- c:\windows\SysWow64\XAPOFX1_1.dll
2013-01-04 05:58 . 2008-07-31 15:40 509448 ----a-w- c:\windows\SysWow64\XAudio2_2.dll
2013-01-04 05:58 . 2008-07-12 13:18 467984 ----a-w- c:\windows\SysWow64\d3dx10_39.dll
2013-01-04 05:58 . 2008-07-12 13:18 1493528 ----a-w- c:\windows\SysWow64\D3DCompiler_39.dll
2013-01-04 05:58 . 2008-07-12 13:18 3851784 ----a-w- c:\windows\SysWow64\D3DX9_39.dll
2013-01-04 05:53 . 2013-01-04 05:53 -------- d-----w- C:\Riot Games
2013-01-04 05:15 . 2013-01-04 05:52 -------- d-----w- C:\League of Legends
2013-01-04 05:13 . 2013-01-04 05:13 -------- d-----w- c:\program files (x86)\Pando Networks
2013-01-04 05:12 . 2013-01-04 05:12 -------- d-----w- c:\users\Jason\.swt
2013-01-02 14:41 . 2013-01-02 14:41 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9FEFFA70-0FF2-4CD6-8A86-BA422A14ACCC}\offreg.dll
2013-01-01 02:22 . 2013-01-01 02:22 -------- d-----w- c:\users\Justin\AppData\Local\Adobe
2012-12-24 07:31 . 2012-12-24 07:31 -------- d-----w- c:\users\Jason\AppData\Local\Oblivion
2012-12-22 04:10 . 2012-12-22 04:10 -------- d-----w- c:\users\Jason\AppData\Local\Morrowind
2012-12-22 03:54 . 2012-12-25 10:36 -------- d-----w- C:\Morrowind
2012-12-22 03:54 . 2001-09-05 11:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2012-12-22 03:54 . 2001-09-05 11:18 225280 ------w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
2012-12-22 03:54 . 2001-09-05 11:14 176128 ------w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2012-12-22 03:54 . 2001-09-05 11:13 32768 ------w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2012-12-17 01:31 . 2012-12-17 01:31 -------- d-----w- c:\program files (x86)\Microsoft WSE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-08 21:30 . 2012-09-29 04:50 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-08 21:30 . 2012-09-29 04:50 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-22 11:12 . 2012-11-22 11:12 58704 ----a-r- c:\users\Jason\AppData\Roaming\Microsoft\Installer\{9F153AD3-3523-4542-818E-AE2F92249667}\ARPPRODUCTICON.exe
2012-11-14 04:05 . 2012-11-14 04:05 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-11-14 04:05 . 2012-11-14 04:05 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-11-14 04:05 . 2012-11-14 04:05 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-11-05 05:05 . 2012-09-12 22:37 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-11-05 05:05 . 2012-09-12 22:37 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-11-05 05:04 . 2012-09-12 22:37 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-10-25 08:12 . 2012-10-25 08:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 08:12 . 2012-10-25 08:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7473b6bd-4691-4744-a82b-7854eb3d70b6}"= "c:\program files (x86)\uTorrentControl_v2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentControl_v2\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{7473b6bd-4691-4744-a82b-7854eb3d70b6}"= "c:\program files (x86)\uTorrentControl_v2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-08-28 3671904]
"Dxtory Update Checker 2.0"="c:\program files (x86)\Dxtory Software\Dxtory2.0\UpdateChecker.exe" [2010-10-17 93696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"P17RunE"="P17RunE.dll" [2008-03-28 14848]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-09-08 348664]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-09-28 642728]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-07-09 123856]
R3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2012-09-10 79360]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-09-11 1255736]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [2010-11-01 14544]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2012-09-08 27760]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-09-11 283200]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-09-28 239616]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-09-28 361984]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-09-08 86224]
S2 AODDriver4.2;AODDriver4.2;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-04-09 57472]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-05-14 96896]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [2011-09-02 76056]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [2011-09-02 15128]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-09-29 646248]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-29 21:30]
.
2013-01-15 c:\windows\Tasks\AmiUpdXp.job
- c:\users\Jason\AppData\Local\SwvUpdater\Updater.exe [2013-01-07 23:04]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://home.sweetim.com/?crg=3.1010000.10005&barid={96B852AE-591E-11E2-92ED-1C6F65ADBD3C}
mStart Page = hxxp://home.sweetim.com/?crg=3.1010000.10005&barid={96B852AE-591E-11E2-92ED-1C6F65ADBD3C}
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 24.178.162.3 66.189.0.100 24.217.201.67
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
FF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\vjydkll8.default-1357605226962\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - ExtSQL: 2013-01-09 00:40; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\vjydkll8.default-1357605226962\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-01-09 00:40; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\vjydkll8.default-1357605226962\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{7473B6BD-4691-4744-A82B-7854EB3D70B6} - (no file)
AddRemove-{9143B17E-BBDE-4EA7-A4E3-20D384D9C8A5}_is1 - c:\windows\AppPatch\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-14 19:23:33
ComboFix-quarantined-files.txt 2013-01-15 00:23
.
Pre-Run: 168,736,256,000 bytes free
Post-Run: 168,619,307,008 bytes free
.
- - End Of File - - 5F44196FBF676490F0383BEE7DEF7A32

#11 Maleficus04 (Topic Starter)

Posted 14 January 2013 - 07:29 PM

The only thing I can say about my computer thus far is that it is letting me do stuff, although I haven't really tried anything major. I wanted to wait until I heard back from you. Also, a few of the elements of my desktop are a bit off (background, taskbar, etc.), so I'm not sure if I just need to reset them or if there's another step to fully restore things back to how they were.

I look forward to your response.

#12 bloopie (Malware Response Team)

Posted 14 January 2013 - 07:36 PM

Hi again,

Well done! :thumbup2:

We still have more work to do, and I will be checking your Combofix log. So give me some time to analyze the latest log and I should be back either tonight, or tomorrow (don't wait up for me) with the next steps for you! :)

Well done so far! :clapping:

bloopie

Edited by bloopie, 14 January 2013 - 07:37 PM.


#13 bloopie (Malware Response Team)

Posted 14 January 2013 - 09:13 PM

Hello again,

Not so bad! There are a few things that we need to discuss though:

IObit

This is a program that has stolen the virus/malware definitions from MBAM...I personally do not condone the use of any IObit software. My request would be to uninstall anything from IObit. It also comes with a registry cleaner, which BC does not condone the use of.

==========

uTorrent

uTorrent is a peer-to-peer file-sharing network, and a breeding ground for malware...here's my canned on that:

Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start orb > Programs and Features.

If you wish to keep it, please do not use it until your computer is cleaned.

==========

Now, let's get a couple of more scans:

Step :step1:

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required", please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected, select Skip or Cure (if available) for all of them unless otherwise instructed.
    ***Do NOT select Delete!
  • Click Continue
  • Click Reboot computer
  • Please zip the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and attach it to your reply

==========

Step :step2:

Run RogueKiller

Download RogueKiller from here or here and save it to your desktop.

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Right-click RogueKiller.exe and select Run as Administrator.
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", click Delete.
  • When the Status box shows "Deleting Finished", click Report and then copy and paste the log in your next reply.
  • The log can also be found at RKreport[1].txt on your desktop.

==========

Step :step3:

Please download aswMBR (4.5MB) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

==========

In your next reply, please include the following:

  • The TDSSKiller log
  • The RogueKiller log
  • The aswMBR log

Any changes to the system that I should know about?

bloopie

#14 Maleficus04 (Topic Starter)

Posted 15 January 2013 - 05:41 PM

I started on the other scans earlier today, but after I rebooted, I had the screen lock again. Should I just use the same fixlist to unlock it and continue on with the other scans?

#15 bloopie (Malware Response Team)

Posted 15 January 2013 - 05:46 PM

Hi again,

No, please delete FRST.txt and Fixlist.txt from your flash drive and post a fresh FRST scan log.

bloopie
